Difference between revisions of "DerpNStink: 1 ~ VulnHub - Walkthrough"
(→Entry Point #1 - Port 80 (HTTP)) |
(→Appendix A: Vulnerability Detail and Mitigation) |
||
Line 166: | Line 166: | ||
{| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | {| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | ||
− | |+ style="color:#e76700;text-align:left;" | | + | |+ style="color:#e76700;text-align:left;" | xxxx |
|- | |- | ||
|style="width:120px;" |Rating | |style="width:120px;" |Rating | ||
Line 182: | Line 182: | ||
{| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | {| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | ||
− | |+ style="color:#e76700;text-align:left;" | | + | |+ style="color:#e76700;text-align:left;" | xxxx |
|- | |- | ||
|style="width:120px;" |Rating | |style="width:120px;" |Rating | ||
Line 198: | Line 198: | ||
{| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | {| class="wikitable" style="background-color:#cccccc;color:black;font-size:0.9em;width:80%;" | ||
− | |+ style="color:#e76700;text-align:left;" | | + | |+ style="color:#e76700;text-align:left;" | xxxx |
|- | |- | ||
|style="width:120px;" |Rating | |style="width:120px;" |Rating | ||
Line 204: | Line 204: | ||
|- | |- | ||
|Description | |Description | ||
− | | | + | | |
|- | |- | ||
|Impact | |Impact | ||
− | | | + | | |
|- | |- | ||
|Remediation | |Remediation | ||
|Set unix file permissions for /etc/shadow to "600" and change ownership to root:root | |Set unix file permissions for /etc/shadow to "600" and change ownership to root:root | ||
|} | |} |
Revision as of 07:59, 4 May 2018
Contents
Objective
Remotely attack the VM and find all 4 flags eventually leading you to full root access.
Source: [VulnHub.com]
Status: [Work in progress]
Methodology
Discovery
root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 05:21 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:21 (0:00:03 remaining)
Nmap scan report for 192.168.56.105
Host is up (0.00068s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:FF:CF:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds
Entry Point #1 - Port 80 (HTTP)
root@kali:~# nikto -h 192.168.56.105 -p 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.105
+ Target Hostname: 192.168.56.105
+ Target Port: 80
+ Start Time: 2018-03-26 05:22:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x512 0x55dcb6aaa2f50
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/temporary/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7537 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2018-03-26 05:22:34 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
root@kali:~# curl http://192.168.56.101/robots.txt
User-agent: *
Disallow: /php/
Disallow: /temporary/
/temporary/ tells me to "try harder!"
/php/ returns 403 Forbidden
Digging dipper with "dirb"
root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# dirb http://192.168.56.101 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt -R
...
---- Scanning URL: http://192.168.56.101/ ----
==> DIRECTORY: http://192.168.56.101/css/
+ http://192.168.56.101/index.html (CODE:200|SIZE:1298)
==> DIRECTORY: http://192.168.56.101/javascript/
==> DIRECTORY: http://192.168.56.101/js/
==> DIRECTORY: http://192.168.56.101/php/
+ http://192.168.56.101/robots.txt (CODE:200|SIZE:53)
+ http://192.168.56.101/server-status (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.56.101/temporary/
==> DIRECTORY: http://192.168.56.101/weblog/
---- Entering directory: http://192.168.56.101/css/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/javascript/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/js/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/php/ ----
(?) Do you want to scan this directory (y/n)? y + http://192.168.56.101/php/info.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.101/php/phpmyadmin/
---- Entering directory: http://192.168.56.101/temporary/ ----
(?) Do you want to scan this directory (y/n)? y + http://192.168.56.101/temporary/index.html (CODE:200|SIZE:12)
---- Entering directory: http://192.168.56.101/weblog/ ----
(?) Do you want to scan this directory (y/n)? y + http://192.168.56.101/weblog/index.php (CODE:200|SIZE:14903)
==> DIRECTORY: http://192.168.56.101/weblog/wp-admin/
==> DIRECTORY: http://192.168.56.101/weblog/wp-content/
==> DIRECTORY: http://192.168.56.101/weblog/wp-includes/
+ http://192.168.56.101/weblog/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.56.101/php/phpmyadmin/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/weblog/wp-admin/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/weblog/wp-content/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/weblog/wp-includes/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
....
Recommendations
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | |
Impact | |
Remediation | Set unix file permissions for /etc/shadow to "600" and change ownership to root:root |