10 May 2021

Pentesting Fun Stuff

following the cyber security path…

Digitalworld.local: TORMENT


nmap scan for open ports + services

The output of the full nmap scan is very large, so only useful pieces of it.

Starting with FTP first.

Some intersting findings here:

For the id_rsa I need a password, so first checking out the irc channel.

I use hexirc to connect to the irc server, but it says I need a password.
From a few google searches I get 2 different findings:
1. the default password is set empty (source: https://www.systutorials.com/docs/linux/man/5-ngircd.conf/)
2. the default password is set to wealllikedebian (source: https://git.in-ulm.de/cbiedl/ngircd/raw/master/debian/ngircd.conf)

This password seems to work and I enter the channel games

0 users and no information.

Joining channel tormentedprinter

A password. But I still lack a username.
Continuing the enumeration.

The webserver didn’t gave much info.
Another public facing service nmap did find was CUPS (Common UNIX Printing System).

When directing my browser to this service and looking at the Printers tab, I get a list of usernames.

Creating a list

For the enumeration of the smtp server, I use a python script (https://github.com/tommelo/smtpenum)

Then combining these names with the found password and see if I can log in with ssh.

That’s off. Normally this file is only writable for root. The rest is read-only.
This can be used to our adventage, but there is another piece of the puzzle I need to check.

Right. So this is also not very good to have, because anyone can drop a php file with a malicious payload in the root folder of the webserver. Now to combine these two findings.
First changing the apache config file and adding a new default user. User qiu in this case, because I already have access to user patrick.

Now to transfer a php reverse shell to the remote machine using the know ssh credentials.

Setting up a listener and rebooting the remote machine.

After rebooting access the shell.php file with the webbrowser.
And we have a reverse shell to user qiu.

If the python binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

And for the final part.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.