Plum
2025-3-20
Date: Mar 19, 2025 → Mar 19, 2025
Tags: Nmap, Brute Force, Privilege Escalation Techniques

192.168.190.28

Nmap

─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 07:43 EDT
Nmap scan report for 192.168.190.28
Host is up (0.050s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
35000/tcp filtered heathview

Nmap done: 1 IP address (1 host up) scanned in 16.55 seconds

└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 07:44 EDT
Warning: 192.168.190.28 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.190.28
Host is up (0.054s latency).
All 65535 scanned ports on 192.168.190.28 are in ignored states.
Not shown: 65388 open|filtered udp ports (no-response), 147 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 145.04 seconds

22

Brute force
Could not find it.

80

Scanning, and found it.
Try admin:admin, and the login succeeds.
Try to upload the reverse shell file, but it is not allowed.
But we can upload other files. I tried to rename it to *.php, but it does not work.
We switch the media path and can see the contents of that path.
We only need to change the content of static 1, and then it will be used.
We use a reverse shell and get it.

Privilege Escalation

We found a service running on port 25, which is ESMTP Exim.
We try running exim -bp but get permission denied, so we try to access the email directories:
  • /var/spool/exim4/
  • /var/log/exim4/ (we can try our luck in case there is any email content in the log)
  • /var/mail/
  • /var/spool/mail/
Got the root password.
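
The escalation above depended on a low-privileged shell being able to read mail data. As an added example (not part of the original write-up), this shell script flags world-readable files and world-listable directories under the four mail paths listed above so an administrator can tighten them; the function names and the `all` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the mail locations named in the write-up for
# permissions that let any local account read queued or delivered mail.
MAIL_DIRS="/var/spool/exim4 /var/log/exim4 /var/mail /var/spool/mail"

# Print one finding per line for each directory given (default: MAIL_DIRS).
audit_mail_perms() {
    [ "$#" -gt 0 ] || set -- $MAIL_DIRS
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -H follows a symlinked starting point (/var/spool/mail is often one).
        # -perm -0004: the "other" read bit is set on a regular file.
        find -H "$dir" -type f -perm -0004 2>/dev/null |
            sed 's/^/world-readable file: /'
        # -perm -0005: "other" may list and enter the directory.
        find -H "$dir" -type d -perm -0005 2>/dev/null |
            sed 's/^/world-listable dir: /'
    done
}

# Succeed only when the audit reports nothing.
mail_perms_ok() {
    [ -z "$(audit_mail_perms "$@")" ]
}

# "all" audits MAIL_DIRS, other arguments are taken as directories,
# and no argument only defines the functions.
case "${1:-}" in
    "")  ;;
    all) audit_mail_perms ;;
    *)   audit_mail_perms "$@" ;;
esac
```

On many distributions /var/mail itself is world-listable by default, so the per-file findings are the ones to fix first.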