# Nmap 7.80 scan initiated Sat Sep 28 23:30:25 2019 as: nmap -sV -sC -O -A -oN O-Detailed -p 22,21,80,25565 10.10.10.37
Nmap scan report for 10.10.10.37
Host is up (0.23s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.5a
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d6:2b:99:b4:d5:e7:53:ce:2b:fc:b5:d7:9d:79:fb:a2 (RSA)
| 256 5d:7f:38:95:70:c9:be:ac:67:a0:1e:86:e7:97:84:03 (ECDSA)
|_ 256 09:d5:c2:04:95:1a:90:ef:87:56:25:97:df:83:70:67 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: WordPress 4.8
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: BlockyCraft – Under Construction!
25565/tcp open minecraft Minecraft 1.11.2 (Protocol: 127, Message: A Minecraft Server, Users: 0/20)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.4 (92%), Linux 4.8 (92%), Linux 3.16 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 240.30 ms 10.10.14.1
2 240.22 ms 10.10.10.37
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Sep 28 23:30:49 2019 -- 1 IP address (1 host up) scanned in 25.06 seconds
The web server on port 80 runs a default WordPress installation; the site itself showed nothing interesting, so I ran gobuster.
We got credentials for the MySQL server: root:8YsqfCTnvxAUeduzjNSXe22. These credentials got me into the phpMyAdmin interface of the server and let me fetch the username notch from the wp_users table.
I tried cracking the user's password hash, but it was not in the rockyou.txt wordlist, so I let it be and continued with the usernames and passwords I already had to brute-force my way into the SSH server.
$ ssh root@10.10.10.37
root@10.10.10.37's password:
Permission denied, please try again.
root@10.10.10.37's password:
# Password combination didn't work for root, however it did
# work for notch
$ ssh notch@10.10.10.37
notch@10.10.10.37's password:
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-62-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
7 packages can be updated.
7 updates are security updates.
Last login: Mon Sep 30 07:40:07 2019 from 10.10.14.10
notch@Blocky:~$ id
uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
notch@Blocky:~$
I noticed that we had the password for this account and that it was a member of the sudo group, so I went ahead and checked the permissions we had in sudoers.
notch@Blocky:~$ sudo -l
Matching Defaults entries for notch on Blocky:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User notch may run the following commands on Blocky:
(ALL : ALL) ALL
So we are essentially root: the rule (ALL : ALL) ALL means we can run ALL commands, as ALL users and groups, on ALL hosts. This is game over.
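As an added example (not part of the original writeup), here is a small Python audit helper that parses the id and sudo -l output shown above and reports what a defender reviewing this account would flag: membership in privileged groups and root-equivalent or password-less sudo rules. The sample input is constructed from the session above, and the set of groups treated as privileged is an assumption.

```python
import re

# Constructed sample input, shaped like the `id` and `sudo -l` output in this writeup.
ID_OUTPUT = ("uid=1000(notch) gid=1000(notch) groups=1000(notch),4(adm),24(cdrom),"
             "27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)")
SUDO_L_OUTPUT = """Matching Defaults entries for notch on Blocky:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User notch may run the following commands on Blocky:
    (ALL : ALL) ALL
"""

# Groups that grant root-equivalent or sensitive access; this list is an assumption.
PRIVILEGED_GROUPS = {"sudo", "wheel", "adm", "lxd", "docker", "disk", "shadow"}

# One sudo rule line: "(runas_user : runas_group) [NOPASSWD:] command"
RULE_RE = re.compile(r"^\s*\(([^:)]+)(?::([^)]+))?\)\s*(NOPASSWD:)?\s*(.+?)\s*$")


def parse_id_groups(id_line):
    """Return the set of group names listed after `groups=` in `id` output."""
    m = re.search(r"groups=(.*)$", id_line.strip())
    return set(re.findall(r"\d+\(([^)]+)\)", m.group(1))) if m else set()


def parse_sudo_rules(sudo_output):
    """Return (runas_user, runas_group, nopasswd, command) tuples from `sudo -l` output."""
    rules, in_rules = [], False
    for line in sudo_output.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True  # the rule lines follow this header
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            user, group, nopasswd, cmd = m.groups()
            rules.append((user.strip(), (group or "").strip(), nopasswd is not None, cmd))
    return rules


def audit(id_line, sudo_output):
    """Produce audit findings for an account, in a fixed order for predictable reporting."""
    findings = []
    for g in sorted(parse_id_groups(id_line) & PRIVILEGED_GROUPS):
        findings.append(f"member of privileged group: {g}")
    for user, group, nopasswd, cmd in parse_sudo_rules(sudo_output):
        if cmd == "ALL" and user in ("ALL", "root"):
            findings.append(f"root-equivalent sudo rule: ({user}{' : ' + group if group else ''}) ALL")
        if nopasswd:
            findings.append(f"sudo rule without password prompt: {cmd}")
    return findings
```

Running audit(ID_OUTPUT, SUDO_L_OUTPUT) on the constructed sample returns four findings: the adm, lxd and sudo group memberships and the root-equivalent (ALL : ALL) ALL rule.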
Thorough enumeration is the key while exploiting machines; I had nearly missed trying the user notch with the password of root. Keeping track of usernames and passwords is important while pen-testing.