IP Address

❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.4
10.0.0.217

Nmap Scan

❯ nmap -sC -sV -p- -oN nmap.log 10.0.0.217
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-18 21:31 +0545
Nmap scan report for 10.0.0.217
Host is up (0.0015s latency).
Not shown: 65534 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.54 (Debian)

Only one port is open: 80/tcp.

So a reverse shell will have to come through the web server.

Gobuster scan

❯ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.0.217 -x php,txt,html -o medium.log
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.0.217
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              html,php,txt
[+] Timeout:                 10s
===============================================================
2023/01/18 21:33:57 Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 59]
/.html                (Status: 403) [Size: 275]
/imgs                 (Status: 301) [Size: 307] [--> http://10.0.0.217/imgs/]
/scout                (Status: 301) [Size: 308] [--> http://10.0.0.217/scout/]
/.html                (Status: 403) [Size: 275]
/.php                 (Status: 403) [Size: 275]
/server-status        (Status: 403) [Size: 275]
Progress: 881946 / 882244 (99.97%)
===============================================================
2023/01/18 21:43:37 Finished
===============================================================

HTTP

Download the image served from /imgs/apreton.png and check its EXIF tags.

❯ wget http://10.0.0.217/imgs/apreton.png
--2023-01-18 21:35:15--  http://10.0.0.217/imgs/apreton.png
Connecting to 10.0.0.217:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 70806 (69K) [image/png]
Saving to: ‘apreton.png’

apreton.png                                100%[=====================================================================================>]  69.15K  --.-KB/s    in 0.01s   

2023-01-18 21:35:15 (6.67 MB/s) - ‘apreton.png’ saved [70806/70806]

❯ exiftool apreton.png
ExifTool Version Number         : 12.54
File Name                       : apreton.png
Directory                       : .
File Size                       : 71 kB
File Modification Date/Time     : 2023:01:08 20:28:02+05:45
File Access Date/Time           : 2023:01:18 21:35:15+05:45
File Inode Change Date/Time     : 2023:01:18 21:35:15+05:45
File Permissions                : -rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 1280
Image Height                    : 661
Bit Depth                       : 8
Color Type                      : Grayscale with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Title                           : {"path": "/scout"}
Image Size                      : 1280x661
Megapixels                      : 0.846

The Title tag points to /scout, the same path the gobuster scan found.
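The hint lives in a PNG text chunk, which is what exiftool reports as "Title". As an added example (not part of the original writeup), this Python parser walks the PNG chunks, verifies each CRC, extracts tEXt/zTXt keyword-value pairs and flags any value that is a JSON object with a "path" key; the sample PNG is constructed inline and is not the real apreton.png.

```python
import json
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, payload: bytes) -> bytes:
    """One PNG chunk: big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def iter_chunks(data: bytes):
    """Yield (type, payload) for every chunk; reject a bad signature or CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length

def text_chunks(data: bytes) -> dict:
    """keyword -> text for tEXt and zTXt chunks (exiftool's 'Title' comes from one of these)."""
    out = {}
    for ctype, payload in iter_chunks(data):
        key, _, rest = payload.partition(b"\x00")   # keyword is NUL-terminated Latin-1
        if ctype == b"tEXt":
            out[key.decode("latin-1")] = rest.decode("latin-1")
        elif ctype == b"zTXt":                       # one method byte, then zlib-compressed text
            out[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
    return out

def hidden_paths(data: bytes) -> list:
    """Text values that are JSON objects with a 'path' key, like the apreton.png hint."""
    found = []
    for val in text_chunks(data).values():
        try:
            obj = json.loads(val)
        except ValueError:
            continue
        if isinstance(obj, dict) and "path" in obj:
            found.append(obj["path"])
    return found

# Constructed sample (not the real apreton.png): 1x1 grayscale header plus the same Title chunk.
SAMPLE_PNG = (PNG_SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"tEXt", b"Title\x00" + b'{"path": "/scout"}') + make_chunk(b"IEND", b""))
```

Run it against an uploaded or downloaded PNG with `hidden_paths(open(f, "rb").read())` to spot metadata that smuggles application paths.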

/scout

❯ curl <http://10.0.0.217/scout/>

<div>
<p>
Hi, Telly,
<br>
<br>
I just remembered that we had a folder with some important shared documents. The problem is that I don't know wich first path it was in, but I do know the second path. Graphically represented:
<br>
/scout/******/docs/
<br>
<br>
With continued gratitude,
<br>
J1.
</p>
</div>
<!-- Stop please -->
<!-- I told you to stop checking on me! -->
<!-- OK... I'm just J1, the boss. -->

Fuzz the unknown first path component.

❯ ffuf -r -c -ic -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u 'http://10.0.0.217/scout/FUZZ/docs'

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.0.0.217/scout/FUZZ/docs
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

j2                      [Status: 200, Size: 189764, Words: 15060, Lines: 1017, Duration: 3485ms]

Directory listing is enabled on /scout/j2/docs/, so download every file in it.

❯ wget -r -np -nH --cut-dirs=2 -R 'index.html*' http://10.0.0.217/scout/j2/docs/