Rustscan
rustscan -a 10.10.215.65 -- -A -sC -sV

.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.215.65:22
Open 10.10.215.65:8001
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8a:bf:6b:1e:93:71:7c:99:04:59:d3:8d:81:04:af:46 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCicax/djwvuiP5H2ET5UJCYL3Kp7ukHPJ0YWsSBUc6o8O/wwzOkz82yJRrZAff40NmLEpbvf0Sxw2JhrtoxDmdj+FSHpV/xDUG/nRE0FU10wDB75fYP4VFKR8QbzwDu6fxkgkZ3SAWZ9R1MgjN3B49hywgwqMRNtw+z2r2rXeF56y1FFKotBtK1wA223dJ8BLE+lRkAZd4nOr5HFMwrO+kWgYzfYJgSQ+5LEH4E/X7vWGqjdBIHSoYOUvzGJJmCum2/MOQPoDw5B85Naw/aMQqsv7WM1mnTA34Z2eTO23HCKku5+Snf5amqVwHv8AfOFub0SS7AVfbIyP9fwv1psbP
| 256 40:fd:0c:fc:0b:a8:f5:2d:b1:2e:34:81:e5:c7:a5:91 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBENyLKEyFWN1XPyR2L1nyEK5QiqJAZTV2ntHTCZqMtXKkjsDM5H7KPJ5EcYg5Rp1zPzaDZxBmPP0pDF1Rhko7sw=
| 256 7b:39:97:f0:6c:8a:ba:38:5f:48:7b:cc:da:72:a8:44 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJmb0JdTeq8kjq+30Ztv/xe3wY49Jhc60LHfPd5yGiRx
8001/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: En-Pass
So we have 2 ports open: 8001 (HTTP) and 22 (SSH).
PORT 8001 (HTTP)
At the bottom of the page we see an encoded string, which is ROT13.
There is another encoded string as well.
This again leads us nowhere, so I decided to fuzz for directories.
Running feroxbuster, I found that /web has more directories and files in it.
We found /reg.php, which has an input field where we can type and submit. Trying for RCE by submitting id just came back as incorrect.
Looking at the source, it's running a PHP script that checks the input. Here !preg_match('/[a-zA-Z2-9]/i' rejects any input containing uppercase or lowercase letters or digits, and explode splits the string into substrings on ",".
Then the for loop runs 8 times, and the script checks that the value at index 0 has a length of 2 and that the last value, at index 8 (counting from 0), has a length of 3. It further checks that the values at index 5 and index 8 are not equal, and similarly for the values at index 3 and index 7.
So this means we can only use special characters, for example:
@@,$,$,*,$,!,$,!,@@@
This passes the checks because the value at index 0 (@@) has length 2, the value at index 8 (@@@) has length 3, the value at index 5 (!) is not the same as the value at index 8 (@@@), and the value at index 3 (*) is not the same as the value at index 7 (!).
It's not necessary that this is the exact string;
$$,!,&,!,^,^,^,*,%%%
passes the checks as well.
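To see why both strings above get through, here is a small re-implementation of the checks as the writeup describes them. This is an added example written for this page, not the box's reg.php source; it assumes the loop reads fields 0 through 8 (so at least nine comma-separated fields are needed) and that the alphanumeric filter runs before the split, which is how the description reads.

```python
import re

# Mirrors the described !preg_match('/[a-zA-Z0-9]/i') filter (assumption: this
# is a reconstruction of the described logic, not the box's actual PHP code).
ALNUM = re.compile(r"[a-zA-Z0-9]", re.IGNORECASE)


def passes_checks(value: str) -> bool:
    """Return True if `value` would get past every check described in the writeup."""
    # 1. Any letter or digit anywhere in the input is rejected outright.
    if ALNUM.search(value):
        return False
    # 2. explode(",", ...): split into fields on commas.
    fields = value.split(",")
    # Indices 0..8 are read, so fewer than nine fields can never pass.
    if len(fields) < 9:
        return False
    # 3. Length constraints on the first field and the field at index 8.
    if len(fields[0]) != 2 or len(fields[8]) != 3:
        return False
    # 4. Inequality constraints between index 5/8 and index 3/7.
    if fields[5] == fields[8] or fields[3] == fields[7]:
        return False
    return True


def explain(value: str) -> dict:
    """Break a candidate down so you can see which rule trips for it."""
    fields = value.split(",")
    return {
        "has_alnum": bool(ALNUM.search(value)),
        "field_count": len(fields),
        "len0": len(fields[0]),
        "len8": len(fields[8]) if len(fields) > 8 else None,
        "f5_ne_f8": (fields[5] != fields[8]) if len(fields) > 8 else None,
        "f3_ne_f7": (fields[3] != fields[7]) if len(fields) > 7 else None,
        "passes": passes_checks(value),
    }


if __name__ == "__main__":
    # The two strings from the writeup, plus two constructed failures:
    # a plain command (alphanumeric) and a string whose index 3 equals index 7.
    for candidate in [
        "@@,$,$,*,$,!,$,!,@@@",
        "$$,!,&,!,^,^,^,*,%%%",
        "id",
        "@@,$,$,*,$,!,$,*,@@@",
    ]:
        print(f"{candidate!r:28} -> {explain(candidate)}")
```

Running it shows that the alphanumeric filter is what kills the id attempt, while the two all-symbol strings satisfy every positional rule.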
On entering the string
While feroxbuster was running in the background, it turned up directories up to configure.
I ran dirsearch again and finally found a file.
It's better to run other tools as well, because gobuster was failing for me and feroxbuster didn't find the key file.
But I don't know the username, so I can't really SSH into the machine.
These archives had the same files, and some had a recursive archive with the content sadman.
So we have the key, which is the passphrase for id_rsa, and we also have the SSH private key, so let's see if we can log in.
And this gives us an error; maybe sandman isn't the correct username. Looking at the hint, we see that it's saying something about bypassing.
We know that there is a 403.php page that gives us a 403 status code, which is the Forbidden client error.
So I googled for bypass scripts and found this, and thought about trying it to see if it leads us somewhere.
I don't think this worked.
Then I used another script from GitHub: https://github.com/intrudir/403fuzzer
You can see the status code is 200, but here focus on the response length for the 200 status code, as this is the home page (/).
Here we see a change in length for a 200 response, which is 917,
so let's try using this as our URL.
And bingo, we got the username, so now let's SSH into the box.
Transfer pspy64 to the machine.
A cronjob for the root user is running that first changes the ownership of file.yml, then runs the Python script and removes file.yml. There is also a YAML de-serialization vulnerability in that script, so we can make a payload for setting SUID on /bin/bash.
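The root cause here is the classic PyYAML pattern of loading an untrusted file with a loader that resolves !!python/ tags into live objects. As an added example from the defender's side (written for this page, not the box's script), the block below does two things: it flags YAML text that carries a !!python/ tag before a job like this cron task would load it, and it scans Python source for yaml.load() calls made without SafeLoader. Both sample documents and both sample scripts are constructed; the tag in the sample points at the harmless os.getcwd so the file is safe to keep around. The actual fix in the script is yaml.safe_load(), which refuses such tags outright.

```python
import re

# PyYAML's full/unsafe loaders turn anything under the !!python/ namespace into
# Python objects or function calls; the core tags (!!str, !!int, !!map, ...) are fine.
UNSAFE_TAG = re.compile(r"!!python/\S+")

# yaml.load( without SafeLoader in the same call; yaml.safe_load( does not match.
LOAD_CALL = re.compile(r"yaml\.load\((?![^)]*SafeLoader)")

# Constructed sample: an ordinary config file.
BENIGN_YAML = """\
name: enpass
interval: 30
hosts:
  - 10.10.215.65
"""

# Constructed sample: same config, but carrying a python tag (harmless callable).
TAGGED_YAML = """\
name: enpass
hook: !!python/object/apply:os.getcwd []
"""

# Constructed sample of the vulnerable pattern: no Loader argument at all.
VULNERABLE_SCRIPT = """\
import yaml
with open("file.yml") as f:
    data = yaml.load(f)
"""

# Constructed sample of the hardened pattern.
HARDENED_SCRIPT = """\
import yaml
with open("file.yml") as f:
    data = yaml.safe_load(f)
"""


def find_unsafe_tags(text: str) -> list:
    """Return (line_number, tag) for every !!python/ tag in a YAML document."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in UNSAFE_TAG.finditer(line):
            hits.append((lineno, m.group(0)))
    return hits


def is_safe_to_load(text: str) -> bool:
    """True when the document carries no !!python/ tags."""
    return not find_unsafe_tags(text)


def find_unsafe_load_calls(source: str) -> list:
    """Return line numbers where yaml.load() is called without SafeLoader."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), start=1)
        if LOAD_CALL.search(line)
    ]


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_YAML), ("tagged", TAGGED_YAML)]:
        print(f"{label}: safe={is_safe_to_load(doc)} tags={find_unsafe_tags(doc)}")
    for label, src in [("vulnerable", VULNERABLE_SCRIPT), ("hardened", HARDENED_SCRIPT)]:
        print(f"{label}: unsafe yaml.load() on lines {find_unsafe_load_calls(src)}")
```

The tag scan is only a pre-check for files you do not control; a root cron job that chowns a user-writable file and then parses it with an unsafe loader stays exploitable until the loader call itself is changed, which is what the source scan is for.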
We can grab the root flag!!