Posts

Vulnhub - Pinky's palace.

Now I'll start doing something different from now on. Instead of presenting the whole solution, I'll write what I really learnt about the machine I'm hacking, because that's more important to me than just presenting the complete write-up, which you can find in every corner of the internet. Much appreciated. Let's start: in this machine, I learn how to find the functions inside the binary using objdump. But first I look for the strings, and I found execv, which led me to search for functions inside the binary: -d = means disassemble, -M = machine architecture. After seeing that, I use gdb and set a breakpoint at main; I run it, and did disas spawn: I had to confirm if ASLR is enabled; it's not. So all addresses will stay in their places and won't change! So I build a file with the address in the picture above: you need 72 chars and the address. Can you see 000055555555447d0? This is the first address of the spawn function. Let's run ...

Vulnhub - Pwnlab.

This machine was nice. I learnt something new: remote file inclusion. There are many examples on Google. Google it. Let's start:

# Nmap 7.60 scan initiated Sun Feb 18 12:37:05 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.23
Nmap scan report for 10.0.2.23
Host is up (0.00014s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.10 ((Debian))
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PwnLab Intranet Image Hosting
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4      111/tcp   rpcbind
|   100000  2,3,4      111/udp   rpcbind
|   100024  1        37405/udp   status
|_  100024  1        49755/tcp   status
3306/tcp open  mysql   MySQL 5.5.47-0+deb8u1
| mysql-info:
|   Protocol: 10
|   Version: 5.5.47-0+deb8u1
|   Thread ID: 38
|   Capabilities flags: 63487
|   Some Capabilities: Support41Auth, ConnectWithDatabase, LongPassword, SupportsL...

Vulnhub - Tr0ll.

This machine was not easy. I had to have a little patience, because when you think you're going somewhere, you're not. It got me trolled all the time. Let's start:

# Nmap 7.60 scan initiated Sat Feb 24 11:50:53 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.10
Nmap scan report for 10.0.2.10
Host is up (0.00017s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxrwxrwx    1 1000     0            8068 Aug 09  2014 lol.pcap [NSE: writeable]
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to 10.0.2.21
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 600
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 5
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2...

Vulnhub - Bob1.

This machine was cool, but it was hard. It took many hours to solve. Let's start:

# Nmap 7.60 scan initiated Fri Mar 16 20:11:28 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.31
Nmap scan report for 10.0.2.31
Host is up (0.00014s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
21/tcp    open  ftp     ProFTPD 1.3.5b
80/tcp    open  http    Apache httpd 2.4.25 ((Debian))
| http-robots.txt: 4 disallowed entries
| /login.php /dev_shell.php /lat_memo.html
|_/passwords.html
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Site doesn't have a title (text/html).
25468/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u2 (protocol 2.0)
| ssh-hostkey:
|   2048 84:f2:f8:e5:ed:3e:14:f3:93:d4:1e:4c:41:3b:a2:a9 (RSA)
|   256 5b:98:c7:4f:84:6e:fd:56:6a:35:16:83:aa:9c:ea:f8 (ECDSA)
|_  256 39:16:56:fb:4e:0f:50:85:40:d3:53:22:41:43:38:15 (EdDSA)
MAC Address: 08:00:27:C0:CC:74 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:l...

Vulnhub - Covfefe.

This VM is cool. They always are. Let's start:

# Nmap 7.60 scan initiated Tue Feb 20 16:04:52 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.24
Nmap scan report for 10.0.2.24
Host is up (0.00021s latency).
Not shown: 65532 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.4p1 Debian 10 (protocol 2.0)
| ssh-hostkey:
|   2048 d0:6a:10:e0:fb:63:22:be:09:96:0b:71:6a:60:ad:1a (RSA)
|   256 ac:2c:11:1e:e2:d6:26:ea:58:c4:3e:2d:3e:1e:dd:96 (ECDSA)
|_  256 13:b3:db:c5:af:62:c2:b1:60:7d:2f:48:ef:c3:13:fc (EdDSA)
80/tcp    open  http    nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Welcome to nginx!
31337/tcp open  http    Werkzeug httpd 0.11.15 (Python 3.5.3)
| http-robots.txt: 3 disallowed entries
|_/.bashrc /.profile /taxes
|_http-server-header: Werkzeug/0.11.15 Python/3.5.3
|_http-title: 404 Not Found
MAC Address: 08:00:27:EC:98:F3 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection pe...

Vulnhub - hackfest2016: Sedna.

On this VM the first solution was hard to find, but it was cool.

# Nmap 7.60 scan initiated Sat Feb 17 20:04:07 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.20
Nmap scan report for 10.0.2.20
Host is up (0.00019s latency).
Not shown: 65523 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 aa:c3:9e:80:b4:81:15:dd:60:d5:08:ba:3f:e0:af:08 (DSA)
|   2048 41:7f:c2:5d:d5:3a:68:e4:c5:d9:cc:60:06:76:93:a5 (RSA)
|   256 ef:2d:65:85:f8:3a:85:c2:33:0b:7d:f9:c8:92:22:03 (ECDSA)
|_  256 ca:36:3c:32:e6:24:f9:b7:b4:d4:1d:fc:c0:da:10:96 (EdDSA)
53/tcp  open  domain  ISC BIND 9.9.5-3-Ubuntu
| dns-nsid:
|_  bind.version: 9.9.5-3-Ubuntu
80/tcp  open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_Hackers
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3    Dovecot pop3d
|_p...

Vulnhub - droopy-v02,143.

This machine is truly nice. Here I saw a Drupal panel for the first time: I'm a WordPress user, and I'd never seen one before. Let's go:

# Nmap 7.60 scan initiated Sat Feb 17 18:25:25 2018 as: nmap -sV -sC -p- -oN nmap.txt 10.0.2.6
Nmap scan report for 10.0.2.6
Host is up (0.00031s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: La fraude fiscale des grandes soci\xC3\xA9t\xC3\xA9s | l'imp\xC3\xB4t que les pa...
MAC Address: 08:00:27:F6:2F:97 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https:...