Offsec - Sumo - Jun 15th 2023
# Enumerate

Looking for targets on the subnet. Found [LAB_IP].
## Nmap

Adding `-O` for OS detection in the field.
```
sudo nmap -sT -sV -sC -O --open -p- [LAB_IP] -oN sumo.scan
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-15 13:06 GMT
Nmap scan report for [LAB_IP]
Host is up (0.045s latency).
Not shown: 64132 closed tcp ports (conn-refused), 1401 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 [HASH_REDACTED] (DSA)
|   2048 [HASH_REDACTED] (RSA)
|_  256 [HASH_REDACTED] (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.2.22 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=6/15%OT=22%CT=1%CU=32838%PV=Y%DS=4%DC=I%G=Y%TM=648B0CE
OS:D%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%TI=Z%II=I%TS=8)OPS(O1=M
OS:551ST11NW5%O2=M551ST11NW5%O3=M551NNT11NW5%O4=M551ST11NW5%O5=M551ST11NW5%
OS:O6=M551ST11)WIN(W1=3890%W2=3890%W3=3890%W4=3890%W5=3890%W6=3890)ECN(R=Y%
OS:DF=Y%T=40%W=3908%O=M551NNSNW5%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=EE
OS:DD%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.19 seconds
```
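Since the `-oN` file is what I keep for notes, it helps to pull the open ports into structured records and flag anything already known to be end-of-life, so the triage survives past the terminal scrollback. This is an added example, not something from the original notes or from nmap itself; the sample text is a subset of the scan output above with `[LAB_IP]` left as the lab placeholder, and the `EOL_PREFIXES` table is an assumption seeded only with the Apache 2.2 fact that nikto reports further down (2.2.34 was the last 2.2 release).

```python
"""Parse nmap normal (-oN) output into service records and flag EOL software.

Added example, not part of the original notes. The sample below is a subset
of the scan output above; [LAB_IP] and [HASH_REDACTED] are the lab's
placeholders, kept as-is.
"""
import re

# Constructed sample: the relevant lines of the -oN output from the scan above.
SAMPLE_SCAN = """\
Nmap scan report for [LAB_IP]
Host is up (0.045s latency).
Not shown: 64132 closed tcp ports (conn-refused), 1401 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 [HASH_REDACTED] (ECDSA)
80/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# A port line: "<port>/<proto> <state> <service> [<version string>]".
# Script output lines start with "|" and never match; the header line
# ("PORT STATE ...") starts with letters and never matches either.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")

# Version-string prefixes this triage treats as end-of-life. Assumption: a
# table for the reader to extend; only the Apache 2.2 entry is grounded in the
# notes (nikto's finding that 2.2.34 ended the 2.2 branch).
EOL_PREFIXES = {
    "Apache httpd 2.2": "Apache 2.2 branch is EOL (last release 2.2.34)",
}


def parse_nmap_normal(text):
    """Return a list of dicts, one per port line, tagged with the scanned host."""
    host = None
    services = []
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group("host")
            continue
        m = PORT_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            rec["version"] = (rec["version"] or "").strip()
            rec["host"] = host
            services.append(rec)
    return services


def flag_eol(services):
    """Return (port, version, reason) for every service matching an EOL prefix."""
    findings = []
    for s in services:
        for prefix, reason in EOL_PREFIXES.items():
            if s["version"].startswith(prefix):
                findings.append((s["port"], s["version"], reason))
    return findings


if __name__ == "__main__":
    svcs = parse_nmap_normal(SAMPLE_SCAN)
    for s in svcs:
        print(f"{s['host']} {s['port']}/{s['proto']} {s['service']}: {s['version']}")
    for port, version, reason in flag_eol(svcs):
        print(f"[EOL] port {port}: {version} -> {reason}")
```

The regex deliberately keys on the `<port>/<proto>` prefix rather than column positions, since nmap pads the columns differently depending on the longest service name in the run.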
## HTTP

Since I don't want to miss anything, I'll run autorecon on targets at the start.
```
gobuster dir -u http://[LAB_IP]:80 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://[LAB_IP]:80
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/06/15 13:10:11 Starting gobuster in directory enumeration mode
===============================================================
/index                (Status: 200) [Size: 177]
/server-status        (Status: 403) [Size: 295]
Progress: 137038 / 220561 (62.13%)^C
```
Takes forever. I thought Go was fast.
```
dirb http://[LAB_IP]

DIRB v2.22
By The Dark Raver

START_TIME: Thu Jun 15 13:15:52 2023
URL_BASE: http://[LAB_IP]/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

GENERATED WORDS: 4612

---- Scanning URL: http://[LAB_IP]/ ----
http://[LAB_IP]/cgi-bin/ (CODE:403|SIZE:290)
http://[LAB_IP]/index (CODE:200|SIZE:177)
http://[LAB_IP]/index.html (CODE:200|SIZE:177)
http://[LAB_IP]/server-status (CODE:403|SIZE:295)

END_TIME: Thu Jun 15 13:19:51 2023
DOWNLOADED: 4612 - FOUND: 4
```
dirb requires a second run per directory to search further down. I need recursive scanning.
```
dirbuster
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Starting OWASP DirBuster 1.0-RC1
Starting dir/file list based brute forcing
Dir found: / - 200
Dir found: /cgi-bin/ - 403
Dir found: /icons/ - 403
Dir found: /doc/ - 403
Dir found: /cgi-bin/test/ - 200
Dir found: /icons/small/ - 403
```
Way easier: it has a GUI and the thread count can be changed.

It seems autorecon plus dirbuster is the most thorough method, and the one to fall back on when I get very low on mental resources.
`view-source:http://[LAB_IP]/cgi-bin/test/` shows only:

```
CGI Default !
```
So it looks like Shellshock. Reference: https://www.youtube.com/watch?v=aKShnpOXqn0
Confirm with nikto (`-h` = host):
```
nikto -h [LAB_IP]
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          [LAB_IP]
+ Target Hostname:    [LAB_IP]
+ Target Port:        80
+ Start Time:         2023-06-15 13:33:23 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ /: Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 17:55:10 2020. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /index: Uncommon header 'tcn' found, with contents: list.
+ /index: Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. The following alternatives for 'index' were found: index.html. See: http://www.wisec.it/sectou.php?id=4698ebdc59d15,https://exchange.xforce.ibmcloud.com/vulnerabilities/8275
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: OPTIONS, GET, HEAD, POST .
+ /cgi-bin/test: Uncommon header '93e4r0-cve-2014-6278' found, with contents: true.
+ /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
```
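From the defending side, the reason `/cgi-bin/test` is exposed is that Apache's CGI handler copies request headers into environment variables before running the script, and an unpatched bash parses any variable whose value starts with `() {` as a function definition (CVE-2014-6271 and its follow-ups, including CVE-2014-6278 that nikto's header names). The fix is the bash patch; the detection, while a box like this is still unpatched, is to look for that prefix in any header value. Below is an added example of that check, not part of the original notes or of nikto: one function for use in a request filter, and one that scans Apache `combined`-format access logs. The log lines are constructed, and the `combined` format is an assumption (the default `common` format does not record User-Agent or Referer, so log-only detection misses payloads sent in Cookie or custom headers; the request-filter path does not).

```python
"""Detect Shellshock-style header values (CVE-2014-6271 family).

Added example, not from the original notes. Log lines are constructed and
assume Apache's "combined" LogFormat; the check itself only needs header values.
"""
import re

# Every payload in this family begins by making the variable look like a bash
# function definition: "() {" with optional whitespace. Matching the prefix,
# rather than any particular command after it, catches the variants.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" access-log line (assumed format).
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one benign hit on the CGI path, one probe carried in the
# User-Agent, one carried in the Referer, and one malformed line to skip.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jun/2023:13:33:23 +0000] "GET /cgi-bin/test/ HTTP/1.1" 200 177 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jun/2023:13:33:40 +0000] "GET /cgi-bin/test/ HTTP/1.1" 200 177 "-" "() { :;}; echo probe"',
    '203.0.113.9 - - [15/Jun/2023:13:33:41 +0000] "GET /index.html HTTP/1.1" 200 177 "() { :;}; echo probe" "Mozilla/5.0"',
    "not a log line",
]


def is_shellshock(value):
    """True if a header value carries the bash function-definition prefix."""
    return bool(SHELLSHOCK_RE.search(value))


def offending_headers(headers):
    """For a request filter: names of headers whose values match, in order."""
    return [name for name, value in headers.items() if is_shellshock(value)]


def scan_access_log(lines):
    """Return one record per matching log line: which field carried the prefix."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # malformed or non-combined line; nothing to inspect
        for field in ("ua", "referer", "req"):
            if is_shellshock(m.group(field)):
                req_parts = m.group("req").split()
                hits.append({
                    "line": n,
                    "ip": m.group("ip"),
                    "field": field,
                    "path": req_parts[1] if len(req_parts) > 1 else "",
                })
                break  # one record per line is enough for an alert
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} sent prefix in {hit['field']} for {hit['path']}")
    print(offending_headers({"Host": "[LAB_IP]", "User-Agent": "() {:;};"}))
```

The header-level check is the one to wire into a WAF or reverse-proxy rule, since it sees every header; the log scan is for finding out whether a host was probed before the patch landed. Patching bash removes the root cause regardless of which headers mod_cgi exports.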