search
YOUTUBE

Seppuku

This is a free linux, proving grounds machine, you can also download it from vulhub.

hashtag
Nmap enumeration

nmap -sV -sC -T4 -p- -oN ~/Desktop/labs/playground/seppuku/nmap 192.168.177.90
Nmap scan report for 192.168.177.90
Host is up (0.18s latency).
Not shown: 65259 closed tcp ports (conn-refused), 268 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp           vsftpd 3.0.3
22/tcp   open  ssh           OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:55:a8:e4:0f:28:bc:b2:a6:7d:41:76:bb:9f:71:f4 (RSA)
|   256 16:fa:29:e4:e0:8a:2e:7d:37:d2:6f:42:b2:dc:e9:22 (ECDSA)
|_  256 bb:74:e8:97:fa:30:8d:da:f9:5c:99:f0:d9:24:8a:d5 (ED25519)
80/tcp   open  http          nginx 1.14.2
|_http-title: 401 Authorization Required
|_http-server-header: nginx/1.14.2
139/tcp  open  netbios-ssn   Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  p��tUU        Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
7080/tcp open  ssl/empoweri0 LiteSpeed
|_http-server-header: LiteSpeed
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   h2
|   spdy/3
|   spdy/2
|_  http/1.1
| ssl-cert: Subject: commonName=seppuku/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-05-13T06:51:35
|_Not valid after:  2022-08-11T06:51:35
|_http-title: Did not follow redirect to https://192.168.177.90:7080/
7601/tcp open  http          Apache httpd 2.4.38 ((Debian))
|_http-title: Seppuku
|_http-server-header: Apache/2.4.38 (Debian)
8088/tcp open  http          LiteSpeed httpd
|_http-server-header: LiteSpeed
|_http-title: Seppuku
Service Info: Host: SEPPUKU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m14s, median: 0s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.9.5-Debian)
|   Computer name: seppuku
|   NetBIOS computer name: SEPPUKU\x00
|   Domain name: \x00
|   FQDN: seppuku
|_  System time: 2024-01-21T14:36:27-05:00
| smb2-time: 
|   date: 2024-01-21T19:36:29
|_  start_date: N/A
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

hashtag
smb enumeration

smb is present on ports 139,445

we found users on the system

hashtag
http enumeration

. port 80 requires a login, butrueforce is dead end . it has no sub-directories

port 8088 it has sub-directories but don't work, rabbit-hole

sub-dircetories they don't work

port 7601

sub-directory enumeration on port 7601

found a static page, on /ckeditor

founds some files in keys directory

These two file are ssh keys to but to what users.

another static page /production

/secret

We have received a password list , we are going o use it to brute-force the ssh and see if we might gave i login. trying the private key obtained

We have access to tanto

go to unrestricted terminal

enter into /home/seppuku find the local.txt, but we also see a .passwd file

we have a found a password but [12345685213456!@!@A] but its for which user

the password we found was for samurai change to unrestricted shell

with hydra we also found the password of seppuku

logging in

hashtag
privilege escalation

when we run sudo -l on user samurai we see he ca run some files

we are going to create the .cgi_bin file in tanto because it doesn't exist their

and also we are going to create a bin file which might help has to get a root shell

root user

PreviousLinuxNextDC-1

Last updated