search

Swamp

Difficulty: Easy

hashtag
Recon

  1. We begin by performing a network scan to identify the host of the victim machine:

sudo nmap -sn 192.168.56.0/24

  • Host identificados:

    • 192.168.56.1

    • 192.168.56.100

    • 192.168.56.102 (target)

    • 192.168.56.101 (our Kali machine)

  1. We performed a scan with nmap:

sudo nmap -sCV -p- --open -T5 192.168.56.102

  • Command breakdown:

    • -sC: Runs the default nmap scripts (NSE, Nmap Scripting Engine), focused on basic information and detection of common vulnerabilities.

    • -sV: Detects the version of services running on open ports.

    • -p-: Scans all possible TCP ports (from 1 to 65535), not just the most common ones.

    • --open: Shows only the ports that are open, hiding those that are closed/filtered.

    • -T5: Uses “maximum speed” for scanning, reducing wait times between tests. This is the most aggressive level and can generate more network traffic.

  • Identified ports:

    • 22/tcp

    • 53/tcp

    • 80/tcp

  1. The open port 80 indicates that there is a website, and there is a redirect to the domain swamp.nyx. We will add it to the /etc/hosts file on our attacking machine:

  1. We verify this by accessing it from the browser of the attacking machine:

hashtag
DNS Zone Transfer

  1. With this type of attack, we will attempt to obtain information from the DNS domain (for example, subdomains).

  1. We discovered multiple subdomains, we will add them to the /etc/hosts file:

  • We see that the subdomains refer to the movie Shrek (the swamp, the donkey, Fiona, etc.). We can enter the added subdomains.

  1. We visit farfaraway.swamp.nyx from the browser:

  1. We inspect the source code of the page and see that the script.js file is imported:

  1. We analyzed the file code in the Debugger and located the following encoded string:

  1. It appears to be encoded in base64, so let's decode it:

  • We obtain the credentials shrek:putopesaoelasno

  1. Previously, we identified that port 22/tcp is open, which is the port used for the SSH service. We will attempt to access it with the credentials we have obtained.

hashtag
Privilege Escalation

  1. We have gained access to the target system with the user shrek. Let's see if we can run as root.

  • It is identified that the header_checker binary can be executed.

  1. We checked that it needs header_checker to run:

  1. Let's try to see what header_checker does:

  • What header_checker is doing is a curl.

  1. We will try to inject a command right after using the binary to see if it executes:

  • We execute the command as root, so we could inject commands that run as root on the target system.

  1. We put another console on our attacking machine to listen:

  1. From the terminal with the SSH session shrek@swamp, we run the command to receive the connection on the attacking machine:

  1. We can execute commands on the target system:

  • We display the contents of user.txt, which is one of the flags.

  1. We search for and display the flag root.txt, which would be the other one we would have left:

AnteriorVulnyxSiguienteESP

Última actualización