You’ll find this vm here : https://www.vulnhub.com/entry/callme-1,615/
VulnHub - Callme
Port Scan
- Nmap found three open ports:
22
,111
and2323
- For now let’s focus on port
2323
Finding correct username
- The server asking for username & password<
- After the login attempt with a random credentials, the message “user does not exist” appeared
- This will help us to identify the valid usernames
I tried common username like admin, and the message “user does not exist” not appeared.
So, admin
is a valid username
Creating brute force script
- After a few minutes the password found
Each time we successfully log in to the system, it returns a random number in words.
Let’s understand what it means
Tcpdump to understand
sudo tcpdump -XX -i eth0 src TARGET_IP
We understand that every time we successfully connect to the server, it tries to connect to the port of our system that it had previously sent in a number with words. For example, if the server sends ONE THOUSAND FOUR HUNDRED TWELVE
it tries to connect to our system to port 1412
Creating login & listener script
- After running the script we have the shell
SSH Login, avoid wine shell
Searching fox’s password
1 |
|
- strings command not found so we need to download recallserver.exe locally
- We found the possible password for user fox, the possible password is
tutankamenFERILLI
Privileges Escalation
- Writing a user to /etc/passwd locally
echo 'alien:$1$dccSREO8$l8xVLythU9r4WQ1/4R1tq/:0:0::/root:/bin/bash' >> /etc/passwd
- In the target system
1 |
|