TOPPO

Scanning

Nmap

➜  ~ nmap -T4 -p- -A toppo.vuln
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 08:54 EDT
Nmap scan report for toppo.vuln (172.16.129.142)
Host is up (0.0015s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey: 
|   1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
|   2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
|   256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_  256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp    open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp   open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100024  1          41898/tcp   status
|   100024  1          46451/udp   status
|   100024  1          56365/tcp6  status
|_  100024  1          60840/udp6  status
41898/tcp open  status  1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.39 seconds

Enumeration

port 80 is opened let's take a look

blog landing page ...

Whatweb

➜  ~ whatweb toppo.vuln
http://toppo.vuln [200 OK] Apache[2.4.10], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], IP[172.16.129.142], JQuery, Script, Title[Clean Blog - Start Bootstrap Theme]

Check directory

➜  ~ gobuster dir -u http://toppo.vuln -w ~/SecLists/Discovery/Web-Content/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://toppo.vuln
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/x/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/14 09:11:26 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 294]
/.hta                 (Status: 403) [Size: 289]
/.htaccess            (Status: 403) [Size: 294]
/LICENSE              (Status: 200) [Size: 1093]
/admin                (Status: 301) [Size: 308] [--> http://toppo.vuln/admin/]
/css                  (Status: 301) [Size: 306] [--> http://toppo.vuln/css/]  
/img                  (Status: 301) [Size: 306] [--> http://toppo.vuln/img/]  
/index.html           (Status: 200) [Size: 6437]                              
/js                   (Status: 301) [Size: 305] [--> http://toppo.vuln/js/]   
/mail                 (Status: 301) [Size: 307] [--> http://toppo.vuln/mail/] 
/manual               (Status: 301) [Size: 309] [--> http://toppo.vuln/manual/]
/server-status        (Status: 403) [Size: 298]                                
/vendor               (Status: 301) [Size: 309] [--> http://toppo.vuln/vendor/]

===============================================================
2021/08/14 09:11:27 Finished
===============================================================

/admin/ directory

note.txt

password 12345ted123 from password we can guess username is ted

Credentials : ted:12345ted123

ssh target ...

WE IN ...

• Regular User Account Access

Privilege Escalation

SUID rights Exploit

we can run python

spawn shell

• Root User Account Access

• Root Flag