Date: Mar 19, 2025 → Mar 19, 2025
Tags: Nmap, Brute Force, Privilege Escalation Techniques
192.168.190.28
Nmap
─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 07:43 EDT
Nmap scan report for 192.168.190.28
Host is up (0.050s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
35000/tcp filtered heathview
Nmap done: 1 IP address (1 host up) scanned in 16.55 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-19 07:44 EDT
Warning: 192.168.190.28 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.190.28
Host is up (0.054s latency).
All 65535 scanned ports on 192.168.190.28 are in ignored states.
Not shown: 65388 open|filtered udp ports (no-response), 147 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 145.04 seconds
22
brute force

Could not find it.
80

Scanned and found it.

Tried admin:admin and the login succeeded.


Tried to upload the reverse shell file, but it is not allowed.

We can upload other files, though. I tried renaming one to *.php, but that did not work.

We switched the media path and could see the contents of that path.


We only need to change the content of static 1, and then it will be used.

We used the reverse shell and got it.

Privilege Escalation

We found a service running on port 25, which is ESMTP Exim.
We tried running
exim -bp
but got permission denied, so we tried accessing the email directories:
- /var/spool/exim4/
- /var/log/exim4/ (we can try our luck in case any email content is in the log)
- /var/mail/
- /var/spool/mail/

Got the root password.
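
A defender-side check for the exposure these notes end on, as an added example that is not part of the original notes: it reports files and directories under the four mail paths listed above whose mode bits grant access to every local account. The root-prefix argument and the output labels are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original notes): report mail-related files and
# directories whose mode bits grant access to every local account.
# MAIL_DIRS holds the four paths listed in the notes. The optional root-prefix
# argument is an assumption of this example, for auditing a mounted image.

MAIL_DIRS="/var/spool/exim4 /var/log/exim4 /var/mail /var/spool/mail"

audit_mail_dirs() {
    root="${1:-}"
    findings=$(
        for d in $MAIL_DIRS; do
            path="$root$d"
            # /var/spool/mail is often a symlink to /var/mail; skip it so the
            # same tree is not reported twice.
            if [ -L "$path" ] || [ ! -d "$path" ]; then
                continue
            fi
            # Files with the "other" read bit set: readable by any local user.
            find "$path" -type f -perm -o=r 2>/dev/null |
                sed 's/^/WORLD-READABLE-FILE /'
            # Directories "other" can list and enter: they expose file names
            # and make the read bit above reachable.
            find "$path" -type d -perm -o=rx 2>/dev/null |
                sed 's/^/WORLD-LISTABLE-DIR /'
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1    # non-zero so cron or CI can alert on it
    fi
    return 0
}

# Usage on a live host (run as root so every subdirectory is visible):
#   audit_mail_dirs || echo "tighten with: chmod o-rwx <path>"
```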
