IP Address

❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.205

Nmap Scan

❯ nmap -sC -sV -p- -oN nmap.log 10.0.0.205
Starting Nmap 7.93 ( <https://nmap.org> ) at 2023-01-15 15:25 +0545
Nmap scan report for 10.0.0.205
Host is up (0.0015s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 0265e605afc8819c30b0dae31ed8be02 (RSA)
|   256 3f7d4b868dc7018fb3566d65c2e5cf4e (ECDSA)
|_  256 8ed4b8d68ed961a13e7f5ed7ecdcbbde (ED25519)
80/tcp open  http    nginx 1.14.2
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.14.2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Forbidden page on http

Gobuster

❯ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u <http://10.0.0.205> -x php,html,txt -o medium.log
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     <http://10.0.0.205>
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.4
[+] Extensions:              php,html,txt
[+] Timeout:                 10s
===============================================================
2023/01/15 15:27:37 Starting gobuster in directory enumeration mode
===============================================================
/blog                 (Status: 301) [Size: 185] [--> <http://10.0.0.205/blog/>]

/blog gets me to the login page of a blog.

Untitled

The version name and author’s name led to me the source code and exploit of the app.

There is a file upload vulnerability.

Github:

https://github.com/m1k1o/blog

I checked the default files. config.ini contains the default password. I could try the default password.

But, we can download the file from the server. This confirmed that it used the default password.

Let’s upload a random image which we will edit in the burpsuite.