Learn about active recon, web app attacks and privilege escalation.

Reconnaissance

  1. scan ports to find open services and their versions
  2. nmap -sV <ip>
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))

Locating directories using Gobuster

Using gobuster, a fast directory-discovery tool, locate a directory that accepts uploads, then upload a shell.

  1. scan for directories
  2. gobuster dir -u <ip>:<port> -w <path to wordlist>
    • -e print full URLs
    • -u target url
    • -w path to wordlist
    • -U and -P username and password for basic auth
    • -p proxy for requests
    • -c cookie for simulating auth
/images (Status: 301)
/css (Status: 301)
/js (Status: 301)
/internal (Status: 301)

Compromise the Webserver

  1. fuzz the upload form to find which file extensions are blocked, based on what the server runs (here Apache, so PHP)
  2. use Burp Suite with a wordlist of extensions
  3. .phtml is not being blocked
  4. get a .phtml reverse shell
  5. start a netcat listener: nc -lvnp 1234
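Added illustration, not part of these notes: why an extension deny-list lets .phtml through, and an allow-list check that does not. The handler pattern is the one from Ubuntu's Apache PHP module config; the deny-list and the allowed image extensions are assumptions for the example.

```python
import os
import re

# Deny-list a naive upload filter might use (constructed for this example)
DENY_LIST = {".php", ".php3", ".php4", ".php5"}

# Pattern from Ubuntu's Apache PHP module config (mods-available/php*.conf):
# any file matching it is handed to the PHP interpreter, so .phtml and .phar
# are just as executable as .php
PHP_HANDLER_RE = re.compile(r".+\.ph(ar|p|tml)$", re.IGNORECASE)

# Extensions an image-upload form legitimately needs (assumption)
ALLOW_LIST = {".jpg", ".jpeg", ".png", ".gif"}


def denylist_check(filename: str) -> bool:
    """Vulnerable filter: rejects only the extensions in DENY_LIST."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENY_LIST


def allowlist_check(filename: str) -> bool:
    """Hardened filter: accepts only allow-listed extensions, exactly one dot
    (so shell.phtml.jpg is refused), and nothing the PHP handler would run."""
    base = os.path.basename(filename)
    name, ext = os.path.splitext(base)
    if not name or base.count(".") != 1:
        return False
    if ext.lower() not in ALLOW_LIST:
        return False
    return PHP_HANDLER_RE.match(base) is None


def audit_denylist(candidates):
    """Defender's check: names the deny-list accepts but Apache would execute,
    i.e. the gaps an extension-fuzzing run against the form would find."""
    return [c for c in candidates
            if denylist_check(c) and PHP_HANDLER_RE.match(c)]


if __name__ == "__main__":
    # constructed sample of names an uploader might submit
    sample = ["photo.png", "shell.php", "shell.phtml", "shell.phar", "shell.phtml.jpg"]
    for name in sample:
        print(f"{name:16} denylist={denylist_check(name)} allowlist={allowlist_check(name)}")
    print("deny-list gaps:", audit_denylist(sample))
```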

Privilege Escalation

  1. get an enumeration script such as linpeas onto the target
  2. run it to scan for escalation possibilities
  3. look up the flagged binaries on GTFOBins
Last modified 2023.11.02