Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.245
Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.
So, we have FTP (TCP 21), SSH (TCP 22) and HTTP (TCP 80) as the major ports to look at right now. Looking at autorecon's FTP output, we can tell that anonymous login is not a viable option. Let's check the HTTP side. It looks like there is an HTTP statistics page and a way to grab a packet capture. This should be interesting. Let's download the packet capture and see what we can find.
Following the HTTP stream we find a data directory, which is not surprising since the "snapshot" page was /data/1. This may be an IDOR (Insecure Direct Object Reference) vector! The 1 is the <id> of the requestor. Let's navigate to /data/0 and see what changes in the PCAP. I'm using 0 because the original PCAP was located at /data/1. Sure enough, if we look at the FTP stream, we instantly find a username and password.
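To make the IDOR concrete from the defender's side, here is an added example (not code from the box or from this write-up) modelling a /data/<id> capture endpoint: the vulnerable handler trusts the id from the URL, the hardened one authorizes against the session user, and a small log check flags a client walking through many ids. The store, users and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Capture:
    owner: str   # user who requested the capture
    pcap: bytes  # capture file contents

# Constructed sample store (not from the box): id 0 is an admin capture, id 1 belongs to "alice".
CAPTURES: Dict[int, Capture] = {
    0: Capture("admin", b"constructed admin pcap"),
    1: Capture("alice", b"constructed alice pcap"),
}

def get_capture_vulnerable(user: str, capture_id: int) -> Optional[bytes]:
    """IDOR: the id from the URL is used as-is, so any logged-in user can read every capture."""
    cap = CAPTURES.get(capture_id)
    return cap.pcap if cap is not None else None

def get_capture_hardened(user: str, capture_id: int) -> Optional[bytes]:
    """Fix: authorize against the session user, not the URL. A capture owned by
    someone else is answered like a missing one, so the id space is not disclosed."""
    cap = CAPTURES.get(capture_id)
    if cap is None or cap.owner != user:
        return None
    return cap.pcap

# Detection: flag any client that requests `threshold` or more distinct /data/<id> paths.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"GET /data/(?P<id>\d+)')

def find_enumerators(log_lines: List[str], threshold: int = 3) -> Dict[str, int]:
    seen: Dict[str, Set[int]] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen.setdefault(m.group("ip"), set()).add(int(m.group("id")))
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}

# Constructed access-log sample: one normal request and one client sweeping ids.
SAMPLE_LOG = [
    '10.0.0.5 - alice [01/Jan/2021:10:00:00 +0000] "GET /data/1 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jan/2021:10:00:01 +0000] "GET /data/0 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jan/2021:10:00:02 +0000] "GET /data/1 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Jan/2021:10:00:03 +0000] "GET /data/2 HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(get_capture_vulnerable("alice", 0))   # leaks the admin capture
    print(get_capture_hardened("alice", 0))     # None
    print(find_enumerators(SAMPLE_LOG))         # {'10.0.0.9': 3}
```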
Now we can log into FTP!
Well, that's one way to get the user flag! Just for kicks, let's see if we can ssh to the target using the same password. Short answer: Yup! Good middle step, again in case we need to step away.
└─$ cat user.txt
Now we use the usual methods (python http.server and wget) to move LinEnum.sh to the target, chmod +x it, and run it with the -t flag (thorough tests). Oh look! POSIX capabilities!
This is VERY easy to exploit. Run:
When the Python "shell" comes up, just use os.system to call /bin/bash using:
root@cap:~# cat /root/root.txt
This is why SUID, SGID, and POSIX capabilities are so incredibly dangerous. Another box burned. Celebrate!