HackingLab – Devrandom CTF1

We start by scanning the network with arp-scan to identify the target machine on the network; the syntax is: arp-scan --interface=eth0 --localnet.
The target machine answers at IP 192.168.188.67.

kali@kali:/usr/share$ sudo arp-scan --interface=eth0 --localnet
[sudo] password for kali: 
Interface: eth0, type: EN10MB, MAC: 08:00:27:23:ff:90, IPv4: 192.168.188.53
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.188.1   98:9b:cb:9f:3a:e3       AVM Audiovisuelles Marketing und Computersysteme GmbH
192.168.188.20  cc:b0:da:aa:38:07       Liteon Technology Corporation
192.168.188.26  40:b0:34:db:2a:65       Hewlett Packard
192.168.188.29  00:03:7f:c3:11:0c       Atheros Communications, Inc.
192.168.188.43  54:b8:0a:01:ad:33       D-Link International
192.168.188.27  7c:2f:80:f5:84:18       Gigaset Communications GmbH
192.168.188.64  cc:b0:da:aa:38:07       Liteon Technology Corporation
192.168.188.67  08:00:27:bd:d6:4b       PCS Systemtechnik GmbH
192.168.188.25  34:41:5d:e7:72:d7       Intel Corporate
192.168.188.23  48:d6:d5:03:07:22       Google, Inc.

10 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.297 seconds (111.45 hosts/sec). 10 responded

With nmap we scan for open ports and services; the syntax is sudo nmap -sV -sT -O -A -p- <IP ADDRESS> where:
-sV indicates an SCTP INIT scan,
-sT indicates a TCP connect scan,
-O indicates operating system detection,
-A indicates an “invasive” scan,
-p- indicates scanning all ports.

The nmap scan reveals the following open ports:
22 – ssh,
80 – http.

kali@kali:/usr/share$ sudo nmap -sV -sT -O -A -p- 192.168.188.67
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 08:33 EDT
Nmap scan report for lucifer.fritz.box (192.168.188.67)
Host is up (0.00078s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 83:e5:a1:51:b1:f6:98:d3:19:e7:59:10:f7:f4:e8:5e (RSA)
|   256 b2:a6:79:c3:ad:2f:ba:cc:02:b3:42:0d:a2:a3:9e:60 (ECDSA)
|_  256 ec:1f:d4:29:9f:a5:ae:ca:93:f4:a8:6b:fd:61:44:45 (ED25519)
80/tcp open  http    Apache httpd
| http-robots.txt: 3 disallowed entries 
|_/wp-admin/ /wp-login.php /?include=info
|_http-server-header: Apache
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:BD:D6:4B (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.78 ms lucifer.fritz.box (192.168.188.67)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.56 seconds

To assess possible vulnerabilities we then ran nikto against port 80; the syntax is nikto -host <IP ADDRESS> -port <PORT> where:
-host indicates the IP address of the target machine,
-port indicates the port on which to run the vulnerability scan.
The scan found an interesting potential vulnerability in the secret directory.

kali@kali:/usr/share$ nikto -host 192.168.188.67 -port 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.188.67
+ Target Hostname:    192.168.188.67
+ Target Port:        80
+ Start Time:         2020-06-01 08:38:41 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/wp-login.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ RFC-1918 IP address found in the 'link' header. The IP is "192.168.1.214".
+ Uncommon header 'link' found, with contents: <http://192.168.1.214/index.php/wp-json/>; rel="https://api.w.org/"
+ Entry '/?include=info/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 3 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3268: /secret/: Directory indexing found.
+ OSVDB-3092: /secret/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /wp-admin/: Admin login page/section found.
+ OSVDB-3268: /wp-content/uploads/: Directory indexing found.
+ /wp-content/uploads/: WordPress uploads directory is browsable. This may reveal sensitive information
+ 7921 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2020-06-01 08:40:03 (GMT-4) (82 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We started enumerating directories with dirb, using the syntax dirb http://<IP ADDRESS>. The enumeration showed that the secret directory is listable and revealed the presence of the robots.txt file.

DIRB
kali@kali:/usr/share$ dirb http://192.168.188.67

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jun  1 08:40:52 2020
URL_BASE: http://192.168.188.67/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.188.67/ ----
+ http://192.168.188.67/index.php (CODE:200|SIZE:74)                                                                               
+ http://192.168.188.67/robots.txt (CODE:200|SIZE:86)                                                                              
==> DIRECTORY: http://192.168.188.67/secret/                                                                                       
+ http://192.168.188.67/server-status (CODE:403|SIZE:199)                                                                          
==> DIRECTORY: http://192.168.188.67/wp-admin/                                                                                     
==> DIRECTORY: http://192.168.188.67/wp-content/                                                                                   
==> DIRECTORY: http://192.168.188.67/wp-includes/                                                                                  
                                                                                                                                   
---- Entering directory: http://192.168.188.67/secret/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-admin/ ----
+ http://192.168.188.67/wp-admin/admin.php (CODE:200|SIZE:74)                                                                      
==> DIRECTORY: http://192.168.188.67/wp-admin/css/                                                                                 
==> DIRECTORY: http://192.168.188.67/wp-admin/images/                                                                              
==> DIRECTORY: http://192.168.188.67/wp-admin/includes/                                                                            
+ http://192.168.188.67/wp-admin/index.php (CODE:200|SIZE:74)                                                                      
==> DIRECTORY: http://192.168.188.67/wp-admin/js/                                                                                  
==> DIRECTORY: http://192.168.188.67/wp-admin/maint/                                                                               
==> DIRECTORY: http://192.168.188.67/wp-admin/network/                                                                             
==> DIRECTORY: http://192.168.188.67/wp-admin/user/                                                                                
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-content/ ----
+ http://192.168.188.67/wp-content/index.php (CODE:200|SIZE:0)                                                                     
==> DIRECTORY: http://192.168.188.67/wp-content/languages/                                                                         
==> DIRECTORY: http://192.168.188.67/wp-content/plugins/                                                                           
==> DIRECTORY: http://192.168.188.67/wp-content/themes/                                                                            
==> DIRECTORY: http://192.168.188.67/wp-content/upgrade/                                                                           
==> DIRECTORY: http://192.168.188.67/wp-content/uploads/                                                                           
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-admin/network/ ----
+ http://192.168.188.67/wp-admin/network/admin.php (CODE:200|SIZE:74)                                                              
+ http://192.168.188.67/wp-admin/network/index.php (CODE:200|SIZE:74)                                                              
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-admin/user/ ----
+ http://192.168.188.67/wp-admin/user/admin.php (CODE:200|SIZE:74)                                                                 
+ http://192.168.188.67/wp-admin/user/index.php (CODE:200|SIZE:74)                                                                 
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-content/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-content/plugins/ ----
+ http://192.168.188.67/wp-content/plugins/index.php (CODE:200|SIZE:0)                                                             
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-content/themes/ ----
+ http://192.168.188.67/wp-content/themes/index.php (CODE:200|SIZE:0)                                                              
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-content/upgrade/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                                                                                   
---- Entering directory: http://192.168.188.67/wp-content/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Mon Jun  1 08:41:24 2020
DOWNLOADED: 32284 - FOUND: 12

Opening the wrap file under /secret we found a username and password: john:Password123.

kali@kali:/usr/share$ dirb http://192.168.188.67/secret

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Jun  1 08:43:45 2020
URL_BASE: http://192.168.188.67/secret/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.188.67/secret/ ----
+ http://192.168.188.67/secret/wrap (CODE:200|SIZE:6539)                                                                           
                                                                                                                                   
-----------------
END_TIME: Mon Jun  1 08:43:49 2020
DOWNLOADED: 4612 - FOUND: 1

Opening the robots.txt file we find a reference to a hidden URL: /?include=info.
We try replacing info with the path to /etc/passwd, hoping to extract the list of users, and it works.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
_apt:x:103:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
john:x:1000:1000:john,,,:/home/john:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lisa:x:1001:1001:,,,:/home/lisa:/bin/bash
henri:x:1002:1002:,,,:/home/henri:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
proftpd:x:107:65534::/run/proftpd:/usr/sbin/nologin
ftp:x:108:65534::/srv/ftp:/usr/sbin/nologin
wordpressftp:x:1003:1003:,,,:/var/www/html:/bin/rbash
victor:x:1004:1004:,,,:/home/victor:/bin/bash
trevor:x:1005:1005:,,,:/home/trevor:/bin/bash

We clean up the user file to keep only the accounts that can log in.

john:x:1000:1000:john,,,:/home/john:/bin/bash
lisa:x:1001:1001:,,,:/home/lisa:/bin/bash
henri:x:1002:1002:,,,:/home/henri:/bin/bash
wordpressftp:x:1003:1003:,,,:/var/www/html:/bin/rbash
victor:x:1004:1004:,,,:/home/victor:/bin/bash
trevor:x:1005:1005:,,,:/home/trevor:/bin/bash
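To do this filtering step automatically rather than by hand, here is an added example (not part of the original write-up) that parses a passwd dump, including the collapsed single-line form the include parameter returned, keeps the accounts with an interactive shell and flags restricted rbash shells; it generalizes the manual filter above by keeping root as well. The sample input is a constructed subset of the dump shown above.

```python
# Reduce an /etc/passwd dump to the accounts that can log in interactively.
# Added example, not part of the original write-up; it accepts both a normal
# newline-separated file and the single-line form the ?include= page returned.
from __future__ import annotations
import os
import re
from dataclasses import dataclass
# rbash still allows a login but confines the user; flag it separately.
RESTRICTED_SHELLS = {"/bin/rbash", "/usr/bin/rbash"}

# A record is name:password:uid:gid:gecos:home:shell. In a dump collapsed onto
# one line a new record starts at whitespace followed by "name:<pw>:<digits>:",
# which GECOS text such as "Mailing List Manager" can never match.
RECORD_START = re.compile(r"\s+(?=[A-Za-z_][\w-]*:[^:\s]*:\d+:)")

@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def can_login(self) -> bool:
        # Heuristic: interactive shells are named *sh (bash, rbash, sh, zsh);
        # nologin, false and sync are not.
        return os.path.basename(self.shell).endswith("sh")

    @property
    def is_restricted(self) -> bool:
        return self.shell in RESTRICTED_SHELLS

def parse_passwd(text: str) -> list[PasswdEntry]:
    entries: list[PasswdEntry] = []
    for record in RECORD_START.split(text.strip()):
        f = record.split(":")
        # Skip malformed fragments instead of crashing on a partial dump.
        if len(f) != 7 or not (f[2].isdigit() and f[3].isdigit()):
            continue
        entries.append(PasswdEntry(f[0], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries

def login_accounts(text: str) -> list[PasswdEntry]:
    return [e for e in parse_passwd(text) if e.can_login]

# Constructed sample: a subset of the dump above, collapsed onto one line.
SAMPLE_DUMP = (
    "root:x:0:0:root:/root:/bin/bash sync:x:4:65534:sync:/bin:/bin/sync "
    "list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin "
    "john:x:1000:1000:john,,,:/home/john:/bin/bash "
    "mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false "
    "wordpressftp:x:1003:1003:,,,:/var/www/html:/bin/rbash "
    "victor:x:1004:1004:,,,:/home/victor:/bin/bash"
)
```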
