Muzec's Cyber Security Blog

Hack. Sleep. Repeat

View on GitHub

Enumeration With Nmap

We always start with an nmap scan…..

Nmap -sC -sV -oA nmap <Target-IP>

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/noob]
└─$ nmap -sC -sV -p- -oA nmap  172.16.139.238 
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-22 12:00 WAT
Nmap scan report for 172.16.139.238
Host is up (0.00016s latency).
Not shown: 65533 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 66:6a:8e:22:cd:dd:75:52:a6:0a:46:06:bc:df:53:0f (RSA)
|   256 c2:48:46:33:d4:fa:c0:e7:df:de:54:71:58:89:36:e8 (ECDSA)
|_  256 5e:50:90:71:08:5a:88:62:7e:81:07:c3:9a:c1:c1:c6 (ED25519)
65530/tcp open  http    Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.29 seconds

We have two open ports ssh and HTTP running on 65530 let confirm it.

image

404 page not found interesting let burst for directory.

┌──(muzec㉿Muzec-Security)-[~/Documents/HackMyVm/noob]                                                                                                                 
└─$ gobuster dir -u http://172.16.139.238:65530/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,phtml,html,txt 

image

We found a single directory let access it.

image

Interesting and cool between we all love access to .ssh folder lol with some juicy ssh private key.

image

First the public key to check for the user.

image

We have username now time to get the private key.

image

Now let hit SSH.

image

We are in let get root.

Privilege Escalation

image

Check for SUID and sudo -l we go nothing let try to check process that is running like man i got nothing also running linpeas.sh but my thinking was is it possible the nt4share is being running by root?? let give it a try creating a symbolic link with the root folder.

image

Created and listing directories.

image

Accessing the nt4share again.

image

Boom we have access to the root folder now let get the ssh private key.

image

Hitting SSH.

image

We are root and done.

Greeting From Muzec



Back To Home