Stapler
Nmap Scan
$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.186.148
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-25 22:05 EDT
Nmap scan report for 192.168.186.148
Host is up (0.053s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.45.199
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp open tcpwrapped
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 8
| Capabilities flags: 63487
| Some Capabilities: LongPassword, Speaks41ProtocolNew, ODBCClient, DontAllowDatabaseTableColumn, Support41Auth, Speaks41ProtocolOld, LongColumnFlag, SupportsTransactions, IgnoreSigpipes, FoundRows, IgnoreSpaceBeforeParenthesis, InteractiveClient, ConnectWithDatabase, SupportsCompression, SupportsLoadDataLocal, SupportsAuthPlugins, SupportsMultipleStatments, SupportsMultipleResults
| Status: Autocommit
| Salt: *s\x15s/|mp3xY\x060\x1A Hx\x12-y
|_ Auth Plugin Name: mysql_native_password
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2024-06-26T03:05:39+01:00
| smb2-time:
| date: 2024-06-26T02:05:39
|_ start_date: N/A
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -19m59s, deviation: 34m37s, median: 0s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.07 seconds
Initial Access
Port 12380

Port 21
Port 139
However, this does not really give much info.
We can take a look at the other share folder that we have access to.
But this does not have any information that we could use.
We do know there is a user called elly who is using the FTP service, based on the file content that we found earlier.
So, we can check whether elly is using a weak password.
Weak password for elly
It turns out elly is indeed using a weak password, and we are able to access her account over FTP.
When we list all the files that she can see, we get this:
Some files catch our interest, such as passwd and shadow.
However, we are only able to download passwd but not shadow.
This is the content of the passwd file.
We then filter for the accounts whose shell is /bin/bash and write them to usernames.txt.
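The filter described above, written out as an added example that is not part of the original write-up. The function name shell_users, the "any" mode and the sample passwd entries are constructed for illustration; the "any" mode goes beyond the page's /bin/bash filter to show which accounts that filter leaves out.

```shell
#!/usr/bin/env bash
# Added example: list the accounts in passwd(5)-format input that have a login shell.

# shell_users [SHELL]
# Reads passwd-format lines on stdin and prints one username per line.
# With SHELL given (default /bin/bash), only exact matches on field 7 are printed.
# With SHELL=any, every account whose shell is not nologin or false is printed.
shell_users() {
    awk -F: -v want="${1:-/bin/bash}" '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        NF != 7        { next }            # skip malformed entries
        want == "any" {
            # An empty shell field falls back to /bin/sh, so it counts as a login shell.
            if ($7 !~ /\/(nologin|false)$/) print $1
            next
        }
        $7 == want { print $1 }
    '
}

# Constructed sample input (not the passwd file from the target).
sample_passwd() {
    cat <<'EOF'
# constructed sample
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/false
carol:x:1002:1002::/home/carol:/bin/zsh
dave:x:1003:1003::/home/dave:/bin/bash
erin:x:1004:1004::/home/erin:
broken:line
EOF
}

echo "shell is /bin/bash:"
sample_passwd | shell_users
echo "any login shell:"
sample_passwd | shell_users any
```

Against the downloaded file this is run as shell_users < passwd > usernames.txt. Accounts such as carol and erin in the sample show why matching only /bin/bash undercounts the accounts that can log in.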
Weak password for SHayslett
We are able to find the credentials for one of the users (SHayslett).
After that, we are able to log in as SHayslett.

Privilege Escalation
Leaked Password
During the linpeas scan, we can see that peter may have root rights when using sudo.
We can also see that the password for peter is as shown below.
We can log in as peter.

When we run sudo -l, we can see that we are able to run any command as root.

Finally, we are able to get root access.
