DevContainer: 1
Easy machine from vulnhub.

Enumeration:
1) Target IP: 10.0.2.15. Nmap all port scan: nmap -p- -T5 -Pn -v 10.0.2.15
PORT STATE SERVICE
80/tcp open http
2) Target scan of port 80: nmap -sV -sC -v -p 80 10.0.2.15
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38 ((Debian))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Freelancer - Start Bootstrap Theme
3) Scanning the web server: nikto -h http://10.0.2.15/
+ Server: Apache/2.4.38 (Debian)
+ Server may leak inodes via ETags, header found with file /, inode: 6a7f, size: 5af24a0184072, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3233: /icons/README: Apache default file found.
4) Trying web directory scan, only this reveals some info.
gobuster dir -u http://10.0.2.15/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
/img (Status: 301) [Size: 304] [--> http://10.0.2.15/img/]
/mail (Status: 301) [Size: 305] [--> http://10.0.2.15/mail/]
/upload (Status: 301) [Size: 307] [--> http://10.0.2.15/upload/]
/css (Status: 301) [Size: 304] [--> http://10.0.2.15/css/]
/license (Status: 200) [Size: 11336]
/js (Status: 301) [Size: 303] [--> http://10.0.2.15/js/]
/fonts (Status: 301) [Size: 306] [--> http://10.0.2.15/fonts/]
/less (Status: 301) [Size: 305] [--> http://10.0.2.15/less/]
/server-status (Status: 403) [Size: 274]
5) /mail and /img are forbidden and cannot be accessed, but the /upload directory works. It also reveals the allowed file types.

To test, I uploaded an ordinary image. The form posts to /upload.php and the file appears under /upload/, so the site is running PHP.

Exploitation:
6) This blog post shows some techniques to bypass the upload filtering: File upload
7) I uploaded this shell and immediately got a reverse shell: pentestMonkey . I had to modify the IP and port in the script.
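The whole foothold rests on an upload handler that trusts the file name and declared type. As an added example (not code from the page or from the VM, and written in Python for illustration even though the box's handler is PHP), this is the set of checks that would have stopped steps 6 and 7: executable extensions rejected anywhere in the name, a strict name format, a magic-byte check against the declared type, a scan for embedded script markup, and a random stored name. The allowed types and the assumed filter logic are assumptions for the example.

```python
import os
import re
import secrets

# Image types the form is meant to accept (assumed), with their magic bytes.
ALLOWED = {"jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
           "png": b"\x89PNG\r\n\x1a\n", "gif": b"GIF8"}
IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}
# Anything Apache/PHP may execute, matched anywhere in the name so that
# double extensions like shell.php.jpg are caught as well.
EXECUTABLE = re.compile(r"\.(php\d?|phtml|phar|phps|htaccess)(\.|$)", re.I)
# One base name, one extension, nothing else (no NULs, no %00, no slashes).
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z]+$")
SCRIPT_MARKUP = re.compile(rb"<\?php|<script", re.I)


def validate_upload(filename: str, content_type: str, data: bytes):
    """Return (accepted, reason); stops at the first failed check."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop path parts
    if EXECUTABLE.search(name):
        return False, "server-executable extension in name"
    if not SAFE_NAME.match(name):
        return False, "unexpected characters or multiple extensions"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if content_type.lower() not in IMAGE_TYPES:
        return False, "content type is not an image"
    if not data.startswith(ALLOWED[ext]):
        return False, "file content does not match declared image type"
    # Defence in depth only: the real control is storing uploads outside the
    # web root (or with PHP handling disabled) so nothing here is executed.
    if SCRIPT_MARKUP.search(data):
        return False, "embedded script markup in image data"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Never keep the client's name: store under a random one, same extension."""
    ext = filename.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"
```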

8) A LinPEAS scan shows that a writable file is available
