
29 VM SecTalks BNE0x03 - Simple

Walkthru:

A. https://blog.geoda-security.com/2016/08/bne0x03-simple-walkthrough.html [37292.c]
B. https://scriptkidd1e.wordpress.com/sectalks-bne0x03-simple-vulnhubs-vm-walkthrough/ [36746.c,37088.c]


Notes:

root@kali:~/reports/192.168.117.3# cat 192.168.117.3.nmap
# Nmap 7.70 scan initiated Fri Jul 20 19:19:00 2018 as: nmap -sV -O -oN ../reports/192.168.117.3/192.168.117.3.nmap 192.168.117.3
Nmap scan report for 192.168.117.3
Host is up (0.00066s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:60:21:5C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 20 19:19:25 2018 -- 1 IP address (1 host up) scanned in 24.91 seconds

root@kali:~/reports/192.168.117.3# cat udp_192.168.117.3.nmap
# Nmap 7.70 scan initiated Fri Jul 20 19:19:25 2018 as: nmap -Pn -A -sC -sU -T 3 --top-ports 200 -oN ../reports/192.168.117.3/udp_192.168.117.3.nmap 192.168.117.3
Nmap scan report for 192.168.117.3
Host is up (0.00048s latency).
Not shown: 199 closed ports
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc
MAC Address: 08:00:27:60:21:5C (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.48 ms 192.168.117.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 20 19:24:56 2018 -- 1 IP address (1 host up) scanned in 330.83 seconds

00000000000000000000000000

dirb output (start truncated):
-----------------

GENERATED WORDS: 4612

+ http://192.168.117.3/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.117.3/index.php (CODE:200|SIZE:2487)
+ http://192.168.117.3/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://192.168.117.3/skins/
==> DIRECTORY: http://192.168.117.3/uploads/

---- Entering directory: http://192.168.117.3/core/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.117.3/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

The /docs/ listing identifies the CMS and its version: CuteNews 2.0.3 (the docs mention PHP 4.1.0; the server itself runs PHP/5.5.9 per the X-Powered-By header in the nikto output below).

---- Entering directory: http://192.168.117.3/skins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.117.3/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

00000000000000000000000000

END_TIME: Fri Jul 20 20:09:43 2018
DOWNLOADED: 4612 - FOUND: 3
root@kali:~/reports/192.168.117.3# cat nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.117.3
+ Target Hostname:    192.168.117.3
+ Target Port:        80
+ Start Time:         2018-07-20 19:36:22 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Cookie CUTENEWS_SESSION created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.6
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x47e 0x4ec3e1d077c80
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3268: /docs/: Directory indexing found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7536 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2018-07-20 19:36:40 (GMT-5) (18 seconds)

00000000000000000000000000
Use the following to get a shell (EDB 37474: CuteNews 2.0.3 arbitrary file upload; uploaded files are served from /uploads/, which dirb showed is listable):
https://www.exploit-db.com/exploits/37474/
00000000000000000000000000
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
00000000000000000000000000
Tried the following but no luck on priv escalation:
https://www.exploit-db.com/exploits/44302/
00000000000000000000000000
Use the following for privilege escalation to root (the local kernel exploits used by the walkthroughs above; the target kernel is 3.16.0-30 on Ubuntu 14.04, i686):
37292.c (overlayfs, CVE-2015-1328) --> https://blog.geoda-security.com/2016/08/bne0x03-simple-walkthrough.html
36746.c, 37088.c --> https://scriptkidd1e.wordpress.com/sectalks-bne0x03-simple-vulnhubs-vm-walkthrough/
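Added example, not from the page or the walkthroughs: a small triage of the uname -a line captured above against the Ubuntu kernel builds that fixed the overlayfs bug behind 37292.c (CVE-2015-1328), so the decision "is this box a candidate" is made from the version string rather than by compiling and running the exploit first. The fixed ABI numbers are my reading of the Ubuntu Security Notices (USN-2640-1, USN-2641-1, USN-2642-1, USN-2643-1) and are an assumption to check against the advisories.

```python
"""Triage a captured `uname -a` line against the overlayfs (CVE-2015-1328) fix.

Added example; not part of the page or of EDB 37292. The fixed ABI numbers
below are assumed from the Ubuntu Security Notices and should be verified.
"""
import re

# The uname -a line recorded on the target (copied from the notes above).
UNAME = ("Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP "
         "Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux")

# First kernel ABI in each Ubuntu series that shipped the overlayfs fix.
# Assumption (from the USNs): 14.04 trusty 3.13.0-55, 14.10 utopic and the
# 14.04 lts-utopic HWE kernel 3.16.0-41, 15.04 vivid 3.19.0-21.
OVERLAYFS_FIXED_ABI = {
    "3.13.0": 55,
    "3.16.0": 41,
    "3.19.0": 21,
}

UNAME_RE = re.compile(
    r"^Linux\s+(?P<host>\S+)\s+"
    r"(?P<version>\d+\.\d+\.\d+)-(?P<abi>\d+)-(?P<flavour>\S+)\s+"
    r"#(?P<build>\S+)-Ubuntu\b.*?\s(?P<arch>i686|x86_64|armv\w+)\s"
)


def parse_uname(line: str):
    """Split an Ubuntu `uname -a` line into version, ABI, flavour, series, arch.

    Returns None for anything that is not an Ubuntu kernel line."""
    m = UNAME_RE.match(line)
    if not m:
        return None
    k = m.groupdict()
    k["abi"] = int(k["abi"])
    # A build tag like "#40~14.04.1" marks an LTS enablement-stack kernel
    # built for that release; plain "#140" means the release's own kernel.
    series = re.search(r"~(\d+\.\d+)", k["build"])
    k["series"] = series.group(1) if series else None
    return k


def overlayfs_candidate(line: str):
    """Return (candidate, reason): True when the kernel predates the fix."""
    k = parse_uname(line)
    if k is None:
        return False, "not an Ubuntu uname -a line"
    fixed = OVERLAYFS_FIXED_ABI.get(k["version"])
    if fixed is None:
        return False, f"no fix data for {k['version']}; check the USNs"
    label = f"{k['version']}-{k['abi']}-{k['flavour']} ({k['arch']})"
    if k["abi"] < fixed:
        return True, f"{label} predates fixed ABI {fixed}"
    return False, f"{label} is at or past fixed ABI {fixed}"


if __name__ == "__main__":
    print(overlayfs_candidate(UNAME))
```

Two caveats before trusting a True here: 37292.c must be compiled, so if the target has no gcc, build it on Kali with -m32 (the uname shows i686) and copy the binary over; and the exploit depends on unprivileged user namespaces, so check /proc/sys/kernel/unprivileged_userns_clone is 1 on the box.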
00000000000000000000000000
