[HTB] Mischief — Writeup

bigb0ss
6 min read · Feb 16, 2021

This was an Insane-difficulty box, with many tricky steps needed to fully compromise it. It is a good learning path for:

  • UDP Service Enumeration
  • SNMP to obtain IPv6 Address
  • ICMP Data Exfiltration
  • systemd-run Command

Recon

Nmap

Let’s begin with an initial port scan:

$ nmap -Pn --open -p- -T4 -sC -sV 10.10.10.92
PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2a:90:a6:b1:e6:33:85:07:15:b2:ee:a7:b9:46:77:52 (RSA)
| 256 d0:d7:00:7c:3b:b0:a6:32:b2:29:17:8d:69:a6:84:3f (ECDSA)
|_ 256 3f:1c:77:93:5c:c0:6c:ea:26:f4:bb:6c:59:e9:7c:b0 (ED25519)
3366/tcp open caldav Radicale calendar and contacts server (Python BaseHTTPServer)
| http-auth:
| HTTP/1.0 401 Unauthorized\x0D
|_ Basic realm=Test
|_http-server-header: SimpleHTTP/0.6 Python/2.7.15rc1
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s also run a port scan against the UDP ports:

$ nmap -Pn --open -sU -F 10.10.10.92
PORT    STATE SERVICE
161/udp open snmp

Interesting Ports
