Stapler 1 (Brute Force)

Stapler is a boot2root with multiple paths to shell and root, written by g0tmi1k. I found the simple brute force path the most obvious on the first playthrough, but I think I will visit this one again.

Discovery & Enumeration

root@kali:~# mkcd VulnHub/Stapler
root@kali:~/VulnHub/Stapler# netdiscover -pr 10.1.11.0/24

 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.137     08:00:27:f2:ed:b4      1      60  Cadmus Computer Systems

root@kali:~/VulnHub/Stapler# echo 10.1.11.137 > ip
root@kali:~/VulnHub/Stapler# nmap -A -p- -T5 $(cat ip)

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-29 15:36 BST
Nmap scan report for red.initech.vulnlab.fbcnt.in (10.1.11.137)
Host is up (0.00022s latency).
Not shown: 65523 filtered ports
PORT      STATE  SERVICE     VERSION
20/tcp    closed ftp-data
21/tcp    open   ftp         vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: Can't parse PASV response: "Permission denied."
22/tcp    open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
|_  256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
53/tcp    open   domain      dnsmasq 2.75
| dns-nsid:
|   id.server: patriot.fbcnt.in
|_  bind.version: dnsmasq-2.75
80/tcp    open   http
|_http-title: 404 Not Found
123/tcp   closed ntp
137/tcp   closed netbios-ns
138/tcp   closed netbios-dgm
139/tcp   open   netbios-ssn Samba smbd 3.X (workgroup: RED)
666/tcp   open   doom?
3306/tcp  open   mysql       MySQL 5.7.12-0ubuntu1
| mysql-info:
|   Protocol: 53
|   Version: .7.12-0ubuntu1
|   Thread ID: 27
|   Capabilities flags: 63487
|   Some Capabilities: LongPassword, IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, SupportsTransactions, Support41Auth, FoundRows, Speaks41ProtocolOld, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, ODBCClient, SupportsCompression, IgnoreSigpipes, DontAllowDatabaseTableColumn, LongColumnFlag
|   Status: Autocommit
|   Kv\x12\x19`"dx\s\x01ptM"
12380/tcp open   http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Tim, we need to-do better next year for Initech

Host script results:
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
|   Computer name: red
|   NetBIOS computer name: RED
|   Domain name:
|   FQDN: red
|_  System time: 2016-06-29T16:38:10+01:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server supports SMBv2 protocol

TRACEROUTE
HOP RTT      ADDRESS
1   0.22 ms  red.initech.vulnlab.fbcnt.in (10.1.11.137)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.26 seconds

Anonymous FTP, etc

A lot is running on this box. Working top to bottom, anonymous FTP immediately caught my attention, so I started there. ...

June 29, 2016 · 6 min

Gibson 0.2

Gibson is a boot2root created by Knightmare with a heavy 1988 Hackers theme; one of my favourite movies!

Discovery & Enumeration

The usual netdiscover and nmap to get an idea of what we are dealing with…

root@kali:~# mkcd VulnHub/Gibson
root@kali:~/VulnHub/Gibson# netdiscover -pr 10.1.11.0/24

 Currently scanning: (passive)   |   Screen View: Unique Hosts

 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.11.143     08:00:27:2c:de:ec      1      60  Cadmus Computer Systems

root@kali:~/VulnHub/Gibson# echo 10.1.11.143 > ip
root@kali:~/VulnHub/Gibson# nmap -A -T5 $(cat ip)

Starting Nmap 7.12 ( https://nmap.org ) at 2016-06-28 20:53 BST
Nmap scan report for gibson.vulnlab.fbcnt.in (10.1.11.143)
Host is up (0.00030s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 fb:f6:d1:57:64:fa:38:66:2d:66:40:12:a4:2f:75:b4 (DSA)
|   2048 32:13:58:ae:32:b0:5d:b9:2a:9c:87:9c:ae:79:3b:2e (RSA)
|_  256 3f:dc:7d:94:2f:86:f1:83:41:db:8c:74:52:f0:49:43 (ECDSA)
80/tcp open  http    Apache httpd 2.4.7
| http-ls: Volume /
| SIZE  TIME              FILENAME
| 273   2016-05-07 13:03  davinci.html
|_
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Index of /
MAC Address: 08:00:27:2C:DE:EC (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.4
Network Distance: 1 hop
Service Info: Host: gibson.example.co.uk; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   0.30 ms  gibson.vulnlab.fbcnt.in (10.1.11.143)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds

SSH and a somewhat barren web server; not a lot, but something to work with. ...

June 28, 2016 · 9 min