Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Enumeration With Nmap

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/hommie]
└─$ nmap -sC -sV -p- -oA nmap 172.16.139.240 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 13:05 WAT
Nmap scan report for 172.16.139.240
Host is up (0.00021s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0               0 Sep 30  2020 index.html
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:172.16.139.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 c6:27:ab:53:ab:b9:c0:20:37:36:52:a9:60:d3:53:fc (RSA)
|   256 48:3b:28:1f:9a:23:da:71:f6:05:0b:a5:a6:c8:b7:b0 (ECDSA)
|_  256 b3:2e:7c:ff:62:2d:53:dd:63:97:d4:47:72:c8:4e:30 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.27 seconds

Boom we have three open ports ftp,ssh and http seems we have anonymous access to ftp let try it.

image

But it lead to a rabbit hole let brute force directory.

image

Nothing also just a empty private key so i go back to scan for UDP ports.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/hommie]
└─$ sudo nmap -sU -sV -p1-100 172.16.139.240
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 13:11 WAT
Stats: 0:01:04 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 75.40% done; ETC: 13:12 (0:00:21 remaining)
Stats: 0:02:35 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:02:40 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 172.16.139.240
Host is up (0.00041s latency).
Not shown: 98 closed ports
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 08:00:27:53:9D:C2 (Oracle VirtualBox virtual NIC)

Interesting we have the tftp port open let try to get the id_rsa key on it.

image

we know the username is alexia let hit SSH.

image

Privilege Escalation

image

Command to check for SUID:- find / -perm -u=s -type f 2>/dev/null .

We have /opt/showMetheKey so i decided to strings it to see what the SUID is doing.

image

We know anything we run the SUID binary it check the home directory path and check for the id_rsa private key.

image

Now let abuse it.

image

image

We are root.

Second Method To Root

Exporting PATH to root.

image

Now let run the SUID binary again.

image

Now SSH with private key.

image

we are root but the root flag is missing.

image

image

We are root and done.

Greeting From Muzec



Back To Home