Date
Mar 19, 2025 → Mar 19, 2025
Tag
Nmap
Brute Force
Privilege Escalation Techniques
192.168.190.28
Nmap
─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 07:43 EDT
Nmap scan report for 192.168.190.28
Host is up (0.050s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
35000/tcp filtered heathview
Nmap done: 1 IP address (1 host up) scanned in 16.55 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 07:44 EDT
Warning: 192.168.190.28 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.190.28
Host is up (0.054s latency).
All 65535 scanned ports on 192.168.190.28 are in ignored states.
Not shown: 65388 open|filtered udp ports (no-response), 147 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 145.04 seconds
22
brute force
could not found it
80
scanning
and found it
try admin:admin and login success
try to upload the reverse shell file, but it is not allowed
but we can upload other file, and i try to rename it to *.php, but it is not work
we switch the path of media and can see the content of the path
we only need to change the content of static 1 then will be use it.
we use reverse shell then get it
Privilege Escalation
we found it is running on port 25 which is ESMTP Exim
we try to running
exim -bp but permission denied, try try access email directory- /var/spool/exim4/
- /var/log/exim4/ ( can try our luck if any email content in log)
- /var/mail/
- /var/spool/mail/
got root password
