• Vosman


Updated: Jul 30, 2021



# Nmap 7.91 scan initiated Sat May 29 10:06:38 2021 as: nmap -sCV -vv -oA nmap/nmap_scriptkiddieScript
Nmap scan report for
Host is up, received echo-reply ttl 63 (0.017s latency).
Scanned at 2021-05-29 10:06:38 BST for 7s
Not shown: 998 closed ports
Reason: 998 resets
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC/YB1g/YHwZNvTzj8lysM+SzX6dZzRbfF24y3ywkhai4pViGEwUklIPkEvuLSGH97NJ4y8r9uUXzyoq3iuVJ/vGXiFlPCrg+QDp7UnwANBmDqbVLucKdor+JkWHJJ1h3ftpEHgol54tj+6J7ftmaOR29Iwg+FKtcyNG6PY434cfA0Pwshw6kKgFa+HWljNl+41H3WVua4QItPmrh+CrSoaA5kCe0FAP3c2uHcv2JyDjgCQxmN1GoLtlAsEznHlHI1wycNZGcHDnqxEmovPTN4qisOKEbYfy2mu1Eqq3Phv8UfybV8c60wUqGtClj3YOO1apDZKEe8eZZqy5eXU8mIO+uXcp5zxJ/Wrgng7WTguXGzQJiBHSFq52fHFvIYSuJOYEusLWkGhiyvITYLWZgnNL+qAVxZtP80ZTq+lm4cJHJZKl0OYsmqO0LjlMOMTPFyA+W2IOgAmnM+miSmSZ6n6pnSA+LE2Pj01egIhHw5+duAYxUHYOnKLVak1WWk/C68=
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJA31QhiIbYQMUwn/n3+qcrLiiJpYIia8HdgtwkI8JkCDm2n+j6dB3u5I17IOPXE7n5iPiW9tPF3Nb0aXmVJmlo=
|   256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWjCdxetuUPIPnEGrowvR7qRAR7nuhUbfFraZFmbIr4
5000/tcp open  http    syn-ack ttl 63 Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods: 
|_  Supported Methods: POST HEAD OPTIONS GET
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 29 10:06:45 2021 -- 1 IP address (1 host up) scanned in 7.53 seconds

OK two ports open:

22: SSH tells us it's an Ubuntu box

5000: Unusual port but NMAP says it's running a web server

A further full TCP port scan didn't find anything.

Let's go see what's at port 5000.

Web Server on port 5000

OK looks simple enough but there are no links to anywhere else. Let's give it a quick directory enumeration.


gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt

Turned up nothing.

Right, looks like it's just one web application page. There has to be a way in through this page somewhere. Let's go dig into the application.

Web Investigation

Three input functions perform some server side commands based on user input:


The nmap option does work but I can't do much with that as the input field won't take anything other than the required IP formated string. I tried to manipulate the input in BurpSuite but nothing seems to work


The payloads option is more interesting as it takes a file upload. It has three options Windows, Linux and Android. When supplying input it generates a meterpreter payload so this must be using msfvemon or msfpayload to generate it on the back end. Will need to investigate this further.


The sploits options appears to search the searchsploit database on the back end. I've had a play with the inputs but it only seems to search the database and I can't see a way to break out. I'll have a look at this in BurpSuite and see if there's something more interesting here.

Exploiting The Host

Ok so the nmap field is pretty boring so I think the next two areas are the more likely way into this box.

Poking at the Searchsploit Input Field

Let's take a look at the sploits option and see if there's anything there we can do.

First let's capture a request in BurpSuite:

Ok, this brings back a lot of entries from the searchsploit database but it seems to match what I have on my system so it looks like it is an actual real version of the database. This indicates to me that Metasploit is installed on this box for real which could be interesting.

I tried to play around with the input parameters but nothing very interesting happened. Some changes and some error messages but nothing that would indicate a way on to the box, so I need to rethink this approach.

Let's have a look at the response header:

We can see it's running Werkzeug/0.16.1 webserver. Let's take a look and see if there's any vulnerabilities for this.

Searching the searchsploit database on my host I see there is a Python script that can execute code on the server if the server has its debug console enabled.

Let's take a look at the exploit code:

#!/usr/bin/env python
import requests
import sys
import re
import urllib

# usage : python exploit.py 192.168.56