seekorswim My Security Blog

hackfest2016 : Quaoar

VulnHub URL: https://www.vulnhub.com/entry/hackfest2016-quaoar,180/
Hostname: quaoar
IP Address: 10.183.0.219

Date started: April 14, 2019 7:36 PM
Date completed: April 15, 2019 9:59 AM


Information Gathering/Recon


The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.219.


Service Enumeration/Scanning


root@kali:~/Walkthroughs/hackfest2016/quaoar# nmap -Pn -sT -A -p 1-65535 -oA quaoar 10.183.0.219
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-14 20:44 EDT
Nmap scan report for Quaoar.homenet.dom (10.183.0.219)
Host is up (0.0025s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid:
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3        Dovecot pop3d
|_pop3-capabilities: PIPELINING TOP SASL CAPA STLS UIDL RESP-CODES
|_ssl-date: 2019-04-15T00:44:46+00:00; 0s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: more ENABLE IDLE SASL-IR ID LITERAL+ LOGIN-REFERRALS post-login have LOGINDISABLEDA0001 Pre-login OK capabilities IMAP4rev1 STARTTLS listed
|_ssl-date: 2019-04-15T00:44:45+00:00; 0s from scanner time.
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imaps?
|_ssl-date: 2019-04-15T00:44:45+00:00; 0s from scanner time.
995/tcp open  ssl/pop3s?
|_ssl-date: 2019-04-15T00:44:45+00:00; 0s from scanner time.
MAC Address: 08:00:27:5A:46:1B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Host script results:
|_clock-skew: mean: 40m00s, deviation: 1h37m59s, median: 0s
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Unix (Samba 3.6.3)
|   Computer name: Quaoar
|   NetBIOS computer name:
|   Domain name: homenet.dom
|   FQDN: Quaoar.homenet.dom
|_  System time: 2019-04-14T20:44:46-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)


TRACEROUTE
HOP RTT     ADDRESS
1   2.50 ms Quaoar.homenet.dom (10.183.0.219)


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.90 seconds

hackfest2016 : Orcus

VulnHub URL: https://www.vulnhub.com/entry/hackfest2016-orcus,182/
Hostname: orcus
IP Address: 10.183.0.220


Information Gathering/Recon


The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.220.


Service Enumeration/Scanning


root@kali:~/Walkthroughs/hackfest2016/orcus# nmap -Pn -sT -sV -A -p 1-65535 -oA orcus 10.183.0.220
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-16 11:24 EDT
Nmap scan report for Orcus.homenet.dom (10.183.0.220)
Host is up (0.0033s latency).
Not shown: 65519 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|   256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
|_  256 c9:a9:c9:0d:df:7c:fc:a7:da:87:ef:d3:38:c3:f2:a6 (ED25519)
53/tcp    open  domain      ISC BIND 9.10.3-P4 (Ubuntu Linux)
| dns-nsid:
|_  bind.version: 9.10.3-P4-Ubuntu
80/tcp    open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 30 disallowed entries (15 shown)
| /exponent.js.php /exponent.js2.php /exponent.php
| /exponent_bootstrap.php /exponent_constants.php /exponent_php_setup.php
| /exponent_version.php /getswversion.php /login.php /overrides.php
| /popup.php /selector.php /site_rss.php /source_selector.php
|_/thumb.php
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp   open  pop3        Dovecot pop3d
|_pop3-capabilities: CAPA PIPELINING UIDL AUTH-RESP-CODE SASL RESP-CODES STLS TOP
|_ssl-date: TLS randomness does not represent time
111/tcp   open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100003  2,3,4       2049/tcp  nfs
|   100003  2,3,4       2049/udp  nfs
|   100005  1,2,3      46869/udp  mountd
|   100005  1,2,3      52432/tcp  mountd
|   100021  1,3,4      42413/tcp  nlockmgr   
|   100021  1,3,4      48272/udp  nlockmgr   
|   100227  2,3         2049/tcp  nfs_acl
|_  100227  2,3         2049/udp  nfs_acl
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp   open  imap        Dovecot imapd
|_imap-capabilities: STARTTLS more OK Pre-login IDLE have LOGINDISABLEDA0001 listed LITERAL+ ENABLE post-login capabilities ID IMAP4rev1 LOGIN-REFERRALS SASL-IR
|_ssl-date: TLS randomness does not represent time
443/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 3a:48:6e:8e:3f:32:26:f8:b6:a1:c6:b1:70:73:37:75 (RSA)
|   256 04:55:e6:48:50:d6:93:d7:12:80:a0:68:bc:97:fa:33 (ECDSA)
|_  256 c9:a9:c9:0d:df:7c:fc:a7:da:87:ef:d3:38:c3:f2:a6 (ED25519)
445/tcp   open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
993/tcp   open  ssl/imaps?
|_ssl-date: TLS randomness does not represent time
995/tcp   open  ssl/pop3s?
|_ssl-date: TLS randomness does not represent time
2049/tcp  open  nfs_acl     2-3 (RPC #100227)
42413/tcp open  nlockmgr    1-4 (RPC #100021)
44598/tcp open  mountd      1-3 (RPC #100005)
46296/tcp open  mountd      1-3 (RPC #100005)
52432/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 08:00:27:96:F8:7B (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: Host: ORCUS; OS: Linux; CPE: cpe:/o:linux:linux_kernel


Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: ORCUS, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: orcus
|   NetBIOS computer name: ORCUS\x00
|   Domain name: homenet.dom
|   FQDN: orcus.homenet.dom
|_  System time: 2019-04-16T11:25:14-04:00   
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-04-16 11:25:14
|_  start_date: N/A


TRACEROUTE
HOP RTT     ADDRESS
1   3.33 ms Orcus.homenet.dom (10.183.0.220)


OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 249.71 seconds

FristiLeaks: 1.3

VulnHub URL: https://www.vulnhub.com/entry/fristileaks-13,133/
Hostname: localhost
IP Address: 10.183.0.208


Information Gathering/Recon


The IP address is obtained via DHCP at boot. In my case, the IP is 10.183.0.208.


Service Enumeration/Scanning


root@kali:~/Walkthroughs/fristileaks13# nmap -Pn -sT -sV -A -oA fristileaks13 -p 1-65535 10.183.0.208
Starting Nmap 7.70 ( https://nmap.org ) at 2019-04-18 10:27 EDT
Nmap scan report for 10.183.0.208
Host is up (0.18s latency).
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.15 ((CentOS) DAV/2 PHP/5.3.3)
| http-methods:
|_  Potentially risky methods: TRACE
| http-robots.txt: 3 disallowed entries
|_/cola /sisi /beer
|_http-server-header: Apache/2.2.15 (CentOS) DAV/2 PHP/5.3.3
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:A5:A6:76 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X|3.X
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
OS details: Linux 2.6.32 - 3.10, Linux 2.6.32 - 3.13
Network Distance: 1 hop

TRACEROUTE
HOP RTT       ADDRESS
1   183.42 ms 10.183.0.208

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1493.27 seconds