========================================
| OS information on 192.168.198.90 |
========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.198.90 from smbclient:
[+] Got OS info for 192.168.198.90 from srvinfo:
    SEPPUKU        Wk Sv PrQ Unx NT SNT Samba 4.9.5-Debian
    platform_id     :       500
    os version      :       6.1
    server type     :       0x809a03
----
More http
7080/tcp open ssl/http LiteSpeed httpd
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after: 2022-08-11T06:51:35
|_http-title: 404 Not Found
|_http-server-header: LiteSpeed
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
7601/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Seppuku
|_http-server-header: Apache/2.4.38 (Debian)
123456
12345
password
password1
123456789
12345678
1234567890
abc123
computer
tigger
1234
qwerty
money
carmen
mickey
secret
summer
internet
a1b2c3
123
service
canada
hello
ranger
shadow
baseball
donald
harley
hockey
letmein
maggie
mike
mustang
snoopy
buster
dragon
jordan
michael
michelle
mindy
patrick
123abc
andrew
bear
calvin
changeme
diamond
withme
withyou
matthew
miller
tiger
trustno1
alex
apple
avalon
brandy
chelsea
coffee
falcon
freedom
gandalf
green
helpme
linda
magic
merlin
newyork
soccer
thomas
wizard
asdfgh
bandit
batman
boris
butthead
dorothy
eeyoree
fishing
Football
george
happy
iloveyou
jennifer
jonathan
love
marina
master
missy
monday
monkey
natasha
All of these are probably useless except for the password list.
Intercepted the traffic with Burp and found the password.
In our home directory, we find a “.passwd” file containing a hopefully valid password to an unknown account. If we list the users on this box by examining the “/etc/passwd” file, we can pare down our targets to “root,” “samurai” and “tanto.” From there, we can try logging in as these users with this new password.
We get a hit with the “samurai” user, though we aren’t lucky enough to get another easy password handed to us. The output from sudo -l looks promising, but we find that the “/home/tanto/.cgi_bin/bin” file it references does not exist. When we reach a dead end, we take a step back and take inventory of what we have. We remember we have a private key from our enumeration phase, so let’s put it to work.
After configuring permissions on the private key file, we can log in as the “tanto” user without knowing their password. We’ll spend a minute looking around for obvious vulnerabilities, but our real intention is to create the file that the “seppuku” user can then run with superuser privileges.
We are in the restricted shell rbash, where many normal shell functions such as output redirection are unavailable. We can escape this limitation by spawning bash from Python, which lets us finish creating a script that, when run with sudo, drops into a root bash shell.
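The root cause of this escalation is a sudo rule whose target path does not exist and lives inside another user's home, so that user can create it. The following is an added example (not part of the original writeup) of a small audit check an administrator could run over sudoers rules to flag exactly that condition; the rule text is constructed, only the path comes from the page, and the filesystem probes are injectable so the logic can be exercised without touching the real system.

```python
import os
import re
import stat

# Constructed sudoers-style rule modelled on what the writeup describes:
# the path is the one quoted in the notes, the rest of the line is assumed.
SAMPLE_RULE = "samurai ALL=(ALL) NOPASSWD: /home/tanto/.cgi_bin/bin"

# user host=(runas) [TAG: ...] command[, command ...]
_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:(?:NO)?(?:PASSWD|SETENV|EXEC):\s*)*)(?P<cmds>.+)$"
)

def parse_sudo_rule(line):
    """Split one sudoers rule into (user, [tags], [command paths])."""
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a sudoers rule: %r" % line)
    cmds = [c.strip().split()[0] for c in m.group("cmds").split(",") if c.strip()]
    return m.group("user"), m.group("tags").split(), cmds

def audit_sudo_rule(line, path_exists=os.path.exists,
                    path_mode=lambda p: os.stat(p).st_mode):
    """Return (finding, path) pairs for every command path in a rule.

    missing      : target does not exist, so whoever can write its parent
                   directory can plant a file there and run it via sudo.
    writable     : target exists but is group- or world-writable.
    dir-writable : the parent directory is group- or world-writable.
    all-commands : the rule grants ALL, which needs no file at all.
    """
    loose = stat.S_IWGRP | stat.S_IWOTH
    _, _, cmds = parse_sudo_rule(line)
    findings = []
    for cmd in cmds:
        if cmd == "ALL":
            findings.append(("all-commands", cmd))
            continue
        if not path_exists(cmd):
            findings.append(("missing", cmd))
        elif path_mode(cmd) & loose:
            findings.append(("writable", cmd))
        parent = os.path.dirname(cmd)
        if path_exists(parent) and path_mode(parent) & loose:
            findings.append(("dir-writable", parent))
    return findings

if __name__ == "__main__":
    for kind, path in audit_sudo_rule(SAMPLE_RULE):
        print(f"{kind}: {path}")
```

On a real host, run it over the non-comment lines of /etc/sudoers and /etc/sudoers.d/* with the default probes; any "missing" or "dir-writable" hit on a path under /home or /tmp is the pattern this box exhibits.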