OSCP
Total OSCP GuidePayloads All The Things
  • Welcome!
    • ⬆️Privilege Escalation
      • 🪟Windows
        • 📋Windows Privesc Checklist
        • 🚪Backdoor & RDP Access
        • Service Binary Hijacking
        • SeBackupPrivilege
        • SeRestorePrivilege
        • SeDebugPrivilege
        • SeEnableDelegationPrivilege
        • SeTakeOwnershipPrivilege
        • SeManageVolumePrivilege
        • SeLoadDriverPrivilege
        • DnsAdmins
        • Hyper-V Administrators
        • Server Operators
        • GPO
        • Mimikatz
        • Weak Permissions
        • Vulnerable Services
        • DLL Injection
        • Citrix Breakout
        • UAC
        • Credential Hunting
        • 🔎Windows Post Enumeration
        • 🥔Potatoes
      • 🐧Linux
        • 📋Linux Privesc Checklist
        • ✳️Sudo Tar Wildcard
        • nfs privesc
        • ↻ logrotate
        • Capabilities
        • Password Authentication Abuse
    • 🖥️Active Directory
      • 🔎AD Post Enumeration/Exploitation
        • 🔎Powerview
        • 🐶Bloodhound
      • 🔧AD Tools
      • 👾AD Exploitation
        • Post Exploitation
        • PowerShell
        • 🔥Asreproasting
        • 🔥Kerberoasting
        • 🔁DCSync
        • 🥇Golden Ticket Attacks
        • 🥈Silver Ticket Attack
        • PetitPotam
        • 🏃SMB Relaying
        • 📜Certificate Authority (CA)
        • Pass the Password or Pass the Hash
        • ➡️Lateral Movement
          • Child-to-Parent CIFS
          • ExtraSids
    • 🔎Enumeration
      • 📋Enumeration Checklist
      • SNMP Enumeration
      • IRC Enumeration
      • FTP Enumeration
      • SMTP Enumeration
      • TFTP Enumeration
      • RPC Enumeration
      • Postgres Enumeration
      • Ldap Enumeration
      • RPC Enumeration
      • Strategy
      • RDP Session Hijacking
      • Bullet Proof Strategy Methodology
    • 🕵️‍♂️Exploitation
      • Client Side Attacks
        • ODT Macro (Libreoffice)
        • Microsoft Office Macros
      • 🐚Shells & Payloads
      • 🔐Password Attacks
    • 🕸️Web Applications
      • SSRF
      • 📋Web Application Checklist
      • 💉SQL Injection
      • </> Command Injections
      • 🏞️Path Traversal & File Inclusion
      • 📤File Upload Attacks
      • 🔓IDOR(Insecure Direct Object References)
      • ❌XSS (Cross-Site Scripting)
      • 👽XXE(XML External Entity)
      • 🦪Log4Shell
      • 💻Abusing APIs
      • 📖Custom Wordlist
      • 📛Bypassing WAF
    • 🔀Pivoting
    • 📁File Transfer
    • Buffer Overflow
    • Miscellaneous
    • Ⓜ️Metasploit
    • 🚶 Walkthroughs
      • Hack The Box
        • Absolute HTB
        • Active HTB
        • Arctic HTB
        • Bank Robber HTB
        • Bashed HTB
        • BLUE HTB
        • Cerberus HTB
        • Devel HTB
        • Escape HTB
        • Forest HTB
        • Granny HTB
        • Headless HTB
        • Jerry HTB
        • Kioptrix
        • Lame HTB
        • Legacy HTB
        • Netmon HTB
        • Nibbles HTB
        • Node HTB
        • Optimum HTB
        • Pandora HTB
        • Sense Htb
        • Soccer HTB
        • Stream IO
        • Support HTB
        • Updown HTB
      • PG Practice
        • Access 2
          • 80
          • Exploit
        • Apex
          • 80
          • 445
          • 3306
          • Exploit
        • Astronaut
          • 80
          • Exploit
        • Auth By
          • 21
          • 242
          • 3145
        • Billyboss
          • 21
          • 8081
        • Boolean
          • 80
          • 33017
          • Exploit
        • Bullybox
          • 80
          • Exploit
        • Clue
          • 445
          • 3000
          • 8021
          • Exploit
        • Cockpit
          • 80
          • 9090
          • Exploit
        • DVR 4
          • 22
          • 8080
        • Extplorer
          • 80
          • Exploit
        • Fanatastic
          • 3000
          • Exploit
        • Fired
          • 9090
          • 9091
