2 :80

$ gobuster dir -u http://192.168.105.11 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
===============================================================
2021/08/11 22:29:21 Starting gobuster in directory enumeration mode
===============================================================
/logs                 (Status: 301) [Size: 315] [--> http://192.168.105.11/logs/]
/cctv                 (Status: 301) [Size: 315] [--> http://192.168.105.11/cctv/]

http://192.168.105.11/
Website currently under construction, try again later.
In case you are suffering from any kind of inconvenience with your device provided by the corporation please contact with IT support as soon as possible, however, if you are not affiliated by any means with "Non-Existent Corporation and Associates" (NECA) LEAVE THIS SITE RIGHT NOW.
Things we need to implement:
    Install camera feeds.
    Update our personal.
    Install a control panel. 

http://192.168.105.11/logs/
Index of /logs
[ICO]	Name	Last modified	Size	Description
[PARENTDIR]	Parent Directory	 	- 	 
[ ]	auth.log	2020-08-01 08:03 	0 	 
[ ]	daemon.log	2020-08-01 08:03 	0 	 
[ ]	error.log	2020-08-01 08:03 	0 	 
[ ]	management.log	2020-08-12 09:54 	81K	

http://192.168.105.11/cctv/
Forbidden: You don't have permission to access /cctv/ on this server.

# cat management.log
# contains pspy style logs
2020/08/12 09:02:06 CMD: UID=0    PID=472    | /bin/sh -c /root/pspy64 > /var/www/html/logs/management.log
# ^ (uid 0) root is running pspy 
2020/08/12 09:03:02 CMD: UID=1000 PID=939    | /bin/sh -c /home/dawn/ITDEPT/product-control 
2020/08/12 09:03:02 CMD: UID=33   PID=936    | /bin/sh -c /home/dawn/ITDEPT/web-control 
# some user is running product-control and web-control
# path corresponds to ITDEPT smb-share, but files are not present
2020/08/12 09:04:01 CMD: UID=0    PID=954    | /bin/sh -c /home/ganimedes/phobos 
# root is running some other file (to look at later)
2020/08/12 09:04:01 CMD: UID=1000 PID=953    | /bin/sh -c /home/dawn/ITDEPT/product-control 
2020/08/12 09:04:01 CMD: UID=0    PID=952    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control 
# root is running web-control.
2020/08/12 09:06:01 CMD: UID=0    PID=978    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control 
2020/08/12 09:06:01 CMD: UID=0    PID=977    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/product-control 
# root is updating perms on those files
2020/08/12 09:06:01 CMD: UID=1000 PID=985    | /bin/sh -c /home/dawn/ITDEPT/product-control 
2020/08/12 09:06:01 CMD: UID=0    PID=984    | /bin/sh -c chmod 777 /home/dawn/ITDEPT/web-control 
# root runs web-control but some other user runs product-control

# seems like file is being run like a cron
Previous3 cron exploit using smbNext1 recon

Last updated