Nmap scan report for 192.168.1.6
Host is up (0.00022s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
53/tcp open domain (unknown banner: not currently available)
| dns-nsid:
|_ bind.version: not currently available
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
65222/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| 2048 f7:ea:48:1a:a3:46:0b:bd:ac:47:73:e8:78:25:af:42 (RSA)
| 256 2e:41:ca:86:1c:73:ca:de:ed:b8:74:af:d2:06:5c:68 (ECDSA)
|_ 256 33:6e:a2:58:1c:5e:37:e1:98:8c:44:b1:1c:36:6d:75 (ED25519)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
MAC Address: 08:00:27:0D:8F:62 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.75 seconds
Fuzzing for directories didn't return anything interesting for us other than robots.txt.
In robots.txt we find a domain name, and since port 53 is open we can use that name to check for a zone transfer.
DNS Zone Transfer
Through the TXT records we find a directory named /fhcrefrperg. But this wasn't a directory name as such: it was encoded with a cipher, so I headed to CyberChef and checked whether it was ROT13, which was correct.
But this key was protected with a passphrase.
Using ssh2john we got a hash from the id_rsa key; now let's crack it with John the Ripper.
And boom, we are in!!!
Look for any SUID binaries on the machine.
I found an article about exploiting systemctl when it has the SUID bit set or can be run with sudo.
Now we can exploit systemctl by creating a service and running it with systemctl.
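As an added example (not part of the original writeup), here is a small POSIX shell audit that finds SUID binaries under a directory tree and flags names such as systemctl that are a known local privilege-escalation risk when SUID root; the RISKY_NAMES list and the sample paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit a directory tree for
# SUID binaries and flag names (such as systemctl) that let a local user run
# commands as root when SUID or sudo-able. RISKY_NAMES is an illustrative
# assumption, not a complete list of dangerous SUID binaries.

RISKY_NAMES="systemctl"

# list_suid DIR: print every regular file under DIR with the SUID bit set.
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# is_risky PATH: succeed (exit 0) if the basename is one of RISKY_NAMES.
is_risky() {
    name=$(basename "$1")
    for r in $RISKY_NAMES; do
        [ "$name" = "$r" ] && return 0
    done
    return 1
}

# audit_suid DIR: print one line per SUID file, prefixed RISK or ok,
# with the remediation (drop the SUID bit) shown for risky entries.
audit_suid() {
    list_suid "$1" | while IFS= read -r f; do
        if is_risky "$f"; then
            printf 'RISK %s (remediate: chmod u-s %s)\n' "$f" "$f"
        else
            printf 'ok   %s\n' "$f"
        fi
    done
}

# count_risky DIR: print how many flagged SUID files exist under DIR
# ("|| true" keeps grep -c's exit status 1 on zero matches from aborting).
count_risky() {
    audit_suid "$1" | grep -c '^RISK' || true
}

# Usage (run as root for full coverage of the filesystem):
# audit_suid /
```

On the box in the writeup, a RISK line for systemctl is the finding to remediate by removing the SUID bit or restricting the sudo rule.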