        • Flu
          • 8090
          • Exploit
        • Hawat
          • 17445
          • 30455
          • 50080
          • Exploit
        • Heist
          • 80
          • Exploit
        • Hepet
          • 25
          • 143
          • 20001
          • 79 Finger
          • 8000 Or 443
          • Exploit
        • Hetemit
          • 80
          • 18000
          • 50000
          • Exploit
        • Hokkaido
          • 445
          • 1433
        • Hunit
          • 8080
          • 12445
          • 18030
          • Exploit
        • Hutch
          • 80
          • 389
          • 445
        • La Vita
          • 80
        • Levram
          • 8000
        • Marketing
          • 80
          • Exploit
        • Medjed
          • 445
          • 8000
          • 30021
          • 33033
          • 44330
          • 45332
          • Med Jed
        • Mzeeav
          • 80
        • Nagoya
        • Nickel
          • 22
          • 80
          • 8089
          • 33333
        • Nukem
          • 80
          • Exploit
        • Ochima
          • 8338
        • Payday
          • 80
          • RPC
        • Pc
          • 8000
          • 65432
          • Exploit
        • Peppo
          • 22
          • 113
          • 8080
          • Exploit
        • Post Fish
          • 22
          • 80
          • 143
          • Exploit
        • Pyloader
          • 9666
          • Exploit
        • Quacker Jack
          • 80
          • 445
          • 8081
          • Exploit
        • Readys
          • 80
          • 6379
          • Exploit
        • Resourced
        • Roquefort
          • 3000
          • Exploit
        • Scrutiny
          • 80
        • Shenzi
          • 80
          • 445
          • 3306
          • Exploit
        • Slort
          • 8080
          • Exploit
        • Sorcerer
          • 80
          • 7742
          • 8080
          • Exploit
        • Squid
          • 445
          • 3128
          • 8080
          • Exploit
        • Sybaris
          • 21
          • 6379
          • Exploit
        • Walla
          • 23
          • 25
          • 8091
          • Exploit
        • Wombo
          • 80
          • 6379
          • 8080
          • Exploit
        • Xposedapi
          • 13337
        • Zen Photo
          • 23
          • 80
          • 3306
          • Exploit
        • Zipper
          • 80
        • Access
        • Algernon
        • Bratarina
        • Clam AV
        • Craft
        • Exfiltrated
        • Heist
        • Helpdesk
        • Hokkaido
        • Internal
        • Jacko
        • Kevin
        • Nibbles
        • Pebbles
        • Pelican
        • Snookums
        • Twiggy
        • Vault
      • Try Hack Me
        • All Signs Point 2 Pwnage
          • 21
          • 80
          • 445
        • Attacktive Directory
          • 445
          • Kerberos
        • Blueprint
          • 445
          • 8080
          • Exploit
        • Hack Park
          • 80
        • Relevent
          • 80
          • 443
          • 445
          • 49663
          • Exploit
        • Weasel
          • 445
          • 8888
          • Exploit
        • Wreath
          • MS 01
            • 22
            • 443
            • 10000
          • Ms 02
            • 80
          • Ms 03
            • 80
            • Exploit
        • Year Of The Owl
          • 80
          • 161
          • 445
          • 5985
          • Exploit
      • Vuln Lab
        • Baby
        • Baby 2
        • Bamboo
        • Breach
        • Bruno
        • Data
        • Delegate
        • Dump
        • Escape
        • Feedback
        • Forgotten
        • Hybrid
        • Job 2
        • Lock
        • Media
        • Reflection
        • Retro
        • Sendai
        • Slonik
        • Sync
        • Tengu
        • Trusted
Powered by GitBook
On this page
  • Host:
  • Nmap

