On the Cap machine we will use Wireshark to find a user's credentials and use them to log in over SSH, where we can escalate privileges through python3.8 capabilities.
# Nmap 7.94SVN scan initiated Sun Aug 18 00:54:24 2024 as: nmap -p- --open -sCVS -vvv -n -Pn -oN target 10.10.10.245
Nmap scan report for 10.10.10.245
Host is up, received user-set (0.11s latency).
Scanned at 2024-08-18 00:54:24 CEST for 176s
Not shown: 63221 closed tcp ports (reset), 2311 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
|   256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_  256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open  http    syn-ack ttl 63 gunicorn
| http-methods:
|_  Supported Methods: HEAD GET OPTIONS
|_http-title: Security Dashboard
|_http-server-header: gunicorn
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 18 00:57:20 2024 -- 1 IP address (1 host up) scanned in 175.28 seconds
Intrusion
Let's look at port 80:
We can see that we are logged in as the user Nathan; if we explore the site a little we find the following:
It looks like a network capture. In the panel on the left there is Security Snapshot (5 Second PCAP + Analysis); opening it shows the following:
It has taken us to /data/6, where we can download a .pcap file, but if we download it and open it there is nothing inside, so we will try to view more data in the following way:
Now there is data, so we download the .pcap:
Now we open it with Wireshark:
Scrolling down a little we can see traffic on port 21, which is FTP, and looking closely a login takes place in which we can find the password:
We try logging in over FTP to see whether the credentials are valid:
Good, they are valid; now we try SSH to see whether they work there as well:
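The password is readable in the capture because FTP sends USER and PASS as plain text on port 21. The following added example (not part of the original write-up) is a small audit check that parses a classic pcap and reports which accounts logged in over cleartext FTP without keeping the password; the sample capture, the user name alice and the function names are constructed for the illustration.

```python
import struct

def build_pcap(packets):
    """Constructed sample: wrap (src_port, dst_port, payload) tuples in Ethernet/IPv4/TCP frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for sport, dport, data in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for each IPv4/TCP packet of a little-endian classic pcap."""
    if len(pcap) < 24 or struct.unpack_from("<I", pcap)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # skip anything that is not IPv4 carrying TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # IHL gives the IPv4 header length
        if len(tcp) >= 20:
            yield (*struct.unpack_from("!HH", tcp), tcp[(tcp[12] >> 4) * 4:])

def cleartext_ftp_logins(pcap):
    """Return [(user, password_length)] for logins sent to port 21; the password is not stored."""
    findings, pending = [], {}
    for sport, dport, data in tcp_payloads(pcap):
        if dport != 21:
            continue
        verb, _, arg = data.decode("latin-1").strip().partition(" ")
        if verb.upper() == "USER":
            pending[sport] = arg  # remember the user per client port
        elif verb.upper() == "PASS" and sport in pending:
            findings.append((pending.pop(sport), len(arg)))
    return findings

# Constructed capture: one FTP login plus unrelated HTTP traffic.
SAMPLE = build_pcap([(50000, 21, b"USER alice\r\n"), (21, 50000, b"331 Please specify the password.\r\n"),
                     (50000, 21, b"PASS example-password\r\n"), (50001, 80, b"GET / HTTP/1.1\r\n\r\n")])
print(cleartext_ftp_logins(SAMPLE))
```

Any account this check reports should have its password rotated, and the service moved to SFTP or FTPS so that logins no longer cross the network in the clear.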