- We used
sudo netdiscover -r 192.168.161.0/24
with our IP to find the VMware IP.
- We use
nmap -T4 -p- -A 192.168.161.130
to find all info about the system.
- 80/443: default webpage found with Apache server running.
- Found that
mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
- We can use three tools for directory busting:
- gobuster
- dirb
- dirbuster
- Found usage subdirectory which disclosed the following info: Generated by Webalizer Version 2.01
- Using masscan to find ports:
sudo masscan -p1-65535 192.168.161.130 --rate 1000
then we can do
This method is faster.
- SMB version found using Metasploit: Unix (Samba 2.2.1a)
- Then use smbclient to gain access to SMB (can potentially contain valuable data), which led to the following:
smbclient \\\\192.168.161.130\\IPC$
- Access Denied
smbclient \\\\192.168.161.130\\ADMIN$
- Requires password
THIS PATH IS A DEADEND
POTENTIALLY OPEN TO trans2open exploit https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/linux/samba/trans2open
- We try to make a connection using:
ssh 192.168.161.130 -oKexAlgorithms=+diffie-hellman-group1-sha1 -oHostKeyAlgorithms=+ssh-dss -c aes128-cbc
The output:
DSA key fingerprint is SHA256:lEaf2l45SOoTn6qFh/EObfveZjbgCPuTHIXBFtD9mY8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.161.130' (DSA) to the list of known hosts.
[email protected]'s password
We do this to check for exposed banners (which could reveal the SSH version, the vendor, etc.).
mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell.
This is the one we are targeting (80/443). Found exploit: https://github.com/heltonWernik/OpenLuck
- We chose smb to exploit (trans2open using metasploit)
- Using OpenFuck to manually exploit:
- We got shell access with root privileges.
- Undetected malicious activity
We got root access and can access the passwd file.
Note: the passwd file no longer directly holds the passwords; instead the password hashes are stored in the shadow file:
/etc/shadow
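As an added example (not part of the original notes), the following script shows why the passwd/shadow split matters from a defender's side: it parses constructed passwd and shadow entries, names the crypt(3) scheme of each password field, and flags hashes left in the world-readable passwd file, extra uid 0 accounts, empty password fields and weak (DES/MD5) hashes. All sample lines are constructed; none were taken from a real host.

```python
import re

# Constructed sample data for this example; nothing below came from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second uid 0 account:/root:/bin/bash
legacy:$1$abc$XYZ:1001:1001::/home/legacy:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
"""
SHADOW = """\
root:$6$salt$hashvalue:18000:0:99999:7:::
legacy:!:18000:0:99999:7:::
guest::18000:0:99999:7:::
olduser:ab3Gz9kLmNqRs:18000:0:99999:7:::
"""

# $id$ prefixes used by crypt(3); a hash with no prefix is traditional DES crypt.
HASH_IDS = {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "5": "sha256",
            "6": "sha512", "7": "scrypt", "y": "yescrypt"}
WEAK = {"des", "md5"}


def classify_hash(field):
    """Name the scheme of a passwd/shadow password field."""
    if field == "":
        return "empty"
    if field == "x":
        return "shadowed"            # the real hash lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return HASH_IDS.get(m.group(1), "unknown")
    return "des"


def audit(passwd_text, shadow_text):
    """Return (user, finding) pairs a defender would want to review."""
    findings = []
    for line in passwd_text.splitlines():
        user, pw_field, uid, _gid, _gecos, _home, _shell = line.split(":")
        kind = classify_hash(pw_field)
        if kind not in ("shadowed", "locked"):
            findings.append((user, f"password hash in world-readable passwd ({kind})"))
        if int(uid) == 0 and user != "root":
            findings.append((user, "extra uid 0 account"))
    for line in shadow_text.splitlines():
        user, pw_field = line.split(":")[:2]
        kind = classify_hash(pw_field)
        if kind == "empty":
            findings.append((user, "empty password field"))
        elif kind in WEAK:
            findings.append((user, f"weak hash ({kind})"))
    return findings
```

Running `audit(PASSWD, SHADOW)` on the constructed data reports the toor account, the MD5 hash left in passwd, the empty guest password and the DES hash for olduser.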