Katana - 192.168.168.83
nmap -sCV -A -p- 192.168.168.83 --min-rate=10000 -oA katanaportscan
PORT     STATE SERVICE        VERSION
21/tcp   open  ftp            vsftpd 3.0.3
22/tcp   open  ssh            OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 89:4f:3a:54:01:f8:dc:b6:6e:e0:78:fc:60:a6:de:35 (RSA)
|   256 dd:ac:cc:4e:43:81:6b:e3:2d:f3:12:a1:3e:4b:a3:22 (ECDSA)
|_  256 cc:e6:25:c0:c6:11:9f:88:f6:c4:26:1e:de:fa:e9:8b (ED25519)
80/tcp   open  http           Apache httpd 2.4.38 ((Debian))
|_http-title: Katana X
|_http-server-header: Apache/2.4.38 (Debian)
7080/tcp open  ssl/empowerid
| ssl-cert: Subject: commonName=katana/organizationName=webadmin/countryName=US
| Not valid before: 2020-05-11T13:57:36
|_Not valid after:  2022-05-11T13:57:36
| tls-alpn:
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_ssl-date: TLS randomness does not represent time
8088/tcp open  http           LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Katana X
8715/tcp open  http           nginx 1.14.2
|_http-title: 401 Authorization Required
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-server-header: nginx/1.14.2
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=10/19%OT=21%CT=1%CU=40003%PV=Y%DS=4%DC=I%G=Y%TM=671
OS:38442%P=x86_64-pc-linux-gnu)SEQ()SEQ(SP=104%GCD=1%ISR=102%TI=Z%CI=Z%II=I
OS:%TS=A)SEQ(SP=104%GCD=1%ISR=103%TI=Z%CI=Z%II=I%TS=A)SEQ(SP=FD%GCD=1%ISR=F
OS:D%TI=Z%TS=A)OPS(O1=M578ST11NW7%O2=M578ST11NW7%O3=M578NNT11NW7%O4=M578ST1
OS:1NW7%O5=M578ST11NW7%O6=M578ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=F
OS:E88%W6=FE88)ECN(R=N)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M578NNSNW7%CC=Y%Q=)T1(R=N
OS:)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T4(R=Y%DF=Y
OS:%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=
OS:AR%O=%RD=0%Q=)T6(R=N)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)
OS:U1(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)I
OS:E(R=N)IE(R=Y%DFI=N%T=40%CD=S)
Directory Bruteforcing
dirb http://192.168.168.83/
Task: Command
Basic scan: dirb http://example.com
Scan with wordlist: dirb http://example.com /usr/share/dirb/wordlists/common.txt
Ignore errors: dirb http://example.com -S
Use custom port: dirb http://example.com -p 8080
Gobuster Cheatsheet
Dir mode: to find directories and files
gobuster dir -u <url> -w <wordlist_file.txt> -x <file_extensions>
gobuster dir -u http://workers.htb -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,php3,html
vhost mode: check whether a subdomain (virtual host) exists by requesting the URL and verifying the IP address
Syntax:
gobuster vhost -v -w <wordlist.txt> -u <url> -o <output_file.txt>
gobuster vhost -v -w /home/username/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://workers.htb -o vhosts.txt
DNS mode: to find subdomains of a specific domain
gobuster dns -d <domain> -w <word_list.txt> -I
gobuster dns -d workers.htb -w /home/username/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -I
Dirb cheatsheet
dirb http://13.38.76.46:8080/ /usr/share/wordlists/dirb/common.txt
Dirsearch
$ git clone https://github.com/maurosoria/dirsearch.git
$ cd dirsearch/
python3 dirsearch.py -u <url> -e <file_extensions>
$ ./dirsearch.py -u http://10.10.248.154:3000 -w /opt/wordlists/directory-list-2.3-medium.txt -e php,html
This showed that ports 21 (ftp), 22 (ssh), 80 (http), 7080 (ssl/empowerid), 8088 (http), and 8715 (http) are open.
My next step was to run gobuster against the various web services. The first scan was against the site on port 80 using gobuster dir -u http://$IP/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -b 404 -x php,asp,js,txt,html, which blacklists 404 responses (-b 404) and appends the extensions php, asp, js, txt, and html to each wordlist entry. The results are shown below.
gobuster dir -u http://192.168.168.83/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -b 404 -x php,asp,js,txt,html
The second scan was against port 8088 using gobuster dir -u http://$IP:8088/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -b 404 -x php,asp,js,txt,html, which again blacklists 404 responses (-b 404) and appends the extensions php, asp, js, txt, and html. The results are shown below.
gobuster dir -u http://192.168.168.83:8088 -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -b 404 -x php,asp,js,txt,html
The third scan was against port 8715 using gobuster dir -u http://$IP:8715/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -b 404,401 -x php,asp,js,txt,html, which blacklists both 404 and 401 responses (-b 404,401) and appends the extensions php, asp, js, txt, and html. The scan would only run once 401 responses were excluded as well, since this port answers with HTTP basic auth. The results are shown below.
gobuster dir -u http://192.168.168.83:8715/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -b 404,401 -x php,asp,js,txt,html
Python stable shell (pty module)
python -c 'import pty; pty.spawn("/bin/bash")'
Fully Interactive TTY
stty raw -echo && fg
After local.txt, run sudo -l. If it prompts for a password, the current user has no sudo access.
getcap -r / 2>/dev/null --> use this when you need to check for binaries with file capabilities set
find / -user root -perm -4000 2>/dev/null
Since we don't have permission to read the /etc/shadow file and the user www-data@katana can't run sudo, we look for binaries with the SUID bit set:
find / -type f -perm -04000 -ls 2>/dev/null
https://www.hackingdream.net/2020/03/linux-privilege-escalation-techniques.html
GTFOBins - capabilities section, python entry
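The two checks above (SUID binaries and file capabilities) are the same ones a host owner should run as an audit. Below is an added example, not from the original notes, that parses the output of getcap -r / and find / -perm -4000 and reports anything outside a baseline; the baseline set, the list of dangerous capabilities, and the sample lines are constructed for illustration.

```python
#!/usr/bin/env python3
"""Audit SUID binaries and file capabilities against a known-good baseline.

Added example for the privilege-escalation checks in these notes. Feed it the
output of `find / -type f -perm -4000 2>/dev/null` and `getcap -r / 2>/dev/null`
from the host under review. The baseline and sample lines are constructed.
"""
import re

# Constructed baseline: SUID binaries expected on a stock Debian host.
SUID_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/newgrp", "/usr/lib/openssh/ssh-keysign",
}
# Capabilities that let a process change identity or bypass DAC; on an
# interpreter such as python they are effectively root.
DANGEROUS_CAPS = {"cap_setuid", "cap_setgid", "cap_dac_override",
                  "cap_dac_read_search", "cap_sys_admin"}

def parse_getcap(lines):
    """Parse `getcap -r /` output into {path: set(capability names)}.
    Handles both `/path = cap_x+ep` (older libcap) and `/path cap_x=ep`."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        path, _, rest = line.partition(" ")
        rest = rest.lstrip("= ").strip()
        # capability names come before the +ep / =ep flag part
        names = re.split(r"[+=]", rest, maxsplit=1)[0]
        result[path] = {c.strip() for c in names.split(",") if c.strip()}
    return result

def audit(suid_lines, getcap_lines, suid_baseline=SUID_BASELINE):
    """Return (kind, path, detail) findings for unexpected SUID files and
    binaries carrying a dangerous capability."""
    findings = []
    for path in (l.strip() for l in suid_lines):
        if path and path not in suid_baseline:
            findings.append(("suid", path, "not in baseline"))
    for path, caps in parse_getcap(getcap_lines).items():
        bad = sorted(caps & DANGEROUS_CAPS)
        if bad:
            findings.append(("cap", path, ",".join(bad)))
    return findings

# Constructed sample output, as if captured from a host.
SAMPLE_SUID = ["/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/mount", "/usr/local/bin/backup"]
SAMPLE_GETCAP = ["/usr/bin/ping = cap_net_raw+ep", "/usr/bin/python3.7 = cap_setuid+ep",
                 "/usr/bin/mtr-packet cap_net_raw=ep"]

if __name__ == "__main__":
    for kind, path, detail in audit(SAMPLE_SUID, SAMPLE_GETCAP):
        print(f"[{kind}] {path}: {detail}")
```

Run it periodically (or from a config-management check) and treat any new finding as a change to investigate, since a stray SUID helper or a cap_setuid on an interpreter is exactly what the enumeration commands above are looking for.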
