Hetemit (Linux)

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Hetemit]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.206.117
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-08 11:30 EST
Nmap scan report for 192.168.206.117                                                  
Host is up, received echo-reply ttl 61 (0.17s latency).                               
Scanned at 2025-11-08 11:30:59 EST for 88s                                            
Not shown: 65528 filtered tcp ports (no-response)                                     
PORT      STATE SERVICE     REASON         VERSION                                    
21/tcp    open  ftp         syn-ack ttl 61 vsftpd 3.0.3                                                                                                                     
| ftp-anon: Anonymous FTP login allowed (FTP code 230)                                
|_Can't get directory listing: TIMEOUT
| ftp-syst:                                                                                                                                                                 
|   STAT:                                                                                                                                                                   
| FTP server status:                                                                  
|      Connected to 192.168.45.174                                                    
|      Logged in as ftp                                                                                                                                                     
|      TYPE: ASCII                                                                    
|      No session bandwidth limit                                                     
|      Session timeout in seconds is 300                                              
|      Control connection is plain text                                               
|      Data connections will be plain text                                                                                                                                  
|      At session startup, client count was 2                                         
|      vsFTPd 3.0.3 - secure, fast, stable                                            
|_End of status                                                                       
22/tcp    open  ssh         syn-ack ttl 61 OpenSSH 8.0 (protocol 2.0)         
| ssh-hostkey:                                                                        
|   3072 b1:e2:9d:f1:f8:10:db:a5:aa:5a:22:94:e8:92:61:65 (RSA)                        
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDH2Cap49zuKy70lHzXsOn9iOap0h1Dnwk14D6PNKugueOqGpYoffwCGCA0wF4cI3+MRjuHz4xGznmtTIP3vOBZINZvT5PsNcvu6ef0SDfDOMFbzsEirhpQuoBYvgmEuJ4u1V
MiwNaYQ0jw9t+nsR2MAIym/wdKt+ghYm4qlB3WvLMV41uCu0F7OQadRX8GWrLWLucjSQ1f80tkV7mc7ZfuTm8YdsAOkNQufHkVE+Alk0NpHdqLh/6FHxmEqYwP0jX6HS/lg+MfczIbIQ91v7+ljvo3qgdSZPqqulUtQuj/Rb/gmI
fItzFZIxTzLQ6FuKKmoTMXaR/tXf93+91z+kBdDaZe/5eu6fLCdGuFyioB97LdZGJq8uFbM0BpNeBYc0i/DOFwxWBhO8/zzv1uaTUKuS1B+bny1iUTiQoJj6GVRQmvgk/2Km5SanF3Cp4PSSJMQ112Umjg1T61ah/i//KXAyZ25x
OznolBw/aoCc9cremrkycUp7dmuATBNCgHFS0=                                                
|   256 74:dd:fa:f2:51:dd:74:38:2b:b2:ec:82:e5:91:82:28 (ECDSA)                       
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPTMpDGmoKZ96W+Ivvw7sQmnD1U41OY34oAzJ5Z1/AP/iVj+TpKO6lCKPxDq+9nbJJU4dtQx8X+KjQqUtpYIUhw=
|   256 48:bc:9d:eb:bd:4d:ac:b3:0b:5d:67:da:56:54:2b:a0 (ED25519)                     
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUnTSrfkvL2AJJsozjPtXIWf/6Z7UB9WptTiOOX93m4    
80/tcp    open  http        syn-ack ttl 61 Apache httpd 2.4.37 ((centos))             
|_http-server-header: Apache/2.4.37 (centos)                                          
|_http-title: CentOS 提供的 Apache HTTP 服务器测试页 (Chinese: "Apache HTTP Server Test Page provided by CentOS")
| http-methods:                                                                                                                                                             
|   Supported Methods: GET POST OPTIONS HEAD TRACE                                    
|_  Potentially risky methods: TRACE                                                  
139/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 4
445/tcp   open  netbios-ssn syn-ack ttl 61 Samba smbd 4
18000/tcp open  biimenu?    syn-ack ttl 61
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
<snipped>
50000/tcp open  http        syn-ack ttl 61 Werkzeug httpd 1.0.1 (Python 3.6.8)
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/1.0.1 Python/3.6.8
<snipped>
Service Info: OS: Unix

<snipped>

A lot of open ports, and a lot of rabbit holes.

For FTP, anonymous login is allowed but I could not list the files inside it (a listing timeout after a successful login points at a blocked data channel, so passive versus active mode is the first thing to check). As for SMB, there is a share that we have neither read nor write access to.

HTTP (80):

Nothing, just the Apache welcome page.

HTTP (18000):

Again I tried directory fuzzing; I also registered an account but could not log in, and tried SQL injection, none of which led anywhere.

HTTP (50000):

We have some sort of API; the response lists two endpoints inside curly braces.

Try the first one:

We only get an email address.

Let's see which HTTP verbs we can use on this endpoint:

Let's try POST. The previous response returned an email address, so a parameter named email is a reasonable guess; let's pass a value to it:

The output looks like a hash, specifically SHA-256 (64 hex characters).

Let's hash the same value ourselves with the sha256sum command (note that echo appends a trailing newline, which changes the digest; use printf '%s' or echo -n so the same bytes are hashed):

The outputs are identical, which confirms that the endpoint accepts any value, passes it through a hash function and prints the digest.

Move on to the second endpoint:

This time it looks like there is a parameter we can pass to verify:

If we pass a bare string without quotes, we get a 500 response, which suggests the value is being evaluated as code rather than treated as data:

Exploitation:

Let's try some simple math expressions to confirm whether we are dealing with the Python interpreter or some Python function evaluating our input (the plus sign must be URL-encoded as %2B, otherwise the server-side program decodes it as a space):

Import os and call the system function:

Ping our target:

Here we have blind command injection.

Get a reverse shell:

Post-Exploitation:

Run sudo -l:

These are not directly useful yet: they only let us power off or reboot the machine.

Let's also look at the script that runs the application we exploited:

Here we can see that our input is passed straight to eval() without any validation.
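The two observations above (the %2B encoding of the plus sign, and the 500 on unquoted input) both follow from one line of code: the parameter is handed to eval(). The block below is an added example, not the machine's own application code: it reproduces the vulnerable pattern, shows how a WSGI server decodes the query string (so "2+2" arrives as "2 2" unless the plus is percent-encoded), and puts a hardened replacement beside it that walks the AST and allows only numeric literals and arithmetic. The parameter name verify and the os.system payload in the comment are assumptions drawn from the writeup's description.

```python
import ast
import operator
import urllib.parse


def vulnerable_verify(value):
    """The flaw described above, reproduced: the parameter goes straight into
    eval(). '2+2' gives 4, but so does any Python expression, e.g.
    __import__('os').system('ping -c 3 ATTACKER') for blind command execution."""
    return eval(value)


# Hardened replacement: parse the text into an AST and evaluate only numeric
# literals and plain arithmetic. Names, attribute access and calls never reach
# the interpreter. Pow is excluded on purpose (9**9**9 would hang the worker).
_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod, ast.USub: operator.neg,
}


def safe_verify(value):
    tree = ast.parse(value, mode="eval")

    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if (isinstance(node, ast.Constant)
                and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree)


def try_eval(fn, value):
    """Run fn(value) and report ("ok", result) or ("error", exception name);
    an unhandled exception is what turns into the HTTP 500 seen above."""
    try:
        return "ok", fn(value)
    except Exception as exc:
        return "error", type(exc).__name__


def decode_param(query_string, name):
    """Decode a query string the way a WSGI server does: '+' means space, so
    verify=2+2 arrives as '2 2' (SyntaxError under eval) while verify=2%2B2
    arrives as '2+2'. The parameter name is an assumption."""
    return urllib.parse.parse_qs(query_string).get(name, [""])[0]


def encode_value(value):
    """Percent-encode a payload so '+' survives the trip (2+2 -> 2%2B2)."""
    return urllib.parse.quote(value, safe="")


if __name__ == "__main__":
    for raw in ("2+2", "2 2", "-3*(4+1)", "__import__('os').getpid()"):
        print(f"{raw!r:32} eval -> {try_eval(vulnerable_verify, raw)}  "
              f"safe -> {try_eval(safe_verify, raw)}")
    print(decode_param("verify=2+2", "verify"),
          decode_param("verify=" + encode_value("2+2"), "verify"))
```

The safe variant still answers 4 for "2+2", so a legitimate caller sees no difference, while "__import__('os')..." fails closed with a ValueError at the parse stage instead of running. If the endpoint only ever needed literals, ast.literal_eval would be an even smaller surface.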

I uploaded linpeas and ran it:

As flagged by linpeas, we have write permissions over the service file that runs that Python program; let's read it:

This service file starts the application we exploited on port 50000.

Since we have write permissions, let's overwrite it with our own malicious one using nano:

Here we changed the ExecStart= directive to run our command instead, and set User= to root.
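The finding linpeas reported here (a unit file our user can write) is easy to reproduce as a standalone check, and it is the same check a defender would run after hardening. The script below is an added example, not linpeas and not anything from the machine: it walks the systemd unit directories, decides writability from the mode bits (so the result describes the file's permissions even when run as root), and prints the User= and ExecStart= lines an attacker would rewrite, as was done above. The unit it scans in the demo is constructed for the example; its unit name, service account and script path are hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path

# Directories the system instance of systemd reads unit files from.
UNIT_DIRS = ("/etc/systemd/system", "/usr/lib/systemd/system", "/lib/systemd/system")


def parse_unit(text):
    """Parse a systemd unit into {section: {key: [values]}}.

    Unit files look like INI but allow a key to repeat (ExecStart may appear
    several times), so every value is kept in a list.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def mode_writable(st, uid, gids):
    """Decide writability from the owner/group/other bits alone, so the answer
    describes the file's permissions even when the scan runs as root.
    POSIX ACLs are deliberately ignored."""
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return st.st_uid == uid and bool(mode & stat.S_IWUSR)


def find_writable_units(dirs, uid=None, gids=None):
    """Return the .service files under `dirs` that `uid` can modify, together
    with the User= and ExecStart= lines an attacker would rewrite."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getgid()} if gids is None else set(gids)
    findings = []
    for d in dirs:
        base = Path(d)
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*.service")):
            if not path.is_file():
                continue
            st = path.stat()
            if not mode_writable(st, uid, gids):
                continue
            service = parse_unit(path.read_text(errors="replace")).get("Service", {})
            findings.append({
                "path": str(path),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                # systemd runs the service as root when User= is absent.
                "user": service.get("User", ["root"])[0],
                "exec_start": service.get("ExecStart", []),
            })
    return findings


# Constructed unit modelled on the one described above; the unit name, the
# service account and the script path are hypothetical.
CONSTRUCTED_UNIT = """\
[Unit]
Description=Werkzeug API on port 50000

[Service]
User=apiuser
WorkingDirectory=/opt/api
ExecStart=/usr/bin/python3 /opt/api/app.py
Restart=always

[Install]
WantedBy=multi-user.target
"""


def demo():
    """Write one world-writable and one read-only copy of the constructed
    unit into a temp directory and scan it; only the writable one is reported."""
    tmp = Path(tempfile.mkdtemp(prefix="units-"))
    weak = tmp / "api.service"
    weak.write_text(CONSTRUCTED_UNIT)
    weak.chmod(0o666)
    locked = tmp / "locked.service"
    locked.write_text(CONSTRUCTED_UNIT)
    locked.chmod(0o444)
    return find_writable_units([tmp])


if __name__ == "__main__":
    for f in find_writable_units(UNIT_DIRS) + demo():
        print(f"{f['path']} mode={f['mode']} User={f['user']} ExecStart={f['exec_start']}")
```

Anything this reports is a root shell waiting for the next restart: the fix is root:root ownership with mode 644 on the unit, and the same check is worth extending to the files named in ExecStart=, since a writable script is as good as a writable unit.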

But we cannot restart the service ourselves: systemctl needs root, and our sudo rights do not include it. The unit is enabled, though (it is what brought the application up on port 50000), so on the next boot systemd will run our modified ExecStart= as root.

Instead, we use the reboot command with sudo, which sudo -l showed we are allowed to run:

Before we execute the command above I started another netcat listener:

After waiting about a minute for the machine to reboot:

We got a shell as root.

Let's get the flags:
