HackingLab – CEng Company

We start by scanning the network with arp-scan to identify the target machine on the local segment; the syntax is: sudo arp-scan --interface=eth0 --localnet (root is needed because arp-scan sends raw ARP frames).
The target machine responds at 192.168.188.81. It stands out among the other hosts by its MAC prefix 08:00:27 (PCS Systemtechnik GmbH), which is the OUI VirtualBox assigns to its virtual network adapters; the Kali box itself (08:00:27:23:ff:90 in the banner) is a VirtualBox guest too, but arp-scan does not list its own interface in the results.

kali@kali:~$ sudo arp-scan --interface=eth0 --localnet
[sudo] password for kali: 
Interface: eth0, type: EN10MB, MAC: 08:00:27:23:ff:90, IPv4: 192.168.188.53
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.188.1   98:9b:cb:9f:3a:e3       AVM Audiovisuelles Marketing und Computersysteme GmbH
192.168.188.20  cc:b0:da:aa:38:07       Liteon Technology Corporation
192.168.188.26  40:b0:34:db:2a:65       Hewlett Packard
192.168.188.29  00:03:7f:c3:11:0c       Atheros Communications, Inc.
192.168.188.27  7c:2f:80:f5:84:18       Gigaset Communications GmbH
192.168.188.43  54:b8:0a:01:ad:33       D-Link International
192.168.188.81  08:00:27:a0:6e:e2       PCS Systemtechnik GmbH
192.168.188.23  48:d6:d5:03:07:22       Google, Inc.
192.168.188.22  b0:65:bd:80:3a:0b       Apple, Inc.

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.488 seconds (102.89 hosts/sec). 9 responded
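The OUI check described above, as an added example that is not part of the original write-up or of arp-scan: it parses the arp-scan output embedded below (the run shown on this page) and returns the hosts whose MAC starts with the VirtualBox prefix. Only the regular expression and the helper names are mine.

```python
"""
Pick the VirtualBox guest(s) out of arp-scan output by MAC OUI.
Added example for this write-up; not part of the original post or of
arp-scan itself. 08:00:27 is the OUI VirtualBox assigns to virtual NICs
(registered to PCS Systemtechnik GmbH), so in a lab like this one it
singles out the target VM among the physical hosts.
"""
import re
from typing import List, Tuple

VBOX_OUI = "08:00:27"

# One arp-scan result line: <IPv4> <MAC> <vendor>. Banner and summary lines do not match.
_RESULT = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(.*)$", re.I
)


def parse_arp_scan(output: str) -> List[Tuple[str, str, str]]:
    """Return (ip, mac, vendor) for every result line of an arp-scan run."""
    hosts = []
    for line in output.splitlines():
        m = _RESULT.match(line.strip())
        if m:
            hosts.append((m.group(1), m.group(2).lower(), m.group(3).strip()))
    return hosts


def hosts_with_oui(output: str, oui: str = VBOX_OUI) -> List[str]:
    """IP addresses whose MAC begins with the given OUI (case-insensitive)."""
    prefix = oui.lower()
    return [ip for ip, mac, _ in parse_arp_scan(output) if mac.startswith(prefix)]


# The arp-scan output from the run above, embedded so the script runs offline.
SAMPLE_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: 08:00:27:23:ff:90, IPv4: 192.168.188.53
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.188.1   98:9b:cb:9f:3a:e3       AVM Audiovisuelles Marketing und Computersysteme GmbH
192.168.188.20  cc:b0:da:aa:38:07       Liteon Technology Corporation
192.168.188.26  40:b0:34:db:2a:65       Hewlett Packard
192.168.188.29  00:03:7f:c3:11:0c       Atheros Communications, Inc.
192.168.188.27  7c:2f:80:f5:84:18       Gigaset Communications GmbH
192.168.188.43  54:b8:0a:01:ad:33       D-Link International
192.168.188.81  08:00:27:a0:6e:e2       PCS Systemtechnik GmbH
192.168.188.23  48:d6:d5:03:07:22       Google, Inc.
192.168.188.22  b0:65:bd:80:3a:0b       Apple, Inc.

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 2.488 seconds (102.89 hosts/sec). 9 responded
"""

if __name__ == "__main__":
    print("VirtualBox hosts:", hosts_with_oui(SAMPLE_OUTPUT))
```

For a live run, pipe the scanner into it (`sudo arp-scan --interface=eth0 --localnet | python3 find_vbox.py` with `sys.stdin.read()` in place of SAMPLE_OUTPUT). The vendor column is only a lookup on the OUI, so a VM with a spoofed or custom MAC will not be caught this way.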

With nmap we scan for open ports and services; the syntax is sudo nmap -sV -sT -O -A -p- <IP ADDRESS> where:
-sV probes the open ports to determine service and version information,
-sT performs a TCP connect scan,
-O enables operating system detection,
-A is the "aggressive" option set (OS detection, version detection, default NSE scripts and traceroute),
-p- scans all 65535 TCP ports instead of the default 1000 most common ones.

The run actually shown below is the simpler nmap -A <IP ADDRESS>, without sudo and without -p-: it therefore covers only the default 1000 most common ports, and OS fingerprinting is skipped because it needs raw-socket privileges (which is why the report carries only a Service Info line and no OS guess). In this case the two open services were found all the same:
22 – ssh (OpenSSH 7.2p2, Ubuntu),
80 – http (Apache httpd 2.4.18, Ubuntu).

kali@kali:~$ nmap -A 192.168.188.81
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 13:41 EDT
Nmap scan report for cengbox.fritz.box (192.168.188.60)
Host is up (0.0014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a9:cc:28:f3:8c:f5:0e:3f:5a:ed:13:f3:ad:53:13:9b (RSA)
|   256 f7:3a:a3:ff:a1:f7:e5:1b:1e:6f:58:5f:c7:02:55:9b (ECDSA)
|_  256 f0:dd:2e:1d:3d:0a:e8:c1:5f:52:7c:55:2c:dc:1e:ef (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: CEng Company
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.55 seconds

To look for potential vulnerabilities we then ran nikto against port 80; the syntax is nikto -host <IP ADDRESS> -port <PORT> where:
-host is the IP address (or URL) of the target machine,
-port is the port on which to run the vulnerability scan (omitted in the run below, so nikto uses the default, 80).
Nikto only reports missing security headers, an outdated Apache version and the default /icons/README file: nothing directly exploitable, so we move on to content discovery.

kali@kali:~$ nikto -host http://192.168.188.81
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.188.81
+ Target Hostname:    192.168.188.81
+ Target Port:        80
+ Start Time:         2020-05-30 13:42:30 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7915 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time:           2020-05-30 13:43:49 (GMT-4) (79 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

We begin enumerating directories with dirb, using the syntax dirb http://<IP ADDRESS> (the default wordlist is /usr/share/dirb/wordlists/common.txt, and dirb recurses into every directory it finds).

kali@kali:~$ sudo dirb http://192.168.188.81

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat May 30 13:52:52 2020
URL_BASE: http://192.168.188.81/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://192.168.188.60/ ----
==> DIRECTORY: http://192.168.188.60/css/                                                                                          
==> DIRECTORY: http://192.168.188.60/img/                                                                                          
+ http://192.168.188.60/index.php (CODE:200|SIZE:5812)                                                                             
==> DIRECTORY: http://192.168.188.60/js/                                                                                           
+ http://192.168.188.60/server-status (CODE:403|SIZE:279)                                                                          
==> DIRECTORY: http://192.168.188.60/uploads/                                                                                      
==> DIRECTORY: http://192.168.188.60/vendor/                                                                                       
                                                                                                                                   
---- Entering directory: http://192.168.188.60/css/ ----
                                                                                                                                   
---- Entering directory: http://192.168.188.60/img/ ----
                                                                                                                                   
---- Entering directory: http://192.168.188.60/js/ ----
                                                                                                                                   
---- Entering directory: http://192.168.188.60/uploads/ ----
                                                                                                                                   
---- Entering directory: http://192.168.188.60/vendor/ ----
==> DIRECTORY: http://192.168.188.60/vendor/jquery/                                                                                
                                                                                                                                   
---- Entering directory: http://192.168.188.60/vendor/jquery/ ----
                                                                                                                                   
-----------------                                                                                                                   
END_TIME: Sat May 30 13:53:14 2020                                                                                                  
DOWNLOADED: 32284 - FOUND: 2

Since dirb with common.txt turned up nothing of interest, we enumerate again with gobuster and a larger wordlist. The syntax is gobuster dir -u <URL> -w /usr/share/wordlists/dirb/big.txt [-e] [-o <file>] where:
dir selects directory/file brute-forcing mode (required in gobuster 3.x),
-u is the target URL,
-w is the wordlist used for the brute force,
-e is expanded mode (print full URLs instead of bare paths),
-o writes the results to a file.
What makes the difference here is the wordlist rather than the tool: common.txt (4612 words) does not contain masteradmin, while big.txt does. The scan reveals a potentially interesting directory: masteradmin.

kali@kali:~$ sudo gobuster dir -u http://192.168.188.81/ -w /usr/share/wordlists/dirb/big.txt -o /home/kali/Documents/CEng/CEng.out
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.188.60/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/30 13:58:22 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/css (Status: 301)
/img (Status: 301)
/js (Status: 301)
/masteradmin (Status: 301)
/server-status (Status: 403)
/uploads (Status: 301)
/vendor (Status: 301)
===============================================================
2020/05/30 13:58:46 Finished
===============================================================

Still with gobuster, we enumerate the masteradmin directory, this time adding -x php so that each word is also tried with a .php extension (gobuster does not recurse on its own, which is why the sub-directory gets a separate run).

kali@kali:~/Documents/CEng$ sudo gobuster dir -u http://192.168.188.81/masteradmin/ -w /usr/share/wordlists/dirb/big.txt -o /home/kali/Documents/CEng/CEng.out -x php
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://192.168.188.60/masteradmin/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
===============================================================
2020/05/30 14:04:43 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/css (Status: 301)
/db.php (Status: 200)
/fonts (Status: 301)
/images (Status: 301)
/js (Status: 301)
/login.php (Status: 200)
/upload.php (Status: 200)
/vendor (Status: 301)
===============================================================
2020/05/30 14:05:18 Finished
===============================================================
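To make explicit what the dirb and gobuster runs above are doing, here is an added example, not part of the original write-up and not dirb's or gobuster's code: a minimal brute-forcer that descends into discovered directories (dirb's behaviour) and tries each word with extra extensions (gobuster's -x php). The fetcher is pluggable, so the logic runs offline against a constructed model of the target built from the paths and status codes the scans above reported; the two wordlists are also constructed stand-ins for common.txt (without masteradmin, as the dirb run suggests) and big.txt.

```python
"""
Minimal directory/file brute-forcer showing the two behaviours the scans above
depend on: descending into discovered directories (what dirb does) and trying
each word with extra extensions (gobuster's -x php). Added example for this
write-up; it is not dirb's or gobuster's code. The fetcher is pluggable so the
logic can be run offline against a constructed model of the target.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Status codes gobuster 3.0.1 counts as hits (from its banner in the runs above).
FOUND_CODES = {200, 204, 301, 302, 307, 401, 403}

Fetcher = Callable[[str], int]  # url -> HTTP status code (0 if unreachable)


def http_status(url: str, timeout: float = 5.0) -> int:
    """Live fetcher: one HEAD request per candidate path."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code          # 403, 404, ... are still useful signals
    except urllib.error.URLError:
        return 0


def enumerate_paths(base: str, words: List[str], exts: List[str],
                    fetch: Fetcher, max_depth: int = 2) -> Dict[str, int]:
    """
    Try /word and /word.<ext> for every word under base. A 301 on a bare name
    is how Apache answers a directory requested without its trailing slash,
    so such hits are queued and enumerated in turn (dirb-style recursion),
    down to max_depth levels. Returns {path: status} for every hit.
    """
    base = base.rstrip("/")
    found: Dict[str, int] = {}
    queue: List[Tuple[str, int]] = [("", 0)]
    while queue:
        prefix, depth = queue.pop(0)
        for word in words:
            candidates = [f"{prefix}/{word}"] + [f"{prefix}/{word}.{ext}" for ext in exts]
            for path in candidates:
                code = fetch(base + path)
                if code not in FOUND_CODES:
                    continue
                found[path] = code
                if code == 301 and depth < max_depth:
                    queue.append((path, depth + 1))
    return found


# --- constructed offline model of the target, built from the scan results above ---
BASE = "http://192.168.188.81"

# Paths and status codes as reported by dirb/gobuster on this page; anything else is 404.
FAKE_SITE: Dict[str, int] = {
    "/index.php": 200, "/css": 301, "/img": 301, "/js": 301, "/uploads": 301,
    "/vendor": 301, "/vendor/jquery": 301, "/server-status": 403,
    "/.htaccess": 403, "/.htpasswd": 403,
    "/masteradmin": 301, "/masteradmin/login.php": 200,
    "/masteradmin/upload.php": 200, "/masteradmin/db.php": 200,
    "/masteradmin/css": 301, "/masteradmin/js": 301, "/masteradmin/fonts": 301,
    "/masteradmin/images": 301, "/masteradmin/vendor": 301,
}


def fake_fetch(url: str) -> int:
    """Offline fetcher: answers from FAKE_SITE instead of the network."""
    assert url.startswith(BASE)
    return FAKE_SITE.get(url[len(BASE):], 404)


# Constructed wordlists standing in for dirb's common.txt (no "masteradmin") and big.txt.
SMALL_WORDS = ["css", "img", "index", "js", "jquery", "server-status", "uploads", "vendor"]
BIG_WORDS = SMALL_WORDS + [".htaccess", ".htpasswd", "db", "fonts", "images",
                           "login", "masteradmin", "upload"]


def scan(words: List[str], exts: List[str]) -> Dict[str, int]:
    """Run the enumerator against the offline model."""
    return enumerate_paths(BASE, words, exts, fake_fetch)


if __name__ == "__main__":
    for path, code in sorted(scan(BIG_WORDS, ["php"]).items()):
        print(f"{path} (Status: {code})")
```

Against a live target, swap in `http_status` as the fetcher and a real wordlist; keep in mind that, as the dirb and gobuster summaries above show (32284 and several thousand requests respectively), this kind of enumeration is loud in the web server's access log. Without the extension list, the PHP files under /masteradmin are never requested, which is exactly why the second gobuster run needed -x php.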

We open the login page in the browser.
