____ __. __ ____ __. __ ____
| |/ _| ____ ____ ____ | | __ | |/ _| ____ ____ ____ | | __ /_ |
| < / \ / _ \_/ ___\| |/ / ______ | < / \ / _ \_/ ___\| |/ / | |
| | \| | ( <_> ) \___| < /_____/ | | \| | ( <_> ) \___| < | |
|____|__ \___| /\____/ \___ >__|_ \ |____|__ \___| /\____/ \___ >__|_ \ |___|
\/ \/ \/ \/ \/ \/ \/ \/
Scanning all ports in aggressive mode.

PORT     STATE SERVICE VERSION
1337/tcp open  waste?

Modest result. So, let's connect to the port using netcat.

root@kali:~# nc -nv 192.168.56.203 1337
(UNKNOWN) [192.168.56.203] 1337 (?) open
[63236, 29542, 57152]

Interesting... We have got the sequence [63236, 29542, 57152]. Probably it is a port-knocking sequence. Let's find out.

root@kali:~# nmap -r -p63236,29542,57152 192.168.56.203
Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-12 05:03 EDT
Nmap scan report for 192.168.56.203
Host is up (0.00019s latency).
PORT      STATE    SERVICE
29542/tcp filtered unknown
57152/tcp filtered unknown
63236/tcp filtered unknown
[..]
root@kali:~# nmap --top-port 10 192.168.56.203
Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-12 05:03 EDT
Nmap scan report for 192.168.56.203
Host is up (0.00020s latency).
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
80/tcp   open     http
110/tcp  filtered pop3
139/tcp  filtered netbios-ssn
443/tcp  filtered https
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server

So good! Let's browse the web application.

Hmm, we should look harder. I examined the source code and there is nothing interesting. I downloaded the picture and, using strings, I found something useful:

[...]
Login Credentials
abfnW
sax2Cw9Ow

That's good news for us: we know some credentials, but we don't know where we can use them.

Dirb didn't find any path:

---- Scanning URL: http://192.168.56.203/ ----
-----------------
END_TIME: Tue Jul 12 05:09:42 2016
DOWNLOADED: 4612 - FOUND: 0

Grrr, but wait! The target has SSH open on port 22! Let's use our retrieved credentials to log in.

Hmm, unfortunately these are not valid credentials for SSH... Maybe we should decode these credentials?

I used a Caesar decoder with ROT-13 and from abfnW I got nosaj.
This string is "jason" reversed; let's try that now: without success again.
I built a password list containing every possible decoding of sax2Cw9Ow. BINGO!
We know that the valid credentials are jason:jB9jP2knf
Great!
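The decoding step above (ROT-13 followed by string reversal), as an added Python example that is not part of the original writeup and not the author's own script. It goes a little beyond the post: rather than only ROT-13, it enumerates every Caesar shift with and without reversal, which is the kind of candidate list the author built to try against the second string. The two input strings are the ones the post recovered with strings; the function names and the rest are the example's own.

```python
import string

# Sample input (taken from the writeup): the two strings pulled out of the image.
RECOVERED = {"user": "abfnW", "pass": "sax2Cw9Ow"}

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def caesar(text: str, shift: int) -> str:
    """Shift letters by `shift` positions, preserving case.
    Digits and punctuation pass through unchanged, which is why the
    digits in the recovered password survive the transform."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot13(text: str) -> str:
    """ROT-13 is the Caesar shift by 13; applying it twice is the identity."""
    return caesar(text, 13)


def decode_candidates(text: str) -> dict:
    """Build the candidate list: every Caesar shift 1..25, each with and
    without reversal (50 entries). Keys name the transform chain, so a hit
    tells you which obfuscation was used, e.g. 'rot13+reverse'."""
    cands = {}
    for shift in range(1, 26):
        shifted = caesar(text, shift)
        cands[f"rot{shift}"] = shifted
        cands[f"rot{shift}+reverse"] = shifted[::-1]
    return cands


def decode_pair(user_obf: str, pass_obf: str) -> tuple:
    """Apply the chain the writeup found (ROT-13, then reverse) to both strings.
    The username comes out as 'Jason'; the post reports it lowercased."""
    return rot13(user_obf)[::-1], rot13(pass_obf)[::-1]


if __name__ == "__main__":
    user, password = decode_pair(RECOVERED["user"], RECOVERED["pass"])
    print(f"{user.lower()}:{password}")
    # Show the full candidate list for the password string, as a wordlist would.
    for chain, value in decode_candidates(RECOVERED["pass"]).items():
        print(f"{chain:16} {value}")
```

The point for a defender is that ROT-13 and reversal are obfuscation, not protection: anything that can be undone by a 50-line enumeration offers no secrecy, so credentials embedded in an image (or in any static asset served by the web application) should be treated as already disclosed.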