Difficulty: Easy

OS: Linux

Introduction:

This is the first machine and write-up that's going to be published for the OUCSS GitHub and website, so I had better make it good.

Hey - I’m m0j0r1s1n and I’m going to walk you through how I attack this “easy” machine from the HTB guided series. I will be using a mix of my trusted Ubuntu Hacktop and a newly created Debian VM on a Windows 11 OS with VMware. With some brainpower, art and a bit of fun, hopefully I will get root!! So what am I waiting for? Here goes. Hope you enjoy (:

Enumeration and Methodology.

I start with rustscan for speed and then I will dive deeper with nmap if needed. I am given an IP of 10.10.11.243 to start.

m0j0@r1s1n: ~/HTB/writeups/broker m0j0_development ⚡
$ rustscan 10.10.11.243 --ulimit 5000                                                                                                      [19:18:01]
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
Faster Nmap scanning with Rust.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/m0j0/.config/rustscan/config.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.11.243:22
Open 10.10.11.243:80
Open 10.10.11.243:1883
Open 10.10.11.243:5672
Open 10.10.11.243:8161
Open 10.10.11.243:39623
Open 10.10.11.243:61613
Open 10.10.11.243:61614
Open 10.10.11.243:61616
[~] Starting Nmap
[>] The Nmap command to be run is nmap -vvv -p 22,80,1883,5672,8161,39623,61613,61614,61616 10.10.11.243

Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-17 19:18 GMT
Initiating Ping Scan at 19:18
Scanning 10.10.11.243 [2 ports]
Completed Ping Scan at 19:18, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:18
Completed Parallel DNS resolution of 1 host. at 19:18, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:18
Scanning 10.10.11.243 [9 ports]
Discovered open port 80/tcp on 10.10.11.243
Discovered open port 22/tcp on 10.10.11.243
Discovered open port 61616/tcp on 10.10.11.243
Discovered open port 8161/tcp on 10.10.11.243
Discovered open port 61613/tcp on 10.10.11.243
Discovered open port 61614/tcp on 10.10.11.243
Discovered open port 1883/tcp on 10.10.11.243
Discovered open port 39623/tcp on 10.10.11.243
Discovered open port 5672/tcp on 10.10.11.243
Completed Connect Scan at 19:18, 0.02s elapsed (9 total ports)
Nmap scan report for 10.10.11.243
Host is up, received syn-ack (0.021s latency).
Scanned at 2023-12-17 19:18:33 GMT for 1s

PORT      STATE SERVICE     REASON
22/tcp    open  ssh         syn-ack
80/tcp    open  http        syn-ack
1883/tcp  open  mqtt        syn-ack
5672/tcp  open  amqp        syn-ack
8161/tcp  open  patrol-snmp syn-ack
39623/tcp open  unknown     syn-ack
61613/tcp open  unknown     syn-ack
61614/tcp open  unknown     syn-ack
61616/tcp open  unknown     syn-ack

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Rustscan has thrown up a lot of ports to dig into. I will run my nmap scan, one that I always used before rustscan was released. The flags used for my nmap scan get a good description from ChatGPT, which should be in your toolbox if it isn’t already.

This won’t always be the case but for most cases on HTB it works.
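
Why the first scan needs a follow-up, as an added example (not part of the original write-up): the port table above has no VERSION column, so every SERVICE name is only a lookup of the port number in nmap's services table, and `unknown` means the number is not in that table. The sketch below parses the table by the header's column offsets and groups the open ports accordingly; the function names and the `SAMPLE` constant are assumptions made for this example.

```python
import re

# Constructed sample: the port table copied from the scan output above.
SAMPLE = """\
PORT      STATE SERVICE     REASON
22/tcp    open  ssh         syn-ack
80/tcp    open  http        syn-ack
1883/tcp  open  mqtt        syn-ack
5672/tcp  open  amqp        syn-ack
8161/tcp  open  patrol-snmp syn-ack
39623/tcp open  unknown     syn-ack
61613/tcp open  unknown     syn-ack
61614/tcp open  unknown     syn-ack
61616/tcp open  unknown     syn-ack
"""

def parse_port_table(text):
    """Slice each row at the header's column offsets (columns are space-padded)."""
    lines = text.splitlines()
    head = next(i for i, l in enumerate(lines) if l.startswith("PORT"))
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", lines[head])]
    ends = [start for _, start in cols[1:]] + [None]
    rows = []
    for line in lines[head + 1:]:
        if not re.match(r"\d+/(tcp|udp)\b", line):
            break  # the table ends at the first non-port line
        rows.append({name.lower(): line[start:end].strip()
                     for (name, start), end in zip(cols, ends)})
    return [name for name, _ in cols], rows

def triage(text):
    """Group open ports by how much the scan actually learned about them."""
    cols, rows = parse_port_table(text)
    open_rows = [r for r in rows if r["state"] == "open"]
    num = lambda r: int(r["port"].split("/")[0])
    return {
        "version_scan": "VERSION" in cols,
        # 'unknown': the port number is not in nmap's services table at all
        "unidentified": [num(r) for r in open_rows if r["service"] == "unknown"],
        # named, but without version evidence the name is only a table lookup
        "name_only": [num(r) for r in open_rows
                      if r["service"] != "unknown" and not r.get("version")],
        "port_list": ",".join(str(num(r)) for r in open_rows),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Slicing by column offset rather than splitting on whitespace keeps the parse correct when a REASON value contains spaces, as it does for some scan types.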