Machine IP →
Nmap scan →
nmap -A -Pn -p- -T4 -o nmap.txt 192.168.244.132
OS Detection →
OS: Linux; CPE: cpe:/o:linux:linux_kernel
|Port||Service||Other details (if any)|
|22||SSH||OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)|
|80||HTTP||Apache httpd 2.4.29 ((Ubuntu))|
GoBuster scan →
gobuster dir -u http://192.168.244.132 -f -w /home/tanq/installations/SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x html,php,txt
Directories/files listed →
- icons/ (403)
Robots txt file lists
Enum_this_Box as allowed.
mini.php is actually a shell interface with some limited options. This was used to read the local flag. This also had the functionality to upload files. This was used to upload the pentest monkey’s reverse shell code and get full shell.
Looked at the
/etc/passwd file, the users of importance are →
oracle. The user
oracle’s entry is →
oracle:$1$|O@GOeN\$PGb9VNu29e9s6dMNJKH/R0:1004:1004:,,,:/home/oracle:/bin/bash. Using John the Ripper to crack this gives the credentials
oracle:hiphop. This did not work for ssh though.
hydra to brute-force other users by using →
hydra -l karla -P /home/tanq/installations/SecLists/rockyou.txt ssh://192.168.225.132. Ran linenum script for more enumeration, however, nothing useful was discovered. Tried user:user form of credentials for all users, which gave a success for
goat:goat. This gives the user shell as user
sudo -l to enumerate privilege of the
goat user, they are allowed to run
/usr/bin/mysql as root without any password. MySQL has a functionality for spawning a shell. Executing
sudo /usr/bin/mysql gives the mysql shell and using
\! bash in the mysql shell spawns a bash shell as the user
root. This gives the root flag.