
Target = 10.10.11.100

***********************************************************************

Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-06 13:30 UTC


Nmap scan report for 10.10.11.100 (10.10.11.100)
Host is up (0.38s latency).
Not shown: 791 closed ports, 207 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
| 256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_ 256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 418.31 seconds

***********************************************************************************

LIST OF DIRECTORIES

/index.php (Status: 200) [Size: 25169]
/resources (Status: 301) [Size: 316] [--> http://10.10.11.100/resources/]
/assets (Status: 301) [Size: 313] [--> http://10.10.11.100/assets/]
/portal.php (Status: 200) [Size: 125]
/css (Status: 301) [Size: 310] [--> http://10.10.11.100/css/]
/db.php (Status: 200) [Size: 0]
/js (Status: 301) [Size: 309] [--> http://10.10.11.100/js/]

***********************************************************************************

Potential user found under /resources/README.txt

USERNAME : "test"
PASSWORD :

***********************************************************************************

Vulnerabilities found using nikto

+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3093: /db.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ 7891 requests: 0 error(s) and 5 item(s) reported on remote host
+ End Time: 2021-10-07 01:59:27 (GMT0) (2612 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)? y

+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
- Sent updated info to cirt.net -- Thank you!
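The nikto findings above come down to a handful of missing defensive response headers (X-Frame-Options, X-Content-Type-Options and, on the HTTPS listener, Strict-Transport-Security). As an added example, not part of the original notes, the Python below parses a raw HTTP response head and reports which of those headers are absent, together with a baseline value to set. The sample response is constructed to mirror the Apache/2.4.41 banner seen in the scan; the recommended values and the Apache mod_headers directive in the output are this example's own suggestions, not something the notes state.

```python
# Defensive response headers nikto checks for, with a common baseline value.
# The values are an assumption of this example, not taken from the notes.
# X-XSS-Protection is deliberately left out: it is deprecated in modern
# browsers, and a Content-Security-Policy is the replacement.
EXPECTED_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def parse_headers(raw: str) -> dict:
    """Parse a raw HTTP/1.1 response head into {lowercased-name: value}.

    Only the status line and header lines are consumed; anything after the
    first blank line (the body) is ignored. Duplicate headers keep the last
    value seen, which is enough for a presence check.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def missing_defensive_headers(raw: str, https: bool) -> dict:
    """Return {header: recommended_value} for each expected header not present.

    Strict-Transport-Security only means something on an HTTPS response, so
    it is skipped for a plain-HTTP service like the port 80 listener scanned
    above (browsers ignore HSTS received over HTTP).
    """
    present = parse_headers(raw)
    missing = {}
    for name, recommended in EXPECTED_HEADERS.items():
        if name == "Strict-Transport-Security" and not https:
            continue
        if name.lower() not in present:
            missing[name] = recommended
    return missing


# Constructed sample: a response head in the shape the scanned host would
# return, with no defensive headers at all.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 06 Oct 2021 13:30:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head><title>Bounty Hunters</title></head></html>"
)

# Constructed sample: the same response after the headers were added.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, value in missing_defensive_headers(SAMPLE_RESPONSE, https=False).items():
        # Apache mod_headers syntax for adding the header to every response.
        print(f'missing {name}: Header always set {name} "{value}"')
    print("hardened response missing:", missing_defensive_headers(HARDENED_RESPONSE, https=True))
```

Running it against the constructed sample reports X-Frame-Options and X-Content-Type-Options as missing on the HTTP listener; the hardened sample reports nothing even with HSTS required.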

***********************************************************************************

Confirmed that /log_submit.php is vulnerable to XML external entity injection (XXE).

Used XXE for file disclosure; found a user

Username = development

Used XXE for access control bypass; found credentials in a PHP source file

<?php
// TODO -> Implement login system with the database.
$dbserver = "localhost";
$dbname = "bounty";
$dbusername = "admin";
$dbpassword = "m19RoAU0hP41A1sTsq6K";
$testuser = "test";
?>
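The XXE finding above exists because the endpoint hands user-supplied XML to a parser that honours DOCTYPE and entity declarations. As an added example, not code from the original notes or from the target application, the Python below shows the defender's fix for a report-submission endpoint: refuse any document that carries a DTD at all, then parse the plain elements with the standard library. The field names and both sample documents are constructed for the example; the file path in the hostile sample is a placeholder, since the point is that the DOCTYPE is rejected before any entity could be resolved.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXml(ValueError):
    """Raised when a submission carries a DOCTYPE or entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Abort on any DOCTYPE or entity declaration before real parsing.

    A report form only needs plain elements and text, so the presence of a
    DTD is treated as hostile outright. This is stricter than trying to
    resolve entities "safely" and closes off both external-entity file reads
    and entity-expansion (billion laughs) denial of service.
    """
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXml(f"DOCTYPE not allowed (root element {name!r})")

    def on_entity_decl(*_args):
        raise UnsafeXml("entity declaration not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    # Belt and braces: never fetch an external entity even if one got this far.
    parser.ExternalEntityRefHandler = lambda *_args: 0
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXml(f"malformed XML: {exc}") from exc


def parse_report(data: bytes) -> dict:
    """Parse a report submission into {field: text}, rejecting any DTD first."""
    reject_dtd(data)
    root = ET.fromstring(data)
    return {child.tag: (child.text or "") for child in root}


def classify(data: bytes) -> str:
    """Accept or reject a submission, returning a short verdict string."""
    try:
        parse_report(data)
    except UnsafeXml as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed sample: a benign submission (the field names are made up here).
BENIGN = (
    b"<?xml version='1.0'?>"
    b"<report><title>Typo on portal page</title><severity>low</severity></report>"
)

# Constructed sample: the same shape with an external entity declared. The
# path is a placeholder; the DOCTYPE itself is what gets refused.
HOSTILE = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE report [<!ENTITY ext SYSTEM 'file:///PLACEHOLDER_PATH'>]>"
    b"<report><title>&ext;</title><severity>low</severity></report>"
)

if __name__ == "__main__":
    print(classify(BENIGN), parse_report(BENIGN))
    print(classify(HOSTILE))
```

Rejecting the DOCTYPE outright rather than disabling individual features is the design choice worth copying: it does not depend on which parser options a given PHP or Python XML library exposes, and a submission that legitimately needs a DTD is a strong sign the endpoint should not be accepting raw XML in the first place.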

***********************************************************************************

Used the following credentials:

Username : development
Password : m19RoAU0hP41A1sTsq6K

and gained access to the machine using SSH (the database password from the disclosed PHP file is reused for the development account).

user flag = 4bb9d2af93d5b85d64b1a3418e338b4d

***********************************************************************************

Privilege Escalation

Can run ticketValidator.py using python3.8 with root privileges.

We also created a ticket with the correct format and appended a command that would create a shell.

ROOT FLAG : 1ed41cc4a009d1ed62cdc00c1ebee8d4

***********************************************************************************

END
