# PGP Writeups: Detection

IP Addr: 192.168.154.97

## Pre-attack Prep

![image](https://hackmd.io/_uploads/SJwRFhYq1e.png)

- 3 Folders
  - enum &rarr; for all records we enumerate
  - files &rarr; for any files we find
  - exploits &rarr; for any exploits we might need

## Initial Scan

`sudo nmap 192.168.154.97 -p- -Pn -A -T4 -oN enum/97-ports.log`

```shell
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
5000/tcp open  upnp?
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Content-Type: text/html; charset=utf-8
|     Content-Length: 22939
|     Vary: Accept-Encoding, Cookie
|     Set-Cookie: session=eyJjc3JmX3Rva2VuIjoiZWE4MmRlMThiODAwYzU3YTA4NDM0Y2EzNzk4OWFmMTNhNmY4YTFhMSJ9.Z7xBEA.BcKYHheo3y8WjLIxIEQ7QFuH-T4; HttpOnly; Path=/
|     Date: Mon, 24 Feb 2025 09:51:12 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en" data-darkmode="false">
|     <head>
|     <meta charset="utf-8" >
|     <meta name="viewport" content="width=device-width, initial-scale=1.0" >
|     <meta name="description" content="Self hosted website change detection." >
|     <title>Change Detection</title>
|     <link rel="alternate" type="application/rss+xml" title="Changedetection.io | Feed" href="/rss?tag=&amp;token=766c79a538cb617cfcf10f946ff18b94" >
|     <link rel="stylesheet" href="/static/styles/pure-min.css" >
|     <link rel="stylesheet" href="/static/styles/styles.css" >
|     <link rel=
|   RTSPRequest:
|     <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
|     "http://www.w3.org/TR/html4/strict.dtd">
|     <html>
|     <head>
|     <meta http-equiv="Content-Type" content="text/html;charset=utf-8">
|     <title>Error response</title>
|     </head>
|     <body>
|     <h1>Error response</h1>
|     <p>Error code: 400</p>
|     <p>Message: Bad request version ('RTSP/1.0').</p>
|     <p>Error code explanation: HTTPStatus.BAD_REQUEST - Bad request syntax or unsupported method.</p>
|     </body>
|_    </html>
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

It appears that we have a webserver running on port 5000.

![image](https://hackmd.io/_uploads/B1NVrTtckx.png)

## Webserver

`gobuster dir -u http://192.168.154.97:5000 -w /usr/share/dirb/wordlists/common.txt`

![image](https://hackmd.io/_uploads/BJXZ8aY9ke.png)

### Manual Enumeration

#### Main Page

ChangeDetection.io v0.45.1

#### /backup

Downloads a file to our machine.

![image](https://hackmd.io/_uploads/HktwL6Kcyg.png)

#### /import

![image](https://hackmd.io/_uploads/SJAF8atq1x.png)

#### /login

![image](https://hackmd.io/_uploads/rJA4vaY9kl.png)

#### /settings

- We find some interesting things here: API Key &rarr; f7fb037bd530a6579c7a42df63fdd25a

![image](https://hackmd.io/_uploads/B1auD6K9Jg.png)

## Enumeration

![image](https://hackmd.io/_uploads/BJGou6Kc1g.png)

- We find an exploit to do with this service.

![image](https://hackmd.io/_uploads/r1Ya_pYcJx.png)

## Exploitation

![image](https://hackmd.io/_uploads/rJesFTYqJl.png)

- We have a few modules missing.

Enable a virtual environment and install them.

![image](https://hackmd.io/_uploads/B1Tv9pFcke.png)

![image](https://hackmd.io/_uploads/H1k9cTY9kx.png)
![image](https://hackmd.io/_uploads/HyA55TYckx.png)

Give the necessary arguments.

![image](https://hackmd.io/_uploads/ByggIiat51e.png)

Note the new entry at the bottom of the table.

![image](https://hackmd.io/_uploads/S1OPiaY5ke.png)

Click edit, and look in the notification body.

![image](https://hackmd.io/_uploads/rJByhaY9yx.png)

![image](https://hackmd.io/_uploads/Hy7xhpY91g.png)

Click save.

![image](https://hackmd.io/_uploads/rkxWnTtcke.png)

We have root!

![image](https://hackmd.io/_uploads/ryMfnTtq1l.png)

![image](https://hackmd.io/_uploads/SJ_BhpK51e.png)
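The `Set-Cookie: session=...` header captured by the nmap probe in the initial scan is a Flask session cookie (changedetection.io is a Flask application). As an added example that is not part of the original writeup, the script below splits that exact cookie value into its three dot-separated fields to show what an operator should assume is readable by anyone who captures it: the JSON payload and the issue timestamp are plain base64url, and only the trailing signature depends on the server's `SECRET_KEY`. The cookie value is taken verbatim from the scan output above; the field layout follows itsdangerous' URLSafeTimedSerializer, which Flask uses by default.

```python
import base64
import json
import zlib
from datetime import datetime, timezone

# Cookie value exactly as seen in the nmap GetRequest fingerprint above.
SESSION_COOKIE = (
    "eyJjc3JmX3Rva2VuIjoiZWE4MmRlMThiODAwYzU3YTA4NDM0Y2EzNzk4OWFmMTNhNmY4YTFhMSJ9"
    ".Z7xBEA.BcKYHheo3y8WjLIxIEQ7QFuH-T4"
)


def _b64url_decode(s: str) -> bytes:
    """itsdangerous strips '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def inspect_flask_session(cookie: str) -> dict:
    """Break a Flask session cookie into payload, issue time and signature size.

    Layout: <payload>.<timestamp>.<signature>. The payload and timestamp are
    only base64url-encoded (no secret needed to read them); the signature is
    an HMAC over "<payload>.<timestamp>" keyed from SECRET_KEY, so it cannot
    be checked or forged without that key.
    """
    payload_b64, ts_b64, sig_b64 = cookie.rsplit(".", 2)
    raw = _b64url_decode(payload_b64.lstrip("."))
    if payload_b64.startswith("."):  # leading '.' marks a zlib-compressed payload
        raw = zlib.decompress(raw)
    issued = int.from_bytes(_b64url_decode(ts_b64), "big")  # seconds since epoch
    return {
        "payload": json.loads(raw),
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),
        # Flask signs session cookies with HMAC-SHA1 by default: 20-byte tag.
        "signature_bytes": len(_b64url_decode(sig_b64)),
    }


if __name__ == "__main__":
    info = inspect_flask_session(SESSION_COOKIE)
    print("payload:        ", info["payload"])
    print("issued at (UTC):", info["issued_at"].isoformat())
    print("signature bytes:", info["signature_bytes"])
```

The decoded timestamp lines up with the `Date:` header of the same response, which is a quick consistency check when triaging a captured cookie; anything sensitive must therefore live server-side, because the payload is readable by anyone who obtains the cookie even though it cannot be modified without the key.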