Difference between revisions of "DerpNStink: 1 ~ VulnHub - Walkthrough"
(→Entry Point #1 - Port 80 (HTTP))
Line 40: | Line 40: | ||
=== Entry Point #1 - Port 80 (HTTP) === | === Entry Point #1 - Port 80 (HTTP) === | ||
+ | <syntaxhighlight lang="shell-session" highlight="6-8" line> | ||
+ | root@kali:~# nikto -h 192.168.56.105 -p 80 | ||
+ | - Nikto v2.1.6 | ||
+ | --------------------------------------------------------------------------- | ||
+ | + Target IP: 192.168.56.105 | ||
+ | + Target Hostname: 192.168.56.105 | ||
+ | + Target Port: 80 | ||
+ | + Start Time: 2018-03-26 05:22:22 (GMT-4) | ||
+ | --------------------------------------------------------------------------- | ||
+ | + Server: Apache/2.4.7 (Ubuntu) | ||
+ | + Server leaks inodes via ETags, header found with file /, fields: 0x512 0x55dcb6aaa2f50 | ||
+ | + The anti-clickjacking X-Frame-Options header is not present. | ||
+ | + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS | ||
+ | + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type | ||
+ | + No CGI Directories found (use '-C all' to force check all possible dirs) | ||
+ | + Entry '/temporary/' in robots.txt returned a non-forbidden or redirect HTTP code (200) | ||
+ | + "robots.txt" contains 2 entries which should be manually viewed. | ||
+ | + Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current. | ||
+ | + Allowed HTTP Methods: OPTIONS, GET, HEAD, POST | ||
+ | + Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22 | ||
+ | + OSVDB-3233: /icons/README: Apache default file found. | ||
+ | + 7537 requests: 0 error(s) and 10 item(s) reported on remote host | ||
+ | + End Time: 2018-03-26 05:22:34 (GMT-4) (12 seconds) | ||
+ | --------------------------------------------------------------------------- | ||
+ | </syntaxhighlight> | ||
+ | <syntaxhighlight lang="shell-session" highlight="6-8" line> | ||
+ | |||
+ | </syntaxhighlight> | ||
+ | <syntaxhighlight lang="shell-session" highlight="6-8" line> | ||
+ | |||
+ | </syntaxhighlight> | ||
== Recommendations == | == Recommendations == |
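Review bot: the two trailing `<syntaxhighlight lang="shell-session" highlight="6-8" line>` blocks at the end of the hunk are empty, so they render as blank boxes under the nikto output; either paste the output they are meant to hold or leave them out until it is ready. The `highlight="6-8"` on the nikto block itself marks the Target Port, Start Time and separator lines rather than the findings a reader should look at (the `/temporary/` robots.txt entry and the `x-powered-by: PHP/5.5.9` line are at lines 15 and 19 of that block), so the range looks like a leftover value and should be adjusted or dropped.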
Revision as of 22:23, 2 May 2018
Objective
Remotely attack the VM and find all 4 flags eventually leading you to full root access.
Source: [VulnHub.com]
Status: [Work in progress]
Methodology
Discovery
root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 05:21 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:21 (0:00:03 remaining)
Nmap scan report for 192.168.56.105
Host is up (0.00068s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:FF:CF:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds
Entry Point #1 - Port 80 (HTTP)
root@kali:~# nikto -h 192.168.56.105 -p 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.105
+ Target Hostname: 192.168.56.105
+ Target Port: 80
+ Start Time: 2018-03-26 05:22:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x512 0x55dcb6aaa2f50
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/temporary/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7537 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2018-03-26 05:22:34 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
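As an added example (not part of the original walkthrough), a small Python checker that applies the header findings nikto reported above to a raw HTTP response: it flags the three absent security headers, an Apache-style dash-separated hex ETag, and version strings in Server and X-Powered-By. Both responses are constructed samples, and the hardened header values are assumed, not taken from the target.

```python
import re

# Constructed sample, modelled on the nikto findings above: Apache 2.4.7,
# a dash-separated hex ETag, and none of the three flagged security headers.
VULNERABLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.22\r\n"
    'ETag: "512-55dcb6aaa2f50"\r\n'
    "Content-Type: text/html\r\n\r\n"
)
# Constructed hardened variant: FileETag None, ServerTokens Prod, version
# header removed and the three headers added (values are assumed defaults).
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Type: text/html\r\n\r\n"
)
# Headers nikto reported absent; any non-empty value counts as present.
REQUIRED = ("x-frame-options", "x-content-type-options", "x-xss-protection")
# Apache-style ETag: optional weak prefix, two or three hex fields joined by dashes.
APACHE_ETAG = re.compile(r'(W/)?"?[0-9a-f]+(-[0-9a-f]+){1,2}"?')

def parse_headers(raw):
    """Lower-cased header name -> value for the first header block of a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Return the nikto-style findings that still apply to this response."""
    h = parse_headers(raw)
    findings = [f"missing header: {name}" for name in REQUIRED if not h.get(name)]
    etag = h.get("etag", "")
    if APACHE_ETAG.fullmatch(etag):
        findings.append(f"etag exposes file metadata: {etag}")
    if "x-powered-by" in h:
        findings.append(f"x-powered-by leaks version: {h['x-powered-by']}")
    if re.search(r"/\d", h.get("server", "")):
        findings.append(f"server header leaks version: {h['server']}")
    return findings

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(resp) or "clean")
```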
Recommendations
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | Unix file permissions for /etc/shadow are incorrect. |
Impact | Allows any user with a shell to read this file and extract the password hashes, which can then be passed to a password-cracking utility to recover user credentials. |
Remediation | Set the Unix file permissions for /etc/shadow to "600" and change ownership to root:root. |
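As an added example (not part of the original walkthrough), a Python audit that checks /etc/shadow against the remediation stated above (mode 600 or stricter, owner root:root) and returns the chown/chmod commands needed to reach it. The constructed mode/uid/gid values in the comments are assumed samples; note that the check deliberately enforces the page's 600 root:root target, so it would also flag Debian's default 640 root:shadow.

```python
import os
import stat

# Expected state per the remediation above: no bits beyond 0600, owner root:root.
EXPECTED_MODE = 0o600
ROOT_UID = 0
ROOT_GID = 0

def shadow_findings(mode, uid, gid, path="/etc/shadow"):
    """Return a list of problems for the given st_mode (or bare permission bits),
    uid and gid. Only the permission bits (rwx plus setuid/setgid/sticky) matter."""
    perms = stat.S_IMODE(mode)
    findings = []
    if uid != ROOT_UID:
        findings.append(f"{path}: owner uid {uid}, expected root (0)")
    if gid != ROOT_GID:
        findings.append(f"{path}: group gid {gid}, expected root (0)")
    # Any bit outside the 0600 mask (group/other read, write, exec, or the
    # special bits) widens access beyond the owner, which is what lets an
    # unprivileged shell user copy the hashes out.
    extra = perms & ~EXPECTED_MODE
    if extra:
        findings.append(f"{path}: mode {perms:04o} grants bits {extra:04o} beyond {EXPECTED_MODE:04o}")
    return findings

def fix_commands(mode, uid, gid, path="/etc/shadow"):
    """Commands that bring the file to the remediated state; empty if already there."""
    cmds = []
    if uid != ROOT_UID or gid != ROOT_GID:
        cmds.append(f"chown root:root {path}")
    if stat.S_IMODE(mode) & ~EXPECTED_MODE:
        cmds.append(f"chmod {EXPECTED_MODE:o} {path}")
    return cmds

def audit_path(path="/etc/shadow"):
    """Stat a real file and return (findings, fix commands) for it."""
    st = os.stat(path)
    return (shadow_findings(st.st_mode, st.st_uid, st.st_gid, path),
            fix_commands(st.st_mode, st.st_uid, st.st_gid, path))

if __name__ == "__main__":
    # Constructed sample: world-readable shadow file, as the finding above describes.
    print(shadow_findings(0o100644, 0, 0))     # one finding for the extra 0044 bits
    print(fix_commands(0o100644, 0, 0))        # ['chmod 600 /etc/shadow']
    problems, fixes = audit_path()
    print(problems or "/etc/shadow matches the expected state", fixes)
```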