Previse - Hack The Box
USER
NMAP:
[root:/git/htb/previse]# nmap -Pn -n -sCV --open 10.10.11.104
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 53:ed:44:40:11:6e:8b:da:69:85:79:c0:81:f2:3a:12 (RSA)
|   256 bc:54:20:ac:17:23:bb:50:20:f4:e1:6e:62:0f:01:b5 (ECDSA)
|_  256 33:c1:89:ea:59:73:b1:78:84:38:a4:21:10:0c:91:d8 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Previse Login
|_Requested resource was login.php
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
DIRB:
==> DIRECTORY: http://10.10.11.104/css/
- http://10.10.11.104/favicon.ico (CODE:200|SIZE:15406)
- http://10.10.11.104/index.php (CODE:302|SIZE:2801)
==> DIRECTORY: http://10.10.11.104/js/
- http://10.10.11.104/server-status (CODE:403|SIZE:277)
NIKTO:
- Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
- /config.php: PHP Config file may contain database IDs and passwords.
- OSVDB-3268: /css/: Directory indexing found.
- OSVDB-3092: /css/: This might be interesting…
- OSVDB-3233: /icons/README: Apache default file found.
FFUF (.php):
.htaccess  [Status: 403, Size: 277,  Words: 20,   Lines: 10]
.htpasswd  [Status: 403, Size: 277,  Words: 20,   Lines: 10]
accounts   [Status: 302, Size: 3994, Words: 1096, Lines: 94]
config     [Status: 200, Size: 0,    Words: 1,    Lines: 1]
download   [Status: 302, Size: 0,    Words: 1,    Lines: 1]
files      [Status: 302, Size: 4914, Words: 1531, Lines: 113]
footer     [Status: 200, Size: 217,  Words: 10,   Lines: 6]
header     [Status: 200, Size: 980,  Words: 183,  Lines: 21]
index      [Status: 302, Size: 2801, Words: 737,  Lines: 72]
login      [Status: 200, Size: 2224, Words: 486,  Lines: 54]
logout     [Status: 302, Size: 0,    Words: 1,    Lines: 1]
logs       [Status: 302, Size: 0,    Words: 1,    Lines: 1]
nav        [Status: 200, Size: 1248, Words: 462,  Lines: 32]
status     [Status: 302, Size: 2966, Words: 749,  Lines: 75]
- Visiting the HTTP server there is not much to take away from it: it is a bare login page, and none of the discovered .php pages yield anything in the browser because each one 302s to login.php. The ffuf sizes are the tell, though. accounts, files, index and status answer with a 302 yet still return several kilobytes of body, while logout, download and logs return an empty one. A plain header('Location: ...') redirect sends no body, so a sizeable body behind a 302 usually means the script kept rendering after issuing the redirect. The browser follows the Location header and throws that body away, but if we capture our GET requests in Burp (or request the pages with redirects disabled) the hidden page content is right there in the response.
accounts.php (body of the 302 response):
  Add New Account
  Create new user. ONLY ADMINS SHOULD BE ABLE TO ACCESS THIS PAGE!!
  Usernames and passwords must be between 5 and 32 characters!
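The same check scripted, as an added example that is not part of the original writeup: request the pages ffuf flagged as 302 with redirects disabled and report any that still carry a page body, then strip the HTML so the leaked text is readable. The live probe assumes the box is reachable at the base URL you pass on the command line (e.g. http://10.10.11.104); the classification logic itself is exercised offline on constructed responses (SAMPLE below, shaped like the ffuf sizes above, not captured traffic). The 256-byte threshold is a heuristic, chosen because the leaking pages above are 2.8 to 4.9 KB while the clean redirects are 0 bytes.

```python
"""Added example (not part of the original writeup): request the .php pages
with redirects disabled and flag 3xx responses that still carry a page body.

The live probe assumes the target base URL is passed on the command line;
the classification logic runs offline on constructed responses (SAMPLE).
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional

# Pages ffuf reported as 302 above (assumption: same .php wordlist hits).
PATHS = ["/index.php", "/accounts.php", "/files.php", "/status.php",
         "/download.php", "/logout.php", "/logs.php"]


@dataclass
class Probe:
    path: str
    status: int
    location: Optional[str]
    body: str


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand the 3xx back to the caller instead of following Location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base: str, path: str, timeout: float = 5.0) -> Probe:
    """GET base+path without following redirects and keep the raw body."""
    opener = urllib.request.build_opener(NoRedirect())
    try:
        resp = opener.open(base + path, timeout=timeout)
        status = resp.status
    except urllib.error.HTTPError as err:  # urllib raises on 3xx once we refuse to follow
        resp, status = err, err.code
    body = resp.read().decode("utf-8", "replace")
    return Probe(path, status, resp.headers.get("Location"), body)


_SCRIPT_RE = re.compile(r"<(script|style)[^>]*>.*?</\1>", re.S | re.I)
_TAG_RE = re.compile(r"<[^>]+>")


def visible_text(html: str) -> str:
    """Strip scripts, styles and tags so the leaked content is readable."""
    return " ".join(_TAG_RE.sub(" ", _SCRIPT_RE.sub(" ", html)).split())


def leaks_body(p: Probe, min_len: int = 256) -> bool:
    """A redirect that still rendered a page: 3xx with more than a stub body.

    A bare header('Location: ...') sends an empty body, so anything sizeable
    behind a 302 means the script kept executing after the redirect.
    """
    return 300 <= p.status < 400 and len(p.body) >= min_len


def review(probes: List[Probe]) -> Dict[str, str]:
    """Map each leaking path to the visible text hidden behind its redirect."""
    return {p.path: visible_text(p.body) for p in probes if leaks_body(p)}


# Constructed responses shaped like the ffuf results above (not captured traffic).
SAMPLE = [
    Probe("/logout.php", 302, "login.php", ""),
    Probe("/login.php", 200, None,
          "<html><body><form>...login form...</form></body></html>"),
    Probe("/accounts.php", 302, "login.php",
          "<html><head><title>Previse</title><style>body{margin:0}</style></head><body>"
          "<script>console.log('nav');</script>"
          "<h2>Add New Account</h2><p>Create new user.</p>"
          "<p>ONLY ADMINS SHOULD BE ABLE TO ACCESS THIS PAGE!!</p>"
          "<p>Usernames and passwords must be between 5 and 32 characters!</p>"
          "<form method=\"post\"><input name=\"u\"><input name=\"p\"></form>"
          "</body></html>"),
]

if __name__ == "__main__":
    import sys
    # Pass a base URL to probe the live target; otherwise walk the offline SAMPLE.
    probes = [fetch(sys.argv[1], p) for p in PATHS] if len(sys.argv) > 1 else SAMPLE
    for path, text in review(probes).items():
        print(f"{path}: {text[:120]}")
```

Run it with no arguments to see the offline sample classified, or with `http://10.10.11.104` to probe the box; the only difference from the Burp approach is that urllib is told not to follow the Location header, so the 302 body that a browser discards is kept and shown.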