Aidor

Enumeration

Vamos a empezar con un nmap:

┌──(pylon㉿kali)-[~/…/pylon/Dockerlabs/Aidor/nmap]
└─$ nmap -p- --open -sS --min-rate=5000 -n -Pn -vvv 172.17.0.2     
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-21 19:03 CET
Initiating ARP Ping Scan at 19:03
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 19:03, 0.04s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 19:03
Scanning 172.17.0.2 [65535 ports]
Discovered open port 22/tcp on 172.17.0.2
Discovered open port 5000/tcp on 172.17.0.2
Completed SYN Stealth Scan at 19:03, 0.65s elapsed (65535 total ports)
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000050s latency).
Scanned at 2025-11-21 19:03:49 CET for 0s
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack ttl 64
5000/tcp open  upnp    syn-ack ttl 64
MAC Address: 02:42:AC:11:00:02 (Unknown)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.84 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

Vamos a realizar una segunda enumeración para obtener más información:

┌──(pylon㉿kali)-[~/…/pylon/Dockerlabs/Aidor/nmap]
└─$ nmap -p22,5000 -sCV 172.17.0.2           
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-21 19:25 CET
Nmap scan report for 172.17.0.2
Host is up (0.000051s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 10.0p2 Debian 7 (protocol 2.0)
5000/tcp open  http    Werkzeug httpd 3.1.3 (Python 3.13.5)
|_http-server-header: Werkzeug/3.1.3 Python/3.13.5
|_http-title: Iniciar Sesi\xC3\xB3n
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.46 seconds

Vemos el puerto 5000 , con la información dada podemos ver que se trata de una web creada en Python. Vamos a darle un vistazo a la aplicación web:

Vemos un inicio de sesión podríamos probar credenciales típicas como:

admin:admin
administrator:administrator
test:test

Pero nada de esto funcionará. Vemos otra opción que es para registrarnos, veamos que tal:

Ya que tenemos la oportunidad vamos a crearnos una cuenta:

Shell as aidor

Vemos que nos hizo una redirección a /dashboard . Ojeando vemos que no hay grandes funciones en la aplicación web. Pero me llamó la atención una cosa:

Vemos el parámetro id, donde nos otorga el número 56. Podríamos probar a cambiar el número a uno más bajo a ver si estamos ante un IDOR y podemos acceder al panel de otro usuario:

Vemos que ahora estamos en el panel del usuario aidor . Así que estamos ante un IDOR, viendo su panel me encuentro lo siguiente:

Vemos que podemos cambiarle la contraseña o copiar el hash de la actual, vamos a intentar crackearlo con crackstation:

Vemos que la contraseña del usuario aidor es chocolate. Vamos a probarla por SSH:

┌──(pylon㉿kali)-[~]
└─$ ssh aidor@172.17.0.2
aidor@172.17.0.2's password: 
Linux 7fa1aaff0355 6.16.8+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.16.8-1kali1 (2025-09-24) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Nov 21 18:39:37 2025 from 172.17.0.1
aidor@7fa1aaff0355:~$

Shell as root

Enumerando encontré lo siguiente:

aidor@7fa1aaff0355:/home$ ls -la
total 52
drwxr-xr-x 1 root  root   4096 Nov 21 18:32 .
drwxr-xr-x 1 root  root   4096 Nov 21 17:19 ..
drwx------ 1 aidor aidor  4096 Nov 21 17:55 aidor
-rw-r--r-- 1 root  root   4862 Nov 17 14:59 app.py
-rw-r--r-- 1 root  root  24576 Nov 21 18:32 database.db
drwxr-xr-x 2 root  root   4096 Nov 17 14:52 templates

Vemos el archivo database.db vamos a ver su contenido:

aidor@7fa1aaff0355:/home$ sqlite3 database.db 
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite>

