Scanning
Enumeration
We use to gobuster tool with a dictionary large, we can see the wordpress directory on the server:
I launch nmap with the http-wordpress-enum script, it shows a plugin called "gwolle-gb 1.5.3" which has exploits:
We use to gobuster tool with a dictionary large, we can see the wordpress directory on the server:
A remote attacker, authenticated in the application as a user with few privileges, can perform queries with malicious SQL code on the path "/leaves/validate" and the "id" parameter, managing to extract arbitrary information from the database.
We scan the open ports with the nmap tool with scripts and software versions.
nmap -p22,80,37370 10.10.140.77 -sVC -oN nmap.txt
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-27 10:32 CEST
Nmap scan report for 10.10.140.77
Host is up (0.049s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c2842ac1225a10f16616dda0f6046295 (RSA)
| 256 429e2ff63e5adb51996271c48c223ebb (ECDSA)
|_ 256 2ea0a56cd983e0016cb98a609b638672 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
37370/tcp open ftp vsftpd 3.0.3
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel
We scan the open ports with the nmap tool with scripts and software versions.
> nmap -sVC 10.10.81.101
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-20 10:57 CEST
Nmap scan report for 10.10.81.101
Host is up (0.050s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH for_Windows_7.7 (protocol 2.0)
| ssh-hostkey:
| 2048 2b17d88a1e8c99bc5bf53d0a5eff5e5e (RSA)
| 256 3cc0fdb5c157ab75ac8110aee298120d (ECDSA)
|_ 256 e9f030bee6cfeffe2d1421a0ac457b70 (ED25519)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: DEV-DATASCI-JUP
| NetBIOS_Domain_Name: DEV-DATASCI-JUP
| NetBIOS_Computer_Name: DEV-DATASCI-JUP
| DNS_Domain_Name: DEV-DATASCI-JUP
| DNS_Computer_Name: DEV-DATASCI-JUP
| Product_Version: 10.0.17763
|_ System_Time: 2023-05-20T08:57:46+00:00
| ssl-cert: Subject: commonName=DEV-DATASCI-JUP
| Not valid before: 2023-03-12T11:46:50
|_Not valid after: 2023-09-11T11:46:50
|_ssl-date: 2023-05-20T08:57:54+00:00; -1s from scanner time.
8888/tcp open http Tornado httpd 6.0.3
| http-title: Jupyter Notebook
|_Requested resource was /login?next=%2Ftree%3F
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: TornadoServer/6.0.3
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-05-20T08:57:51
|_ start_date: N/A
Accessing the only web service through port 8888, we find the Jupyter Notebook 6.0.3 software.
We scan the open ports with the nmap tool with scripts and software versions.
> nmap -sVC -p- --min-rate 5000 prioritise.thm -Pn -n -oN nmap-prioritise.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-14 21:15 CEST
WARNING: Service 10.10.247.170:80 had already soft-matched rtsp, but now soft-matched sip; ignoring second value
Nmap scan report for prioritise.thm (10.10.247.170)
Host is up (0.055s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 51fe13747bbc526a883d21d1b3bf13ad (RSA)
| 256 73fef7fdedf492bde2997188f855b28f (ECDSA)
|_ 256 f848693d7f199f03166337369f84a87a (ED25519)
80/tcp open rtsp
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 NOT FOUND
| Content-Type: text/html; charset=utf-8
| Content-Length: 232
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
| <title>404 Not Found</title>
| <h1>Not Found</h1>
| <p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>
| GetRequest:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=utf-8
| Content-Length: 5082
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <meta charset="utf-8" />
| <meta
| name="viewport"
| content="width=device-width, initial-scale=1, shrink-to-fit=no"
| <link
| rel="stylesheet"
| href="../static/css/bootstrap.min.css"
| crossorigin="anonymous"
| <link
| rel="stylesheet"
| href="../static/css/font-awesome.min.css"
| crossorigin="anonymous"
| <link
| rel="stylesheet"
| href="../static/css/bootstrap-datepicker.min.css"
| crossorigin="anonymous"
| <title>Prioritise</title>
| </head>
| <body>
| <!-- Navigation -->
| <nav class="navbar navbar-expand-md navbar-dark bg-dark">
| <div class="container">
| class="navbar-brand" href="/"><span class="">Prioritise</span></a>
| <button
| class="na
| HTTPOptions:
| HTTP/1.0 200 OK
| Content-Type: text/html; charset=utf-8
| Allow: HEAD, GET, OPTIONS
| Content-Length: 0
| RTSPRequest:
| RTSP/1.0 200 OK
| Content-Type: text/html; charset=utf-8
| Allow: HEAD, GET, OPTIONS
|_ Content-Length: 0
|_rtsp-methods: ERROR: Script execution failed (use -d to debug)
|_http-title: Prioritise
We access the website, no credentials are required and we can create and order items.