Netdiscover
Rustscan
rustscan -a 192.168.1.9 -- -A -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. Open 192.168.1.9:80
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 64 Apache httpd 2.2.22 ((Debian))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/textpattern/textpattern
|_http-server-header: Apache/2.2.22 (Debian)
|_http-title: driftingblues
PORT 80 (HTTP)
Seeing robots.txt
So we will be fuzzing for files with .zip extension
We found the zip archive but downloading and opening it this will ask for a so we need to crack the password. I will be using frackzip.
We got the password now to enter the cracked password
Now login with these creds to textpattern
We have the ability to upload a file , I uploaded a phpbash to execute that file go to “/textpattern/files/phpbash.php”
Now we have a shell we could either use this or start a reverse shell
Seeing the kernel version we can search for this exploit
There’s an exploit for this kernel
Compile and execute the exploit it will ask for the password for a username we will input the password and it create a user firefart ,it will replace /etc/passwd file having the UID and GID set to 0 and home directory as /root so basically we will be root after running this exploit
We are root
