search

Pelican

hashtag
Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 --open -Pn -oN nmap 192.168.160.98
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-30 16:22 +08
Nmap scan report for 192.168.160.98
Host is up (0.0086s latency).
Not shown: 65526 closed tcp ports (conn-refused)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_  256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp   open  ipp         CUPS 2.2
|_http-title: Forbidden - CUPS v2.2.10
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
2181/tcp  open  zookeeper   Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
2222/tcp  open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 a8:e1:60:68:be:f5:8e:70:70:54:b4:27:ee:9a:7e:7f (RSA)
|   256 bb:99:9a:45:3f:35:0b:b3:49:e6:cf:11:49:87:8d:94 (ECDSA)
|_  256 f2:eb:fc:45:d7:e9:80:77:66:a3:93:53:de:00:57:9c (ED25519)
8080/tcp  open  http        Jetty 1.0
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(1.0)
8081/tcp  open  http        nginx 1.14.2
|_http-title: Did not follow redirect to http://192.168.160.98:8080/exhibitor/v1/ui/index.html
|_http-server-header: nginx/1.14.2
34631/tcp open  java-rmi    Java RMI
Service Info: Host: PELICAN; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m35s, median: 0s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: pelican
|   NetBIOS computer name: PELICAN\x00
|   Domain name: \x00
|   FQDN: pelican
|_  System time: 2024-05-30T04:22:20-04:00
| smb2-time: 
|   date: 2024-05-30T08:22:17
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.31 seconds

hashtag
Initial Access

hashtag
CVE-2019-5029

LogoExhibitor Web UI 1.7.1 - Remote Code ExecutionExploit Databasechevron-right

By following the exploit, we need to first put our payload in java.env script.

Next, we will commit -> then commit all at once. After a while, we will get the reverse shell as charles.

hashtag
Privilege Escalation

hashtag
Sudo (gcore)

When we use sudo -l, we can see that the user can run gcore.

Logogcore | GTFOBinsgtfobins.github.iochevron-right

Based on what gcore does it, basically dumps out the process. So, we can use it to dump of the process of password-store which is being run by root.

After dumping out, we can see the password inside the dump file

We can then use it to su to be root to get the flag.

PreviousExfiltratedNextAstronaut

Last updated