CTF Resurrection

Write-up: Pentestin4Ever workshop, Sh3llCon 2020, machine Resurrection.
Thanks to Nacho and the Sh3llCon organizers

Index:

- Booting and configuring the target machine: Resurrection

1) Enumeration

2) Exploitation

3) Privilege escalation

achieved: root access

misc notes
References




Booting and configuring the target machine in VirtualBox

Note: I configure the network as a host-only adapter.

My VMs' network is 192.168.56.XX (this may differ on your machine; check with ip a | grep global)

em50l@jejo.es$ ip a |grep vbox
    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0


Then I run nmap -sn 192.168.56.1/24 (or nmap -sn 192.168.56.*) to see what comes up:

jejo@em50l:~$ nmap -sn 192.168.56.1/24 -T4
Nmap scan report for 192.168.56.107
Host is up (0.00089s latency).

In my case the machine's IP is 192.168.56.107



Another, less intrusive way (if we are on the same segment) is to use netdiscover.

kali@kali2020:~$ sudo netdiscover
root@kali:~# netdiscover -r 192.168.56.0/24
Currently scanning: Finished!   |   Screen View: Unique Hosts 
                                                                                                                        
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180 
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname 
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:00      1      60  Unknown vendor 
 192.168.56.101  08:00:27:79:6e:28      1      60  PCS Systemtechnik GmbH 
 192.168.56.107  08:00:27:9e:6e:e9      1      60  PCS Systemtechnik GmbH 

Here I see 3 IPs:

  • 192.168.56.1 the host,
  • 192.168.56.101 Kali Linux
  • 192.168.56.107 the target machine.



1) Enumeration




1.1.1) Port enumeration: nmap (simple)

kali@kali2020:~$ nmap -nT3 192.168.56.107
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 00:31 CEST
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

jejo@em50l:~$ nmap -n 192.168.56.107 -p 1-65000 -T3

Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-26 11:53 CET
Nmap scan report for 192.168.56.107
Host is up (0.0079s latency).
Not shown: 64995 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 3.65 seconds

Information obtained: ports 21, 22, 80, 445




1.1.2) Port enumeration, part 2 (nmap -sC option)

About 30 seconds

jejo@em50l:~$  nmap -nT3 192.168.56.107 -p 21,22,80,139,445 -sC

Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-26 12:01 CET
Nmap scan report for 192.168.56.107
Host is up (0.00039s latency).

PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
| ssh-hostkey: 
|   2048 e6:0e:5d:ec:a3:0f:09:1e:bc:a8:11:8f:f5:b7:02:ae (RSA)
|   256 bf:cb:b4:ee:b8:91:e8:25:04:00:94:b4:24:34:3f:d1 (ECDSA)
|_  256 57:4a:70:3c:e9:54:2b:61:16:bf:ea:34:c8:52:5b:7b (EdDSA)
80/tcp  open  http
| http-robots.txt: 2 disallowed entries 
|_/nibbleblog/ /secret.txt
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_clock-skew: mean: -15h25m24s, deviation: 0s, median: -15h25m24s
|_nbstat: NetBIOS name: UBUNTU-16, NetBIOS user: , NetBIOS MAC:  (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: ubuntu-16
|   NetBIOS computer name: UBUNTU-16\x00
|   Domain name: 04.3-server-amd64
|   FQDN: ubuntu-16.04.3-server-amd64
|_  System time: 2020-01-25T20:36:09+01:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-01-25 20:36:09
|_  start_date: 1600-12-31 23:45:16

Nmap done: 1 IP address (1 host up) scanned in 24.81 seconds


Information obtained:

  • 80 Apache2 Ubuntu http-robots.txt: 2 disallowed entries /nibbleblog/ /secret.txt

  • Samba Samba 4.3.11-Ubuntu OS: Windows 6.1 (Samba 4.3.11-Ubuntu) Computer name: ubuntu-16 NetBIOS computer name: UBUNTU-16\x00 Domain name: 04.3-server-amd64 FQDN: ubuntu-16.04.3-server-amd64

  • Computer name: ubuntu-16




Another way

kali@kali2020:~$ nmap 192.168.56.107 -p 21,22,80,139,445  --script=default
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-28 01:45 CEST
Nmap scan report for 192.168.56.107
Host is up (0.00069s latency).

PORT    STATE SERVICE
21/tcp  open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Sep 29  2019 cms
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.68.5
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp  open  ssh
| ssh-hostkey: 
|   2048 e6:0e:5d:ec:a3:0f:09:1e:bc:a8:11:8f:f5:b7:02:ae (RSA)
|   256 bf:cb:b4:ee:b8:91:e8:25:04:00:94:b4:24:34:3f:d1 (ECDSA)
|_  256 57:4a:70:3c:e9:54:2b:61:16:bf:ea:34:c8:52:5b:7b (ED25519)
80/tcp  open  http
| http-robots.txt: 2 disallowed entries 
|_/nibbleblog/ /secret.txt
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_clock-skew: mean: -39m59s, deviation: 1h09m16s, median: 0s
|_nbstat: NetBIOS name: UBUNTU-16, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: ubuntu-16
|   NetBIOS computer name: UBUNTU-16\x00
|   Domain name: 04.3-server-amd64
|   FQDN: ubuntu-16.04.3-server-amd64
|_  System time: 2020-04-28T01:45:14+02:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-04-27T23:45:14
|_  start_date: N/A

Nmap done: 1 IP address (1 host up) scanned in 29.30 seconds

Information obtained:

  • Anonymous FTP login allowed

  • http-robots.txt: 2 disallowed entries /nibbleblog/ /secret.txt

  • \\192.168.56.107\IPC$:
    account_used: guest
    Path: C:\tmp Anonymous access: READ/WRITE
    Current user access: READ/WRITE




1.2) Enumeration: vulnerabilities, part 1 (nmap -script *vuln*)

About 30 seconds

jejo@em50l:~$  nmap -n 192.168.56.107 -p 21,22,80,139,445 -script *vuln*

Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-26 12:11 CET
Nmap scan report for 192.168.56.107
Host is up (0.00041s latency).

PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          

Nmap done: 1 IP address (1 host up) scanned in 33.22 seconds



Information obtained:

  • regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service
    A DoS attack is of no use to us, so we move on.



1.3) Enumeration: services (nmap -script *enum*)

jejo@em50l:~$ nmap -n 192.168.56.107 -p 21,22,80,139,445 -script *enum*

Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-26 12:15 CET
Nmap scan report for 192.168.56.107
Host is up (0.00037s latency).

PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
| ssh2-enum-algos: 
|   kex_algorithms: (6)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group-exchange-sha256
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (5)
|       ssh-rsa
|       rsa-sha2-512
|       rsa-sha2-256
|       ecdsa-sha2-nistp256
|       ssh-ed25519
|   encryption_algorithms: (6)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       aes256-gcm@openssh.com
|   mac_algorithms: (10)
|       umac-64-etm@openssh.com
|       umac-128-etm@openssh.com
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-512-etm@openssh.com
|       hmac-sha1-etm@openssh.com
|       umac-64@openssh.com
|       umac-128@openssh.com
|       hmac-sha2-256
|       hmac-sha2-512
|       hmac-sha1
|   compression_algorithms: (2)
|       none
|_      zlib@openssh.com
80/tcp  open  http
| http-enum: 
|_  /robots.txt: Robots file
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_msrpc-enum: NT_STATUS_OBJECT_NAME_NOT_FOUND
| smb-enum-domains: 
|   Builtin
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|     Account lockout disabled
|   UBUNTU-16
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|_    Account lockout disabled
| smb-enum-sessions: 
|_  
| smb-enum-shares: 
|   account_used: guest
|   \\192.168.56.107\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (ubuntu-16 server (Samba, Ubuntu))
|     Users: 3
|     Max Users: 
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.56.107\print$: 
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users: 
|     Path: C:\var\lib\samba\printers
|     Anonymous access: 
|_    Current user access: 
| smb-mbenum: 
|   DFS Root
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Master Browser
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Print server
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Server
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Server service
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Unix server
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Windows NT/2000/XP/2003 server
|     UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)
|   Workstation
|_    UBUNTU-16  0.0  ubuntu-16 server (Samba, Ubuntu)

Nmap done: 1 IP address (1 host up) scanned in 33.07 seconds

Information obtained:

  • http://192.168.56.107/robots.txt: Robots file

  • Passwords: min length: 5;

  • \\192.168.56.107\IPC$:
    account_used: guest
    Path: C:\tmp
    Anonymous access: READ/WRITE
    Current user access: READ/WRITE
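The "Information obtained" lists for the -sC scan (1.1.2) and the *enum* scan (1.3) are written by hand from nmap's normal output. The script below is an added example (not part of the write-up) that does that triage automatically: it parses the report, collects open ports and the lines of each NSE script, and flags the findings a defender would fix first (anonymous FTP, SMB signing off, robots.txt hints, anonymously writable shares). SAMPLE_REPORT is constructed from the fields the scans above printed; the hardening hints in the messages (anonymous_enable, server signing) are standard vsftpd and Samba options, not something the write-up tested.

```python
# Added example (not from the write-up): triage nmap's normal-output report
# the way the "Information obtained" lists above do by hand. It collects the
# open ports and each NSE script's lines, then flags what a defender should
# fix first. SAMPLE_REPORT is constructed from the fields the scans above
# printed; 192.168.56.107 is the write-up's lab address.
import re

SAMPLE_REPORT = r"""Nmap scan report for 192.168.56.107
Host is up (0.00069s latency).

PORT    STATE SERVICE
21/tcp  open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Sep 29  2019 cms
22/tcp  open  ssh
| ssh-hostkey:
|_  2048 e6:0e:5d:ec:a3:0f:09:1e:bc:a8:11:8f:f5:b7:02:ae (RSA)
80/tcp  open  http
| http-robots.txt: 2 disallowed entries
|_/nibbleblog/ /secret.txt
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
| smb-enum-shares:
|   account_used: guest
|   \\192.168.56.107\IPC$:
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE

Nmap done: 1 IP address (1 host up) scanned in 29.30 seconds
"""

# "21/tcp  open  ftp"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "| ftp-anon: ..." or "|_http-title: ..." start a script; indented "|   x" lines continue it
SCRIPT_RE = re.compile(r"^\|(?:_| )([A-Za-z0-9][A-Za-z0-9._-]*): ?(.*)$")


def parse_report(text):
    """Return (ports, scripts): ports as (port, proto, state, service) tuples,
    scripts as {script name: [output lines]} with port and host scripts merged."""
    ports, scripts, current = [], {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            current = None
            continue
        if not line.startswith("|"):
            current = None          # blank line, "Host script results:", etc.
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current = m.group(1)
            scripts.setdefault(current, [])
            if m.group(2).strip():
                scripts[current].append(m.group(2).strip())
        elif current:
            scripts[current].append(line[2:].strip())  # drop "| " / "|_" and indent
    return ports, scripts


def triage(text):
    """Return [(severity, message)] for the findings worth acting on."""
    ports, scripts = parse_report(text)
    findings = [("info", "open ports: " + ", ".join(str(p) for p, _, st, _ in ports if st == "open"))]
    if any("Anonymous FTP login allowed" in l for l in scripts.get("ftp-anon", [])):
        findings.append(("high", "FTP allows anonymous login; set anonymous_enable=NO in vsftpd.conf"))
    if any("message_signing: disabled" in l for l in scripts.get("smb-security-mode", [])):
        findings.append(("medium", "SMB message signing disabled; set 'server signing = mandatory' in smb.conf"))
    paths = [p for l in scripts.get("http-robots.txt", []) for p in l.split() if p.startswith("/")]
    if paths:
        findings.append(("low", "robots.txt advertises paths: " + ", ".join(paths)))
    share = None
    for l in scripts.get("smb-enum-shares", []):
        if l.startswith("\\\\") and l.endswith(":"):
            share = l[:-1]          # "\\host\share:" header line
        elif share and l == "Anonymous access: READ/WRITE":
            findings.append(("high", "share %s is writable anonymously" % share))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_REPORT):
        print("[%s] %s" % (severity, message))
```

Run it against a saved report (nmap -oN report.txt ...) by reading the file into triage() instead of SAMPLE_REPORT; the script header regex relies on nmap's "| name:" / "|_name:" convention, so it works unchanged on the longer *enum* output above.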




1.3.1) Enumeration: FTP

manual mode: timeout 1 cat < /dev/tcp/192.168.56.107/21 or timeout 1 telnet 192.168.56.107 21

em50l@jejo.es$ timeout 5 telnet 192.168.56.107 21
Trying 192.168.56.107...
Connected to 192.168.56.107.
Escape character is '^]'.
220 (vsFTPd 3.0.3)


Using nmap: nmap 192.168.56.107 -sC -p 21

jejo@em50l:~$  nmap  192.168.56.107 -sC -p 21
Starting Nmap 7.60 ( https://nmap.org ) at 2020-01-26 12:36 CET
Nmap scan report for 192.168.56.107
Host is up (0.00073s latency).

PORT   STATE SERVICE
21/tcp open  ftp
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 0        0            4096 Sep 29 17:17 cms
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status

Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds

vsFTPd 3.0.3 and... !!! Anonymous FTP login allowed !!!


Right, so I connect to the FTP server as anonymous: mc ftp://192.168.56.104
I use mc (Midnight Commander) to browse faster.

  Izquierdo     Archivo     Utilidades     Opciones
┌<─ ftp://192.168.56.107/ ────────────────────────────.[^]>┐
│.n    Nombre                        │ Tamaño│ fecha Modifi│
│/..                                 │DIR-ANT│ 8 ene 21:58│
│/cms                                │   4096│29 sep 17:17│
│ .cmspass.bk                        │     57│29 sep 17:20│
└──────────────────────────────────────────────────────────┘

I see a file called .cmspass.bk

jejo@em50l:~$  curl ftp://192.168.56.107/.cmspass.bk


Recordatorio
YmlnYmFuZ3RoZW9yeTIwMTg=

Careful, the line breaks are misleading.
It looks like base64-encoded text. (You will learn to recognise it: upper and lower case letters, no spaces, ending in an equals sign.)
If you can't identify the encoding you can try your luck with: http://fbcs.bplaced.net/multi_encoder_decoder.html

Let's see what it hides: curl -s ftp://192.168.56.107/.cmspass.bk | base64 -d

jejo@em50l:~$ curl -s ftp://192.168.56.104/.cmspass.bk |base64 -d
bigbangtheory2018

Information obtained: bigbangtheory2018 looks like a password.
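The rule of thumb above (letters and digits, no spaces, '=' at the end) can be turned into a small scanner. The script below is an added example (not part of the write-up) that picks base64-looking tokens out of a recovered file and decodes only those that turn into readable text; it works token by token, so the stray blank lines that curl returned do not get in the way. SAMPLE_FILE is constructed from what curl returned for .cmspass.bk above.

```python
# Added example (not from the write-up): pick base64-looking tokens out of a
# recovered file and decode the ones that turn into readable text, using the
# rule of thumb given above (letters and digits, no spaces, '=' padding at
# the end, length a multiple of 4). SAMPLE_FILE is constructed from what
# curl returned for .cmspass.bk above.
import base64
import re
import string

SAMPLE_FILE = "\n\nRecordatorio\nYmlnYmFuZ3RoZW9yeTIwMTg=\n"

# a run of base64 alphabet characters (8+ to skip short words) plus optional padding
CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")
PRINTABLE = set(string.printable)


def looks_like_base64(token):
    """Structural check only: length a multiple of 4, '=' only as trailing padding."""
    return len(token) % 4 == 0 and "=" not in token.rstrip("=")


def decode_if_text(token):
    """Strictly decode token; return the text if it is printable UTF-8, else None."""
    try:
        raw = base64.b64decode(token, validate=True)   # validate=True rejects stray chars
    except ValueError:                                  # binascii.Error is a ValueError
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in PRINTABLE for c in text) else None


def find_encoded_strings(data):
    """Return [(token, decoded)] for every candidate that decodes to readable text.

    Working token by token means surrounding blank lines (the misleading line
    breaks mentioned above) do not matter. A plain word can pass the structural
    check ("Recordatorio" is 12 characters) but its decoded bytes are not valid
    text, so decode_if_text drops it.
    """
    results = []
    for m in CANDIDATE_RE.finditer(data):
        token = m.group(0)
        if looks_like_base64(token):
            decoded = decode_if_text(token)
            if decoded is not None:
                results.append((token, decoded))
    return results


if __name__ == "__main__":
    for token, decoded in find_encoded_strings(SAMPLE_FILE):
        print("%s -> %s" % (token, decoded))
```

The printable-text filter is what separates real base64 from ordinary words that happen to have a length divisible by 4; feed it any downloaded file (open(path).read()) and it returns just the tokens worth looking at.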




1.3.1) Possible exploits for vsFTPd: searchsploit vsFTPd

root@kali:~# searchsploit vsFTPd
------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                 |  Path
                                                                               | (/usr/share/exploitdb/)
------------------------------------------------------------------------------- ----------------------------------------
vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                 | exploits/linux/dos/5814.pl
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                 | exploits/windows/dos/31818.sh
vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                 | exploits/windows/dos/31819.pl
vsftpd 2.3.2 - Denial of Service                                               | exploits/linux/dos/16270.c
vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                         | exploits/unix/remote/17491.rb
------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

Nothing for vsFTPd 3.0.3




1.3.2) Enumeration: HTTP

manual mode: curl -kvs http://192.168.56.107 | grep server

jejo@em50l:~$  curl -kvs http://192.168.56.107 | grep server
* Connected to 192.168.56.107 (192.168.56.107) port 80 (#0)
> GET / HTTP/1.1
> Host: 192.168.56.107
> User-Agent: curl/7.64.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Wed, 25 Sep 2019 13:13:24 GMT

Information obtained: Apache/2.4.18 (Ubuntu)




1.3.2) Possible exploits for Apache/2.4.18 (Ubuntu)

searchsploit Apache2 2.4.1
https://duckduckgo.com/html/?q=exploit-db%20apache2%202.4

root@kali:~# searchsploit apache 2.4.1
-------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                  |  Path
                                                                                | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------- ----------------------------------------
Apache 2.4.17 - Denial of Service                                               | exploits/windows/dos/39037.php
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Esca | exploits/linux/local/46676.php
-------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result

It looks like something could be had here.
But since for now I can't place PHP files on the server, it's no use to me.
I'll have to try it later on.

:( no results :(







1.3.2) Enumeration: HTTP directory search



HTTP enumeration with dirb

root@kali:~# dirb http://192.168.56.107/

-----------------
DIRB v2.22    
By The Dark Raver
START_TIME: Sun Jan 26 07:32:40 2020
URL_BASE: http://192.168.56.107/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------

---- Scanning URL: http://192.168.56.107/ ----
+ http://192.168.56.107/index.html (CODE:200|SIZE:11321) 
+ http://192.168.56.107/robots.txt (CODE:200|SIZE:97)
+ http://192.168.56.107/server-status (CODE:403|SIZE:279)
                                                                                                                        
-----------------
END_TIME: Sun Jan 26 07:32:48 2020
DOWNLOADED: 4612 - FOUND: 3


Let's see what robots hides

jejo@em50l:~$  curl http://192.168.56.107/robots.txt
User-agent:*
Disallow:/nibbleblog/
Disallow:/secret.txt

At http://192.168.56.107/nibbleblog/ there seems to be a blog.


Let's see what secret hides

jejo@em50l:~$  curl http://192.168.56.107/secret.txt
Hey Carol! Acuerdate de revisar el blog y actualizarlo que sino sera demasiado facil!
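robots.txt is advisory: crawlers are asked to skip the listed paths, but anyone can read the file, so every Disallow entry is a pointer, which is exactly how /nibbleblog/ and /secret.txt turned up. The script below is an added example (not part of the write-up) of the check a site owner would run on their own server: parse the Disallow entries (accepting "Disallow:/x" without the usual space, as on this target) and report which of them the server actually serves, the same condition nikto flags as "returned a non-forbidden or redirect HTTP code" further down. SAMPLE_ROBOTS is the robots.txt retrieved above; the fetcher is pluggable so the audit can run offline against a stub, and http_status is a plain urllib HEAD request added here.

```python
# Added example (not from the write-up): audit what a site's robots.txt
# gives away. SAMPLE_ROBOTS is the file curl returned above; the base URL is
# the write-up's lab address. http_status is a helper added here, and
# audit_robots accepts any fetch(url) -> status callable so it can be run
# offline with a stub.
import urllib.error
import urllib.parse
import urllib.request

SAMPLE_ROBOTS = "User-agent:*\nDisallow:/nibbleblog/\nDisallow:/secret.txt\n"


def disallowed_paths(robots_text):
    """Return the Disallow paths in order, ignoring comments and empty entries."""
    paths = []
    for raw in robots_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, sep, value = line.partition(":")    # tolerates "Disallow:/x" (no space)
        if sep and key.strip().lower() == "disallow":
            value = value.strip()
            if value:                            # empty Disallow means "allow everything"
                paths.append(value)
    return paths


def http_status(url, timeout=5):
    """HEAD the url and return its HTTP status code, or None if unreachable.

    urllib follows redirects, so a 301/302 reports the final target's status."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:        # 403, 404, ... are still answers
        return err.code
    except urllib.error.URLError:                # host down, refused, timeout
        return None


def audit_robots(base_url, robots_text, fetch=http_status):
    """Return [(url, status, exposed)]; exposed is True when a hidden path is served (2xx)."""
    results = []
    for path in disallowed_paths(robots_text):
        url = urllib.parse.urljoin(base_url, path)
        status = fetch(url)
        exposed = status is not None and 200 <= status < 300
        results.append((url, status, exposed))
    return results


if __name__ == "__main__":
    # Against the lab VM this does real HEAD requests; offline it reports None.
    for url, status, exposed in audit_robots("http://192.168.56.107/", SAMPLE_ROBOTS):
        print("%-45s %s %s" % (url, status, "EXPOSED" if exposed else ""))
```

An entry that comes back 200 is content hidden only by convention; the fix is access control on the path (or not shipping the file at all), not a robots.txt line.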



I search for .txt .html .php .cgi ...

kali@kali2020:~$ dirb http://192.168.56.107  /usr/share/dirb/wordlists/big.txt -X .txt 
-----------------
DIRB v2.22    
By The Dark Raver
-----------------

EXTENSIONS_LIST: (.txt) | (.txt) [NUM = 1]
GENERATED WORDS: 20458                                                         

---- Scanning URL: http://192.168.68.134/ ----
+ http://192.168.68.134/robots.txt (CODE:200|SIZE:97)                                                                  
+ http://192.168.68.134/secret.txt (CODE:200|SIZE:86)                                                                  
                                                                                                                       

I find secret.txt again




1.3.3) Re-enumeration: HTTP (nibbleblog)

kali@kali2020:~$ dirb http://192.168.68.134/nibbleblog/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat May  2 02:23:21 2020
URL_BASE: http://192.168.68.134/nibbleblog/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.68.134/nibbleblog/ ----
==> DIRECTORY: http://192.168.68.134/nibbleblog/admin/                                                                 
+ http://192.168.68.134/nibbleblog/admin.php (CODE:200|SIZE:1413)                                                      
==> DIRECTORY: http://192.168.68.134/nibbleblog/content/                                                               
+ http://192.168.68.134/nibbleblog/index.php (CODE:200|SIZE:7723)                                                      
==> DIRECTORY: http://192.168.68.134/nibbleblog/languages/                                                             
==> DIRECTORY: http://192.168.68.134/nibbleblog/plugins/                                                               
+ http://192.168.68.134/nibbleblog/README (CODE:200|SIZE:4628)                                                         
==> DIRECTORY: http://192.168.68.134/nibbleblog/themes/   



msf5 > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers) > show options 

Module options (auxiliary/scanner/ssh/ssh_enumusers):

   Name         Current Setting     Required  Description
   ----         ---------------     --------  -----------
   CHECK_FALSE  false               no        Check for false positives (random username)
   Proxies                          no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                           yes       The target address range or CIDR identifier
   RPORT        22                  yes       The target port
   THREADS      1                   yes       The number of concurrent threads
   THRESHOLD    1                   yes       Amount of seconds needed before a user is considered found (timing attack only)
   USERNAME                         no        Single username to test (username spray)
   USER_FILE                        no        File containing usernames, one per line


Auxiliary action:

   Name              Description
   ----              -----------
   Malformed Packet  Use a malformed packet

msf5 auxiliary(scanner/ssh/ssh_enumusers) > set -g rhosts 192.168.56.107
rhosts => 192.168.56.107
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set user_file /usr/share/wordlists/metasploit/unix_users.txt
user_file => /usr/share/wordlists/metasploit/unix_users.txt
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 192.168.56.107:22 - SSH - Using malformed packet technique
[*] 192.168.56.107:22 - SSH - Starting scan
....
[+] 192.168.56.107:22 - SSH - User 'backup' found
[+] 192.168.56.107:22 - SSH - User 'bin' found
[+] 192.168.56.107:22 - SSH - User 'daemon' found
[+] 192.168.56.107:22 - SSH - User 'ftp' found
[+] 192.168.56.107:22 - SSH - User 'games' found
[+] 192.168.56.107:22 - SSH - User 'gnats' found
[+] 192.168.56.107:22 - SSH - User 'irc' found
[+] 192.168.56.107:22 - SSH - User 'list' found
[+] 192.168.56.107:22 - SSH - User 'lp' found
[+] 192.168.56.107:22 - SSH - User 'mail' found
[+] 192.168.56.107:22 - SSH - User 'man' found
[+] 192.168.56.107:22 - SSH - User 'messagebus' found
[+] 192.168.56.107:22 - SSH - User 'news' found
[+] 192.168.56.107:22 - SSH - User 'nobody' found
[+] 192.168.56.107:22 - SSH - User 'proxy' found
[+] 192.168.56.107:22 - SSH - User 'root' found
[+] 192.168.56.107:22 - SSH - User 'sshd' found
[+] 192.168.56.107:22 - SSH - User 'sync' found
[+] 192.168.56.107:22 - SSH - User 'sys' found
[+] 192.168.56.107:22 - SSH - User 'syslog' found
[+] 192.168.56.107:22 - SSH - User 'uucp' found
[+] 192.168.56.107:22 - SSH - User 'www-data' found



https://resources.infosecinstitute.com/privilege-escalation-linux-live-examples/#




Appendix A (other enumerations)

HTTP enumeration with nikto

kali@kali2020:~$ nikto -host 192.168.68.134
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.68.134
+ Target Hostname:    192.168.68.134
+ Target Port:        80
+ Start Time:         2020-04-28 02:19:14 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Cookie PHPSESSID created without the httponly flag
+ Entry '/nibbleblog/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/secret.txt' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Server may leak inodes via ETags, header found with file /, inode: 2c39, size: 593606af9ddd6, mtime: gzip
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7917 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2020-04-28 02:20:06 (GMT2) (52 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested



Enumeration using wfuzz

kali@kali2020:~$ wfuzz -c -w /usr/share/wfuzz/wordlist/general/megabeast.txt --hc 404 "http://192.168.68.134/FUZZ"

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.68.134/FUZZ
Total requests: 45459

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                
===================================================================


Total time: 117.8456
Processed Requests: 45459
Filtered Requests: 45459
Requests/sec.: 385.7503

I found no folders




Enumeration with dirsearch

https://github.com/maurosoria/dirsearch

kali@kali2020:~/dirsearch-master$ ./dirsearch.py -u http://192.168.68.134 -e php,cgi,txt,html

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, cgi, txt, html | HTTP method: get | Threads: 10 | Wordlist size: 7130

Error Log: /home/kali/dirsearch-master/logs/errors-20-04-29_02-44-32.log

Target: http://192.168.68.134

[02:44:32] Starting: 
[02:44:33] 403 -  279B  - /.htgroup
[02:44:33] 403 -  279B  - /.htaccess~
[02:44:33] 403 -  279B  - /.htusers
[02:44:33] 403 -  279B  - /.htpasswds
[02:44:47] 200 -   11KB - /index.html
[02:44:52] 200 -   97B  - /robots.txt
[02:44:52] 403 -  279B  - /server-status/

Task Completed

Metasploit enumeration

msf5 > use auxiliary/scanner/http/apache_userdir_enum 
msf5 auxiliary(scanner/http/apache_userdir_enum) > set rhosts 192.168.68.134
rhosts => 192.168.68.134
msf5 auxiliary(scanner/http/apache_userdir_enum) > set verbose false
verbose => false
msf5 auxiliary(scanner/http/apache_userdir_enum) > run

[*] http://192.168.68.134/ - No users found.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nothing




msf5 > use auxiliary/scanner/http/dir_scanner 
msf5 auxiliary(scanner/http/dir_scanner) > set rhosts 192.168.68.134
rhosts => 192.168.68.134
msf5 auxiliary(scanner/http/dir_scanner) > run

[*] Detecting error code
[*] Using code '404' as not found for 192.168.68.134
[+] Found http://192.168.68.134:80/icons/ 403 (192.168.68.134)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/http/dir_scanner) > 

nothing




msf5 > use auxiliary/scanner/http/files_dir 
msf5 auxiliary(scanner/http/files_dir) > set rhosts 192.168.68.134
rhosts => 192.168.68.134
msf5 auxiliary(scanner/http/files_dir) > run

[*] Using code '404' as not found for files with extension .null
[*] Using code '404' as not found for files with extension .bak
[*] Using code '404' as not found for files with extension .cfg
[*] Using code '404' as not found for files with extension .class
[*] Using code '404' as not found for files with extension .conf
[*] Using code '404' as not found for files with extension .html
[+] Found http://192.168.68.134:80/index.html 200
[*] Using code '404' as not found for files with extension .ini
[*] Using code '404' as not found for files with extension .log
[*] Using code '404' as not found for files with extension .old
[*] Using code '404' as not found for files with extension .php
[*] Using code '404' as not found for files with extension .tar
[*] Using code '404' as not found for files with extension .tmp
[*] Using code '404' as not found for files with extension .txt
[+] Found http://192.168.68.134:80/secret.txt 200
[*] Using code '404' as not found for files with extension .zip
[*] Using code '404' as not found for files with extension ~
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nothing




msf5  > use auxiliary/scanner/http/robots_txt 
msf5 auxiliary(scanner/http/robots_txt) > set rhosts 192.168.68.134
rhosts => 192.168.68.134
msf5 auxiliary(scanner/http/robots_txt) > run

[*] [192.168.68.134] /robots.txt found
[+] Contents of Robots.txt:
User-agent:*
Disallow:/nibbleblog/
Disallow:/secret.txt

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I find nibbleblog and secret.txt again




msf5  > use auxiliary/scanner/ssh/ssh_enumusers
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set user_file /usr/share/wordlists/metasploit/unix_users.txt
user_file => /usr/share/wordlists/metasploit/unix_users.txt
msf5 auxiliary(scanner/ssh/ssh_enumusers) > set rhosts 192.168.68.134
rhosts => 192.168.68.134
msf5 auxiliary(scanner/ssh/ssh_enumusers) > run

[*] 192.168.68.134:22 - SSH - Using malformed packet technique
[*] 192.168.68.134:22 - SSH - Starting scan
[+] 192.168.68.134:22 - SSH - User 'backup' found
[+] 192.168.68.134:22 - SSH - User 'bin' found
[+] 192.168.68.134:22 - SSH - User 'ftp' found
[+] 192.168.68.134:22 - SSH - User 'games' found
[+] 192.168.68.134:22 - SSH - User 'gnats' found
[+] 192.168.68.134:22 - SSH - User 'irc' found
[+] 192.168.68.134:22 - SSH - User 'list' found
[+] 192.168.68.134:22 - SSH - User 'lp' found
[+] 192.168.68.134:22 - SSH - User 'mail' found
[+] 192.168.68.134:22 - SSH - User 'man' found
[+] 192.168.68.134:22 - SSH - User 'messagebus' found
[+] 192.168.68.134:22 - SSH - User 'news' found
[+] 192.168.68.134:22 - SSH - User 'nobody' found
[+] 192.168.68.134:22 - SSH - User 'proxy' found
[+] 192.168.68.134:22 - SSH - User 'root' found
[+] 192.168.68.134:22 - SSH - User 'sshd' found
[+] 192.168.68.134:22 - SSH - User 'sync' found
[+] 192.168.68.134:22 - SSH - User 'sys' found
[+] 192.168.68.134:22 - SSH - User 'syslog' found
[+] 192.168.68.134:22 - SSH - User 'uucp' found
[+] 192.168.68.134:22 - SSH - User 'www-data' found
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf5 > use auxiliary/scanner/smb/smb_enumshares 
msf5 auxiliary(scanner/smb/smb_enumshares) > set rhosts 192.168.68.134
rhosts => 192.168.68.134
msf5 auxiliary(scanner/smb/smb_enumshares) > run

[+] 192.168.68.134:139    - print$ - (DISK) Printer Drivers
[+] 192.168.68.134:139    - IPC$ - (IPC) IPC Service (ubuntu-16 server (Samba
[+] 192.168.68.134:139    - Ubuntu))
[*] 192.168.68.134:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

nothing