Posts for: #Easy

PG: Wombo

#offsec  #proving-grounds  #easy  #linux  #redis  #redis-rce 
ターゲット // Wombo
PlatformOffSec Proving Grounds
OSLinux
DifficultyEasy
IP192.168.105.69

Enumeration

Nmap

▶ Nmap output
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.4p1 Debian 10+deb9u7
80/tcp    open  http     nginx 1.10.3
6379/tcp  open  redis    Redis key-value store 5.0.9
8080/tcp  open  http-proxy
27017/tcp open  mongod?

Multiple services, but Redis on 6379 with no authentication is the obvious target. Port 8080 runs NodeBB – a rabbit hole.

[]

PG: ClamAV

#offsec  #proving-grounds  #easy  #linux  #clamav  #sendmail  #snmp  #smtp 
ターゲット // ClamAV
PlatformOffSec Proving Grounds
OSLinux
DifficultyEasy
IP192.168.57.42

Recon

Nmap

▶ Full nmap output (TCP)
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
25/tcp    open  smtp        Sendmail 8.13.4/8.13.4/Debian-3sarge3
80/tcp    open  http        Apache httpd 1.3.33 ((Debian GNU/Linux))
139/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
199/tcp   open  smux        Linux SNMP multiplexer
445/tcp   open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
60000/tcp open  ssh         OpenSSH 3.8.1p1 Debian 8.sarge.6 (protocol 2.0)
▶ Full nmap output (UDP)
PORT     STATE         SERVICE      VERSION
137/udp  open          netbios-ns   Samba nmbd netbios-ns (workgroup: WORKGROUP)
161/udp  open          snmp         SNMPv1 server (public)
[ 警告 ]
Don’t forget to enumerate UDP. This box has SNMP v1 on UDP 161 which reveals critical information.

Enumeration

Port 25 - SMTP (Sendmail)

Sendmail 8.13.4 is ancient. Searchsploit reveals multiple exploits, and importantly – one that involves ClamAV (hint from the box name):

[]