Difference between revisions of "Mr-Robot: 1 ~ VulnHub - Walkthrough"
m (→Discovery) |
m |
||
Line 28: | Line 28: | ||
... | ... | ||
</syntaxhighlight> | </syntaxhighlight> | ||
− | + | Let's take a look that port 80 | |
− | === Entry Point # | + | <syntaxhighlight lang=shell-session highlight="" line> |
+ | root@kali:/mnt/VM_Transfer/Pentesting/Mr. Robot# nikto -h 192.168.56.107 | ||
+ | - Nikto v2.1.6 | ||
+ | --------------------------------------------------------------------------- | ||
+ | + Target IP: 192.168.56.107 | ||
+ | + Target Hostname: 192.168.56.107 | ||
+ | + Target Port: 80 | ||
+ | + Start Time: 2018-05-13 15:46:30 (GMT-4) | ||
+ | --------------------------------------------------------------------------- | ||
+ | + Server: Apache | ||
+ | + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS | ||
+ | + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type | ||
+ | + Retrieved x-powered-by header: PHP/5.5.29 | ||
+ | + No CGI Directories found (use '-C all' to force check all possible dirs) | ||
+ | + Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad | ||
+ | + Uncommon header 'tcn' found, with contents: list | ||
+ | + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php | ||
+ | + OSVDB-3092: /admin/: This might be interesting... | ||
+ | + OSVDB-3092: /readme: This might be interesting... | ||
+ | + Uncommon header 'link' found, with contents: <http://192.168.56.107/?p=23>; rel=shortlink | ||
+ | + OSVDB-5089: /admin/system.php3?cmd=cat%20/etc/passwd: DotBr 0.1 allows remote command execution. | ||
+ | + OSVDB-5090: /admin/exec.php3?cmd=cat%20/etc/passwd: DotBr 0.1 allows remote command execution. | ||
+ | + /wp-links-opml.php: This WordPress script reveals the installed version. | ||
+ | + OSVDB-3092: /license.txt: License file found may identify site software. | ||
+ | + /admin/index.html: Admin login page/section found. | ||
+ | + Cookie wordpress_test_cookie created without the httponly flag | ||
+ | + /wp-login/: Admin login page/section found. | ||
+ | + /wordpress/: A Wordpress installation was found. | ||
+ | + /wp-admin/wp-login.php: Wordpress login found | ||
+ | + /blog/wp-login.php: Wordpress login found | ||
+ | + /wp-login.php: Wordpress login found | ||
+ | + 7536 requests: 1 error(s) and 20 item(s) reported on remote host | ||
+ | + End Time: 2018-05-13 15:50:06 (GMT-4) (216 seconds) | ||
+ | --------------------------------------------------------------------------- | ||
+ | + 1 host(s) tested | ||
+ | </syntaxhighlight> | ||
+ | === Entry Point #1 - Port 80 (HTTP) === | ||
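Review bot: the Nikto run added in this hunk targets 192.168.56.107, while the nmap output in the Discovery section it is appended to reports 192.168.56.108, and the two scans carry different dates (13 May and 14 May); add a sentence saying why the address differs (for example that the VM's address changed between sessions) or re-run one of the scans, otherwise a reader will take the two outputs as describing different hosts. Two smaller points: moving the `=== Entry Point #1 - Port 80 (HTTP) ===` heading below the Nikto block leaves that section empty, and `highlight=""` on the new `<syntaxhighlight>` tag is an empty attribute that can be dropped.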
Revision as of 05:33, 15 May 2018
Objective
Find three hidden flags. Acquire 'root' access
Source: [VulnHub.com]
Status: [Work in progress]
Methodology
Discovery
root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.108
Starting Nmap 7.60 ( https://nmap.org ) at 2018-05-14 22:45 EDT
Nmap scan report for 192.168.56.108
Host is up (0.0011s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp closed ssh
80/tcp open http Apache httpd
443/tcp open ssl/http Apache httpd
MAC Address: 08:00:27:B4:E3:34 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.8
...
Let's take a look at port 80 with Nikto:
root@kali:/mnt/VM_Transfer/Pentesting/Mr. Robot# nikto -h 192.168.56.107
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.107
+ Target Hostname: 192.168.56.107
+ Target Port: 80
+ Start Time: 2018-05-13 15:46:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Retrieved x-powered-by header: PHP/5.5.29
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server leaks inodes via ETags, header found with file /robots.txt, fields: 0x29 0x52467010ef8ad
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.php
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /readme: This might be interesting...
+ Uncommon header 'link' found, with contents: <http://192.168.56.107/?p=23>; rel=shortlink
+ OSVDB-5089: /admin/system.php3?cmd=cat%20/etc/passwd: DotBr 0.1 allows remote command execution.
+ OSVDB-5090: /admin/exec.php3?cmd=cat%20/etc/passwd: DotBr 0.1 allows remote command execution.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /admin/index.html: Admin login page/section found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ /wp-login/: Admin login page/section found.
+ /wordpress/: A Wordpress installation was found.
+ /wp-admin/wp-login.php: Wordpress login found
+ /blog/wp-login.php: Wordpress login found
+ /wp-login.php: Wordpress login found
+ 7536 requests: 1 error(s) and 20 item(s) reported on remote host
+ End Time: 2018-05-13 15:50:06 (GMT-4) (216 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
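To re-test the header-level findings Nikto reported above after hardening the site, here is an added example (not part of the original walkthrough) that audits a raw HTTP response for the same weaknesses; the response it checks is a constructed sample modelled on the Nikto output, not a capture from the VM.

```python
import re

# Constructed sample response, based on the Nikto findings above: Apache,
# X-Powered-By PHP/5.5.29, an inode-style ETag, the TCN header from
# mod_negotiation, and the WordPress test cookie set without HttpOnly.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Powered-By: PHP/5.5.29\r\n"
    "ETag: \"29-52467010ef8ad\"\r\n"
    "TCN: list\r\n"
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names; repeated headers are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return a sorted list of findings mirroring the Nikto checks from the scan."""
    hdrs = parse_headers(raw)
    present = {name for name, _ in hdrs}
    findings = []
    if "x-content-type-options" not in present:
        findings.append("missing X-Content-Type-Options (MIME sniffing possible)")
    if "x-xss-protection" not in present:
        findings.append("missing X-XSS-Protection")
    for name, value in hdrs:
        if name == "x-powered-by":
            findings.append("version disclosure: " + value)
        # Apache's default ETag is hex fields joined by '-', e.g. inode-size-mtime.
        if name == "etag" and re.fullmatch(r'"?[0-9a-f]+(-[0-9a-f]+)+"?', value):
            findings.append("ETag may leak inode: " + value)
        if name == "tcn":
            findings.append("mod_negotiation MultiViews active (TCN header)")
        if name == "set-cookie" and "httponly" not in value.lower():
            findings.append("cookie without HttpOnly: " + value.split("=", 1)[0])
    return sorted(findings)
```

Fixing the findings on Apache means adding `Header always set X-Content-Type-Options "nosniff"`, setting `FileETag None` (or `MTime Size`), disabling `MultiViews`, turning off `expose_php` in php.ini, and having WordPress/PHP mark cookies HttpOnly; feed the new response into `audit()` to confirm each one disappears.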
Entry Point #1 - Port 80 (HTTP)
Recommendations
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |