TOPPO
Scanning
Nmap
➜ ~ nmap -T4 -p- -A toppo.vuln
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-14 08:54 EDT
Nmap scan report for toppo.vuln (172.16.129.142)
Host is up (0.0015s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0)
| ssh-hostkey:
| 1024 ec:61:97:9f:4d:cb:75:99:59:d4:c1:c4:d4:3e:d9:dc (DSA)
| 2048 89:99:c4:54:9a:18:66:f7:cd:8e:ab:b6:aa:31:2e:c6 (RSA)
| 256 60:be:dd:8f:1a:d7:a3:f3:fe:21:cc:2f:11:30:7b:0d (ECDSA)
|_ 256 39:d9:79:26:60:3d:6c:a2:1e:8b:19:71:c0:e2:5e:5f (ED25519)
80/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Clean Blog - Start Bootstrap Theme
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100024 1 41898/tcp status
| 100024 1 46451/udp status
| 100024 1 56365/tcp6 status
|_ 100024 1 60840/udp6 status
41898/tcp open status 1 (RPC #100024)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.39 seconds
Enumeration
Port 80 is open, so let's take a look.
The site is a blog landing page ...
Whatweb
➜ ~ whatweb toppo.vuln
http://toppo.vuln [200 OK] Apache[2.4.10], Bootstrap, Country[RESERVED][ZZ], HTML5, HTTPServer[Debian Linux][Apache/2.4.10 (Debian)], IP[172.16.129.142], JQuery, Script, Title[Clean Blog - Start Bootstrap Theme]
Check directory
➜ ~ gobuster dir -u http://toppo.vuln -w ~/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://toppo.vuln
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/x/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/14 09:11:26 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 294]
/.hta (Status: 403) [Size: 289]
/.htaccess (Status: 403) [Size: 294]
/LICENSE (Status: 200) [Size: 1093]
/admin (Status: 301) [Size: 308] [--> http://toppo.vuln/admin/]
/css (Status: 301) [Size: 306] [--> http://toppo.vuln/css/]
/img (Status: 301) [Size: 306] [--> http://toppo.vuln/img/]
/index.html (Status: 200) [Size: 6437]
/js (Status: 301) [Size: 305] [--> http://toppo.vuln/js/]
/mail (Status: 301) [Size: 307] [--> http://toppo.vuln/mail/]
/manual (Status: 301) [Size: 309] [--> http://toppo.vuln/manual/]
/server-status (Status: 403) [Size: 298]
/vendor (Status: 301) [Size: 309] [--> http://toppo.vuln/vendor/]
===============================================================
2021/08/14 09:11:27 Finished
===============================================================
/admin/ directory
The /admin/ directory contains a note.txt that discloses a password: 12345ted123
From the password we can guess the username is ted.
Credentials : ted:12345ted123
SSH to the target ...
WE IN ...
Privilege Escalation
SUID rights exploit
Checking the SUID binaries shows we can run python with the SUID bit set.
Use it to spawn a shell.
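The root cause above is an interpreter carrying the setuid bit. The following audit is an added, defender-side example (not part of the original walkthrough): it lists setuid files under a directory and flags interpreters and shells, which should never be setuid; the interpreter name list and the FLAG/ok output format are my own assumptions.

```shell
#!/bin/sh
# Added example: audit a tree for setuid files and flag interpreters/shells.
# Interpreter names are an assumed list; extend it for your environment.
INTERPRETERS='python python2 python3 perl ruby php node lua sh bash dash zsh ksh'

# is_interpreter PATH : succeeds when the basename (ignoring a trailing
# version suffix such as python2.7 -> python) is a known interpreter or shell.
is_interpreter() {
    base=$(basename "$1")
    base_noversion=$(printf '%s' "$base" | sed 's/[0-9.]*$//')
    for i in $INTERPRETERS; do
        [ "$base" = "$i" ] && return 0
        [ "$base_noversion" = "$i" ] && return 0
    done
    return 1
}

# audit_suid DIR : prints one line per setuid file found under DIR.
# Lines start with "FLAG" for interpreters (with the fix to apply) or "ok"
# for other setuid files that still deserve a manual review.
audit_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        if is_interpreter "$f"; then
            printf 'FLAG %s (setuid interpreter; remove with: chmod u-s %s)\n' "$f" "$f"
        else
            printf 'ok   %s\n' "$f"
        fi
    done
}

# Typical use on a live host: audit_suid /
```

Run it as root over / (the `-xdev` flag keeps it on one filesystem) and treat every FLAG line as a misconfiguration to remove, not just to note.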