Netdiscover
NMAP
Nmap scan report for 192.168.1.96 [6/43]
Host is up (0.00024s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 0 0 0 Sep 30 09:39 index.html
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.8
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c6:27:ab:53:ab:b9:c0:20:37:36:52:a9:60:d3:53:fc (RSA)
| 256 48:3b:28:1f:9a:23:da:71:f6:05:0b:a5:a6:c8:b7:b0 (ECDSA)
|_ 256 b3:2e:7c:ff:62:2d:53:dd:63:97:d4:47:72:c8:4e:30 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:AD:86:5A (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.39 seconds
PORT 21 (FTP)
Now we have write permissions in the folder so let’s try to upload a random text file.I tried to upload an empty text file a.txt
and it got uploaded to ftp server.
So now we can upload a php reverse shell
Download the shell from here https://github.com/pentestmonkey/php-reverse-shell and edit the lhost and lport (optional).
But whenever I was trying to execute the php revershell it wasn’t executing.
PORT 80
At this point I had no idea what to do , I tried running gobuster
but it only returned the index.html and the files we were uploading so I again started to enumerate ports through nmap
I ran a udp scan on the machine specifying the flag -sU
and -p 1-100
for scanning the ports from 1 to 100 because udp scan takes a lot of time than tcp scan.So what we got was a dhcp and tftp service ruuning on udp. We can enumrate tftp which is trivial file transfer protocol and it's different than ftp.
We got connected to tftp because it doesn’t use any authentication also tftp has a only a few commands as comapred to ftp we can only get or put a file so I assumed id_rsa
must be here as it was hinted on the web page
Set the permissions on id_rsa
chmod 600
Going into /opt
directory we can see binary having a SUID
Running the binary gives us the ssh key for alexia
I ran strings on the binary and saw that it was printing the ssh key with cat
so here we can exploit PATH variable
root.txt isn’t in the root’s home directory so use the find
command to search for the flag : )