# Vulnversity

```
  ___                        
 ( _ ) _ __ ___   __ _ _ __  
 / _ \| '_ ` _ \ / _` | '_ \ 
| (_) | | | | | | (_| | |_) |
 \___/|_| |_| |_|\__,_| .__/ 
                      |_|    

[+] Scanning 10.10.137.87 [65535 ports]


[+] Enumerating 10.10.137.87 [21,22,139,445,3128,3333]

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-03 06:08 CDT
Nmap scan report for 10.10.137.87
Host is up (0.13s latency).

PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.3
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5a:4f:fc:b8:c8:76:1c:b5:85:1c:ac:b2:86:41:1c:5a (RSA)
|   256 ac:9d:ec:44:61:0c:28:85:00:88:e9:68:e9:d0:cb:3d (ECDSA)
|_  256 30:50:cb:70:5a:86:57:22:cb:52:d9:36:34:dc:a5:58 (ED25519)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3128/tcp open  http-proxy  Squid http proxy 3.5.12
|_http-server-header: squid/3.5.12
|_http-title: ERROR: The requested URL could not be retrieved
3333/tcp open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Vuln University
Service Info: Host: VULNUNIVERSITY; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-time: 
|   date: 2024-05-03T11:08:53
|_  start_date: N/A
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: VULNUNIVERSITY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: vulnuniversity
|   NetBIOS computer name: VULNUNIVERSITY\x00
|   Domain name: \x00
|   FQDN: vulnuniversity
|_  System time: 2024-05-03T07:08:53-04:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.46 seconds

[+] Enumerating 10.10.137.87 for vulnerabilities [21,22,139,445,3128,3333]

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-03 06:08 CDT
Pre-scan script results:
|_broadcast-avahi-dos: ERROR: Script execution failed (use -d to debug)
Nmap scan report for 10.10.137.87
Host is up (0.13s latency).

PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3128/tcp open  squid-http
3333/tcp open  dec-notes

Host script results:
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          
|_smb-vuln-ms10-061: false
|_smb-vuln-ms10-054: false

Nmap done: 1 IP address (1 host up) scanned in 40.69 seconds

[+] Completed!
```

<figure><img src="/files/xA0Y9gXV3rUnHdW4vyi7" alt=""><figcaption></figcaption></figure>

```

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.137.87:3333/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# Attribution-Share Alike 3.0 License. To view a copy of this  [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 133ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 137ms]
# Copyright 2007 James Fisher [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 137ms]
#                       [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 138ms]
#                       [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 138ms]
# or send a letter to Creative Commons, 171 Second Street,  [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 139ms]
# Priority ordered case sensative list, where entries were found  [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 144ms]
#                       [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 144ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/  [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 144ms]
# on atleast 2 different hosts [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 144ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 619ms]
images                  [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 1618ms]
                        [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 1618ms]
#                       [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 2623ms]
# This work is licensed under the Creative Commons  [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 4635ms]
css                     [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 127ms]
js                      [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 123ms]
fonts                   [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 131ms]
internal                [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 130ms]
                        [Status: 200, Size: 33014, Words: 8161, Lines: 653, Duration: 154ms]
server-status           [Status: 403, Size: 302, Words: 22, Lines: 12, Duration: 128ms]
:: Progress: [220560/220560] :: Job [1/1] :: 315 req/sec :: Duration: [0:12:39] :: Errors: 0 ::

```

<figure><img src="/files/ThoQCXizDVv4bUSb8yld" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/UegJMvkPBIH1XxXAmWKy" alt=""><figcaption></figcaption></figure>

```
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.100.43:3333/internal/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# or send a letter to Creative Commons, 171 Second Street,  [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 136ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 136ms]
# This work is licensed under the Creative Commons  [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 152ms]
# Attribution-Share Alike 3.0 License. To view a copy of this  [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 152ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/  [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 153ms]
#                       [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 309ms]
uploads                 [Status: 301, Size: 330, Words: 20, Lines: 10, Duration: 133ms]
# Copyright 2007 James Fisher [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 2320ms]
# on atleast 2 different hosts [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 2322ms]
#                       [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 2322ms]
                        [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 3312ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 3357ms]
# Priority ordered case sensative list, where entries were found  [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 3393ms]
css                     [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 129ms]
#                       [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 5323ms]
#                       [Status: 200, Size: 525, Words: 62, Lines: 27, Duration: 5323ms]

```

<figure><img src="/files/5O1JeVlWpymRPsJGIhVs" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/v3pn1QyoWNb0Rrfd89UM" alt=""><figcaption></figcaption></figure>

[GTFOBins: systemctl](https://gtfobins.github.io/gtfobins/systemctl/)

<figure><img src="/files/LWlwiK0do6Vvf7UqgWKb" alt=""><figcaption></figcaption></figure>


