sjd
TAG -> Dockerlabs | CTF
As a first step, we verify connectivity with the machine using the ping command.
ping -c 1 172.17.0.2 -R
Result
PING 172.17.0.2 (172.17.0.2) 56(124) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.052 ms
RR: 172.17.0.1
172.17.0.2
172.17.0.2
172.17.0.1
--- 172.17.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.052/0.052/0.052/0.000 ms
From the TTL we can get an idea of what we are facing, in this case a Linux machine. Now let's do a port scan using my Python script.
PortScanner -i 172.17.0.2 -t 1000 -s 2 -a C V
Result
[+] Autor: Anonymous17
[+] Targeted: 172.17.0.2
[+] (TTL -> 64): Linux
[!] Escaneo de puertos (socket):
[!]Puerto 22 abierto!
[!]Puerto 80 abierto!
[+] Lista de puertos abiertos: [22, 80]
[+] Información de servicios y versiones:
[+] 22/tcp ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
[+] 80/tcp http Apache httpd 2.4.58 ((Ubuntu))
[+] Comprobando vulnerabilidades:
[+] SSH parece seguro contra enumeración de usuarios
[+] Tecnologías detectadas en HTTP:
http://172.17.0.2:80 [200 OK] Apache[2.4.58],
Country[RESERVED][ZZ],
Email[silvio@delacal.com.ar],
HTML5,
HTTPServer[Ubuntu Linux][Apache/2.4.58 (Ubuntu)],
IP[172.17.0.2],
Script,
Title[Reparación de Computadoras SJD],
[*] Evidencia guardada en output.txt
We see 2 open ports. The first thing that comes to mind on seeing an email address is brute-forcing that user over SSH with hydra, but it does not work.
hydra -l silvio -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt ssh://172.17.0.2 -t 4 -vV
Result
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-02 01:44:26
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344401 login tries (l:1/p:14344401), ~3586101 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://silvio@172.17.0.2:22
[INFO] Successful, password authentication is supported by ssh://172.17.0.2:22
[ATTEMPT] target 172.17.0.2 - login "silvio" - pass "123456" - 1 of 14344401 [child 0] (0/0)
[ATTEMPT] target 172.17.0.2 - login "silvio" - pass "12345" - 2 of 14344401 [child 1] (0/0)
[ATTEMPT] target 172.17.0.2 - login "silvio" - pass "123456789" - 3 of 14344401 [child 2] (0/0)
[ATTEMPT] target 172.17.0.2 - login "silvio" - pass "password" - 4 of 14344401 [child 3] (0/0)
[ATTEMPT] target 172.17.0.2 - login "silvio" - pass "iloveyou" - 5 of 14344401 [child 1] (0/0)
^C[ERROR] Received signal 2, going down ...
The session file ./hydra.restore was written. Type "hydra -R" to resume session.
After a while I get nothing. While this was running I did other basic scans with nmap.
nmap -p- --open -sS --min-rate 5000 -n -Pn 172.17.0.2 -oG allPorts.txt
Results
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-02 01:46 EST
Nmap scan report for 172.17.0.2
Host is up (0.0000050s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 02:42:AC:11:00:02 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds
Using s4vitar's extractPorts function I pull out the most relevant information.
-> extractPorts allPorts.txt
───────┬──────────────────────────────────────────────────────
│ File: extractPorts.tmp
───────┼──────────────────────────────────────────────────────
1 │
2 │ [*] Extracting information...
3 │
4 │ [*] IP Address: 172.17.0.2
5 │ [*] Open ports: 22,80
6 │
7 │ [*] Ports copied to clipboard
8 │
───────┴──────────────────────────────────────────────────────
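For readers who do not have that shell function, here is an added Python example (my own, not s4vitar's extractPorts or the author's script) that does the same job: it parses nmap grepable output (-oG), keeps only the open TCP ports per host and builds the comma-joined list for the follow-up -p scan. The sample text is constructed to resemble the allPorts.txt above and includes a filtered port to show that it is ignored.

```python
import re
from typing import Dict, List

# Constructed sample of nmap -oG output shaped like allPorts.txt. The
# 8080/filtered entry is made up to exercise the state filter; it is not
# part of the real scan result on this page.
SAMPLE_ALLPORTS = """\
# Nmap 7.95 scan initiated Sun Feb  2 01:46:00 2025 as: nmap -p- --open -sS --min-rate 5000 -n -Pn 172.17.0.2 -oG allPorts.txt
Host: 172.17.0.2 ()\tStatus: Up
Host: 172.17.0.2 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65532)
# Nmap done at Sun Feb  2 01:46:01 2025 -- 1 IP address (1 host up) scanned in 0.70 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")
# The Ports: field runs up to the next tab-separated field (or end of line).
PORTS_RE = re.compile(r"Ports:\s+(.*?)(?:\t|$)")


def extract_ports(grepable: str) -> Dict[str, List[int]]:
    """Return {ip: [sorted open TCP ports]} from nmap grepable output.

    Each Ports: entry is port/state/proto/owner/service/rpc/version; only
    entries whose state is 'open' and protocol is 'tcp' are kept.
    """
    result: Dict[str, List[int]] = {}
    for line in grepable.splitlines():
        if line.startswith("#"):          # nmap header/footer comments
            continue
        host = HOST_RE.match(line)
        ports = PORTS_RE.search(line)
        if not host or not ports:         # e.g. the "Status: Up" line
            continue
        ip = host.group(1)
        for entry in ports.group(1).split(","):
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open" and proto == "tcp":
                result.setdefault(ip, []).append(int(port))
    return {ip: sorted(set(plist)) for ip, plist in result.items()}


def ports_arg(ports: List[int]) -> str:
    """Comma-joined port list ready for 'nmap -p <ports>'."""
    return ",".join(str(p) for p in ports)


if __name__ == "__main__":
    # Mirrors the extractPorts report shown above, minus the clipboard copy.
    print("[*] Extracting information...")
    for ip, open_ports in extract_ports(SAMPLE_ALLPORTS).items():
        print(f"[*] IP Address: {ip}")
        print(f"[*] Open ports: {ports_arg(open_ports)}")
```

Feed it the real file with `extract_ports(open("allPorts.txt").read())`; the clipboard step of the original function is left out so the script runs anywhere.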
Then I scan the ports in more detail.
nmap -p 22,80 -sCV 172.17.0.2 -oN targeted.txt
Result
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-02 01:48 EST
Nmap scan report for 172.17.0.2
Host is up (0.000050s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 e3:6b:e1:c3:e0:14:74:3e:df:a3:f1:d8:64:69:80:50 (ECDSA)
|_ 256 17:ce:1a:bb:ef:6d:9e:9d:c2:41:41:0b:0f:82:32:0d (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-server-header: Apache/2.4.58 (Ubuntu)
|_http-title: Reparaci\xC3\xB3n de Computadoras SJD
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.53 seconds
At this point I go and look at the website.
While on the website, it occurs to me to do some fuzzing.
feroxbuster --url http://172.17.0.2/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,php,html -t 200
Result
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://172.17.0.2/
🚀 Threads │ 200
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
🔎 Extract Links │ true
💲 Extensions │ [txt, php, html]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 149l 326w 4468c http://172.17.0.2/descargas.html
200 GET 8l 83w 4889c http://172.17.0.2/img/flags.png
200 GET 14l 100w 5349c http://172.17.0.2/img/img-box.png
200 GET 28l 164w 12872c http://172.17.0.2/img/7zip.png
200 GET 18l 101w 7634c http://172.17.0.2/img/81871.png
200 GET 49l 304w 22471c http://172.17.0.2/img/1.jpg
200 GET 147l 824w 63540c http://172.17.0.2/img/gimp.png
200 GET 429l 1091w 56322c http://172.17.0.2/img/mkt-ponemos-tu-tienda-en-buscadores.png
200 GET 26l 122w 8155c http://172.17.0.2/icons/openlogo-75.png
200 GET 154l 947w 72939c http://172.17.0.2/img/ccleaner.png
200 GET 816l 2069w 95359c http://172.17.0.2/img/cabecera-web-hosting.jpg
200 GET 206l 563w 6968c http://172.17.0.2/index.php
200 GET 175l 951w 137151c http://172.17.0.2/img/bg-asesor.jpg
301 GET 9l 28w 306c http://172.17.0.2/img => http://172.17.0.2/img/
200 GET 206l 563w 6968c http://172.17.0.2/
200 GET 368l 933w 10703c http://172.17.0.2/index1.html
200 GET 3l 6w 42c http://172.17.0.2/pass.txt
200 GET 755l 4581w 383511c http://172.17.0.2/img/libreoffice.png
200 GET 14l 52w 5304c http://172.17.0.2/img/avast.png
200 GET 11l 65w 4180c http://172.17.0.2/img/logo-donwebbywebdotcom-white.png
200 GET 17l 77w 5413c http://172.17.0.2/img/logo-donwebbywebdotcom.png
200 GET 24l 119w 11251c http://172.17.0.2/img/notepadplusplus.png
200 GET 34l 263w 21306c http://172.17.0.2/img/descarga.jpeg
200 GET 59l 307w 22516c http://172.17.0.2/img/png-icono.png
200 GET 125l 651w 53887c http://172.17.0.2/img/ss.png
200 GET 442l 1166w 58829c http://172.17.0.2/img/mkt-envia-ofertas.png
200 GET 444l 1186w 62072c http://172.17.0.2/img/mkt-contacta-mas-clientes.png
200 GET 205l 1433w 118138c http://172.17.0.2/img/vlc.png
200 GET 256l 1255w 163590c http://172.17.0.2/img/bg-diy.jpg
[####################] - 48s 882340/882340 0s found:29 errors:2
[####################] - 48s 882180/882180 18421/s http://172.17.0.2/
[####################] - 2s 882180/882180 518929/s http://172.17.0.2/img/ => Directory listing (add --scan-dir-listings to scan)
http://172.17.0.2/pass.txt catches my attention, so I go and see what it is from the browser.
It appears to be a name with a base64 string next to it, which can be "decrypted", so to speak, quite easily from the terminal.
The only one that looks different is the one next to root, so I try it to see if we get lucky.
And indeed that is the case: a fairly simple machine for practising the basic principles of ethical hacking.
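As an added example (mine, not the author's), the decoding step above done in Python instead of by hand, using a constructed file in the same "name base64" layout; the values are made up and are not the contents of the real pass.txt. It decodes each token with strict validation, so a line that is not actually base64 is reported rather than silently mangled, and it flags the entries whose decoded value is unique, which is the "looks different" observation the writeup relies on. The point for defenders is the obvious one: base64 is an encoding, not encryption, so a web-readable file like this offers no protection at all.

```python
import base64
import binascii
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample in the "name base64" layout described above.
# Every value here is invented for the example.
SAMPLE_PASS_TXT = """\
silvio cGFzc3dvcmQxMjM=
admin cGFzc3dvcmQxMjM=
root c3VwZXJzZWNyZXQ=
backup not-base64!!
"""

Entry = Tuple[str, str, Optional[str]]  # (name, encoded, decoded or None)


def decode_b64(value: str) -> Optional[str]:
    """Strictly decode one base64 token.

    Returns None when the token has characters outside the base64
    alphabet, bad padding, or does not decode to printable UTF-8 text.
    """
    try:
        raw = base64.b64decode(value, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    return text if text.isprintable() else None


def parse_entries(text: str) -> List[Entry]:
    """Parse 'name base64' lines; lines without exactly two fields are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        name, encoded = parts
        entries.append((name, encoded, decode_b64(encoded)))
    return entries


def outliers(entries: List[Entry]) -> List[str]:
    """Names whose decoded value appears only once in the file."""
    counts = Counter(d for _, _, d in entries if d is not None)
    return [n for n, _, d in entries if d is not None and counts[d] == 1]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_PASS_TXT)
    for name, encoded, decoded in parsed:
        shown = decoded if decoded is not None else "<not valid base64 text>"
        print(f"{name:<8} {encoded:<20} -> {shown}")
    print("[*] Entries with a unique decoded value:", ", ".join(outliers(parsed)))
```

Run it against the real file with `parse_entries(open("pass.txt").read())`; anything reported as not valid base64 text deserves a second look rather than a guess.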