seekorswim My Security Blog

Kioptrix: 2014

VulnHub URL: https://www.vulnhub.com/entry/kioptrix-2014-5,62/
Hostname: kioptrix2014
IP Address: 10.183.0.205


Information Gathering/Recon


The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.205.

NOTE: I had to remove and re-add the network adapter on the VM to get DHCP to work properly.


Service Enumeration/Scanning


root@kali:~/Walkthroughs/kioptrix2014# nmap -Pn -sT -sV -A -oA kioptrix2014 -p 1-65535 10.183.0.205
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-17 14:01 EDT
Nmap scan report for kioptrix2014.homenet.dom (10.183.0.205)
Host is up (0.0036s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   closed ssh
80/tcp   open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
8080/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
MAC Address: 00:0C:29:8D:66:A6 (VMware)
Device type: general purpose|specialized|storage-misc
Running (JUST GUESSING): FreeBSD 9.X|10.X|7.X|8.X|6.X (93%), AVtech embedded (91%), Linux 2.6.X (90%)
OS CPE: cpe:/o:freebsd:freebsd:9 cpe:/o:freebsd:freebsd:10 cpe:/o:linux:linux_kernel:2.6 cpe:/o:freebsd:freebsd:7 cpe:/o:freebsd:freebsd:8 cpe:/o:freebsd:freebsd:6.2 cpe:/a:nas4free:nas4free cpe:/o:freebsd:freebsd:10.2
Aggressive OS guesses: FreeBSD 9.0-RELEASE - 10.3-RELEASE (93%), AVtech Room Alert 26W environmental monitor (91%), Linux 2.6.18 - 2.6.22 (90%), FreeBSD 7.0-RELEASE - 9.0-RELEASE (88%), FreeBSD 7.0-RELEASE (87%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (87%), FreeBSD 9.3-RELEASE (86%), FreeBSD 8.1-RELEASE (86%), FreeBSD 8.0-RELEASE (85%), FreeBSD 9.1-RELEASE or 10.1-RELEASE (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop


TRACEROUTE
HOP RTT     ADDRESS
1   3.65 ms kioptrix2014.homenet.dom (10.183.0.205)


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 140.30 seconds


HackLAB: Vulnix

VulnHub URL: https://www.vulnhub.com/entry/hacklab-vulnix,48/
Hostname: vulnix
IP Address: 10.183.0.191


Information Gathering/Recon


The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.191.


Service Enumeration/Scanning


root@kali:~/Walkthroughs/vulnix# nmap -Pn -sT -sV -sC -A -oA vulnix -p 1-65535 10.183.0.191
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-24 23:33 EDT
Nmap scan report for vulnix.homenet.dom (10.183.0.191)
Host is up (0.0029s latency).
Not shown: 65518 closed ports
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 10:cd:9e:a0:e4:e0:30:24:3e:bd:67:5f:75:4a:33:bf (DSA)
|   2048 bc:f9:24:07:2f:cb:76:80:0d:27:a6:48:52:0a:24:3a (RSA)
|_  256 4d:bb:4a:c1:18:e8:da:d1:82:6f:58:52:9c:ee:34:5f (ECDSA)
25/tcp    open  smtp       Postfix smtpd
|_smtp-commands: vulnix, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
|_ssl-date: 2019-04-25T03:34:55+00:00; +6s from scanner time.
79/tcp    open  finger     Linux fingerd
|_finger: No one logged on.\x0D  
110/tcp   open  pop3       Dovecot pop3d
|_pop3-capabilities: CAPA STLS SASL PIPELINING UIDL TOP RESP-CODES
|_ssl-date: 2019-04-25T03:34:55+00:00; +6s from scanner time.
111/tcp   open  rpcbind    2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      48766/udp  mountd
|   100005  1,2,3      52406/tcp  mountd
|   100021  1,3,4      40343/udp  nlockmgr
|   100021  1,3,4      59897/tcp  nlockmgr
|   100024  1          39331/tcp  status
|   100024  1          52861/udp  status
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
143/tcp   open  imap       Dovecot imapd
|_imap-capabilities: OK IDLE IMAP4rev1 SASL-IR more have post-login LOGIN-REFERRALS capabilities Pre-login listed STARTTLS ID LITERAL+ ENABLE LOGINDISABLEDA0001
|_ssl-date: 2019-04-25T03:34:55+00:00; +6s from scanner time.
512/tcp   open  exec?
513/tcp   open  login?
514/tcp   open  tcpwrapped
993/tcp   open  ssl/imaps?
|_ssl-date: 2019-04-25T03:34:54+00:00; +6s from scanner time.
995/tcp   open  ssl/pop3s?
|_ssl-date: 2019-04-25T03:34:54+00:00; +6s from scanner time.
2049/tcp  open  nfs_acl    2-3 (RPC #100227)
39331/tcp open  status     1 (RPC #100024)
46571/tcp open  mountd     1-3 (RPC #100005)
51367/tcp open  mountd     1-3 (RPC #100005)
52406/tcp open  mountd     1-3 (RPC #100005)
59897/tcp open  nlockmgr   1-4 (RPC #100021)
MAC Address: 00:0C:29:FC:C6:E7 (VMware)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10  
Network Distance: 1 hop
Service Info: Host:  vulnix; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 5s, deviation: 0s, median: 5s

TRACEROUTE
HOP RTT     ADDRESS
1   2.93 ms vulnix.homenet.dom (10.183.0.191)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 233.93 seconds


hackfest2016 : Sedna

VulnHub URL: https://www.vulnhub.com/entry/hackfest2016-sedna,181/
Hostname: sedna
IP Address: 10.183.0.185


Information Gathering/Recon


The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.185.


Service Enumeration/Scanning


root@kali:~/Walkthroughs/hackfest2016/sedna# nmap -Pn -sT -sV -A -p 1-65535 -oA sedna 10.183.0.185
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-15 13:55 EDT
Nmap scan report for Sedna.homenet.dom (10.183.0.185)
Host is up (0.0049s latency).
Not shown: 65523 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|   256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
|_  256 ca:36:3c:32:e6:24:f9:b7:b4:d4:1d:fc:c0:da:10:96 (ED25519)
53/tcp    open  domain      ISC BIND 9.9.5-3 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp    open  http        Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)  
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: SASL STLS UIDL PIPELINING CAPA RESP-CODES TOP AUTH-RESP-CODE
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          44953/udp  status
|_  100024  1          60597/tcp  status
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd (Ubuntu)
|_imap-capabilities: listed SASL-IR IDLE OK post-login ENABLE capabilities Pre-login have LITERAL+ ID more LOGINDISABLEDA0001 LOGIN-REFERRALS STARTTLS IMAP4rev1
|_ssl-date: TLS randomness does not represent time
445/tcp   open  netbios-ssn Samba smbd 4.1.6-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
8080/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat
60597/tcp open  status      1 (RPC #100024)  
MAC Address: 08:00:27:1D:C3:C2 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: SEDNA; OS: Linux; CPE: cpe:/o:linux:linux_kernel


Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: SEDNA, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 4.1.6-Ubuntu)
|   Computer name: sedna
|   NetBIOS computer name: SEDNA\x00
|   Domain name: homenet.dom
|   FQDN: sedna.homenet.dom
|_  System time: 2019-04-15T13:55:59-04:00   
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-04-15 13:55:59
|_  start_date: N/A


TRACEROUTE
HOP RTT     ADDRESS
1   4.94 ms Sedna.homenet.dom (10.183.0.185)


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 163.94 seconds
