Enumeration With Nmap
We always start with an nmap scan.
nmap -sC -sV -oA nmap <Target-IP>
┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/hommie]
└─$ nmap -sC -sV -p- -oA nmap 172.16.139.240
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 13:05 WAT
Nmap scan report for 172.16.139.240
Host is up (0.00021s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 0        0               0 Sep 30  2020 index.html
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:172.16.139.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 c6:27:ab:53:ab:b9:c0:20:37:36:52:a9:60:d3:53:fc (RSA)
|   256 48:3b:28:1f:9a:23:da:71:f6:05:0b:a5:a6:c8:b7:b0 (ECDSA)
|_  256 b3:2e:7c:ff:62:2d:53:dd:63:97:d4:47:72:c8:4e:30 (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.27 seconds
Boom, we have three open ports: ftp, ssh and http. It seems we have anonymous access to ftp, so let's try it.
But it led to a rabbit hole, so let's brute-force directories.
Nothing there either, just an empty private key, so I went back to scan for UDP ports.
┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/hommie]
└─$ sudo nmap -sU -sV -p1-100 172.16.139.240
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 13:11 WAT
Stats: 0:01:04 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 75.40% done; ETC: 13:12 (0:00:21 remaining)
Stats: 0:02:35 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:02:40 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Nmap scan report for 172.16.139.240
Host is up (0.00041s latency).
Not shown: 98 closed ports
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc
69/udp open|filtered tftp
MAC Address: 08:00:27:53:9D:C2 (Oracle VirtualBox virtual NIC)
Interesting, we have the tftp port open; let's try to get the id_rsa key from it.
We know the username is alexia, so let's hit SSH.
Command to check for SUID binaries:
find / -perm -u=s -type f 2>/dev/null
/opt/showMetheKey stood out, so I ran strings on it to see what the SUID binary is doing.
Whenever we run the SUID binary, it checks the home directory path and looks for the id_rsa private key there.
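As an added example (my own code, not the challenge binary's), here is how a set-uid helper should resolve the caller's home directory so that a caller-controlled $HOME cannot redirect it: derive the directory from the real uid via the password database and reject any path that is not absolute or contains "..". The function names and the sample home /home/alexia are assumptions.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Writes the invoking user's home directory into `out`, ignoring $HOME.
   A set-uid binary that trusts getenv("HOME") lets whoever runs it choose
   the directory; the real uid (getuid, not geteuid) still identifies the
   caller, so we look that up in the password database instead.
   Returns 0 on success, -1 if the uid has no entry or the path does not fit. */
int real_user_home(char *out, size_t len) {
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL || pw->pw_dir == NULL) return -1;
    if (strlen(pw->pw_dir) >= len) return -1;
    strcpy(out, pw->pw_dir);
    return 0;
}

/* Builds "<home>/.ssh/id_rsa" into `out`. Rejects a non-absolute home or
   one containing a ".." component, so even a hostile home value cannot
   walk the lookup outside the user's own tree. Returns 0 on success. */
int build_key_path(const char *home, char *out, size_t len) {
    if (home == NULL || home[0] != '/') return -1;
    if (strstr(home, "/../") != NULL) return -1;
    size_t n = strlen(home);
    if (n >= 3 && strcmp(home + n - 3, "/..") == 0) return -1;
    if (snprintf(out, len, "%s/.ssh/id_rsa", home) >= (int)len) return -1;
    return 0;
}

int main(void) {
    char home[4096], path[4096];
    /* Constructed hostile environment: should have no effect on the result. */
    setenv("HOME", "/tmp/constructed-fake-home", 1);
    if (real_user_home(home, sizeof home) != 0) return 1;
    if (build_key_path(home, path, sizeof path) != 0) return 1;
    /* The real fix is to open the key only after setuid(getuid()), or not
       to make the helper set-uid at all; the path checks limit the blast
       radius if privileges are still held at this point. */
    printf("key path: %s\n", path);
    return 0;
}
```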
Now let's abuse it.
We are root.
Second Method To Root
Exporting PATH to root.
Now let's run the SUID binary again.
Now SSH in with the private key.
We are root, but the root flag is missing.
We are root and done.
Greetings from Muzec