largefere.blogg.se

Sqlmap via limit lines terminated by method





Sent 20 bytes received 379 bytes 798.00 bytes/sec

Excellent, it wasn’t lying, ALL the conf files indeed.

Now we will list the contained files:

rob:Metamorphosis/ $ rsync -av --list-only rsync://$TARGET/Conf

It seems we can, there is no AUTHREQD response.

Ok, we find a shared folder, Conf, let’s now see if we can enumerate the contents:

rob:Metamorphosis/ $ nc -vn $TARGET 873


On port 873 we find RSYNC, let’s try to enumerate it:

rob:Metamorphosis/ $ nc -vn $TARGET 873

NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
Try "help" to get a list of possible commands.

rob:Metamorphosis/ $ smbclient -U "" -N //$TARGET/IPC$

Tree connect failed: NT_STATUS_ACCESS_DENIED

No user shares there but perhaps we can find something on the hidden shares:

rob:Metamorphosis/ $ smbclient -U "" -N //$TARGET/print$

IPC$ IPC IPC Service (incognito server (Samba, Ubuntu))
Nmap done: 1 IP address (1 host up) scanned in 12.97 seconds

Before enumerating the web site on port 80 let’s quickly check out the other services, starting with SMB, in case there are useful creds or clues to be found:

rob:Metamorphosis/ $ smbclient -L $TARGET -U "" -N

Read data files from: /usr/bin/./share/nmap
|_ Message signing enabled but not required
|_ message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: INCOGNITO, NetBIOS user:, NetBIOS MAC: (unknown)
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
Service Info: Host: INCOGNITO OS: Linux CPE: cpe:/o:linux:linux_kernel
|_http-title: Apache2 Ubuntu Default Page: It works
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_ Supported Methods: GET HEAD POST OPTIONS
at 21:13, 0.03s elapsed
Completed Connect Scan at 21:13, 0.01s elapsed (5 total ports)
Completed Service scan at 21:13, 11.42s elapsed (5 services on 1 host)
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux protocol 2.0)
at 21:13
Completed Parallel DNS resolution of 1 host.
Initiating Parallel DNS resolution of 1 host.
Starting masscan 1.3.2 ( ) at 20:07:37 GMT

And then nmap to identify the services on those ports, we can leave out the UDP:137 port as this is just the UDP complement to TCP:139:

rob:Metamorphosis/ $ nmap -A -v -T4 -p22,80,139,445,873 $TARGET

Completed Ping Scan at 21:13, 0.01s elapsed (1 total hosts)