Was this helpful?

  1. Welcome!
  2. 🚶 Walkthroughs
  3. PG Practice
  4. Post Fish

Exploit

Host:

192.168.161.137

Nmap

PORT    STATE SERVICE  REASON         VERSION
22/tcp  open  ssh      syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDH6PH1/ST7TUJ4Mp/l4c7G+TM07YbX7YIsnHzq1TRpvtiBh8MQuFkL1SWW9+za+h6ZraqoZ0ewwkH+0la436t9Q+2H/Nh4CntJOrRbpLJKg4hChjgCHd5KiLCOKHhXPs/FA3mm0Zkzw1tVJLPR6RTbIkkbQiV2Zk3u8oamV5srWIJeYUY5O2XXmTnKENfrPXeHup1+3wBOkTO4Mu17wBSw6yvXyj+lleKjQ6Hnje7KozW5q4U6ijd3LmvHE34UHq/qUbCUbiwY06N2Mj0NQiZqWW8z48eTzGsuh6u1SfGIDnCCq3sWm37Y5LIUvqAFyIEJZVsC/UyrJDPBE+YIODNbN2QLD9JeBr8P4n1rkMaXbsHGywFtutdSrBZwYuRuB2W0GjIEWD/J7lxKIJ9UxRq0UxWWkZ8s3SNqUq2enfPwQt399nigtUerccskdyUD0oRKqVnhZCjEYfX3qOnlAqejr3Lpm8nA31pp6lrKNAmQEjdSO8Jxk04OR2JBxcfVNfs=
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI0EdIHR7NOReMM0G7C8zxbLgwB3ump+nb2D3Pe3tXqp/6jNJ/GbU2e4Ab44njMKHJbm/PzrtYzojMjGDuBlQCg=
|   256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDCc0saExmeDXtqm5FS+D5RnDke8aJEvFq3DJIr0KZML
25/tcp  open  smtp     syn-ack ttl 61 Postfix smtpd
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Issuer: commonName=ubuntu
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2021-01-26T10:26:37
| Not valid after:  2031-01-24T10:26:37
| MD5:   5376:0d7f:8cb1:2db9:fedd:1809:463e:94c2
| SHA-1: 63ab:a073:44fd:01a2:489f:c9a0:8f50:de80:f33c:6895
| -----BEGIN CERTIFICATE-----
| MIIC0DCCAbigAwIBAgIUGEC4bDhH06jafLyt+oBBOT7SWm0wDQYJKoZIhvcNAQEL
| BQAwETEPMA0GA1UEAwwGdWJ1bnR1MB4XDTIxMDEyNjEwMjYzN1oXDTMxMDEyNDEw
| MjYzN1owETEPMA0GA1UEAwwGdWJ1bnR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
| MIIBCgKCAQEAxj4r7x6ucND17Gv8yE+fKOLLfePFwLvxtMSGSb/VLPMgZ42G3L5C
| pZF7+T9fGgYTMFSeJl1O/6vW8qeby8/ikCCYbO/bXRdlCPh2ROQe2O+ZfY097MyV
| 512iUWH9NWbs8lI/QnH+AIxywPhyOsGmTc+lTht2Edc4fPJaBQdjDiQyalypcm0K
| 7EOr3Q1VJmAoWietBfoaPJ7EEXLJNQEOokSP6tnOoSvV4iCyVT5RaZXsAOi4bbtR
| 4/HyZfLYqqs6fLlvlXcFF325UKYnUfSKqrYGxBZbY7RrNgAoo0rA/PfrBf7DhZQx
| FNyUFDNI/4AycpEK/qC3lFO+rL46n1hZHQIDAQABoyAwHjAJBgNVHRMEAjAAMBEG
| A1UdEQQKMAiCBnVidW50dTANBgkqhkiG9w0BAQsFAAOCAQEAskRHHDOoKAUHl4AM
| qANWP0c9kqC73Gw2hxUVRtqpyl0LR3mbNfBw48G+VssMtqjP4sy35ZbhSPL7tUYu
| bcr7fe/tkewwuaxEkJ/7D8xGMFADC56vxKG4f52aMjjeT69mu0Y46arsFKQKhUe9
| i4WZ7PE6tE6N39K3TnbjsXTwRfrCCxx6cNYBNZ9fiVmDCRg+gZGCc4YKWZtu8yZL
| PHlBkmp23p9zgSOyU0+UIsA22icofHY9/U5KeSgUMwiVsfUSTVd6ZxkBdo8GE6IX
| b8FMFX+BiAUtmFYxqpGMWkq8JAiXK0f302nUorXrrOrLHJfUQ9efbOMMvsUuGrrS
| lH7cyA==
|_-----END CERTIFICATE-----
|_smtp-commands: postfish.off, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp  open  http     syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
110/tcp open  pop3     syn-ack ttl 61 Dovecot pop3d
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Issuer: commonName=ubuntu
|_ssl-date: TLS randomness does not represent time
|_pop3-capabilities: RESP-CODES USER CAPA STLS PIPELINING SASL(PLAIN) TOP UIDL AUTH-RESP-CODE
143/tcp open  imap     syn-ack ttl 61 Dovecot imapd (Ubuntu)
|_imap-capabilities: LITERAL+ SASL-IR IDLE ID more capabilities STARTTLS have IMAP4rev1 OK AUTH=PLAINA0001 listed Pre-login LOGIN-REFERRALS ENABLE post-login
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Issuer: commonName=ubuntu
993/tcp open  ssl/imap syn-ack ttl 61 Dovecot imapd (Ubuntu)
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu
| Issuer: commonName=ubuntu
more IMAP4rev1 have AUTH=PLAINA0001 OK Pre-login LOGIN-REFERRALS ENABLE post-login
995/tcp open  ssl/pop3 syn-ack ttl 61 Dovecot pop3d
|_pop3-capabilities: RESP-CODES SASL(PLAIN) TOP AUTH-RESP-CODE USER CAPA UIDL PIPELINING
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=ubuntu
| Subject Alternative Name: DNS:ubuntu

UDP?

  • Initial access by using cewl on the website and bruteforcing the usernames with the usernames itself using hydra.

  • Using linpeas got to know readable file at /etc/postfix/disclaimer and edit it to give a reverse shell.

  • Sent a mail to get reverse shell and got in as filter. Filter can run mail as sudo so got access to root from filter through mail command.

Previous143NextPyloader

Last updated 8 months ago

Was this helpful?