$ nmap -p- --min-rate 4000 192.168.202.59
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-06 21:57 +08
Nmap scan report for 192.168.202.59
Host is up (0.17s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp closed domain
80/tcp open http
5000/tcp open upnp
11211/tcp open memcache
Memcache was open, of all things. I did a detailed nmap scan as well:
$ sudo nmap -p 80,5000,11211 -sC -sV --min-rate 4000 192.168.202.59
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-06 21:58 +08
Nmap scan report for 192.168.202.59
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3
|_http-generator: Gatsby 2.22.15
|_http-server-header: nginx/1.10.3
|_http-title: Gatsby + Netlify CMS Starter
5000/tcp open http Werkzeug httpd 1.0.1 (Python 3.5.3)
|_http-server-header: Werkzeug/1.0.1 Python/3.5.3
|_http-title: Hello, world!
11211/tcp open memcached Memcached 1.4.33 (uptime 150 seconds)
Interesting.
Web + Memcache Enum
Port 80 looked rather static:
There was no public exploit for this software either, so let's move on. Port 5000 looked way more promising:
We can login, and there's no additional functionality with this website. Viewing the requests, we can see that the login just assigned us a token:
Moving to Memcache, we can dump it using memcdump. We instantly get loads of tokens:
I made a copy of all these files within my home directory, and began decrypting it using openssl. From the python script and based on the documentation for des, the key would be 87629ae8 and the IV is all null bytes.
Since the key is interpreted as a bytes type object, we need to convert it to hex, which would give 3837363239616538.
