Enumeration With Nmap
We always start with an nmap scan.
nmap -sC -sV -oA nmap <Target-IP>
┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/noob]
└─$ nmap -sC -sV -p- -oA nmap 172.16.139.238
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 12:00 WAT
Nmap scan report for 172.16.139.238
Host is up (0.00016s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
|   256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
|_  256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
65530/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds
We have two open ports, SSH and HTTP running on 65530. Let's confirm it.
404 page not found. Interesting, let's brute-force for directories.
┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/noob]
└─$ gobuster dir -u http://172.16.139.238:65530/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,phtml,html,txt
We found a single directory, let's access it.
Interesting and cool. By the way, we all love access to a .ssh folder lol, with some juicy SSH private key.
First, the public key, to check for the user.
We have the username, now it's time to get the private key.
Now let's hit SSH.
We are in, let's get root.
sudo -l got us nothing, so let's try to check the processes that are running. Man, I got nothing, also after running linpeas.sh, but my thinking was: is it possible that nt4share is being run by root?? Let's give it a try by creating a symbolic link to the root folder.
Created and listing directories.
Boom, we have access to the root folder. Now let's get the SSH private key.
We are root and done.
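From the defender's side, the symlink step works because a file-sharing service that opens whatever a link resolves to reads with the privileges of the account it runs as. The Go example below is added here and is not code from nt4share or from the original write-up: it shows a path check a share server can apply before opening a file, and resolveInside, ErrEscapesRoot, demo and the temp-directory layout are hypothetical names and constructed data.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrEscapesRoot = errors.New("path resolves outside shared root")

// resolveInside returns the real path of name under root, or ErrEscapesRoot if a symlink leads out.
func resolveInside(root, name string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(realRoot, filepath.Clean("/"+name)) // leading "/" stops "../" climbing
	resolved, err := filepath.EvalSymlinks(candidate)              // follows every link in the path
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscapesRoot
	}
	return resolved, nil
}

// demo builds a constructed share (notes.txt plus "link" -> sibling dir) and checks both names.
func demo() (fileErr, linkErr error) {
	base, err := os.MkdirTemp("", "share-demo")
	if err != nil {
		return err, err
	}
	defer os.RemoveAll(base)
	share, private := filepath.Join(base, "share"), filepath.Join(base, "private")
	if err := errors.Join(os.Mkdir(share, 0o700), os.Mkdir(private, 0o700),
		os.WriteFile(filepath.Join(share, "notes.txt"), []byte("ok"), 0o600),
		os.Symlink(private, filepath.Join(share, "link"))); err != nil {
		return err, err
	}
	_, fileErr = resolveInside(share, "notes.txt")
	_, linkErr = resolveInside(share, "link")
	return fileErr, linkErr
}

func main() { fmt.Println(demo()) }
```

The check limits where links inside the share can lead; running the share service as an unprivileged account instead of root limits what any remaining escape can read.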
Greeting From Muzec