Offsec - Solstice - Jun 26th 2023
Target: [LAB_IP]
Recon
Nmap
nmap -p- -sV -sC --open -T4 [LAB_IP] -oN solstice_nmap.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-26 11:02 GMT
Stats: 0:00:00 elapsed; 0 hosts completed (0 up), 1 undergoing Ping Scan
Ping Scan Timing: About 100.00% done; ETC: 11:02 (0:00:00 remaining)
Nmap scan report for [LAB_IP]
Host is up (0.051s latency).
Not shown: 63727 closed tcp ports (conn-refused), 1799 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
21/tcp open ftp pyftpdlib 1.5.6
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: [LAB_IP]:21
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 [HASH_REDACTED] (RSA)
| 256 [HASH_REDACTED] (ECDSA)
|_ 256 [HASH_REDACTED] (ED25519)
25/tcp open smtp Exim smtpd
| smtp-commands: solstice Hello nmap.scanme.org [[LAB_IP]], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
2121/tcp open ftp pyftpdlib 1.5.6
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drws------ 2 www-data www-data 4096 Jun 18 2020 pub
| ftp-syst:
| STAT:
| FTP server status:
| Connected to: [LAB_IP]:2121
| Waiting for username.
| TYPE: ASCII; STRUcture: File; MODE: Stream
| Data connection closed.
|_End of status.
3128/tcp open http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
8593/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
54787/tcp open http PHP cli server 5.5 or later (PHP 7.3.14-1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
62524/tcp open tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 76.04 seconds
Handful of services up.
FTP (Alternative)
ftp [LAB_IP] 2121
Connected to [LAB_IP].
220 pyftpdlib 1.5.6 ready.
Name ([LAB_IP]:kali): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering extended passive mode (|||43479|).
125 Data connection already open. Transfer starting.
drws------ 2 www-data www-data 4096 Jun 18 2020 pub
226 Transfer complete.
ftp> get pub
local: pub remote: pub
229 Entering extended passive mode (|||56083|).
550 Is a directory.
ftp> cd pub
250 "/pub" is the current directory.
ftp> ls
229 Entering extended passive mode (|||38019|).
125 Data connection already open. Transfer starting.
226 Transfer complete.
Web
Manual
On the web home page:
Currently configuring the database, try later.
Proudly powered by phpIPAM 1.4
Database not configured. Database port at 8593
We are still setting up the library! Try later on!
Because the book list has a file reference, I'll try to reference other local files.
http://[LAB_IP]:8593/index.php?book=../../../../../etc/passwd
Main Page Book List
We are still setting up the library! Try later on!
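As an added example that is not part of this writeup, the following Python check shows how the probe above looks from the defender's side: it pulls the still-encoded `book` value out of access-log requests, decodes it (twice, to catch double encoding), resolves it against the directory the app is assumed to serve books from, and flags any request that resolves outside it. The book directory and the log lines are constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical directory the library app is assumed to serve book files from.
BOOK_DIR = "/var/www/html/books"

# Constructed access-log lines (combined format); the first mirrors the probe above.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/2023:11:40:01 +0000] "GET /index.php?book=../../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/7.88"
10.0.0.5 - - [26/Jun/2023:11:40:09 +0000] "GET /index.php?book=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 512 "-" "curl/7.88"
10.0.0.7 - - [26/Jun/2023:11:41:15 +0000] "GET /index.php?book=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.8 - - [26/Jun/2023:11:42:30 +0000] "GET /index.php?book=%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 200 512 "-" "curl/7.88"
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def escapes_base(value: str, base_dir: str = BOOK_DIR) -> bool:
    """True if the user-supplied value, joined onto base_dir, resolves outside it.
    Decoding twice catches %252e-style double encoding; an absolute value such as
    /etc/passwd makes posixpath.join discard base_dir, so it is flagged as well."""
    decoded = unquote(unquote(value))
    target = posixpath.normpath(posixpath.join(base_dir, decoded))
    return not (target == base_dir or target.startswith(base_dir + "/"))

def raw_query_values(request_target: str, param: str) -> list:
    """Return the still-encoded values of `param` from the request target's query."""
    _, _, query = request_target.partition("?")
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == param:
            values.append(value)
    return values

def scan_log(log_text: str, param: str = "book") -> list:
    """Return (client_ip, raw_value) for each request whose `param` escapes BOOK_DIR."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for value in raw_query_values(match.group(1), param):
            if escapes_base(value):
                hits.append((client_ip, value))
    return hits

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: book={value}")
```

The same `escapes_base` check is what the application itself should run before opening anything derived from the `book` parameter; rejecting values that resolve outside the book directory closes the probe attempted above.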