We begin with our usual TCP SYN scan on all ports, which reveals that ports 22, 80 and 443 are open.

/tmp/tmp.WtvkxLRe4k ❯ hping3 -S --scan 1-65535 10.10.10.79 | grep -v "Not" | tee general/hping3/syn_scan      root@kali
Scanning 10.10.10.79 (10.10.10.79), port 1-65535
65535 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
   22 ssh        : .S..A...  63     0 14600    44
   80 http       : .S..A...  63     0 14600    44
  443 https      : .S..A...  63     0 14600    44
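The flags column in that table is what actually tells us a port is open: hping3 prints the TCP flags of each reply in the fixed order F S R P A U X Y, so `.S..A...` is a SYN/ACK (open) and `..R.A...` would be a RST/ACK (closed). The parser below is an added example, not part of the original writeup or of hping3 itself; it decodes that column from a constructed copy of the output above (with one RST reply added, of the kind hping3 only shows with -V) so the open-port list can be produced mechanically instead of read off by eye.

```python
import re
from typing import List, NamedTuple, FrozenSet

# Constructed sample of hping3 --scan output. The three SYN/ACK lines mirror the
# scan above; the 8080 line is an invented RST/ACK reply so both cases are covered.
SAMPLE_HPING3 = """\
Scanning 10.10.10.79 (10.10.10.79), port 1-65535
65535 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
   22 ssh        : .S..A...  63     0 14600    44
   80 http       : .S..A...  63     0 14600    44
  443 https      : .S..A...  63     0 14600    44
 8080 http-alt   : ..R.A...  63     0     0    40
"""

# hping3 renders the TCP flag byte as eight positions: FIN SYN RST PSH ACK URG X Y.
FLAG_ORDER = "FSRPAUXY"

# One row of the reply table: port, service, flags, ttl, window, derived state.
class Reply(NamedTuple):
    port: int
    service: str
    flags: FrozenSet[str]
    ttl: int
    window: int
    state: str

# port  serv-name : flags  ttl  id  win  len
LINE_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+:\s+([.FSRPAUXY]{8})\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)

def decode_flags(flag_field: str) -> FrozenSet[str]:
    """Turn '.S..A...' into the set of flag letters that are set."""
    return frozenset(FLAG_ORDER[i] for i, ch in enumerate(flag_field) if ch != ".")

def classify(flags: FrozenSet[str]) -> str:
    """SYN+ACK means the port accepted the handshake; RST means it refused."""
    if "S" in flags and "A" in flags:
        return "open"
    if "R" in flags:
        return "closed"
    return "unknown"

def parse_hping3_scan(text: str) -> List[Reply]:
    """Parse the reply table, ignoring banner and box-drawing lines."""
    replies = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        port, service, flag_field, ttl, _ident, win, _length = m.groups()
        flags = decode_flags(flag_field)
        replies.append(Reply(int(port), service, flags, int(ttl), int(win), classify(flags)))
    return replies

def open_ports(text: str) -> List[int]:
    return [r.port for r in parse_hping3_scan(text) if r.state == "open"]

if __name__ == "__main__":
    for r in parse_hping3_scan(SAMPLE_HPING3):
        print(f"{r.port:>5} {r.service:<10} {sorted(r.flags)} ttl={r.ttl} -> {r.state}")
    print("open:", open_ports(SAMPLE_HPING3))
```

The TTL column is worth keeping too: 63 is one hop below the Linux default of 64, which is consistent with a Linux host one router away, and is a cheap cross-check against the OS guess nmap produces later.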

Running a comprehensive nmap scan with the vuln script reveals that the box is possibly vulnerable to Heartbleed. In addition, it reveals the /dev and /index resources, which may be worth checking out.

/tmp/tmp.WtvkxLRe4k ❯ sudo nmap -A -oA general/nmap/safe_scan -p22,80,443 10.10.10.79 --script vuln                                                                                                                                                                                                               root@kali
Starting Nmap 7.92 ( <https://nmap.org> ) at 2024-06-14 19:18 NZST
Nmap scan report for target (10.10.10.79)
Host is up (0.042s latency).
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:5.9p1:
|       PRION:CVE-2016-6244     7.8     <https://vulners.com/prion/PRION:CVE-2016-6244>
|       PRION:CVE-2016-6241     7.2     <https://vulners.com/prion/PRION:CVE-2016-6241>
|       PRION:CVE-2016-6240     7.2     <https://vulners.com/prion/PRION:CVE-2016-6240>
|       CVE-2020-14145  5.9     <https://vulners.com/cve/CVE-2020-14145>
|       CVE-2018-15919  5.3     <https://vulners.com/cve/CVE-2018-15919>
|       SSV:60656       5.0     <https://vulners.com/seebug/SSV:60656>    *EXPLOIT*
|       PRION:CVE-2010-5107     5.0     <https://vulners.com/prion/PRION:CVE-2010-5107>
|       CVE-2010-5107   5.0     <https://vulners.com/cve/CVE-2010-5107>
|       PRION:CVE-2016-6522     4.9     <https://vulners.com/prion/PRION:CVE-2016-6522>
|       PRION:CVE-2016-6350     4.9     <https://vulners.com/prion/PRION:CVE-2016-6350>
|       PRION:CVE-2016-6247     4.9     <https://vulners.com/prion/PRION:CVE-2016-6247>
|       PRION:CVE-2016-6246     4.9     <https://vulners.com/prion/PRION:CVE-2016-6246>
|       PRION:CVE-2016-6245     4.9     <https://vulners.com/prion/PRION:CVE-2016-6245>
|       PRION:CVE-2016-6243     4.9     <https://vulners.com/prion/PRION:CVE-2016-6243>
|       PRION:CVE-2016-6242     4.9     <https://vulners.com/prion/PRION:CVE-2016-6242>
|       PRION:CVE-2016-6239     4.9     <https://vulners.com/prion/PRION:CVE-2016-6239>
|       SSV:90447       4.6     <https://vulners.com/seebug/SSV:90447>    *EXPLOIT*
|       PRION:CVE-2016-0778     4.6     <https://vulners.com/prion/PRION:CVE-2016-0778>
|_      PRION:CVE-2016-0777     4.0     <https://vulners.com/prion/PRION:CVE-2016-0777>
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
| http-enum:
|   /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /index/: Potentially interesting folder
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|   /dev/: Potentially interesting directory w/ listing on 'apache/2.2.22 (ubuntu)'
|_  /index/: Potentially interesting folder
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
|     State: VULNERABLE
|     Risk factor: High
|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
|
|     References:
|       <http://www.openssl.org/news/secadv_20140407.txt>
|       <http://cvedetails.com/cve/2014-0160/>
|_      <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160>
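A report like the one above mixes three kinds of information: the port table, the vulners list (one line per advisory with a CVSS score, a URL and an optional *EXPLOIT* marker) and a per-script verdict such as the ssl-heartbleed `State:` line. The parser below is an added example, not code from the original writeup or from nmap; it reads a constructed excerpt of the output above (trimmed, with the URLs unwrapped) into a structure and then applies a simple triage rule: anything marked VULNERABLE by a script, anything at or above a CVSS threshold, and anything flagged as having a public exploit.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt of the nmap --script vuln report above; the real
# report lists more vulners entries, this keeps a representative few.
SAMPLE_NMAP = """\
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:5.9p1:
|       PRION:CVE-2016-6244     7.8     https://vulners.com/prion/PRION:CVE-2016-6244
|       CVE-2020-14145  5.9     https://vulners.com/cve/CVE-2020-14145
|       SSV:60656       5.0     https://vulners.com/seebug/SSV:60656    *EXPLOIT*
|_      PRION:CVE-2016-0777     4.0     https://vulners.com/prion/PRION:CVE-2016-0777
80/tcp  open  http     Apache httpd 2.2.22 ((Ubuntu))
|_http-server-header: Apache/2.2.22 (Ubuntu)
443/tcp open  ssl/http Apache httpd 2.2.22 ((Ubuntu))
| ssl-heartbleed:
|   VULNERABLE:
|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
|     State: VULNERABLE
|     Risk factor: High
|_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
"""

@dataclass
class Finding:
    ident: str
    cvss: float
    url: str
    exploit: bool

@dataclass
class PortReport:
    port: int
    proto: str
    state: str
    service: str
    version: str
    vulners: List[Finding] = field(default_factory=list)
    heartbleed: Optional[str] = None  # value of the ssl-heartbleed "State:" line

# "22/tcp  open  ssh      OpenSSH 5.9p1 ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
# Script header: "| vulners:" or one-liner "|_http-server-header: value".
# Exactly zero or one space after the bar keeps "|   VULNERABLE:" from matching.
SCRIPT_RE = re.compile(r"^\|_?\s?([a-z][\w-]*):\s*(.*)$")
# vulners entry: id, cvss, url, optional *EXPLOIT* marker
VULN_RE = re.compile(r"^\|_?\s+(\S+)\s+(\d+\.\d+)\s+(\S+)(\s+\*EXPLOIT\*)?\s*$")
STATE_RE = re.compile(r"State:\s*(\w+)")

def parse_nmap(text: str) -> List[PortReport]:
    ports: List[PortReport] = []
    current: Optional[PortReport] = None
    script: Optional[str] = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = PortReport(int(m[1]), m[2], m[3], m[4], m[5].strip())
            ports.append(current)
            script = None
            continue
        if current is None or not line.startswith("|"):
            continue
        m = SCRIPT_RE.match(line)
        if m:
            script = m[1]
            continue
        if script == "vulners":
            m = VULN_RE.match(line)
            if m:
                current.vulners.append(Finding(m[1], float(m[2]), m[3], m[4] is not None))
        elif script == "ssl-heartbleed":
            m = STATE_RE.search(line)
            if m:
                current.heartbleed = m[1]
    return ports

def triage(ports: List[PortReport], min_cvss: float = 7.0) -> List[Tuple[int, str]]:
    """Findings a defender should look at first, as (port, reason) pairs."""
    items: List[Tuple[int, str]] = []
    for p in ports:
        if p.heartbleed == "VULNERABLE":
            items.append((p.port, "ssl-heartbleed VULNERABLE (CVE-2014-0160)"))
        for f in p.vulners:
            if f.exploit or f.cvss >= min_cvss:
                tag = " exploit-available" if f.exploit else ""
                items.append((p.port, f"{f.ident} cvss={f.cvss}{tag}"))
    return items

if __name__ == "__main__":
    for port, reason in triage(parse_nmap(SAMPLE_NMAP)):
        print(f"{port:>5}/tcp  {reason}")
```

The CVSS threshold is deliberately a parameter: on a box like this the Heartbleed verdict would dominate any ranking, but the same parser over a fleet-wide `-oN` export is where the threshold and the exploit flag start doing real work.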

We proceed with further enumeration of the open ports.

Port 80 - HTTP

We begin by visiting the homepage which reveals a picture with no information hidden in the source code.


whatweb reveals the PHP and Apache versions, but these turned out to be of no consequence to our attack chain.

/tmp/tmp.WtvkxLRe4k ❯ whatweb -v <http://10.10.10.79> | tee 80/whatweb                                                       root@kali
WhatWeb report for <http://10.10.10.79>
Status    : 200 OK
Title     : <None>
IP        : 10.10.10.79
Country   : RESERVED, ZZ

Summary   : Apache[2.2.22], HTTPServer[Ubuntu Linux][Apache/2.2.22 (Ubuntu)], PHP[5.3.10-1ubuntu3.26], X-Powered-By[PHP/5.3.10-1ubuntu3.26]

Discovering hidden resources with gobuster reveals the /decode, /dev and /encode directories in addition to the ones already found by nmap.

Inspecting the discovered resources.

/dev

Visiting the page reveals that it is a directory with 2 files.