Source

Reconnaissance

Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)

nmap -Pn 10.10.184.138

Detailed Nmap Scan :

Command Breakdown:

(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,10000
(-oN nmap): Saving it into a file called nmap

nmap -sV -sC -p 22,10000 -oN nmap 10.10.184.138

Enumeration

Lets visit the site on port 10000

Looks like we should go to https//<ip>, lets do that

Lets go to Advanced and hit Accept Risk and Continue

We have a login page. We do not have credentials so lets go to searchsploit and look for exploits on the application and the specific version we see in the nmap scan. I searched for it on searchsploit and got nothing back

So I went to Google and looked for exploit and found this. Its a python script , lets copy it to our machine and call is exploit.py

They show how to use it as well, so lets go ahead and use it.

In the end they give us the option of sending a command, we sent id and it worked, lets read the user flag and the root flag.

We have both the flags.

PreviousMadness NextThompson

Last updated 3 years ago