Durian VulnHub
Port scan
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>
nmap -sCV -p<PORTS> <IP>
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-09 13:36 EDT
Nmap scan report for 192.168.5.177
Host is up (0.00038s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 28:1c:64:fa:9c:c3:d2:d4:bb:76:3d:3b:10:e2:b1:25 (RSA)
| 256 da:b2:e1:7f:7c:1b:58:cf:fd:4f:74:e9:23:6d:51:d7 (ECDSA)
|_ 256 41:e1:0c:2b:d4:26:e8:d3:71:bb:9d:f9:61:56:63:c0 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Durian
|_http-server-header: Apache/2.4.38 (Debian)
7080/tcp open ssl/empowerid LiteSpeed
|_ssl-date: TLS randomness does not represent time
|_http-server-header: LiteSpeed
| tls-alpn:
| h2
| spdy/3
| spdy/2
|_ http/1.1
|_http-title: Did not follow redirect to https://192.168.5.177:7080/login.php
| ssl-cert: Subject: commonName=durian/organizationName=LiteSpeedCommunity/stateOrProvinceName=NJ/countryName=US
| Not valid before: 2020-09-08T02:05:32
|_Not valid after: 2022-12-07T02:05:32
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 302 Found
| x-powered-by: PHP/5.6.36
| x-frame-options: SAMEORIGIN
| x-xss-protection: 1;mode=block
| referrer-policy: same-origin
| x-content-type-options: nosniff
| set-cookie: LSUI37FE0C43B84483E0=a7bde4e7fd792e0ada2e3cf48c30366f; path=/; secure; HttpOnly
| expires: Thu, 19 Nov 1981 08:52:00 GMT
| cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| pragma: no-cache
| set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| location: /login.php
| content-type: text/html; charset=UTF-8
| content-length: 0
| date: Sun, 09 Jun 2024 17:36:54 GMT
| server: LiteSpeed
| alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
| HTTPOptions:
| HTTP/1.0 302 Found
| x-powered-by: PHP/5.6.36
| x-frame-options: SAMEORIGIN
| x-xss-protection: 1;mode=block
| referrer-policy: same-origin
| x-content-type-options: nosniff
| set-cookie: LSUI37FE0C43B84483E0=cd74de731bb865489f3b69f7a7af8ab8; path=/; secure; HttpOnly
| expires: Thu, 19 Nov 1981 08:52:00 GMT
| cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
| pragma: no-cache
| set-cookie: LSID37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSPA37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| set-cookie: LSUI37FE0C43B84483E0=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/
| location: /login.php
| content-type: text/html; charset=UTF-8
| content-length: 0
| date: Sun, 09 Jun 2024 17:36:54 GMT
| server: LiteSpeed
|_ alt-svc: quic=":7080"; ma=2592000; v="43,46", h3-Q043=":7080";
8088/tcp open radan-http LiteSpeed
|_http-server-header: LiteSpeed
|_http-title: Durian
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| etag: "2fd-5f56ea13-40590;;;"
| last-modified: Tue, 08 Sep 2020 02:18:59 GMT
| content-type: text/html
| content-length: 765
| accept-ranges: bytes
| date: Sun, 09 Jun 2024 17:36:38 GMT
| server: LiteSpeed
| connection: close
| <html>
| <body bgcolor="white">
| <head>
| <title>Durian</title>
| <meta name="description" content="We Are Still Alive!">
| <meta name="keywords" content="Hacked by Ind_C0d3r">
| <meta name="robots" content="index, follow">
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="language" content="English">
| </head>
| <link href="https://fonts.googleapis.com/css?family=Righteous|Saira+Stencil+One&display=swap" rel="stylesheet">
| <style type="text/css">
| @font-face {
| font-family: 'Righteous', cursive;
| font-family: 'Saira Stencil One', cursive;
| </style>
| <center><br><br>
| <img src="https://www.producemarketguide.com/sites/default/files/Commoditi
| Socks5:
| HTTP/1.1 400 Bad Request
| content-type: text/html
| cache-control: private, no-cache, max-age=0
| pragma: no-cache
| content-length: 1209
| date: Sun, 09 Jun 2024 17:36:38 GMT
| server: LiteSpeed
| connection: close
| <!DOCTYPE html>
| <html style="height:100%">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
| <title> 400 Bad Request
| </title></head>
| <body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
| <div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">
| style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">400</h1>
| style="margin-top:20px;font-size: 30px;">Bad Request
| </h2>
| <p>It is not a valid request!</p>
|_ </div></div><div style="color:#f0f0
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 00:0C:29:39:12:EA (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 110.20 seconds
Gobuster
We see there is a rather interesting directory called /blog; if we go there it does not load properly, so at some point we will have to edit /etc/hosts...
Nikto
We see there is a WordPress, so we already know which way to go, but first we will have to discover the domain it uses...
But however much we search it is impossible to find, so we will try other places, for example...
We see there is a .php file inside that directory, and if we inspect it...
From what we see, we have the option to read files through that parameter called file, so we will do the following...
So we will use a technique called LFI (Local File Inclusion) using wrappers...
We download from a GitHub repository a Python script that will help us build what we want to put in the URL...
URL = https://github.com/synacktiv/php_filter_chain_generator
Once we have downloaded the .py we run it as follows...
Here what we are creating is a parameter called cmd in which we can execute commands...
And if we send this, it shows us the following...
We see that it works, since it tells us we are www-data, so we will create a reverse shell...
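As an added example (not part of the original write-up): a small Python detector that scans Apache-style access log lines for the pattern this step abuses, that is, a file parameter carrying a php:// stream wrapper, a long php://filter convert chain like the one php_filter_chain_generator produces, and a cmd parameter sent alongside it. The log lines, the /dir/page.php path and everything except the file and cmd parameter names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample lines in Apache access-log shape (not from the original write-up).
# /dir/page.php is a placeholder: the page only says the script takes a "file"
# parameter and that the generated chain adds a "cmd" parameter.
SAMPLE_LOG = """\
192.168.5.1 - - [09/Jun/2024:13:40:01 -0400] "GET /blog/ HTTP/1.1" 200 4821
192.168.5.1 - - [09/Jun/2024:13:41:10 -0400] "GET /dir/page.php?file=../../../../etc/passwd HTTP/1.1" 200 1403
192.168.5.1 - - [09/Jun/2024:13:42:33 -0400] "GET /dir/page.php?file=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&cmd=id HTTP/1.1" 200 77
192.168.5.1 - - [09/Jun/2024:13:43:02 -0400] "GET /dir/page.php?file=%70hp%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3Dindex.php HTTP/1.1" 200 2290
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
WRAPPER_RE = re.compile(r'^(php|data|expect|phar|zip|glob|compress\.\w+)://', re.I)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

def inspect_request(target: str) -> list:
    """Return the reasons a request target looks like LFI/wrapper abuse (empty if clean)."""
    reasons, saw_wrapper = [], False
    # parse_qsl decodes once; unquote again so double-encoded values are also seen
    params = [(k, unquote(v)) for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True)]
    for _, value in params:
        if TRAVERSAL_RE.search(value):
            reasons.append("path traversal")
        if WRAPPER_RE.match(value):
            saw_wrapper = True
            reasons.append("stream wrapper")
            # php_filter_chain_generator emits a php://filter URL with many chained
            # convert.* stages; a single convert.base64-encode is plain source disclosure
            low = value.lower()
            stages = low.count("|convert.") + low.count("/convert.")
            if "php://filter" in low and stages >= 2:
                reasons.append(f"filter chain ({stages} stages)")
    if saw_wrapper and any(k == "cmd" for k, _ in params):
        reasons.append("cmd parameter alongside wrapper (likely RCE)")
    return reasons

def analyze_log(text: str) -> list:
    """Scan access-log text; return one finding per suspicious request line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m and (reasons := inspect_request(m.group("target"))):
            findings.append({"line": line_no, "path": urlsplit(m.group("target")).path,
                             "reasons": reasons})
    return findings
```

Running analyze_log(SAMPLE_LOG) flags lines 2, 3 and 4; the third line is the one that combines a multi-stage filter chain with a cmd parameter, which is the footprint of the technique used here.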
We create the following file...
Before doing anything we get ready in metasploit...
With that we would be listening...
We open a python3 server to transfer the file with wget...
In the URL we will do the following...
We see it was uploaded correctly...
And with that what we do is chmod +x /tmp/shell.php; if we run ls again we will see the execute permissions were set, so we will run it...
Once that is sent, if we go back to metasploit it will have given us a shell as the www-data user...
If we run sudo -l we will see the following...
From what we see we can run /sbin/shutdown and /bin/ping as if we were root using sudo, but that is not very interesting...
If we run this to see the capabilities we have, we will see the following...
From what we see we have the one for gdb, so we can escalate privileges that way...
URL = https://gtfobins.github.io/gtfobins/gdb/
With that we would be root, so we will read the flag...
proof.txt (flag_final)