+ 8595 requests: 0 error(s) and 13 item(s) reported on remote host + OSVDB-3233: /icons/README: Apache default file found. + OSVDB-3092: /cgi-bin/test/test.cgi: This might be interesting. + OSVDB-112004: /cgi-bin/test.sh: Site appears vulnerable to the 'shellshock' vulnerability (). + OSVDB-112004: /cgi-bin/test: Site appears vulnerable to the 'shellshock' vulnerability (). + Uncommon header '93e4r-6278' found, with contents: true + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS Apache 2.2.34 is the EOL for the 2.x branch.
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.37). The following alternatives for 'index' were found: index.html + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. + Uncommon header 'tcn' found, with contents: list This could allow the user agent to render the content of the site in a different fashion to the MIME type + The X-Content-Type-Options header is not set. This header can hint to the user agent to protect against some forms of XSS + The X-XSS-Protection header is not defined. + The anti-clickjacking X-Frame-Options header is not present. + