IP Address

❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.186

Nmap Scan

❯ nmap -sC -sV -p- -oN nmap.log 10.0.0.186
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-12 13:14 +0545
Nmap scan report for 10.0.0.186
Host is up (0.0026s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c71014a89af0251e0db1c66f1ca188d8 (RSA)
|   256 1b66f4e5b6236e778e9ec178c5bcace9 (ECDSA)
|_  256 f4e9d87a0815d0929014dfb3ec81a1ed (ED25519)
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
|_http-title: Catland
|_http-server-header: Apache/2.4.54 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Gobuster Scan

❯ gobuster dir -r -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://10.0.0.186 -o medium.log
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.0.186
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2023/01/12 13:15:18 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 200) [Size: 1575]
/server-status        (Status: 403) [Size: 275]

The gallery.php script displays cat images.

/images holds the cat images.

So gallery.php is including images from /images; it might have a file inclusion vulnerability.

Check for the parameter.
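The reasoning above rests on one pattern: a script takes a file name from the request and hands it to the filesystem. The following is an added example, not code from the write-up or from the Catland box, that shows that pattern beside a hardened resolver and runs a few constructed requests through both. The directory `/tmp/images`, the file names and the extension allowlist are assumptions made for the demonstration.

```python
import os
from pathlib import Path
from typing import Dict, List, Optional

# Assumed allowlist for a gallery that should only ever serve pictures.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """The pattern the write-up suspects: the request value is joined to the
    image directory without validation, so directory components and arbitrary
    extensions reach the filesystem call unchanged. Kept only for contrast."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Hardened resolver: accept a bare file name only, require an image
    extension, canonicalise, and confirm the result still sits directly inside
    base_dir. Returns None when the request must be rejected."""
    base = Path(base_dir).resolve()
    # basename() strips any directory part; if that changed the value, the
    # client supplied a path rather than a name, which is never legitimate here.
    name = os.path.basename(requested)
    if not name or name != requested or name.startswith("."):
        return None
    if Path(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        return None
    candidate = (base / name).resolve()
    # resolve() follows symlinks, so a link planted inside the image directory
    # that points elsewhere also fails this parent check.
    if candidate.parent != base:
        return None
    return str(candidate)


def triage(base_dir: str, requests: List[str]) -> Dict[str, bool]:
    """Map each constructed request to whether the hardened resolver accepts it."""
    return {r: safe_resolve(base_dir, r) is not None for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: one legitimate name and three that a
    # validator must refuse (path component, non-image extension, dot name).
    samples = ["cat1.jpg", "../config.php", "cat.php", ".."]
    for req in samples:
        print(f"{req!r:18} unsafe -> {unsafe_resolve('/tmp/images', req)!r:32} "
              f"safe -> {safe_resolve('/tmp/images', req)!r}")
```

The unsafe variant is the behaviour to test for on a gallery endpoint; the safe variant is the fix, and the parent-directory check after `resolve()` is what makes it robust even when the allowlisted directory itself contains symlinks.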

No way to know the domain name, so I checked the VM machine's input prompt. There it says "catland.hmv".


Performed a subdomain brute force

❯ ffuf -r -c -ic -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.catland.hmv' -u 'http://10.0.0.186' -fs 757

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.0.0.186
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.catland.hmv
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 757
________________________________________________

admin                   [Status: 200, Size: 1068, Words: 103, Lines: 24, Duration: 1174ms]