Offsec - MyCMSMS - Nov 4th 2023

Given Target: [LAB_IP]

rustscan [LAB_IP]

PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
3306/tcp  open  mysql   syn-ack
33060/tcp open  mysqlx  syn-ack

nmap -sC -sV -p22,80,3306,33060 -v -T4 [LAB_IP] -oN services.nmap

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 27:21:9e:b5:39:63:e9:1f:2c:b2:6b:d3:3a:5f:31:7b (RSA)
|   256 bf:90:8a:a5:d7:e5:de:89:e6:1a:36:a1:93:40:18:57 (ECDSA)
|_  256 95:1f:32:95:78:08:50:45:cd:8c:7c:71:4a:d4:6c:1c (ED25519)
80/tcp    open  http    Apache httpd 2.4.38 ((Debian))
|_http-generator: CMS Made Simple - Copyright (C) 2004-2020. All rights reserved.
|_http-favicon: Unknown favicon MD5: 551E34ACF2930BF083670FA203420993
|_http-title: Home - My CMS
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
3306/tcp  open  mysql   MySQL 8.0.19
|_ssl-date: TLS randomness does not represent time
| mysql-info:
|   Protocol: 10
|   Version: 8.0.19
|   Thread ID: 45
|   Capabilities flags: 65535
|   Some Capabilities: Speaks41ProtocolNew, Support41Auth, ConnectWithDatabase, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, SupportsTransactions, InteractiveClient, LongPassword, IgnoreSpaceBeforeParenthesis, FoundRows, SupportsLoadDataLocal, SupportsCompression, LongColumnFlag, ODBCClient, SwitchToSSLAfterHandshake, IgnoreSigpipes, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: ?yacCn\x1A,l\x19EK\x04Nfuh \x1B\x1D
|_  Auth Plugin Name: mysql_native_password
| ssl-cert: Subject: commonName=MySQL_Server_8.0.19_Auto_Generated_Server_Certificate
| Issuer: commonName=MySQL_Server_8.0.19_Auto_Generated_CA_Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-03-25T09:30:14
| Not valid after:  2030-03-23T09:30:14
| MD5:   ab68:52c7:9ef3:3568:e534:a8f6:0670:3571
|_SHA-1: 62d2:bb7c:d123:e6d4:7231:773c:0916:b2c8:05dd:3f48
33060/tcp open  mysqlx?
| fingerprint-strings:
|   DNSStatusRequestTCP, LDAPSearchReq, NotesRPC, SSLSessionReq, TLSSessionReq, X11Probe, afp:
|     Invalid message"
|_    HY000
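The two scans above are the usual handoff: a fast full-range port sweep, then a targeted nmap service/script scan against only the ports that came back open. The snippet below is an added example, not part of the original write-up, that scripts that handoff in POSIX sh: it pulls the open TCP ports out of a grep-able scan listing and builds the same nmap command line used here. The scan listing is constructed to mirror the table above (with a closed port and an open|filtered UDP row added to show what the filter must drop); the function names open_ports and nmap_cmd and the TARGET variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the write-up): automate the rustscan -> nmap handoff
# by extracting the open TCP ports from a grep-able scan listing and building
# the targeted nmap service-scan command from them.

# Constructed sample input that mirrors the scan table in this write-up, plus
# two extra rows (a closed port and an open|filtered UDP port) to exercise the
# filter. This is not output captured from the lab host.
SCAN_OUTPUT='PORT      STATE SERVICE REASON
22/tcp    open  ssh     syn-ack
80/tcp    open  http    syn-ack
3306/tcp  open  mysql   syn-ack
33060/tcp open  mysqlx  syn-ack
8080/tcp  closed http-proxy conn-refused
53/udp    open|filtered domain no-response'

# open_ports: read scan rows on stdin, print the open TCP ports as the
# comma-separated list that nmap -p expects (e.g. 22,80,3306,33060).
# Only rows whose STATE column is exactly "open" and whose protocol is tcp
# are kept; the header row, closed ports and open|filtered UDP rows are
# skipped so the follow-up nmap run stays tight. Prints nothing if no
# port qualifies.
open_ports() {
    awk '$2 == "open" {
             split($1, a, "/")
             if (a[2] == "tcp") { printf "%s%s", sep, a[1]; sep = "," }
         }
         END { if (sep != "") print "" }'
}

# nmap_cmd TARGET PORTS: print the service/script scan command used in this
# write-up with the discovered port list substituted in.
nmap_cmd() {
    printf 'nmap -sC -sV -p%s -v -T4 %s -oN services.nmap\n' "$2" "$1"
}

# TARGET defaults to the write-up's [LAB_IP] placeholder; run as
#   TARGET=10.0.0.5 sh scan_handoff.sh
# against a real host (quoting keeps the brackets from being globbed).
PORTS=$(printf '%s\n' "$SCAN_OUTPUT" | open_ports)
echo "open tcp ports: $PORTS"
nmap_cmd "${TARGET:-[LAB_IP]}" "$PORTS"
```

The STATE column is matched exactly rather than with a substring test so that open|filtered rows, which rustscan and nmap emit for UDP and for filtered ports, do not get fed to the service scan as if they were confirmed open.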

dirb http://[LAB_IP]

---- Scanning URL: http://[LAB_IP]/ ----
==> DIRECTORY: http://[LAB_IP]/admin/
==> DIRECTORY: http://[LAB_IP]/assets/