

$ nmap -min-rate 5000 -max-retries 1 -sV -sC -p- -oN FriendZone-full-port-scan.txt 10.10.10.123
22/tcp  open ssh         OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp  open http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Friend Zone Escape software
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
443/tcp open ssl/http    Apache httpd 2.4.29
| ssl-cert: Subject: commonName=friendzone.red/organizationName=CODERED/stateOrProvinceName=CODERED/countryName=JO
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.7.6-Ubuntu (workgroup: WORKGROUP)
Service Info: Hosts: FRIENDZONE, 127.0.1.1; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
|_nbstat: NetBIOS name: FRIENDZONE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_ message_signing: disabled (dangerous, but default)
|_ Message signing enabled but not required

Thanks to this scan we identified a domain name: friendzone.red, so I added it to my /etc/hosts:

Sharename    Type  Comment
Files        Disk  FriendZone Samba Server Files /etc/Files
general      Disk  FriendZone Samba Server Files
Development  Disk  FriendZone Samba Server Files
IPC$         IPC   IPC Service (FriendZone server (Samba, Ubuntu))

We can see in the comment section that Files is in /etc/, so general and Development probably are too. We get some credentials (a password) that we will probably use later:

We can put files in the Development directory.

Apache/2.4.29 (port 80).
Another domain name: friendzoneportal.red.

Because of the “creds for the admin THING:” in creds.txt, I tried the subdomain and it worked:

We’re successfully logged in with the credentials found via smb, but: “check for another one”. Let’s try with dirb.

When DNS listens on TCP, it usually means that zone transfers are possible.

$ dig axfr @$TARGET friendzoneportal.red | tee services/53-friendzoneportal.txt

; <<>> DiG 9.16.8-Debian <<>> axfr friendzoneportal.red
; (1 server found)
;; global options: +cmd
friendzoneportal.red.    604800  IN  NS  localhost.
;; XFR size: 9 records (messages 1, bytes 309)

We open aquatone_report.html with firefox. Among all the new domain names we identified, the only ones that didn’t respond with a 404 Not Found error were and.

I uploaded a benign picture and it seems that the upload worked:

I looked for hidden directories in order to retrieve the image that I uploaded, but /files seems empty and /files/note says that the site is still under development:

The credentials found via smb worked as well on this second admin panel:

I filled the parameters image_id and pagename with the filename and timestamp I got in response when I uploaded an image. I replaced image_id’s value with a.jpg and got this result:

I replaced image_id’s value with b.jpg (the other image in the /images folder) and pagename’s value with timestamp. I replaced pagename’s value with dashboard and the page kept including itself:

This is an LFI (Local File Inclusion) vulnerability!

We can write files in the Development shared directory. Let’s try to upload a tiny PHP reverse shell:

Linpeas.sh told me something interesting:

Since our current user does not have high privileges, we’re running pspy to identify cron jobs that we don’t have permission to see:
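The LFI found through the pagename parameter, as an added example that is not from the original writeup or the box’s source code: a reconstruction of the vulnerable include pattern consistent with the observed behaviour (pagename=dashboard making the page include itself, so ".php" is assumed to be appended), next to an allowlisted version. The function names, the pages/ path and the allowlist contents are assumptions.

```php
<?php
// Added example, not the FriendZone source. Assumptions: the dashboard page
// includes "$pagename.php" (consistent with pagename=dashboard making the
// page include itself) and renders "images/$image_id".

// Vulnerable pattern: both parameters flow straight into filesystem paths.
function render_vulnerable(array $get): void
{
    $image = $get['image_id'];
    $page  = $get['pagename'];
    echo '<img src="images/' . $image . '">';
    include $page . '.php';   // pagename=dashboard -> the page includes itself
}

// Hardened pattern: map user input onto fixed tables, never build paths from it.
const PAGES  = ['timestamp' => __DIR__ . '/pages/timestamp.php']; // assumed layout
const IMAGES = ['a.jpg', 'b.jpg'];                                 // the two images in /images

function render_hardened(array $get): void
{
    $page = $get['pagename'] ?? 'timestamp';
    if (!array_key_exists($page, PAGES)) {
        http_response_code(400);
        exit('unknown page');
    }
    $image = $get['image_id'] ?? 'a.jpg';
    if (!in_array($image, IMAGES, true)) {
        http_response_code(400);
        exit('unknown image');
    }
    // The include target and the image name come from our own tables, so
    // directory traversal and the self-inclusion loop are not reachable.
    echo '<img src="images/' . htmlspecialchars($image, ENT_QUOTES) . '">';
    include PAGES[$page];
}

render_hardened($_GET);
```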
