you can download it here: https://www.vulnhub.com/entry/sputnik-1,301/

use nmap to do a thorough port scanning.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
root@kali:~# nmap -p 1-65535 -T4 -v -A 192.168.227.164
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-10 04:53 EDT
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 04:53
Completed NSE at 04:53, 0.00s elapsed
Initiating NSE at 04:53
Completed NSE at 04:53, 0.00s elapsed
Initiating ARP Ping Scan at 04:53
Scanning 192.168.227.164 [1 port]
Completed ARP Ping Scan at 04:53, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:53
Completed Parallel DNS resolution of 1 host. at 04:53, 0.15s elapsed
Initiating SYN Stealth Scan at 04:53
Scanning 192.168.227.164 [65535 ports]
Discovered open port 55555/tcp on 192.168.227.164
Discovered open port 8089/tcp on 192.168.227.164
Discovered open port 8191/tcp on 192.168.227.164
Discovered open port 61337/tcp on 192.168.227.164
Completed SYN Stealth Scan at 04:53, 3.11s elapsed (65535 total ports)
Initiating Service scan at 04:53
Scanning 4 services on 192.168.227.164
Completed Service scan at 04:54, 48.67s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 192.168.227.164
NSE: Script scanning 192.168.227.164.
Initiating NSE at 04:54
Completed NSE at 04:54, 7.51s elapsed
Initiating NSE at 04:54
Completed NSE at 04:54, 0.09s elapsed
Nmap scan report for 192.168.227.164
Host is up (0.00056s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
8089/tcp open ssl/http Splunkd httpd
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-03-29T11:03:21
| Not valid after: 2022-03-28T11:03:21
| MD5: 4bb4 e4bf 17eb 45ff 00b6 fb9f 5470 b15c
|_SHA-1: f8ee 5802 a921 3730 fbac 70dd 0baa 2d4a 94cf 64bc
8191/tcp open limnerpressure?
| fingerprint-strings:
| FourOhFourRequest, GetRequest:
| HTTP/1.0 200 OK
| Connection: close
| Content-Type: text/plain
| Content-Length: 85
|_ looks like you are trying to access MongoDB over HTTP on the native driver port.
55555/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-git:
| 192.168.227.164:55555/.git/
| Git repository found!
|_ Repository description: Unnamed repository; edit this file 'description' to name the...
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Flappy Bird Game
61337/tcp open http Splunkd httpd
|_http-favicon: Unknown favicon MD5: E60C968E8FF3CC2F4FB869588E83AFC6
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was http://192.168.227.164:61337/en-US/account/login?return_to=%2Fen-US%2F
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8191-TCP:V=7.70%I=7%D=6/10%Time=5CFE1A84%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,A9,"HTTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-
SF:Type:\x20text/plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like
SF:\x20you\x20are\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20
SF:on\x20the\x20native\x20driver\x20port\.\r\n")%r(FourOhFourRequest,A9,"H
SF:TTP/1\.0\x20200\x20OK\r\nConnection:\x20close\r\nContent-Type:\x20text/
SF:plain\r\nContent-Length:\x2085\r\n\r\nIt\x20looks\x20like\x20you\x20are
SF:\x20trying\x20to\x20access\x20MongoDB\x20over\x20HTTP\x20on\x20the\x20n
SF:ative\x20driver\x20port\.\r\n");
MAC Address: 00:0C:29:D4:E5:C9 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Uptime guess: 18.497 days (since Wed May 22 16:58:03 2019)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE
HOP RTT ADDRESS
1 0.56 ms 192.168.227.164

NSE: Script Post-scanning.
Initiating NSE at 04:54
Completed NSE at 04:54, 0.00s elapsed
Initiating NSE at 04:54
Completed NSE at 04:54, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.04 seconds
Raw packets sent: 65558 (2.885MB) | Rcvd: 65550 (2.623MB)

check http service(port 61337, 55555, 8089)

http://192.168.227.164:55555/ is a flappy bird game

http://192.168.227.164:61337/ is a splunkd service login page

http://192.168.227.164:8089/ is a splunkd service front page

found this: http://192.168.227.164:55555/.git/

use githack to download the whole git directory.

git logs to view history and git checkout id to revert to history version, but there is a version broken:

1

this secret looks quite suspicious, but can recover, but I managed to found its original github page: https://github.com/ameerpornillos/flappy/commit/07fda135aae22fa7869b3de9e450ff7cacfbc717

2

looks like a set of credential here, try to login to splunk and succeeded.

now is easy, just use the exploit here: https://github.com/TBGSecurity/splunk_shells and follow the steps here: https://www.n00py.io/2018/10/popping-shells-on-splunk/:

paste here as a backup:

3

splunk_shells-1.2.tar.gz

get a shell:

4

check sudoers file, using the password found previously

5ok, just run “sudo /bin/ed” then type “!/bin/bash” and get the root shell.

6