Twiggy
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 4000 192.168.219.62
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 11:10 +08
Nmap scan report for 192.168.219.62
Host is up (0.17s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
4505/tcp open unknown
4506/tcp open unknown
8000/tcp open http-alt
Did a detailed nmap scan as well:
$ sudo nmap -p 22,53,80,4505,4506,8000 -sC -sV --min-rate 3000 192.168.219.62
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 11:11 +08
Nmap scan report for 192.168.219.62
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 447d1a569b68aef53bf6381773165d75 (RSA)
| 256 1c789d838152f4b01d8e3203cba61893 (ECDSA)
|_ 256 08c912d97b9898c8b3997a19822ea3ea (ED25519)
53/tcp open domain NLnet Labs NSD
80/tcp open http nginx 1.16.1
|_http-title: Home | Mezzanine
|_http-server-header: nginx/1.16.1
4505/tcp open zmtp ZeroMQ ZMTP 2.0
4506/tcp open zmtp ZeroMQ ZMTP 2.0
8000/tcp open http nginx 1.16.1
|_http-title: Site doesn't have a title (application/json).
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.16.1
Salt API -> RCE
Port 8000 looked the most interesting since it was only returning JSON data. Visiting it just shows a few 'clients':

When we view the headers, we can see that this is using a program called Salt API:
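As an added defender-side example (not part of the original walkthrough), the script below parses nmap service-scan output like the one above and flags the SaltStack management surface it exposes: the salt-master ZeroMQ ports 4505/4506 and a JSON-serving HTTP listener on 8000 that may be salt-api. The port numbers are Salt defaults (assumed, not confirmed by the page), and the sample input is re-typed from the scan above so the script runs offline.

```python
import re

# Constructed sample input: the service-scan lines from the walkthrough above,
# re-typed here so the script runs without a live target.
SAMPLE_NMAP = """\
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
53/tcp open domain NLnet Labs NSD
80/tcp open http nginx 1.16.1
|_http-title: Home | Mezzanine
4505/tcp open zmtp ZeroMQ ZMTP 2.0
4506/tcp open zmtp ZeroMQ ZMTP 2.0
8000/tcp open http nginx 1.16.1
|_http-title: Site doesn't have a title (application/json).
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(\S+?):\s*(.*)$")

# Assumed Salt defaults: salt-master publishes on 4505 and takes requests on
# 4506 (both ZeroMQ); salt-api is commonly served over HTTP on 8000.
SALT_MASTER_PORTS = {4505, 4506}
SALT_API_PORT = 8000


def parse_nmap(text):
    """Parse nmap normal output into {port: {state, service, version, scripts}}."""
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = {"state": m.group(3), "service": m.group(4),
                              "version": m.group(5), "scripts": {}}
            continue
        s = SCRIPT_RE.match(line)
        if s and current is not None:  # NSE script line belongs to the last port
            ports[current]["scripts"][s.group(1)] = s.group(2)
    return ports


def salt_exposure(text):
    """Return findings describing a network-reachable SaltStack management surface."""
    ports, findings = parse_nmap(text), []
    master = sorted(p for p in SALT_MASTER_PORTS
                    if ports.get(p, {}).get("state") == "open"
                    and ports[p]["service"] == "zmtp")
    if master:
        findings.append(f"salt-master ZeroMQ ports reachable: {master}; restrict to minions")
    api = ports.get(SALT_API_PORT, {})
    if api.get("state") == "open" and "application/json" in api["scripts"].get("http-title", ""):
        findings.append("port 8000 serves JSON over HTTP: likely salt-api; verify headers, firewall it")
    return findings
```

Run it against the walkthrough sample and it reports both the ZeroMQ pair and the JSON listener on 8000; a host showing only SSH produces no findings.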

There are some exploits for Salt here:
The last one looks like the most reliable, and it works:

Rooted!