

Kshitij Raj Portfolio


1. Port Scanning

┌──(ezio㉿kali)-[~/vulnhub/sync]
└─$ rustscan -a 10.10.96.245 -- -sC -sV
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \\ |  `| |
| .-. \\| {_} |.-._} } | |  .-._} }\\     }/  /\\  \\| |\\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: <http://discord.skerritt.blog>           :
: <https://github.com/RustScan/RustScan> :
 --------------------------------------
😵 <https://admin.tryhackme.com>

[~] The config file is expected to be at "/home/ezio/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 10.10.96.245:21
Open 10.10.96.245:22
Open 10.10.96.245:80
Open 10.10.96.245:873
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -sC -sV" on ip 10.10.96.245
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94 ( <https://nmap.org> ) at 2023-10-06 02:45 IST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:45
Completed NSE at 02:45, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:45
Completed NSE at 02:45, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:45
Completed NSE at 02:45, 0.00s elapsed
Initiating Ping Scan at 02:45
Scanning 10.10.96.245 [2 ports]
Completed Ping Scan at 02:45, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 02:45
Completed Parallel DNS resolution of 1 host. at 02:45, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 02:45
Scanning 10.10.96.245 [4 ports]
Discovered open port 22/tcp on 10.10.96.245
Discovered open port 21/tcp on 10.10.96.245
Discovered open port 80/tcp on 10.10.96.245
Discovered open port 873/tcp on 10.10.96.245
Completed Connect Scan at 02:45, 0.14s elapsed (4 total ports)
Initiating Service scan at 02:45
Scanning 4 services on 10.10.96.245
Completed Service scan at 02:45, 6.31s elapsed (4 services on 1 host)
NSE: Script scanning 10.10.96.245.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:45
Completed NSE at 02:45, 4.97s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:45
Completed NSE at 02:46, 1.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:46
Completed NSE at 02:46, 0.00s elapsed
Nmap scan report for 10.10.96.245
Host is up, received syn-ack (0.14s latency).
Scanned at 2023-10-06 02:45:47 IST for 13s

PORT    STATE SERVICE REASON  VERSION
21/tcp  open  ftp     syn-ack vsftpd 3.0.5
22/tcp  open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a0:f9:57:86:e6:5f:e6:cd:88:05:ff:dd:fe:58:fa:05 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ3EV+7XoEuWjB2AFpF6l/VJ9pjuqgWFxnr70V7SidPm5WyVax1Nj/VUJCs1LclRs622T3Ka4DI1pAfARAbPYKk=
|   256 1c:c5:aa:54:9e:e1:56:e9:5c:07:94:5b:e1:fe:91:cc (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINvfs7e4StG7KctN4Mc2zCkK6nBknnwmnwpICTWtKsto
80/tcp  open  http    syn-ack Apache httpd 2.4.52 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.52 (Ubuntu)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Login
873/tcp open  rsync   syn-ack (protocol version 31)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 02:46
Completed NSE at 02:46, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 02:46
Completed NSE at 02:46, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 02:46
Completed NSE at 02:46, 0.01s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 12.86 seconds

The scan finds 4 open ports: 21 (ftp), 22 (ssh), 80 (http) and 873 (rsync).


2. Enumeration

There is a login page on port 80.

We don't have anonymous access to the FTP service.

There is also an interesting port open here: 873 (rsync).

873 - Pentesting Rsync

Let's try to enumerate that.

┌──(ezio㉿kali)-[~/vulnhub/sync]
└─$ nc -vn 10.10.96.245 873
(UNKNOWN) [10.10.96.245] 873 (rsync) open
@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4
@RSYNCD: 31.0
#list
httpd          	web backup
@RSYNCD: EXIT

The daemon lists one module, httpd, with the comment "web backup". Let's take a deeper look inside it.
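
The same finding from the server owner's side, as an added example that is not part of the original writeup: a small audit of `rsyncd.conf` that flags modules which are listed to any client, need no password, have no address restriction, or are writable. The config text and its paths are constructed for illustration (the target's real config is not shown on this page); the parameter names (`list`, `auth users`, `hosts allow`, `read only`) are rsyncd.conf's own.

```python
import re

# Constructed sample, not taken from the target: a config that would produce
# the "httpd   web backup" listing seen in the transcript above.
SAMPLE_CONF = """\
[httpd]
    path = /var/www/html
    comment = web backup
[private]
    path = /srv/private
    list = no
    auth users = backup
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.0/8
"""
FALSE = {"no", "false", "0"}

def parse_rsyncd_conf(text):
    """Return {module: params}; global parameters act as per-module defaults."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = modules.setdefault(m.group(1).strip(), dict(globals_))
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())  # names ignore case and spacing
            (globals_ if current is None else current)[key] = value.strip()
    return modules

def audit(text):
    """Return {module: [findings]} for settings that expose a module."""
    report = {}
    for name, p in parse_rsyncd_conf(text).items():
        findings = []
        if p.get("list", "yes").lower() not in FALSE:  # default is 'yes'
            findings.append("listed to any client (set 'list = no')")
        if not p.get("auth users"):
            findings.append("no 'auth users': anonymous access")
        if not p.get("hosts allow"):
            findings.append("no 'hosts allow': reachable from any address")
        if p.get("read only", "yes").lower() in FALSE:
            findings.append("writable ('read only = no')")
        report[name] = findings
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```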