29 VM SecTalks BNE0x03 - Simple

Walkthru:

A. https://blog.geoda-security.com/2016/08/bne0x03-simple-walkthrough.html [37292.c]
B. https://scriptkidd1e.wordpress.com/sectalks-bne0x03-simple-vulnhubs-vm-walkthrough/ [36746.c,37088.c]


Notes:

root@kali:~/reports/192.168.117.3# cat 192.168.117.3.nmap
# Nmap 7.70 scan initiated Fri Jul 20 19:19:00 2018 as: nmap -sV -O -oN ../reports/192.168.117.3/192.168.117.3.nmap 192.168.117.3
Nmap scan report for 192.168.117.3
Host is up (0.00066s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:60:21:5C (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 20 19:19:25 2018 -- 1 IP address (1 host up) scanned in 24.91 seconds

root@kali:~/reports/192.168.117.3# cat udp_192.168.117.3.nmap
# Nmap 7.70 scan initiated Fri Jul 20 19:19:25 2018 as: nmap -Pn -A -sC -sU -T 3 --top-ports 200 -oN ../reports/192.168.117.3/udp_192.168.117.3.nmap 192.168.117.3
Nmap scan report for 192.168.117.3
Host is up (0.00048s latency).
Not shown: 199 closed ports
PORT   STATE         SERVICE VERSION
68/udp open|filtered dhcpc
MAC Address: 08:00:27:60:21:5C (Oracle VirtualBox virtual NIC)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.48 ms 192.168.117.3

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jul 20 19:24:56 2018 -- 1 IP address (1 host up) scanned in 330.83 seconds

00000000000000000000000000

-----------------

GENERATED WORDS: 4612

+ http://192.168.117.3/favicon.ico (CODE:200|SIZE:1150)
+ http://192.168.117.3/index.php (CODE:200|SIZE:2487)
+ http://192.168.117.3/server-status (CODE:403|SIZE:293)
==> DIRECTORY: http://192.168.117.3/skins/
==> DIRECTORY: http://192.168.117.3/uploads/

---- Entering directory: http://192.168.117.3/core/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.117.3/docs/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

(/docs/ listing shows version info: PHP 4.1.0, CuteNews 2.0.3)

---- Entering directory: http://192.168.117.3/skins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://192.168.117.3/uploads/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

00000000000000000000000000

END_TIME: Fri Jul 20 20:09:43 2018
DOWNLOADED: 4612 - FOUND: 3
root@kali:~/reports/192.168.117.3# cat nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.117.3
+ Target Hostname:    192.168.117.3
+ Target Port:        80
+ Start Time:         2018-07-20 19:36:22 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Cookie CUTENEWS_SESSION created without the httponly flag
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.6
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Server leaks inodes via ETags, header found with file /favicon.ico, fields: 0x47e 0x4ec3e1d077c80
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3268: /docs/: Directory indexing found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7536 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2018-07-20 19:36:40 (GMT-5) (18 seconds)
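The nikto lines above are worth triaging by hand before they go in a report. One caveat a practitioner would want: nikto's "leaks inodes via ETags" check fires on any multi-field ETag, but the two fields it reports (0x47e 0x4ec3e1d077c80) are size and mtime, since 0x47e = 1150 is exactly the favicon.ico size dirb returned (SIZE:1150); Apache 2.4 defaults to FileETag MTime Size, so no inode is exposed here. Added example, not part of the original notes or of nikto: a small Python checker that runs the same header, cookie, ETag and directory-listing tests over a raw HTTP response, with a constructed weak response mirroring what was observed and a hardened counterpart. The cookie value and body are made up for the example.

```python
"""Check an HTTP response for the header, cookie, ETag and directory-listing
issues nikto reported above (added example, not from the original notes)."""
import re
from email.parser import Parser

# Constructed sample response mirroring what the notes observed on
# 192.168.117.3: Apache 2.4.7, PHP 5.5.9, CUTENEWS_SESSION without HttpOnly,
# the favicon ETag "47e-4ec3e1d077c80" and a listable /docs/ directory.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4.6\r\n"
    "Set-Cookie: CUTENEWS_SESSION=0123456789abcdef; path=/\r\n"
    'ETag: "47e-4ec3e1d077c80"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /docs</title></head>"
    "<body><h1>Index of /docs</h1></body></html>"
)

# The same response after hardening (ServerTokens Prod, expose_php=Off,
# HttpOnly cookie, nosniff, FileETag without INode, Options -Indexes).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: CUTENEWS_SESSION=0123456789abcdef; path=/; HttpOnly\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 0\r\n"
    'ETag: "4ec3e1d077c80"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>ok</body></html>"
)


def split_response(raw):
    """Return (status_line, headers, body) for a raw HTTP/1.x response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_text = head.partition("\r\n")
    return status_line, Parser().parsestr(header_text, headersonly=True), body


def audit_response(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    _, headers, body = split_response(raw)
    findings = []

    # A session cookie without HttpOnly is readable by injected script.
    for cookie in headers.get_all("Set-Cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} set without HttpOnly")

    if headers.get("X-Content-Type-Options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    # Legacy header; modern browsers ignore it, but scanners still flag it.
    if headers.get("X-XSS-Protection") is None:
        findings.append("X-XSS-Protection not set")

    # Version strings in Server / X-Powered-By drive exploit selection.
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name)
        if value and re.search(r"\d+\.\d+", value):
            findings.append(f"{name} discloses version: {value.strip()}")

    # Apache 2.4 default is FileETag "MTime Size" (two hex fields); only a
    # three-field ETag (INode MTime Size) actually leaks the inode number.
    etag = headers.get("ETag")
    if etag:
        core = re.sub(r"^W/", "", etag.strip()).strip('"')
        fields = core.split("-")
        if len(fields) >= 3:
            findings.append(f"ETag {etag.strip()} has {len(fields)} fields: inode leaked")
        elif len(fields) == 2 and re.fullmatch(r"[0-9a-f]+", fields[0]):
            size = int(fields[0], 16)
            findings.append(f"ETag {etag.strip()} is size-mtime only ({size} bytes): "
                            "nikto's inode claim is a false positive")

    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append("directory listing enabled")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["clean"])
```

Running it prints seven findings for the weak response (including the 1150-byte ETag note) and "clean" for the hardened one. The directives behind the hardened response are all standard: ServerTokens Prod and Options -Indexes in the Apache config, Header set X-Content-Type-Options nosniff via mod_headers, FileETag MTime Size (or None), and expose_php = Off in php.ini; the cookie flag has to come from the application or session.cookie_httponly.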

00000000000000000000000000
Use the following to get a shell as www-data (CuteNews 2.0.3 arbitrary file upload, EDB 37474):
https://www.exploit-db.com/exploits/37474/
00000000000000000000000000
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux
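The uname line is what decides the privesc picks further down: 37292 targets 3.13 to 3.19 Ubuntu kernels, and 37088/36746 target Apport on 14.04. Added example, not part of the original notes or of any exploit: parse uname -a into structured fields and filter candidates by kernel range and Ubuntu release. The candidate table carries the ranges from the Exploit-DB titles as I recall them; treat the table as an assumption and verify it on exploit-db. Caveat: Ubuntu backports fixes without changing the upstream version, so a kernel inside the range is a candidate, not a confirmed hit; the ABI number (here -30) and the build date (Jan 2015, which predates the overlayfs fix) are what settle it.

```python
"""Parse a 'uname -a' line and filter local privilege-escalation candidates
by kernel version and Ubuntu release (added example, not from the notes)."""
import re

# Constructed from the uname -a output captured on the box above.
UNAME_LINE = ("Linux simple 3.16.0-30-generic #40~14.04.1-Ubuntu SMP "
              "Thu Jan 15 17:45:15 UTC 2015 i686 i686 i686 GNU/Linux")

# Assumption: ranges/releases as given in the Exploit-DB titles of the
# exploits referenced in this post (recalled from memory; verify them).
# min_kernel is inclusive, max_kernel exclusive, None means "not stated".
CANDIDATES = [
    {"edb": 37292, "name": "overlayfs (CVE-2015-1328)",
     "min_kernel": (3, 13, 0), "max_kernel": (3, 19, 0),
     "ubuntu": ("12.04", "14.04", "14.10", "15.04")},
    {"edb": 37088, "name": "Apport 2.14.1 (CVE-2015-1318)",
     "min_kernel": None, "max_kernel": None, "ubuntu": ("14.04",)},
    {"edb": 36746, "name": "Apport/ABRT (CVE-2015-1318)",
     "min_kernel": None, "max_kernel": None, "ubuntu": ("14.04",)},
]

UNAME_RE = re.compile(
    r"^(?P<os>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)-(?P<abi>\d+)-(?P<flavour>\S+)\s+"
    r"#(?P<build>\d+)(?:~(?P<ubuntu>\d+\.\d+(?:\.\d+)?)-Ubuntu)?"
)


def parse_uname(line, lsb_release=None):
    """Split uname -a into kernel tuple, ABI, flavour, build, release, arch.

    The Ubuntu release is only present in the build tag for HWE kernels
    (the "~14.04.1" part); pass lsb_release from /etc/lsb-release otherwise.
    """
    m = UNAME_RE.match(line)
    if not m:
        raise ValueError("unrecognised uname -a line")
    tokens = line.split()
    return {
        "kernel": (int(m["major"]), int(m["minor"]), int(m["patch"])),
        "abi": int(m["abi"]),            # Ubuntu bumps this when it backports a fix
        "flavour": m["flavour"],
        "build": int(m["build"]),
        "ubuntu": m["ubuntu"] or lsb_release,
        "arch": tokens[-2],              # i686 here: compile 32-bit exploits natively
    }


def matching_candidates(info):
    """Return EDB ids whose stated kernel range and release cover this host."""
    hits = []
    for c in CANDIDATES:
        if c["min_kernel"] and info["kernel"] < c["min_kernel"]:
            continue
        if c["max_kernel"] and info["kernel"] >= c["max_kernel"]:
            continue
        if c["ubuntu"]:
            rel = info["ubuntu"]
            if not rel or not any(rel.startswith(r) for r in c["ubuntu"]):
                continue
        hits.append(c["edb"])
    return hits


if __name__ == "__main__":
    info = parse_uname(UNAME_LINE)
    print(info)
    print("candidates:", matching_candidates(info))
```

For the captured line this yields kernel (3, 16, 0), ABI 30, release 14.04.1, arch i686 and candidates [37292, 37088, 36746], which is exactly the set the two walkthroughs used; a 4.4.0-116 kernel falls outside every range in the table and returns nothing.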

Tried the following but no luck on priv escalation:
https://www.exploit-db.com/exploits/44302/
00000000000000000000000000
Use the following for privilege escalation to root (local exploits from the walkthroughs above):
37292.c --> https://blog.geoda-security.com/2016/08/bne0x03-simple-walkthrough.html
36746, 37088.c --> https://scriptkidd1e.wordpress.com/sectalks-bne0x03-simple-vulnhubs-vm-walkthrough/
00000000000000000000000000