Vamos a enumerar las tablas:

sqlite> .tables
users

Vamos a obtener todas las columnas de la tabla a ver su contenido:

sqlite> select * from users;
3|juan.perez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|juan.perez@example.com
4|maria.garcia|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|maria.garcia@example.com
5|carlos.lopez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|carlos.lopez@example.com
6|ana.martinez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|ana.martinez@example.com
7|luis.rodriguez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|luis.rodriguez@example.com
8|laura.gonzalez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|laura.gonzalez@example.com
9|miguel.hernandez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|miguel.hernandez@example.com
10|isabel.diaz|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|isabel.diaz@example.com
11|javier.sanchez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|javier.sanchez@example.com
12|elena.fernandez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|elena.fernandez@example.com
13|david.moreno|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|david.moreno@example.com
14|carmen.romero|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|carmen.romero@example.com
15|francisco.alvarez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|francisco.alvarez@example.com
16|patricia.gomez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|patricia.gomez@example.com
17|antonio.molina|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|antonio.molina@example.com
18|rocio.ortiz|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|rocio.ortiz@example.com
19|jose.serrano|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|jose.serrano@example.com
20|teresa.marin|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|teresa.marin@example.com
21|alejandro.navarro|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|alejandro.navarro@example.com
22|silvia.torres|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|silvia.torres@example.com
23|rafael.dominguez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|rafael.dominguez@example.com
24|monica.ramirez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|monica.ramirez@example.com
25|pedro.castro|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|pedro.castro@example.com
26|natalia.ortega|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|natalia.ortega@example.com
27|admin|d033e22ae348aeb5660fc2140aec35850c4da997|admin@company.com
28|sergio.vazquez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|sergio.vazquez@example.com
29|beatriz.iglesias|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|beatriz.iglesias@example.com
30|victor.morales|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|victor.morales@example.com
31|clara.santos|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|clara.santos@example.com
32|angel.cortes|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|angel.cortes@example.com
33|lucia.guerrero|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|lucia.guerrero@example.com
34|oscar.flores|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|oscar.flores@example.com
35|irene.medina|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|irene.medina@example.com
36|ruben.suarez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|ruben.suarez@example.com
37|veronica.delgado|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|veronica.delgado@example.com
38|manuel.herrera|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|manuel.herrera@example.com
39|eva.mendez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|eva.mendez@example.com
40|alberto.cruz|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|alberto.cruz@example.com
41|celia.aguilar|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|celia.aguilar@example.com
42|daniel.vidal|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|daniel.vidal@example.com
43|marina.prieto|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|marina.prieto@example.com
44|adrian.campos|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|adrian.campos@example.com
45|sandra.leon|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|sandra.leon@example.com
46|marcos.rivera|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|marcos.rivera@example.com
47|lorena.arias|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|lorena.arias@example.com
48|jordi.pascual|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|jordi.pascual@example.com
49|noelia.benitez|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|noelia.benitez@example.com
50|guillermo.vicente|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|guillermo.vicente@example.com
51|raquel.mora|5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8|raquel.mora@example.com
52|pingu|dd0284ae23bfe3ed87de34568afa73e03380b7990fcb69b2d11cc902eb1060a3|pingu@pingu.es
53|pepe|7c9e7c1494b2684ab7c19d6aff737e460fa9e98d5a234da1310c97ddf5691834|pepe@pepe.es
54|aidor|7499aced43869b27f505701e4edc737f0cc346add1240d4ba86fbfa251e0fc35|aidor@aidor.es
55|pylon|d7c2503d825d83d6be31b7d847613de984cd9ecb4d052f6d9c2a71e74313dd3a|pylon@dockerlabs.es
56|pylone|0887d99b00dd4d992bcf3392b7959d313b3f759f372f8c6b3ace58406c6b6d00|pylone@dockerlabs.es

Vemos unos cuantos usuarios y su respectiva contraseña en hash. Antes de empezar a hacer fuerza bruta vamos a leer el /etc/passwd para ver que usuarios existen:

aidor@7fa1aaff0355:/home$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
aidor:x:1000:1000:aidor,,,:/home/aidor:/bin/bash
sshd:x:995:65534:sshd user:/run/sshd:/usr/sbin/nologin

No vemos ningún usuario que coincida en la base de datos. Vamos a leer el app.py :

app.py

from flask import Flask, render_template, request, redirect, url_for, session, flash
import sqlite3
import hashlib
import os

app = Flask(__name__)
app.secret_key = 'my_secret_key'

# Ruta para conectar a la base de datos
def get_db():
    conn = sqlite3.connect('database.db')
    return conn

# Crear la base de datos y la tabla si no existen
def create_db():
    if not os.path.exists('database.db'):
        conn = get_db()
        cursor = conn.cursor()
        # Crear la tabla de usuarios si no existe
        cursor.execute('''
        CREATE TABLE IF NOT EXISTS users (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            username TEXT NOT NULL UNIQUE,
            password TEXT NOT NULL,
            email TEXT NOT NULL
        )
        ''')
        # Insertar un usuario de ejemplo si la tabla está vacía
        cursor.execute('SELECT COUNT(*) FROM users')
        count = cursor.fetchone()[0]
        # if count == 0:
        #     cursor.execute('''
        #     INSERT INTO users (username, password, email) VALUES
        #     ('root', 'aa87ddc5b4c24406d26ddad771ef44b0', 'admin@example.com')
        #     ''')  # La contraseña "admin" es hash SHA-256
        conn.commit()
        conn.close()

