DevContainer: 1

Last updated 4 years ago


Easy machine from .

Enumeration:

1) Target IP: 10.0.2.15. Nmap all-port scan: nmap -p- -T5 -Pn -v 10.0.2.15

PORT   STATE SERVICE
80/tcp open  http

2) Targeted scan of port 80: nmap -sV -sC -v -p 80 10.0.2.15

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
| http-methods:
|_  Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Freelancer - Start Bootstrap Theme

3) Scanning web: nikto -h

+ Server: Apache/2.4.38 (Debian)
+ Server may leak inodes via ETags, header found with file /, inode: 6a7f, size: 5af24a0184072, mtime: gzip
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3233: /icons/README: Apache default file found.

4) Trying a web directory scan; only this reveals some info.

gobuster dir -u http://10.0.2.15/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

===============================================================
/img                  (Status: 301) [Size: 304] [--> http://10.0.2.15/img/]
/mail                 (Status: 301) [Size: 305] [--> http://10.0.2.15/mail/]
/upload               (Status: 301) [Size: 307] [--> http://10.0.2.15/upload/]
/css                  (Status: 301) [Size: 304] [--> http://10.0.2.15/css/]
/license              (Status: 200) [Size: 11336]
/js                   (Status: 301) [Size: 303] [--> http://10.0.2.15/js/]
/fonts                (Status: 301) [Size: 306] [--> http://10.0.2.15/fonts/]
/less                 (Status: 301) [Size: 305] [--> http://10.0.2.15/less/]
/server-status        (Status: 403) [Size: 274]

5) /mail and /img are forbidden and cannot be accessed, but the /upload directory works. It also reveals the allowed file types.

To test, I uploaded a general image. The operation shows it uploaded in /upload.php, so the site is running on PHP.

Exploitation:

6) This blog post shows some techniques to bypass filtering:

7) Uploaded this shell and immediately got a reverse shell: . I had to modify the IP and port of this script.

8) The LinPEAS scan shows that a writable file is available.

Machine is not giving any output. Need to find out what's wrong.
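
From the defender's side, the upload abuse in the steps above leaves a clear trace in the Apache access log: a POST to /upload.php followed by a request for a non-image file under /upload/. The following is an added example, not part of the original writeup; the allow-list, the time window, the client addresses and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: the upload form is meant to accept only these image types.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
WINDOW = timedelta(minutes=10)  # assumed correlation window
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def suspicious_name(path):
    """True if the requested file carries no suffix or any suffix outside the allow-list."""
    name = path.split("?", 1)[0].rsplit("/", 1)[-1]
    suffixes = name.lower().split(".")[1:]
    return bool(name) and (not suffixes or any(s not in ALLOWED_EXT for s in suffixes))

def find_upload_abuse(lines):
    """Return (ip, path, time) for successful requests to non-image files in
    /upload/ made by a client that POSTed to /upload.php within WINDOW."""
    last_post, findings = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path = m["ip"], m["path"]
        if m["method"] == "POST" and path.split("?", 1)[0] == "/upload.php":
            last_post[ip] = ts
        elif path.startswith("/upload/") and m["status"] == "200" and suspicious_name(path):
            posted = last_post.get(ip)
            if posted and ts - posted <= WINDOW:
                findings.append((ip, path, ts.isoformat()))
    return findings

# Constructed sample log lines (Apache combined format); client addresses are placeholders.
SAMPLE = [
    '10.0.2.4 - - [12/Oct/2021:10:01:02 +0000] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.2.4 - - [12/Oct/2021:10:01:05 +0000] "GET /upload/cat.png HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '10.0.2.4 - - [12/Oct/2021:10:03:40 +0000] "POST /upload.php HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '10.0.2.4 - - [12/Oct/2021:10:03:55 +0000] "GET /upload/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '10.0.2.9 - - [12/Oct/2021:10:04:10 +0000] "GET /upload/notes.txt HTTP/1.1" 200 64 "-" "curl/7.74.0"',
    '10.0.2.4 - - [12/Oct/2021:10:05:00 +0000] "GET /upload/old.php HTTP/1.1" 404 274 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in find_upload_abuse(SAMPLE):
        print(finding)
```

Detection is only the fallback: the upload directory should not be configured to execute scripts at all, and the upload handler should store files under server-generated names.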

http://10.0.2.15/
File upload
pentestMonkey
vulnhub
Website at port 80