
THM | Expose | Easy
This post is a walkthrough of the TryHackMe room Expose.

Intro

This challenge is an initial test to evaluate your capabilities in red teaming skills. You will find all the necessary tools to complete the challenge, like Nmap, sqlmap, wordlists, PHP shell, and many more in the AttackBox. Exposing unnecessary services in a machine can be dangerous. Can you capture the flags and pwn the machine?

NMAP Scan

```
sudo nmap -sVC -T4 -p- -vv -oA nmap/all-tcp-ports 10.10.191.114
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-05 19:41 IST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:41
Completed NSE at 19:41, 0.00s elapsed
Initiating Ping Scan at 19:41
Scanning 10.10.191.114 [4 ports]
Completed Ping Scan at 19:41, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:41
Completed Parallel DNS resolution of 1 host. at 19:41, 0.01s elapsed
Initiating SYN Stealth Scan at 19:41
Scanning 10.10.191.114 [65535 ports]
Discovered open port 21/tcp on 10.10.191.114
Discovered open port 22/tcp on 10.10.191.114
Discovered open port 53/tcp on 10.10.191.114
Discovered open port 1883/tcp on 10.10.191.114
Discovered open port 1337/tcp on 10.10.191.114
Completed SYN Stealth Scan at 19:41, 12.23s elapsed (65535 total ports)
Initiating Service scan at 19:41
Scanning 5 services on 10.10.191.114
Completed Service scan at 19:41, 11.11s elapsed (5 services on 1 host)
NSE: Script scanning 10.10.191.114.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:41
NSE: [ftp-bounce 10.10.191.114:21] PORT response: 500 Illegal PORT command.
Completed NSE at 19:42, 10.16s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.09s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.01s elapsed
Nmap scan report for 10.10.191.114
Host is up, received reset ttl 63 (0.051s latency).
Scanned at 2023-09-05 19:41:30 IST for 34s
Not shown: 65530 closed tcp ports (reset)
PORT     STATE SERVICE   REASON         VERSION
21/tcp   open  ftp       syn-ack ttl 63 vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.11.0.200
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh       syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 bc:ad:ba:9e:00:c2:bb:94:46:71:6d:eb:9c:6c:8b:de (RSA)
|   256 3c:0c:11:2f:96:05:ad:08:c6:dd:6e:20:08:b6:71:25 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNe4/l3KTGE7PJc7QH6ImgyMbg82kppYvZJByUaE2opJQ/XV93WScr6SzhcXqG/WrXvHfz4LtHzCxeujJTPyMys=
|   256 66:4c:8e:11:31:8c:fb:3a:e1:69:38:ae:d5:d1:5f:5c (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2LEEUfDOIGeJBrF3AEOuhqYEnTj+n4/FcYGlAMV92f
53/tcp   open  domain    syn-ack ttl 63 ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.16.1-Ubuntu
1337/tcp open  http      syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: EXPOSED
|_http-server-header: Apache/2.4.41 (Ubuntu)
1883/tcp open  mosquitto version 1.6.9 syn-ack ttl 63
| mqtt-subscribe:
|   Topics and their most recent payloads:
|     $SYS/broker/load/publish/received/5min: 0.00
|     $SYS/broker/load/publish/dropped/1min: 0.00
|     $SYS/broker/messages/stored: 53
|     $SYS/broker/load/bytes/sent/15min: 136.90
|     $SYS/broker/heap/maximum: 54584
|     $SYS/broker/publish/messages/dropped: 0
|     $SYS/broker/load/bytes/received/1min: 63.04
|     $SYS/broker/load/connections/5min: 0.39
|     $SYS/broker/bytes/sent: 2066
|     $SYS/broker/load/publish/received/1min: 0.00
|     $SYS/broker/store/messages/count: 53
|     $SYS/broker/clients/connected: 1
|     $SYS/broker/publish/bytes/received: 0
|     $SYS/broker/load/publish/sent/5min: 10.21
|     $SYS/broker/load/publish/dropped/15min: 0.00
|     $SYS/broker/bytes/received: 69
|     $SYS/broker/load/connections/15min: 0.13
|     $SYS/broker/load/sockets/5min: 0.39
|     $SYS/broker/clients/inactive: 0
|     $SYS/broker/clients/disconnected: 0
|     $SYS/broker/load/publish/dropped/5min: 0.00
|     $SYS/broker/load/bytes/sent/5min: 405.72
|     $SYS/broker/load/publish/sent/15min: 3.45
|     $SYS/broker/clients/expired: 0
|     $SYS/broker/shared_subscriptions/count: 0
|     $SYS/broker/clients/maximum: 1
|     $SYS/broker/load/messages/sent/1min: 50.25
|     $SYS/broker/version: mosquitto version 1.6.9
|     $SYS/broker/load/bytes/sent/1min: 1887.68
|     $SYS/broker/uptime: 44 seconds
|     $SYS/broker/load/messages/sent/5min: 10.80
|     $SYS/broker/subscriptions/count: 2
|     $SYS/broker/store/messages/bytes: 191
|     $SYS/broker/retained messages/count: 53
|     $SYS/broker/load/bytes/received/5min: 13.55
|     $SYS/broker/load/publish/sent/1min: 47.51
|     $SYS/broker/heap/current: 54184
|     $SYS/broker/clients/active: 1
|     $SYS/broker/load/sockets/15min: 0.13
|     $SYS/broker/clients/total: 1
|     $SYS/broker/publish/messages/sent: 52
|     $SYS/broker/load/publish/received/15min: 0.00
|     $SYS/broker/load/messages/sent/15min: 3.64
|     $SYS/broker/publish/messages/received: 0
|     $SYS/broker/publish/bytes/sent: 177
|     $SYS/broker/load/bytes/received/15min: 4.57
|     $SYS/broker/messages/sent: 55
|     $SYS/broker/load/messages/received/1min: 2.74
|     $SYS/broker/messages/received: 3
|     $SYS/broker/load/sockets/1min: 1.67
|     $SYS/broker/load/messages/received/5min: 0.59
|     $SYS/broker/load/messages/received/15min: 0.20
|_    $SYS/broker/load/connections/1min: 1.83
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:42
Completed NSE at 19:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 34.42 seconds
```

Ports Of Interest

- Port 21 - FTP (vsftpd 2.0.8 or later)
- Port 22 - SSH
- Port 80 - HTTP
- Port 1883 - Mosquitto

...
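The scan above is also what a defender would want to see about their own host. As an added example (not part of the original walkthrough), this sketch parses Nmap normal output and reports the exposures visible in this scan: anonymous FTP, an MQTT broker that answers without credentials, and a DNS version banner. The `audit` function, the `FINDINGS` table and the SSH-only allow-list are assumptions chosen for illustration, and the sample is a trimmed, constructed excerpt of the output above.

```python
import re

# Constructed sample: trimmed excerpt of the scan output in this post.
SAMPLE = """\
PORT     STATE SERVICE   REASON         VERSION
21/tcp   open  ftp       syn-ack ttl 63 vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp   open  ssh       syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.7
53/tcp   open  domain    syn-ack ttl 63 ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.16.1-Ubuntu
1337/tcp open  http      syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
1883/tcp open  mosquitto version 1.6.9 syn-ack ttl 63
| mqtt-subscribe:
|   Topics and their most recent payloads:
|_    $SYS/broker/version: mosquitto version 1.6.9
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")
SCRIPT_RE = re.compile(r"^\|[_ ]\s*([\w.-]+):")

# NSE output keys seen in this scan, mapped to the exposure they indicate.
# ftp-anon only prints when anonymous login works; mqtt-subscribe was run
# without credentials, so listed topics mean anonymous clients are accepted.
FINDINGS = {
    "ftp-anon": "anonymous FTP login allowed",
    "mqtt-subscribe": "MQTT broker lets an unauthenticated client subscribe",
    "bind.version": "DNS server discloses its version string",
}

def audit(scan_text, allowed_ports=frozenset({22})):
    """Return {port: {"service": str, "findings": [str]}} for open ports.

    allowed_ports is a hypothetical policy: ports meant to be reachable.
    """
    report, current = {}, None
    for line in scan_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            report[current] = {"service": m.group(3), "findings": []}
            if current not in allowed_ports:
                report[current]["findings"].append("port not on the allow-list")
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None and m.group(1) in FINDINGS:
            report[current]["findings"].append(FINDINGS[m.group(1)])
    return report

if __name__ == "__main__":
    for port, info in sorted(audit(SAMPLE).items()):
        print(port, info["service"], "; ".join(info["findings"]) or "ok")
```

Run against the `.nmap` file written by `-oA`, it gives a quick list of services to close or put behind authentication.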