@app.route('/', methods=['GET', 'POST'])
def index():
    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']

        # Hash de la contraseña
        hashed_password = hashlib.sha256(password.encode()).hexdigest()

        conn = get_db()
        cursor = conn.cursor()
        cursor.execute('SELECT * FROM users WHERE username=? AND password=?', (username, hashed_password))
        user = cursor.fetchone()
        conn.close()

        if user:
            session['user_id'] = user[0]  # Guardar el ID del usuario en la sesión
            # Redirigir al dashboard con el ID en la URL
            return redirect(url_for('dashboard', id=user[0]))
        else:
            return 'Usuario o contraseña incorrectos', 401

    return render_template('index.html')

# Página de registro
@app.route('/register', methods=['GET', 'POST'])
def register():
    if request.method == 'POST':
        username = request.form['username']
        email = request.form['email']
        password = request.form['password']

        # Hash de la contraseña
        hashed_password = hashlib.sha256(password.encode()).hexdigest()

        conn = get_db()
        cursor = conn.cursor()
        # Verificar si el usuario ya existe
        cursor.execute('SELECT * FROM users WHERE username=?', (username,))
        existing_user = cursor.fetchone()
        if existing_user:
            return 'El usuario ya existe', 400

        # Insertar el nuevo usuario en la base de datos
        cursor.execute('''
        INSERT INTO users (username, password, email) VALUES (?, ?, ?)
        ''', (username, hashed_password, email))
        conn.commit()

        # Obtener el ID del usuario recién creado
        cursor.execute('SELECT id FROM users WHERE username=?', (username,))
        new_user = cursor.fetchone()
        conn.close()

        if new_user:
            session['user_id'] = new_user[0]
            return redirect(url_for('dashboard', id=new_user[0]))

    return render_template('register.html')

# Página de dashboard con parámetro id en la URL
@app.route('/dashboard')
def dashboard():
    # Obtener el ID de la URL o de la sesión
    user_id = request.args.get('id') or session.get('user_id')

    if not user_id:
        return redirect(url_for('index'))

    conn = get_db()
    cursor = conn.cursor()
    cursor.execute('SELECT * FROM users WHERE id=?', (user_id,))
    user = cursor.fetchone()
    conn.close()

    if not user:
        return redirect(url_for('index'))

    # Actualizar la sesión con el ID del usuario
    session['user_id'] = user[0]

    return render_template('dashboard.html', user=user)

# Ruta para cambiar contraseña
@app.route('/change_password', methods=['POST'])
def change_password():
    if 'user_id' not in session:
        return redirect(url_for('index'))
    
    user_id = session['user_id']
    new_password = request.form['new_password']
    
    # Hash de la nueva contraseña
    hashed_password = hashlib.sha256(new_password.encode()).hexdigest()
    
    conn = get_db()
    cursor = conn.cursor()
    cursor.execute('UPDATE users SET password=? WHERE id=?', (hashed_password, user_id))
    conn.commit()
    conn.close()
    
    return redirect(url_for('dashboard', id=user_id))

# Ruta de logout
@app.route('/logout')
def logout():
    session.pop('user_id', None)
    return redirect(url_for('index'))

if __name__ == '__main__':
    create_db()  # Llamamos a la función para crear la base de datos al iniciar la app
    app.run(debug=True, host='0.0.0.0', port=5000)  # Especificamos el puerto 5000

Destaca esta línea:

        # if count == 0:
        #     cursor.execute('''
        #     INSERT INTO users (username, password, email) VALUES
        #     ('root', 'aa87ddc5b4c24406d26ddad771ef44b0', 'admin@example.com')
        #     ''')  # La contraseña "admin" es hash SHA-256

Vamos a crackearla:

aidor@7fa1aaff0355:/home$ su 
Password: 
root@7fa1aaff0355:/home# whoami
root

AnteriorEjotapete SiguienteTryHackMe

Última actualización hace 2 meses

hashtagEnumeration

hashtagShell as aidor

hashtagShell as root

Enumeration

Shell as aidor

Shell as root