# Nmap 7.94SVN scan initiated Sun Jun 30 04:33:57 2024 as: nmap -Pn -sCV --open -p- -min-rate 10000 -oN Nmap/Initial-exfiltrated -vvv exfiltrated
Nmap scan report for exfiltrated (192.168.223.163)
Host is up, received user-set (0.095s latency).
Scanned at 2024-06-30 04:33:58 EDT for 17s
Not shown: 65325 closed tcp ports (reset), 208 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| 256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0EdIHR7NOReMM0G7C8zxbLgwB3ump+nb2D3Pe3tXqp/6jNJ/GbU2e4Ab44njMKHJbm/PzrtYzojMjGDuBlQCg=
| 256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCc0saExmeDXtqm5FS+D5RnDke8aJEvFq3DJIr0KZML
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to <http://exfiltrated.offsec/>
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 7 disallowed entries
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/
|_/updates/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 09BDDB30D6AE11E854BFF82ED638542B
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Sun Jun 30 04:34:15 2024 -- 1 IP address (1 host up) scanned in 17.26 seconds
The machine has two ports open (a classic Linux CTF-like machine).
Let's do some enumeration on these two ports.
# Dirsearch started Sun Jun 30 04:38:44 2024 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u <http://exfiltrated> -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
302 0B <http://exfiltrated/0> -> REDIRECTS TO: <http://exfiltrated.offsec/0>
302 0B <http://exfiltrated/1> -> REDIRECTS TO: <http://exfiltrated.offsec/1>
302 0B <http://exfiltrated/!> -> REDIRECTS TO: <http://exfiltrated.offsec/!>
302 0B <http://exfiltrated/2> -> REDIRECTS TO: <http://exfiltrated.offsec/2>
302 0B <http://exfiltrated/3> -> REDIRECTS TO: <http://exfiltrated.offsec/3>
302 0B <http://exfiltrated/4> -> REDIRECTS TO: <http://exfiltrated.offsec/4>
302 0B <http://exfiltrated/5> -> REDIRECTS TO: <http://exfiltrated.offsec/5>
302 0B <http://exfiltrated/6> -> REDIRECTS TO: <http://exfiltrated.offsec/6>
302 0B <http://exfiltrated/7> -> REDIRECTS TO: <http://exfiltrated.offsec/7>
302 0B <http://exfiltrated/8> -> REDIRECTS TO: <http://exfiltrated.offsec/8>
302 0B <http://exfiltrated/9> -> REDIRECTS TO: <http://exfiltrated.offsec/9>
302 0B <http://exfiltrated/A> -> REDIRECTS TO: <http://exfiltrated.offsec/A>
302 0B <http://exfiltrated/@> -> REDIRECTS TO: <http://exfiltrated.offsec/@>
302 0B <http://exfiltrated/B> -> REDIRECTS TO: <http://exfiltrated.offsec/B>
302 0B <http://exfiltrated/C> -> REDIRECTS TO: <http://exfiltrated.offsec/C>
302 0B <http://exfiltrated/D> -> REDIRECTS TO: <http://exfiltrated.offsec/D>
302 0B <http://exfiltrated/E> -> REDIRECTS TO: <http://exfiltrated.offsec/E>
302 0B <http://exfiltrated/H> -> REDIRECTS TO: <http://exfiltrated.offsec/H>
302 0B <http://exfiltrated/G> -> REDIRECTS TO: <http://exfiltrated.offsec/G>
302 0B <http://exfiltrated/I> -> REDIRECTS TO: <http://exfiltrated.offsec/I>
302 0B <http://exfiltrated/F> -> REDIRECTS TO: <http://exfiltrated.offsec/F>
302 0B <http://exfiltrated/J> -> REDIRECTS TO: <http://exfiltrated.offsec/J>
302 0B <http://exfiltrated/L> -> REDIRECTS TO: <http://exfiltrated.offsec/L>
302 0B <http://exfiltrated/MANIFEST.MF> -> REDIRECTS TO: <http://exfiltrated.offsec/MANIFEST.MF>
302 0B <http://exfiltrated/M> -> REDIRECTS TO: <http://exfiltrated.offsec/M>
302 0B <http://exfiltrated/N> -> REDIRECTS TO: <http://exfiltrated.offsec/N>
302 0B <http://exfiltrated/O> -> REDIRECTS TO: <http://exfiltrated.offsec/O>
302 0B <http://exfiltrated/P> -> REDIRECTS TO: <http://exfiltrated.offsec/P>
302 0B <http://exfiltrated/R> -> REDIRECTS TO: <http://exfiltrated.offsec/R>
302 0B <http://exfiltrated/S> -> REDIRECTS TO: <http://exfiltrated.offsec/S>
302 0B <http://exfiltrated/Thumbs.db> -> REDIRECTS TO: <http://exfiltrated.offsec/Thumbs.db>
302 0B <http://exfiltrated/T> -> REDIRECTS TO: <http://exfiltrated.offsec/T>
302 0B <http://exfiltrated/U> -> REDIRECTS TO: <http://exfiltrated.offsec/U>
302 0B <http://exfiltrated/V> -> REDIRECTS TO: <http://exfiltrated.offsec/V>
302 0B <http://exfiltrated/W> -> REDIRECTS TO: <http://exfiltrated.offsec/W>
302 0B <http://exfiltrated/X> -> REDIRECTS TO: <http://exfiltrated.offsec/X>
302 0B <http://exfiltrated/_> -> REDIRECTS TO: <http://exfiltrated.offsec/_>
302 0B <http://exfiltrated/]> -> REDIRECTS TO: <http://exfiltrated.offsec/%5D>
302 0B <http://exfiltrated/[> -> REDIRECTS TO: <http://exfiltrated.offsec/%5B>
302 0B <http://exfiltrated/a> -> REDIRECTS TO: <http://exfiltrated.offsec/a>
302 0B <http://exfiltrated/access-log.1> -> REDIRECTS TO: <http://exfiltrated.offsec/access-log.1>
302 0B <http://exfiltrated/access_log.1> -> REDIRECTS TO: <http://exfiltrated.offsec/access_log.1>
302 0B <http://exfiltrated/access.1> -> REDIRECTS TO: <http://exfiltrated.offsec/access.1>
302 0B <http://exfiltrated/b> -> REDIRECTS TO: <http://exfiltrated.offsec/b>
302 0B <http://exfiltrated/c> -> REDIRECTS TO: <http://exfiltrated.offsec/c>
302 0B <http://exfiltrated/d> -> REDIRECTS TO: <http://exfiltrated.offsec/d>
302 0B <http://exfiltrated/e> -> REDIRECTS TO: <http://exfiltrated.offsec/e>
302 0B <http://exfiltrated/f> -> REDIRECTS TO: <http://exfiltrated.offsec/f>
200 851B <http://exfiltrated/favicon.ico>
302 0B <http://exfiltrated/g> -> REDIRECTS TO: <http://exfiltrated.offsec/g>
302 0B <http://exfiltrated/h> -> REDIRECTS TO: <http://exfiltrated.offsec/h>
302 0B <http://exfiltrated/i> -> REDIRECTS TO: <http://exfiltrated.offsec/i>
302 0B <http://exfiltrated/j> -> REDIRECTS TO: <http://exfiltrated.offsec/j>
302 0B <http://exfiltrated/k> -> REDIRECTS TO: <http://exfiltrated.offsec/k>
302 0B <http://exfiltrated/l> -> REDIRECTS TO: <http://exfiltrated.offsec/l>
302 0B <http://exfiltrated/m> -> REDIRECTS TO: <http://exfiltrated.offsec/m>
302 0B <http://exfiltrated/manifest.mf> -> REDIRECTS TO: <http://exfiltrated.offsec/manifest.mf>
302 0B <http://exfiltrated/master.passwd> -> REDIRECTS TO: <http://exfiltrated.offsec/master.passwd>
302 0B <http://exfiltrated/n> -> REDIRECTS TO: <http://exfiltrated.offsec/n>
302 0B <http://exfiltrated/o> -> REDIRECTS TO: <http://exfiltrated.offsec/o>
302 0B <http://exfiltrated/p> -> REDIRECTS TO: <http://exfiltrated.offsec/p>
302 0B <http://exfiltrated/q> -> REDIRECTS TO: <http://exfiltrated.offsec/q>
302 0B <http://exfiltrated/r> -> REDIRECTS TO: <http://exfiltrated.offsec/r>
200 94B <http://exfiltrated/robots.txt>
302 0B <http://exfiltrated/s> -> REDIRECTS TO: <http://exfiltrated.offsec/s>
403 276B <http://exfiltrated/server-status>
200 212B <http://exfiltrated/sitemap.xml>
302 0B <http://exfiltrated/t> -> REDIRECTS TO: <http://exfiltrated.offsec/t>
302 0B <http://exfiltrated/tar.bz2> -> REDIRECTS TO: <http://exfiltrated.offsec/tar.bz2>
302 0B <http://exfiltrated/tar.gz> -> REDIRECTS TO: <http://exfiltrated.offsec/tar.gz>
302 0B <http://exfiltrated/u> -> REDIRECTS TO: <http://exfiltrated.offsec/u>
403 276B <http://exfiltrated/updates>
302 0B <http://exfiltrated/v> -> REDIRECTS TO: <http://exfiltrated.offsec/v>
302 0B <http://exfiltrated/w> -> REDIRECTS TO: <http://exfiltrated.offsec/w>
302 0B <http://exfiltrated/web.xml> -> REDIRECTS TO: <http://exfiltrated.offsec/web.xml>
302 0B <http://exfiltrated/webpack.manifest.json> -> REDIRECTS TO: <http://exfiltrated.offsec/webpack.manifest.json>
302 0B <http://exfiltrated/x> -> REDIRECTS TO: <http://exfiltrated.offsec/x>
302 0B <http://exfiltrated/y> -> REDIRECTS TO: <http://exfiltrated.offsec/y>
302 0B <http://exfiltrated/z> -> REDIRECTS TO: <http://exfiltrated.offsec/z>
The Dirsearch output above for HTTP port 80 was produced with this command:
sudo dirsearch -u <http://exfiltrated> -w /path/to/wordlist
Running ssh-audit against the host exfiltrated.offsec gives this output:
# general
(gen) banner: SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2
(gen) software: OpenSSH 8.2p1
(gen) compatibility: OpenSSH 7.4+, Dropbear SSH 2018.76+
(gen) compression: enabled (zlib@openssh.com)
# security
(cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups
(cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers
(cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response
# key exchange algorithms
(kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76
`- [info] default key exchange since OpenSSH 6.4
(kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62
`- [info] default key exchange since OpenSSH 6.4
(kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4
`- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see <https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477>).
(kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
(kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3
(kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength
`- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73
# host-key algorithms
(key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2
(key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2
(key) ssh-rsa (3072-bit) -- [fail] using broken SHA-1 hash algorithm
`- [info] available since OpenSSH 2.5.0, Dropbear SSH 0.28
`- [info] deprecated in OpenSSH 8.8: <https://www.openssh.com/txt/release-8.8>
(key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [warn] using weak random number generator could reveal the key
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
(key) ssh-ed25519 -- [info] available since OpenSSH 6.5
# encryption algorithms (ciphers)
(enc) chacha20-poly1305@openssh.com -- [warn] vulnerable to the Terrapin attack (CVE-2023-48795), allowing message prefix truncation
`- [info] available since OpenSSH 6.5
`- [info] default cipher since OpenSSH 6.9
(enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes192-ctr -- [info] available since OpenSSH 3.7
(enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52
(enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2
(enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
# message authentication code algorithms
(mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size
`- [info] available since OpenSSH 6.2
(mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2
(mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm
`- [info] available since OpenSSH 6.2
(mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode
`- [warn] using small 64-bit tag size
`- [info] available since OpenSSH 4.7
(mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 6.2
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha2-512 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
(mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm
`- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
# fingerprints
(fin) ssh-ed25519: SHA256:D9EwlP6OBofTctv3nJ2YrEmwQrTfB9lLe4l8CqvcVDI
(fin) ssh-rsa: SHA256:eXf5mei0Jm28De+wAV77A6hTeRUuqP1obO/8eeP4Lh8
# algorithm recommendations (for OpenSSH 8.2)
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
(rec) -ssh-rsa -- key algorithm to remove
(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -umac-128@openssh.com -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com -- mac algorithm to remove
(rec) -umac-64@openssh.com -- mac algorithm to remove
# additional info
(nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html>
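The "(rec)" block above is the actionable part of the audit for whoever administers the host. As an added example (not code from the writeup or from ssh-audit itself), this Python parses those lines and emits the matching sshd_config removals; the "@openssh.com" names in the constructed sample are written out in full, and the leading "-" syntax assumes OpenSSH 7.5 or newer.

```python
# Added example (not from the writeup): turn ssh-audit "(rec)" lines into sshd_config
# directives. OpenSSH 7.5+ accepts a leading "-" on KexAlgorithms, HostKeyAlgorithms,
# Ciphers and MACs to strip names from the default list, which is what ssh-audit suggests.
import re
from collections import defaultdict

# ssh-audit category word -> the sshd_config directive that controls it.
DIRECTIVES = {"kex": "KexAlgorithms", "key": "HostKeyAlgorithms",
              "enc": "Ciphers", "mac": "MACs"}

# "(rec) -name -- kex algorithm to remove"; the sign is optional so mangled lines still parse.
REC_RE = re.compile(r"^\(rec\)\s+[+-]?(\S+)\s+--\s+(kex|key|enc|mac) algorithm to (remove|add)$")

def parse_recommendations(audit_output: str) -> dict:
    """Return {directive: [algorithm, ...]} for every algorithm ssh-audit wants removed."""
    removals = defaultdict(list)
    for line in audit_output.splitlines():
        m = REC_RE.match(line.strip())
        if not m or m.group(3) != "remove":
            continue                      # (gen)/(kex)/(nfo) lines and "add" recs are ignored
        name, category = m.group(1), m.group(2)
        if name not in removals[DIRECTIVES[category]]:
            removals[DIRECTIVES[category]].append(name)
    return dict(removals)

def render_sshd_config(removals: dict) -> str:
    """One line per directive: a single leading '-' and a comma list, as sshd_config(5) expects."""
    out = [f"{d} -{','.join(removals[d])}" for d in DIRECTIVES.values() if removals.get(d)]
    return "\n".join(out)

# Constructed sample: the recommendation block from the audit above, "@openssh.com" names in full.
SAMPLE_AUDIT = """\
(rec) -ecdh-sha2-nistp256 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp384 -- kex algorithm to remove
(rec) -ecdh-sha2-nistp521 -- kex algorithm to remove
(rec) -ecdsa-sha2-nistp256 -- key algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove
(rec) -ssh-rsa -- key algorithm to remove
(rec) -chacha20-poly1305@openssh.com -- enc algorithm to remove
(rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
(rec) -hmac-sha2-512 -- mac algorithm to remove
(rec) -umac-128@openssh.com -- mac algorithm to remove
(rec) -umac-64-etm@openssh.com -- mac algorithm to remove
(rec) -umac-64@openssh.com -- mac algorithm to remove
"""

if __name__ == "__main__":
    print(render_sshd_config(parse_recommendations(SAMPLE_AUDIT)))
```

The printed lines can be appended to sshd_config; `sshd -t` checks the syntax before a restart, and a second ssh-audit run should then show an empty "(rec)" block.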
Piece of advice: if you see SSH version 8 or above, then this isn't your attack vector.
Now let's do some manual enumeration.

