lunar
2025-3-27
Date: Mar 23, 2025
Tags: Nmap, Web Exploitation, Privilege Escalation Techniques

192.168.140.216

Nmap

└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 03:11 EDT
Nmap scan report for 192.168.140.216
Host is up (0.062s latency).
Not shown: 65526 closed tcp ports (conn-refused)
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
2049/tcp  open  nfs
34239/tcp open  unknown
42211/tcp open  unknown
47845/tcp open  unknown
49837/tcp open  unknown
50641/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 13.92 seconds

└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 03:11 EDT
Warning: 192.168.140.216 giving up on port because retransmission cap hit (10).
Nmap scan report for 192.168.140.216
Host is up (0.071s latency).
Not shown: 65381 open|filtered udp ports (no-response), 148 closed udp ports (port-unreach)
PORT      STATE SERVICE
111/udp   open  rpcbind
2049/udp  open  nfs
35943/udp open  unknown
39538/udp open  unknown
47522/udp open  unknown
60884/udp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 145.23 seconds

└─# nmap -Pn -n $ip -sC -sV -p- --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-23 03:13 EDT
Nmap scan report for 192.168.140.216
Host is up (0.065s latency).
Not shown: 65517 closed tcp ports (reset), 10 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp    open  http     Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Lunar Studio
111/tcp   open  rpcbind  2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100003  3           2049/udp   nfs
|   100003  3,4         2049/tcp   nfs
|   100005  1,2,3      39538/udp   mountd
|   100005  1,2,3      45271/tcp   mountd
|   100021  1,3,4      34853/tcp   nlockmgr
|   100021  1,3,4      39816/udp   nlockmgr
|   100227  3           2049/tcp   nfs_acl
|_  100227  3           2049/udp   nfs_acl
2049/tcp  open  nfs      3-4 (RPC #100003)
34853/tcp open  nlockmgr 1-4 (RPC #100021)
37339/tcp open  mountd   1-3 (RPC #100005)
40115/tcp open  mountd   1-3 (RPC #100005)
45271/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.65 seconds

2049

notion image
Access was denied.

80

notion image
notion image
After downloading it, we can see the password-verification logic in the PHP file login.php.
notion image
[email protected] is the username, and we need to bypass strcmp() by adding [] to the password parameter (sending it as an array).
notion image
notion image
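The comparison pattern the writeup bypasses, beside a hardened version. This is an added example, not the target's login.php; the function names, the request arrays and the stored credential are assumptions.

```php
<?php
// Added example, not the target's login.php: the comparison style that the
// writeup bypasses with password[]=..., beside a hardened check.
// Function names, the request arrays and the stored credential are assumptions.

// Vulnerable: on PHP 7.x, strcmp() given an array emits a warning and returns
// NULL instead of an int; NULL == 0 is true, so the check passes without the
// password. (PHP 8 throws a TypeError for the array argument instead.)
function check_password_vulnerable(string $expected, $supplied): bool
{
    return strcmp($expected, $supplied) == 0;
}

// Minimal fix: reject non-strings and compare in constant time with a strict
// result. Still compares a plaintext secret, so only a stop-gap.
function check_password_strict(string $expected, $supplied): bool
{
    return is_string($supplied) && hash_equals($expected, $supplied);
}

// Proper fix: store a password hash and let password_verify() do the
// comparison; the type check stays as defence in depth.
function check_password_hardened(string $storedHash, $supplied): bool
{
    if (!is_string($supplied)) {
        return false;
    }
    return password_verify($supplied, $storedHash);
}

// Constructed request bodies: a normal login and the array trick.
$normal = ['username' => 'user@example.com', 'password' => 'wrong-guess'];
$bypass = ['username' => 'user@example.com', 'password' => ['']];  // password[]=

$secret = 'correct horse battery staple';            // constructed secret
$hash   = password_hash($secret, PASSWORD_DEFAULT);

var_dump(check_password_vulnerable($secret, $normal['password']));
var_dump(@check_password_vulnerable($secret, $bypass['password']));  // passes on PHP 7
var_dump(check_password_strict($secret, $bypass['password']));
var_dump(check_password_hardened($hash, $bypass['password']));
var_dump(check_password_hardened($hash, $secret));
```

The root cause is the loose `== 0` on a function that can return something other than an int; a code review rule that flags `strcmp(...) == 0` and `strcmp(...) != 0`, or a php.ini with `display_errors` off and the "expects parameter 2 to be string, array given" warning shipped to a log, makes both the bug and the attempts visible.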
After logging in, we can see that the page we are accessing is the PHP file dashboard, so we check dashboard for any suspicious content.
notion image
If the ext parameter is not set, it defaults to .php. However, if ext is specified, that file will be included in the current page.
notion image
We get remote code execution by including PHP code via access.log, so we can now spawn a reverse shell.
notion image
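The include pattern behind the ext parameter, beside an allowlisted version. This is an added example, not the target's dashboard.php; the parameter name ext and its default of .php come from the writeup, while the way ext is joined to the file name, the view directory and the allowlist are assumptions.

```php
<?php
// Added example, not the target's dashboard.php. The parameter name ext and its
// default of .php come from the writeup; how ext is joined to a file name, the
// view names and the allowlist are assumptions.

// Vulnerable pattern: the request decides what include() loads. Any file the
// web server can read can be pulled in, and a file that contains PHP text (the
// writeup uses the Apache access.log) is executed, which is the RCE above.
function render_dashboard_vulnerable(array $get): void
{
    $ext = $get['ext'] ?? '.php';
    include 'dashboard' . $ext;
}

// Hardened pattern: map the request onto a fixed set of files and verify the
// resolved path stays under the view directory.
const DASHBOARD_VIEWS = [          // assumed allowlist of views
    '.php'  => 'dashboard.php',
    '.html' => 'dashboard.html',
];

function resolve_dashboard_view(array $get, string $viewDir): ?string
{
    $ext = $get['ext'] ?? '.php';
    if (!is_string($ext) || !array_key_exists($ext, DASHBOARD_VIEWS)) {
        return null;                              // unknown value: refuse
    }
    $base = realpath($viewDir);
    $path = realpath($viewDir . '/' . DASHBOARD_VIEWS[$ext]);
    if ($base === false || $path === false) {
        return null;                              // view missing: refuse
    }
    // realpath() resolves ../ and symlinks; the prefix test catches an escape.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_dashboard_hardened(array $get, string $viewDir): void
{
    $path = resolve_dashboard_view($get, $viewDir);
    if ($path === null) {
        http_response_code(400);
        echo 'bad request';
        return;
    }
    include $path;
}

// Constructed requests: the default view and a traversal attempt.
$viewDir = __DIR__ . '/views';
var_dump(resolve_dashboard_view(['ext' => '.php'], $viewDir));
var_dump(resolve_dashboard_view(['ext' => '../../../some/other/file'], $viewDir));
```

Two server-side settings limit the blast radius even when the include bug is present: `open_basedir` keeps include() inside the application tree, and `allow_url_include=Off` (the default) stops remote includes. The log-poisoning chain is also self-documenting for a defender: the PHP text has to land in access.log first, so a request whose User-Agent or URI contains `<?php` is the indicator to alert on.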
Then we found liam's SSH key in /opt, so we can log in as liam.
notion image
We run linpeas.sh to look for any information we can use.
notion image
notion image
notion image
We use the first one. Since we already checked that the NFS export only allows localhost, we add our IP to the hosts file as localhost.
notion image
Since this path is exported with no_root_squash, we can use it for privilege escalation. First we write a C program that spawns a root bash (or whatever you want), then compile it.
notion image
Add the setuid bit (chmod +s) to the file and execute it on the target machine.
notion image
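The export option that makes this step work, beside the corrected line. This is an added example and not the target's real /etc/exports; the export path and client address are assumptions, only the no_root_squash setting comes from the writeup.

```text
# /etc/exports -- the weak export the writeup relies on (path and client assumed)
/srv/share    127.0.0.1(rw,sync,no_root_squash)

# Hardened: remote root is mapped to nobody (root_squash, the default), so a file
# written over NFS is never root-owned and a chmod +s on it grants nothing.
/srv/share    127.0.0.1(rw,sync,root_squash,no_subtree_check)
```

After changing the file, `exportfs -ra` reloads it and `exportfs -v` prints the effective options per export; a configuration audit that flags any line containing `no_root_squash` catches this class of misconfiguration before a writeup does. Where the exported directory is its own filesystem, mounting it on the server with nosuid additionally stops setuid bits in that tree from being honoured.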
got it