DerpNStink: 1 ~ VulnHub - Walkthrough
Revision as of 21:55, 4 May 2018
Objective
Remotely attack the VM and find all 4 flags eventually leading you to full root access.
Source: [VulnHub.com]
Status: [Work in progress]
Methodology
Discovery
root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 05:21 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:21 (0:00:03 remaining)
Nmap scan report for 192.168.56.105
Host is up (0.00068s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:FF:CF:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
...
Entry Point #1 - Port 80 (HTTP)
root@kali:~# nikto -h 192.168.56.105 -p 80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.56.105
+ Target Hostname: 192.168.56.105
+ Target Port: 80
+ Start Time: 2018-03-26 05:22:22 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x512 0x55dcb6aaa2f50
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/temporary/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.22
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7537 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2018-03-26 05:22:34 (GMT-4) (12 seconds)
---------------------------------------------------------------------------
root@kali:~# curl http://192.168.56.101/robots.txt
User-agent: *
Disallow: /php/
Disallow: /temporary/
Let's take a look at the source of http://192.168.56.101/
Two things popped up:
root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# curl -s http://192.168.56.101 |grep flag
<--flag1(52E37291AEDF6A46D7D0BB8A6312F4F9F1AA4975C248C3F0E008CBA09D6E9166) -->
And:
<script type="text/info" src="/webnotes/info.txt"></script>
/temporary/ tells me to "try harder!"
/php/ returns 403 Forbidden
Digging deeper with "dirb"
root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# dirb http://192.168.56.101 -w /usr/share/dirbuster/wordlists/directory-list-1.0.txt -R
...
---- Scanning URL: http://192.168.56.101/ ----
==> DIRECTORY: http://192.168.56.101/css/
+ http://192.168.56.101/index.html (CODE:200|SIZE:1298)
==> DIRECTORY: http://192.168.56.101/javascript/
==> DIRECTORY: http://192.168.56.101/js/
==> DIRECTORY: http://192.168.56.101/php/
+ http://192.168.56.101/robots.txt (CODE:200|SIZE:53)
+ http://192.168.56.101/server-status (CODE:403|SIZE:294)
==> DIRECTORY: http://192.168.56.101/temporary/
==> DIRECTORY: http://192.168.56.101/weblog/
---- Entering directory: http://192.168.56.101/css/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/javascript/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/js/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/php/ ----
(?) Do you want to scan this directory (y/n)? y
+ http://192.168.56.101/php/info.php (CODE:200|SIZE:0)
==> DIRECTORY: http://192.168.56.101/php/phpmyadmin/
---- Entering directory: http://192.168.56.101/temporary/ ----
(?) Do you want to scan this directory (y/n)? y
+ http://192.168.56.101/temporary/index.html (CODE:200|SIZE:12)
---- Entering directory: http://192.168.56.101/weblog/ ----
(?) Do you want to scan this directory (y/n)? y
+ http://192.168.56.101/weblog/index.php (CODE:200|SIZE:14903)
==> DIRECTORY: http://192.168.56.101/weblog/wp-admin/
==> DIRECTORY: http://192.168.56.101/weblog/wp-content/
==> DIRECTORY: http://192.168.56.101/weblog/wp-includes/
+ http://192.168.56.101/weblog/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://192.168.56.101/php/phpmyadmin/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/weblog/wp-admin/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/weblog/wp-content/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
---- Entering directory: http://192.168.56.101/weblog/wp-includes/ ----
(?) Do you want to scan this directory (y/n)? n
Skipping directory.
....
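Seen from the web server's side, the nikto and dirb runs above leave a very recognisable trail. The following added example (my own Python, not part of the original walkthrough) reads Apache combined-format access-log lines and flags clients that look like such a scan, either by a known scanner User-Agent substring or by a burst of mostly-404 requests in a short window. The log lines, IP addresses, thresholds and User-Agent substrings are constructed assumptions, not data from the VM.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format (constructed regex; covers the common case only).
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCANNER_UA = ("nikto", "dirbuster", "sqlmap")  # assumption: UA substrings worth flagging; trivially spoofable

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"], rec["ts"] = int(rec["status"]), datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_scanners(lines, window_s=60, min_requests=20, min_404_ratio=0.5):
    """Return {ip: [reasons]} for clients whose traffic looks like a forced-browse scan."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        reasons = []
        hits = [s for s in SCANNER_UA if any(s in r["ua"].lower() for r in recs)]
        if hits:
            reasons.append("scanner user-agent: " + ", ".join(hits))
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # sliding window: burst of mostly-404 requests
            burst = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            if len(burst) >= min_requests:
                ratio = sum(r["status"] == 404 for r in burst) / len(burst)
                if ratio >= min_404_ratio:
                    reasons.append(f"{len(burst)} requests in {window_s}s, {ratio:.0%} were 404")
                    break
        if reasons:
            findings[ip] = reasons
    return findings

def sample_log():
    """Constructed sample: one dirb-style client guessing paths, one ordinary visitor."""
    fmt = '{ip} - - [26/Mar/2018:05:22:{sec:02d} -0400] "GET {path} HTTP/1.1" {st} 294 "-" "{ua}"'
    lines = [fmt.format(ip="192.0.2.10", sec=s, path=f"/guess{s}/", st=404 if s % 5 else 200,
                        ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)") for s in range(30)]
    lines += [fmt.format(ip="198.51.100.5", sec=s, path="/", st=200, ua="Mozilla/5.0") for s in (1, 5, 40)]
    return lines
```

The User-Agent check only catches tools that do not hide themselves; the 404-burst heuristic is what catches a wordlist scan with a browser-like UA, so tune `min_requests` and `window_s` to the site's normal 404 rate before alerting on it.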
Let's check out that WordPress install
root@kali:/mnt/VM_Transfer/Pentesting/DerpNStink# curl -L http://192.168.56.101/weblog
curl: (6) Could not resolve host: derpnstink.local
Ok! Let's update /etc/hosts
Recommendations
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | xxxxxx |
Impact | xxxxxx |
Remediation | xxxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxxx |
Remediation | xxxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxxx |
Remediation | xxxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxxx |
Remediation | xxxxxx |