-sC : Default Script
-sV : Version Scan
-A : Aggressive Scan
-p- : Scan all ports TCP/UDP
-oN : Normal (text) output to a file
The first thing I did after reading the Nmap output was to open /robots.txt, where we find several entries. Let's browse each of these directories.
Here, as information, we learn that tftp is running on port 1337, although we did not see it with Nmap.
In this directory, instead, the information is that the RSA key is inside tftp. We also get user information: the user seems to be sv5.
In the last one we find nothing. The first step I want to take is to connect to port 1337 via tftp. So let's go!
As we saw before, we know that the RSA key is inside tftp, so we extract the files with the get command.
We see that there is nothing inside, but there is a very good clue: it tells us to use cewl to extract the words from the site, starting from the default page /index.html.
-d : Depth to spider to, default 2.
-m : Minimum word length, default 3.
Cewl is a powerful tool for extracting words and information from a website. This is my command: cewl -d 10 -m 3 http://192.168.1.125/index.html -w pass.txt
With the command wc -l pass.txt we see how many words the tool extracted from the target site. Now let's go with the brute force on ssh.
And finally we found the password!! We log in over ssh and take the first flag!!!
This is the command: hydra -l sv5 -P pass.txt ssh://192.168.1.125 -t 4
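A brute-force run like the one above leaves a dense burst of "Failed password" lines in the SSH server's auth log, which is what a defender should be alerting on. As an added example (not part of the original writeup), here is a small Python detector run over constructed auth.log lines: the hostname, timestamps and source IPs are invented, and the year is assumed because syslog lines do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not captured from the lab machine);
# hostname, PIDs and source IPs are placeholders.
SAMPLE_LOG = """\
Mar  3 10:00:01 target sshd[2201]: Failed password for sv5 from 192.168.1.50 port 40001 ssh2
Mar  3 10:00:02 target sshd[2203]: Failed password for sv5 from 192.168.1.50 port 40002 ssh2
Mar  3 10:00:02 target sshd[2205]: Failed password for sv5 from 192.168.1.50 port 40003 ssh2
Mar  3 10:00:03 target sshd[2207]: Failed password for invalid user admin from 192.168.1.50 port 40004 ssh2
Mar  3 10:00:04 target sshd[2209]: Failed password for sv5 from 192.168.1.50 port 40005 ssh2
Mar  3 10:00:05 target sshd[2211]: Accepted password for sv5 from 192.168.1.50 port 40006 ssh2
Mar  3 10:05:00 target sshd[2300]: Failed password for sv5 from 10.0.0.7 port 51000 ssh2
Mar  3 10:30:00 target sshd[2400]: Accepted publickey for sv5 from 10.0.0.7 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(line, year=2024):
    """Parse one sshd auth line into (timestamp, result, user, ip), or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")  # year is assumed
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a sliding window
    of window_s seconds. Also record whether the same IP later logged an
    Accepted event, i.e. a guess eventually worked. Lines are assumed in order."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    recent_failures = defaultdict(list)
    flagged = {}
    for ts, result, _user, ip in events:
        if result == "Failed":
            recent_failures[ip].append(ts)
            # keep only failures that fall inside the window ending at this event
            recent_failures[ip] = [t for t in recent_failures[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent_failures[ip]) >= threshold and ip not in flagged:
                flagged[ip] = {"failed": len(recent_failures[ip]), "success_after": False}
        elif ip in flagged:
            flagged[ip]["success_after"] = True
    return flagged
```

The same burst is what fail2ban-style tooling keys on; a successful login following a flagged burst is the case worth escalating first.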
# Horizontal Privilege Escalation:
Ok, I used sudo -l to see if there is any vulnerability in sudo, and we found it. Now you can go and see the use of vi on this link: https://gtfobins.github.io/
First, create any file in the /tmp folder like I do.
Now just follow what GTFOBins tells you in the sudo section.
Press enter and we are ROOT!
I hope I helped you guys. Good luck.