Service Enumeration

Nmap results:

22/tcp  open  ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open  netbios-ssn  Samba smbd 4.6.2
445/tcp open  netbios-ssn  Samba smbd 4.6.2
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
|_nbstat: NetBIOS name: OPACITY, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
|_ Message signing enabled but not required
Nmap done: 1 IP address (1 host up) scanned in 22.27 seconds

An SSH server, OpenSSH 8.2p1, is running on port 22. An HTTP server, Apache httpd 2.4.41, is running on port 80. Samba smbd 4.6.2 is running on ports 139 and 445. Port 139 is typically used for the NetBIOS Session Service; port 445 is used for Server Message Block (SMB) over TCP.

The version of OpenSSH 8.2p1 running on port 22 is linked to several vulnerabilities, including a Remote Code Execution vulnerability identified as CVE-2021-28041, which enables attackers to execute arbitrary code on the targeted system.

Unfortunately, despite spending hours searching the internet, I could not locate any helpful exploits that would provide me with initial access to the target machine.

Gobuster found some interesting directories:

$ gobuster dir -u -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/ -t 64 --no-error -x php
Gobuster by OJ Reeves & Christian Mehlmauer
Url:
Wordlist: /usr/share/wordlists/SecLists-master/Discovery/Web-Content/
Extensions: php
05:13:31 Starting gobuster in directory enumeration mode

/index.php: redirects to /login.php, which means we need to log in before accessing the main page, index.php.
/login.php: contains a login form where we can submit a username and a password.
/logout.php: also redirects to /login.php.
/cloud: returns a Personal Cloud Storage page where we can upload images via an external URL.

The first thing to notice here is that in order to upload a file, we have to submit an external URL that links to the file we want to upload, rather than dragging and dropping or selecting a file from the filesystem. The file upload path looks like the one we should dig into further to get initial access.

So ngrok makes a localhost port public, like localhost:3000->, so at this point you have something like a public subdomain and a public IP that forwards the connections to your localhost. So when you execute the php script, it runs on the server that hosts the file (localhost) and tries to connect to the desired IP. If your IP is in the same network as the server (or your routing table is configured to forward to another network), the server tries to make the connection serverip->yourcomputerip:8080. So the php is being executed on your server, not on another site. The file needs to be executed from the server that you want to connect to, so that the php on that system executes the bash command. So if that other server (remote url) executes that php (you upload the file and open the url), you would need a public IP, because that server is on the internet and cannot find your physical IP. I'm writing this on my phone and it is a bit difficult to structure the text. Ask me if there is something that you don't understand.

This will work with any operating system on a server. This is a module from Rapid7 that should be used with their handler, but you don't have to. Keep in mind this is a staged payload.