Nmap done: 1 IP address (1 host up) scanned in 88.54 secondsīased on the Apache version, this looks like Ubuntu bionic (18.04). Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel If you know the service/version, please submit the following fingerprint at : Patents Managementġ service unrecognized despite returning data. |_http-server-header: Apache/2.4.29 (Ubuntu) Nmap done: 1 IP address (1 host up) scanned in 7.89 nmap -p 22,80,8888 -sC -sV -oA scans/tcpscripts 10.10.10.173Ģ2/tcp open ssh OpenSSH 7.7p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux protocol 2.0) Nmap shows three services over TCP, SSH (22), HTTP (80), and unknown on nmap -p-min-rate 10000 -oA scans/alltcp 10.10.10.173
In Beyond Root, I’ll look at chaining PHP filters to exfil larger data over XXE. I’ll also find a Git repo with the server binary, which I can reverse and find an exploit in, resulting in a shell as root on the host machine. As root, I get access to an application that’s communicating with the custom service on the host machine. To get root in that container, I’ll find a password in the process list. In that section, there is a directory traversal vulnerability that allows me to use log poisoning to get execution and a shell in the web docker container.
I’ll exploit XXE in Libre Office that’s being used to convert docx files to PDFs to leak a configuration file, which uncovers another section of the site. I’ll find two listening services, a webserver and a custom service. Patents was a really tough box, that probably should have been rated insane.
0 kommentar(er)
