Upload exploit suggester to local
12/30/2023

As usual we start with an Nmap scan to detect the open ports of the target system.

Figure 1: Results of Nmap scan

As figure 1 shows, the system is offering multiple services, which is why we enumerate each one in detail, step by step.

When using Nmap to detect service and version information (-sV) on port 21 we see that the target is running a vsftpd daemon of version 2.0.8 or newer. When using Searchsploit to look for any available exploits for vsftpd we find a backdoor exploit for version 2.3.4. When we use Metasploit to test that exploit we do not get any valid response, which is why we assume that the vsftpd version on the target is not vulnerable.

The next thing to check when dealing with FTP enumeration is whether or not anonymous login is allowed. Figure 3 shows that we are able to access the FTP service as user anonymous with a blank password. After the successful login we see that there is a file called note, which we copy to our local machine. Inside the note file we find the following message: "Elly, make sure you update the payload information. Leave it in your FTP account once you are done, John." Since we found two names inside the note we create a file to store all potential usernames. Besides the usernames john and elly we add harry, because that name was mentioned inside the FTP banner.

The service and version information on port 22 shows that the target is using OpenSSH version 7.2p2. For this version it is possible to use a script for username enumeration. For now we won't make use of that and instead continue with enumerating the next port.

The Nmap service and version scan on port 53 tells us that the target is using dnsmasq 2.75. We use that information to see if there are any known vulnerabilities for that service, and indeed there are multiple exploits for dnsmasq below version 2.78. Unfortunately all of them perform a denial of service attack and none can be used to gain a low privileged shell on the target system.

Figure 6: Nmap service and version scan on port 80

As figure 6 shows, Nmap recognizes the service on port 80 as a PHP CLI server of version 5.5 or newer. We try to find exploits for that service but without luck. When we try to browse the web server we are not able to find any valid sites, as shown in figure 7. Even when we use Gobuster to search for valid directories on the web server we have no luck. Since we have a web service without any available exploits and no valid directories we are left with next to zero new information. Since desperate times call for desperate measures we use Nikto to scan the web server for any vulnerabilities. As figure 8 shows, Nikto finds two hidden directories. profile but after downloading and inspecting both files we see that they do not contain any useful information.

Figure 9: Nmap service and version scan on port 139

Once again we use Nmap with option -sV to gather service and version information, this time on port 139. When we search for available exploits we have the problem that we do not know the exact version of the service. There are a lot of exploits available for Samba, but most of them only work with one specific version of the service. Therefore we keep in mind that we could potentially find an exploit for Samba, but for now we keep enumerating further.
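The recurring problem in this enumeration is that Nmap often reports only a version range ("2.0.8 or later", "3.X - 4.X") while most public exploits apply to one exact release, so a version-specific finding cannot be confirmed from the scan alone. The Python below is an added example, not part of the original post: it parses constructed Nmap -sV lines modelled on the services above and gates a hypothetical advisory table on whether an exact version was actually fingerprinted; the SCAN lines, the ADVISORIES table and the function names are assumptions.

```python
import re

# Constructed Nmap -sV lines modelled on the services the writeup enumerates
# (not real scan output from the page).
SCAN = [
    "21/tcp  open  ftp          vsftpd 2.0.8 or later",
    "22/tcp  open  ssh          OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)",
    "53/tcp  open  domain       dnsmasq 2.75",
    "80/tcp  open  http         PHP cli server 5.5 or later",
    "139/tcp open  netbios-ssn  Samba smbd 3.X - 4.X (workgroup: WORKGROUP)",
]

# Hypothetical advisory table built from the version facts stated in the writeup:
# "exact" - only that release is affected (the vsftpd 2.3.4 backdoor)
# "below" - every release before the fix is affected (dnsmasq fixed in 2.78)
ADVISORIES = [("vsftpd", "exact", (2, 3, 4)), ("dnsmasq", "below", (2, 78))]

def parse_service(line):
    """Return (port, product, version_tuple, exact) or None for a non-service line.

    exact is False when Nmap only fingerprinted a range ("2.0.8 or later",
    "3.X - 4.X") or no version at all; such a line cannot confirm a
    version-specific advisory on its own."""
    m = re.match(r"(\d+)/(?:tcp|udp)\s+open\s+\S+\s+(.*)", line)
    if not m:
        return None
    port, banner = int(m.group(1)), m.group(2)
    product = banner.split()[0]                  # first token is the product name
    v = re.search(r"\d+(?:\.\d+)+", banner)      # first dotted version number
    if not v:
        return port, product, None, False
    exact = not re.search(r"\bor (?:later|newer)\b|\.X\b| - ", banner)
    return port, product, tuple(int(x) for x in v.group(0).split(".")), exact

def assess(line, advisories=ADVISORIES):
    """Classify one scan line: vulnerable / not vulnerable / unknown / no advisory."""
    parsed = parse_service(line)
    if parsed is None:
        return None
    port, product, version, exact = parsed
    hits = [a for a in advisories if a[0].lower() == product.lower()]
    if not hits:
        return port, "no advisory"
    if version is None or not exact:
        return port, "unknown"    # range only: needs manual verification, as the writeup did
    for _, kind, ref in hits:
        if (kind == "exact" and version == ref) or (kind == "below" and version < ref):
            return port, "vulnerable"
    return port, "not vulnerable"

if __name__ == "__main__":
    for line in SCAN:
        print(assess(line))
```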