nmap -Pn -sS 10.10.173.216 -p- --min-rate=10000
Nmap scan report for 10.10.173.216
Host is up (0.71s latency).
Not shown: 51387 closed tcp ports (reset), 14147 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 62.19 seconds
sudo nmap -Pn -sVC 10.10.173.216 -p 80
Nmap scan report for 10.10.173.216
Host is up (0.43s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
| http-title: Login
|_Requested resource was login.php
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.71 seconds
curl http://10.10.53.82 -L
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Login</title>
<link href="./css/style.css" rel="stylesheet">
</head>
<body>
<br>
<form align="center" action="" method="post" name="Login_Form">
<table width="400" border="0" align="center" cellpadding="5" cellspacing="1" class="Table">
<tr>
<td colspan="2" align="left" valign="top"><h3>Login</h3></td>
</tr>
<tr>
<td align="right" valign="top">Username</td>
<td><input name="Username" type="text" class="Input"></td>
</tr>
<tr>
<td align="right">Password</td>
<td><input name="Password" type="password" class="Input"></td>
</tr>
<tr>
<td> </td>
<td><input name="Submit" type="submit" value="Login" class="Button3"></td>
</tr>
</table>
</form>
</body>
</html>
😢 I checked for SQLi but couldn't bypass it. admin/admin credentials didn't work either.
I did another fuzz and found the /cloud dir.
😢 I bypassed it with extensions, but I couldn't get a shell; it was blocked by a 500 error. I got stuck and checked writeups.
😄 The same parameter takes OS commands, so I got a www-data shell.
😄 Key.
I downloaded it and opened it in keepass2, but it seems to need a master key.
keepass2john dataset.kdbx > dataset.hash
john -w=/usr/share/wordlists/rockyou.txt dataset.hash
The asterisked password can be read by copy-pasting it.
The usual beans.
Owner is sysadmin, group root. There are no promising exploits, so I checked the file.
Apparently, uploaded files are backed up, saved, and then erased. That is surely why the image files I uploaded immediately return 404.
They disappear in about 1 minute. If I return a shell from backup.inc.php, a root shell should come back.
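The root shell above comes from one condition: a file that a privileged backup job includes is writable by the web user. As an added defender-side check (not part of the original writeup), this POSIX shell function resolves the include/require targets of a PHP script that a root job runs and flags any that are missing or group/other-writable; the script and include paths are constructed for illustration, and the real backup script's includes are not known from the writeup.

```sh
# Added example, not from the original writeup. Audit a PHP script that a
# privileged (root) job executes: resolve its include/require targets and flag
# any that group/other can write or that do not exist yet. Paths are illustrative.
audit_php_includes() {
    script="$1"
    dir=$(dirname "$script")
    findings=0
    # Pull literal include/require targets such as require_once 'backup.inc.php'
    # (targets are word-split, so paths containing spaces are out of scope here).
    for inc in $(grep -oE "(include|require)(_once)?[[:space:]]*\(?[[:space:]]*['\"][^'\"]+['\"]" "$script" \
                 | sed -E "s/.*['\"]([^'\"]+)['\"]/\1/"); do
        # Resolve relative targets against the script's own directory.
        case "$inc" in
            /*) path="$inc" ;;
            *)  path="$dir/$inc" ;;
        esac
        if [ ! -e "$path" ]; then
            # A missing include can be planted by anyone who can write its directory.
            echo "MISSING  $path"
            findings=$((findings + 1))
        elif find "$path" -maxdepth 0 -perm /022 | grep -q .; then
            # Group- or world-writable include: such a user can inject code the job runs.
            echo "WRITABLE $path (owner=$(stat -c '%U' "$path") mode=$(stat -c '%a' "$path"))"
            findings=$((findings + 1))
        else
            echo "ok       $path (owner=$(stat -c '%U' "$path") mode=$(stat -c '%a' "$path"))"
        fi
    done
    # Non-zero when anything was flagged, so this can gate a deploy or cron change.
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_php_includes /path/to/backup.php`; the owner column should read root for every include a root job loads, since mode bits alone do not cover a file the web user owns outright.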
I can't get the hang of pwncat. Sleepy... 😴 I'm sleepy, but I also want a beer. Sleepy.