# Web servers

## http://10.43.1.13/

VNC server, 123456
Nothing found by fuzzing
nginx/1.18.0 (Ubuntu)

## http://172.16.43.11 [GLPI - Mysql Error]

GLPI 9.4.3
https://www.tarlogic.com/blog/glpi-vulnerability-cve-2019-14666/
On GLPI's internal (local) user base: user `normal`, password `normal`
On the GLPI user base linked to the AD: the password was stored in clear text in the account description, which is visible in Active Directory

![](https://hackmd.io/_uploads/Bky12J0A2.png)

Kieran.Noble / iyoh6Ain121A@!= (account that can create tickets, list the people who have a GLPI account, and take tickets)

## http://172.16.43.14 [Annuaire Téléphonique E-Corp]

Apache/2.4.10 (Debian)

![](https://hackmd.io/_uploads/SyGYr1k1a.png)
![](https://hackmd.io/_uploads/H1dtSq203.png)

```
┌──(root㉿kali)-[~]
└─# nikto -h http://172.16.43.14
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          172.16.43.14
+ Target Hostname:    172.16.43.14
+ Target Port:        80
+ Start Time:         2023-09-13 03:06:19 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /: Server may leak inodes via ETags, header found with file /, inode: 12bf1, size: 5c73b0d23c840, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /admin.cgi: Uncommon header '93e4r0-cve-2014-6271' found, with contents: true.
+ /admin.cgi: Site appears vulnerable to the 'shellshock' vulnerability. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8909 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-09-13 03:11:18 (GMT-4) (299 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
```

## http://172.16.43.15:8080/

Jenkins, admin / admin

![](https://hackmd.io/_uploads/ry8JVe11a.png)

```
┌──(root㉿kali)-[~]
└─# nmap --script vuln 172.16.43.15
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-13 04:24 EDT
Nmap scan report for 172.16.43.15
Host is up (0.036s latency).
Not shown: 998 closed tcp ports (reset)
PORT      STATE SERVICE
8080/tcp  open  http-proxy
| http-enum:
|   /robots.txt: Robots file
|   /api/: Potentially interesting folder
|   /secured/: Potentially interesting folder (401 Unauthorized)
|_  /target/: Potentially interesting folder
50000/tcp open  ibm-db2

Nmap done: 1 IP address (1 host up) scanned in 87.32 seconds
```

## http://172.16.43.16 []

GitLab 8.13.1
CVE-2016-9086
http://172.16.43.16/nomutilisateur (username in the path) shows that user's profile

## 172.16.43.17

```
PORT     STATE SERVICE    VERSION
5432/tcp open  postgresql PostgreSQL DB 11.6 - 11.7 (Docker alpine image)
```

## 172.16.43.19

http://172.16.43.19/info.php
Wapiti scan: https://drive.google.com/file/d/1NebEvQTQSoANLvYD5f-1zJKQrh4V5fUC/view?usp=drive_link
Scan:

```
└─# nikto -h 172.16.43.19
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP:          172.16.43.19
+ Target Hostname:    172.16.43.19
+ Target Port:        80
+ Start Time:         2023-09-12 09:55:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.52 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.52 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: HEAD, GET, POST, OPTIONS .
+ /info.php: Output from the phpinfo() function was found.
+ /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information. See: CWE-552
+ /info.php?file=http://blog.cirt.net/rfiinc.txt: Remote File Inclusion (RFI) from RSnake's RFI list. See: https://gist.github.com/mubix/5d269c686584875015a2
+ 8102 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2023-09-12 09:59:53 (GMT-4) (261 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://172.16.43.19 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://172.16.43.19
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://172.16.43.19/admin/]
/info.php             (Status: 200) [Size: 70783]
/server-status        (Status: 403) [Size: 277]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
```

## http://172.16.43.21 []

Apache/2.4.52
http://172.16.43.21/backup
http://172.16.43.21/server-status (only reachable from 10.43.1.13)

## http://172.16.43.25 [Dépôt NDF]

URL brute force (Burp Suite): no results
Server: Apache/2.4.52 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ Apache/2.4.52 outdated
+ CSRF fail!
https://drive.google.com/file/d/15cAXKsDicXbwnuONSgK_BBZ7K5qE9HP7/view?usp=sharing

It was possible to upload a .exe containing a reverse shell; the user taylor.cartwright later executed this file and we obtained administrator access on his workstation through his session using the reverse shell.

Workstation information:

```
Carte Ethernet Ethernet :

   Suffixe DNS propre à la connexion. . . :
   Adresse IPv6 de liaison locale. . . . .: fe80::ac4d:9b5c:a3bb:89af%5
   Adresse IPv4. . . . . . . . . . . . . .: 10.43.1.214
   Masque de sous-réseau. . . . . . . . . : 255.255.254.0
   Passerelle par défaut. . . . . . . . . : 10.43.1.254
```

e-corp-houston2\taylor.cartwright

![](https://hackmd.io/_uploads/B10bGkJJa.png)

## http://172.16.43.26 [404 Not Found]

URL brute force: no results

```
PORT    STATE SERVICE
80/tcp  open  http
|_http-: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
443/tcp open  https
|_http-aspnet-debug: ERROR: Script execution failed (use -d to debug)
|_ssl-ccs-injection: No reply from server (TIMEOUT)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-vuln-cve2014-3704: ERROR: Script execution failed (use -d to debug)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
```

## http://172.16.43.27 [404 Not Found]

URL brute force: no results

```
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
```

## http://172.16.43.28 [404 Not Found]

Apache/2.4.38 (Ubuntu)
https://www.infosecmatter.com/nessus-plugin-library/?id=121355

![](https://hackmd.io/_uploads/S1tHWYnC2.png)

On the pages found:

![](https://hackmd.io/_uploads/BkfEzt3A2.png)

No other brute-force results; stopped because the server went down.

## 172.16.43.30 SMTP

```
[*] 172.16.43.30:25 - 172.16.43.30:25 Banner: 220 e-corp-houston2.lan Postfix
[+] 172.16.43.30:25 - 172.16.43.30:25 Users found: , Debian-exim, Debian-snmp, EZsetup, OutOfBox, _apt, abrt, adm, admin, administrator, anon, arpwatch, auditor, avahi, avahi-autoipd, backup, bbs, beef-xss, bin, bitnami, checkfs, checkfsys, checksys, chronos, chrony, cmwlogin, cockpit-ws, colord, couchdb, cups-pk-helper, daemon, dbadmin, dbus, demo, demos, diag, distccd, dni, dnsmasq, dradis, fal, fax, ftp, games, gdm, geoclue, gnats, gnome-initial-setup, gopher, gropher, guest, haldaemon, halt, hplip, inetsim, informix, install, iodine, irc, jet, karaf, kernoops, king-phisher, landscape, libstoragemgmt, libuuid, lightdm, list, listen, lp, lpadm, lpadmin, lxd, lynx, mail, man, me, messagebus, miredo, mountfs, mountfsys, mountsys, mysql, news, noaccess, nobody, nobody4, ntp, nuucp, nxautomation, nxpgsql, omi, omsagent, operator, oracle, pi, polkitd, pollinate, popr, postfix, postgres, postmaster, printer, proxy, pulse, redsocks, rfindd, rje, rooty, rpc, rpcuser, rtkit, rwhod, saned, service, setroubleshoot, setup, sgiweb, shutdown, sigver, speech-dispatcher, sshd, sslh, sssd, stunnel4, sym, symop, sync, sys, sysadm, sysadmin, sysbin, syslog, system_admin, systemd-bus-proxy, systemd-coredump, systemd-network, systemd-resolve, systemd-timesync, tcpdump, trouble, tss, udadmin, ultra, umountfs, umountfsys, umountsys, unix, unscd, us_admin, usbmux, user, uucp, uucpadm, uuidd, vagrant, varnish, web, webmaster, whoopsie, www, www-data, xpdb, xpopr, zabbix
```

## http://172.16.43.31

URL brute force: no results
FTP: authentication possible with any user / password

```
21/tcp open  ftp     ProFTPD 1.3.8
80/tcp open  http    Apache httpd 2.4.26 ((Debian))
```
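Follow-up on the GLPI/AD finding above (Kieran.Noble's password sitting in the Active Directory account description). The audit script below is added here and is not part of the original notes; it assumes the RSAT ActiveDirectory module is installed and that the two regexes are tuned to the languages used in the directory.

```powershell
# Added audit, not part of the original notes: list AD accounts whose Description
# or Info ("Notes") attribute looks like it carries a credential, which is how
# the Kieran.Noble password was exposed. Assumes the RSAT ActiveDirectory module
# is installed; by default every authenticated domain user can read these
# attributes, which is exactly why a password stored there is a finding.
Import-Module ActiveDirectory

# Heuristic 1: a label that usually precedes a password (French and English;
# assumption: extend for other languages used in the directory).
$labelPattern  = '(?i)\b(pass(word|wd)?|pwd|mdp|mot de passe|credential)\b\s*[:=]'
# Heuristic 2: a token of 8+ chars mixing case, digits and symbols, i.e. something
# that looks like a generated password even without a label in front of it.
$secretPattern = '(?=\S*\d)(?=\S*[A-Z])(?=\S*[a-z])(?=\S*[^A-Za-z0-9])\S{8,}'

function Test-CredentialLike {
    param([string] $Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    return ($Text -match $labelPattern) -or ($Text -match $secretPattern)
}

$suspects = Get-ADUser -Filter * -Properties Description, Info, Enabled |
    Where-Object { (Test-CredentialLike $_.Description) -or (Test-CredentialLike $_.Info) } |
    Select-Object SamAccountName, Enabled, Description, Info

$suspects | Format-Table -AutoSize

# Remediation for each confirmed hit: clear the attribute, then rotate the
# password (the value must be treated as compromised). Uncomment after review;
# -WhatIf previews the change without applying it.
# foreach ($u in $suspects) {
#     Set-ADUser -Identity $u.SamAccountName -Clear description, info -WhatIf
# }
```

Heuristic 2 is what catches a description like "iyoh6Ain121A@!=" that has no "password:" label in front of it; expect some false positives on descriptions containing serial numbers or asset tags.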