Pwned Date - 27th July 2022

Enumeration

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 99:1a:ea:d7:d7:b3:48:80:9f:88:82:2a:14:eb:5f:0e (RSA)
|   256 f4:f6:9c:db:cf:d4:df:6a:91:0a:81:05:de:fa:8d:f8 (ECDSA)
|_  256 ed:b9:a9:d7:2d:00:f8:1b:d3:99:d6:02:e5:ad:17:9f (ED25519)
80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
|_http-title: Tre
|_http-server-header: Apache/2.4.38 (Debian)
8082/tcp open  http    nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Tre
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Both port 80 and 8082 give us the same bamboo image.

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.84:80/ -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/cms                  (Status: 301) [Size: 314] [--> http://192.168.158.84/cms/]
/index.html           (Status: 200) [Size: 164]
/info.php             (Status: 200) [Size: 87827]
/server-status        (Status: 403) [Size: 279]
/system               (Status: 401) [Size: 461]

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.84:8082/ -w /usr/share/wordlists/dirb/common.txt -q -t 200
/index.html           (Status: 200) [Size: 164]

There is nothing interesting on port 8082; however, on port 80, /system is protected by HTTP basic authentication.

The website looks like a CMS, although when we go to /cms we are redirected to /cms/site.

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.84:80/cms -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/cache                (Status: 301) [Size: 320] [--> http://192.168.158.84/cms/cache/]
/core                 (Status: 301) [Size: 319] [--> http://192.168.158.84/cms/core/]
/custom               (Status: 301) [Size: 321] [--> http://192.168.158.84/cms/custom/]
/extensions           (Status: 301) [Size: 325] [--> http://192.168.158.84/cms/extensions/]
/index.php            (Status: 302) [Size: 0] [--> site/]
/site                 (Status: 301) [Size: 319] [--> http://192.168.158.84/cms/site/]
/templates            (Status: 301) [Size: 324] [--> http://192.168.158.84/cms/templates/]
/vendor               (Status: 301) [Size: 321] [--> http://192.168.158.84/cms/vendor/]

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.84:80/cms/site -w /usr/share/wordlists/dirb/common.txt -q -t 200
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/css                  (Status: 301) [Size: 323] [--> http://192.168.158.84/cms/site/css/]
/img                  (Status: 301) [Size: 323] [--> http://192.168.158.84/cms/site/img/]
/index.html           (Status: 200) [Size: 12540]
/js                   (Status: 301) [Size: 322] [--> http://192.168.158.84/cms/site/js/]

There seems to be nothing interesting, so we move on to fuzzing file extensions; only /cms/site gave some interesting results.

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.84:80/cms/site -w /usr/share/wordlists/dirb/common.txt -q -t 200 -x php,html
/.htaccess            (Status: 403) [Size: 279]
/.hta.html            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess.html       (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.hta                 (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/.hta.php             (Status: 403) [Size: 279]
/blog.html            (Status: 200) [Size: 6728]
/category.html        (Status: 200) [Size: 23863]
/contact.html         (Status: 200) [Size: 6223]
/css                  (Status: 301) [Size: 323] [--> http://192.168.158.84/cms/site/css/]
/index.html           (Status: 200) [Size: 12540]
/index.html           (Status: 200) [Size: 12540]
/main.html            (Status: 200) [Size: 931]
/playlist.html        (Status: 200) [Size: 8885]

After fuzzing so much, nothing valuable is returned. Having wasted so much time, we go back to the main home page and re-fuzz with another dictionary.

┌──(kali㉿VirtualBox)-[~]
└─$ gobuster dir -u http://192.168.158.84:80/ -w /usr/share/wordlists/dirb/big.txt -q -t 200 -x php,html
/.htaccess.html       (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htaccess.php        (Status: 403) [Size: 279]
/.htpasswd.html       (Status: 403) [Size: 279]
/adminer.php          (Status: 200) [Size: 4655]
/cms                  (Status: 301) [Size: 314] [--> http://192.168.158.84/cms/]
/index.html           (Status: 200) [Size: 164]
/info.php             (Status: 200) [Size: 87833]
/mantisbt             (Status: 301) [Size: 319] [--> http://192.168.158.84/mantisbt/]
/server-status        (Status: 403) [Size: 279]
/system               (Status: 401) [Size: 461]

This time there seems to be something interesting at /adminer.php and /mantisbt.
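
Seen from the server, each gobuster run above is a burst of 403/404 responses to a single client, with a handful of real hits in between. The following added example (not part of the original write-up) flags such clients in an Apache combined access log and lists the paths that did answer them; the log lines, client addresses, time window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line: client, timestamp, request line, status.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse(line):
    m = LINE.match(line)
    if not m:
        return None  # malformed or non-HTTP line, ignored by the detector
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def detect_forced_browsing(lines, window=timedelta(seconds=10), min_misses=20):
    """Flag clients that request many distinct missing/forbidden paths inside
    `window`; return {ip: sorted paths that answered 200/301/401}."""
    per_ip = defaultdict(list)
    for ip, ts, path, status in filter(None, map(parse, lines)):
        per_ip[ip].append((ts, path, status))
    findings = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        misses = [(ts, p) for ts, p, s in events if s in (403, 404)]
        start = 0
        for end in range(len(misses)):
            # Slide the window start forward until it spans at most `window`.
            while misses[end][0] - misses[start][0] > window:
                start += 1
            if len({p for _, p in misses[start:end + 1]}) >= min_misses:
                # Report what this client actually discovered.
                findings[ip] = sorted({p for _, p, s in events if s in (200, 301, 401)})
                break
    return findings

def sample_log():
    """Constructed log: one scanning client and one ordinary visitor."""
    fmt = '{ip} - - [27/Jul/2022:10:00:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 279 "-" "-"'
    hits = [("/adminer.php", 200), ("/info.php", 200), ("/mantisbt", 301), ("/system", 401)]
    scan = [(f"/word{i}", 404) for i in range(40)] + hits
    lines = [fmt.format(ip="203.0.113.7", s=i % 3, p=p, st=st) for i, (p, st) in enumerate(scan)]
    lines += [fmt.format(ip="198.51.100.20", s=5, p=p, st=st)
              for p, st in [("/index.html", 200), ("/favicon.ico", 404)]]
    return lines
```

The returned path list is the part worth acting on: it is the set of resources the scanning client now knows about, such as the database admin page and `info.php` found above.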

Since /mantisbt is a directory, there will be another ducky fuzz in it.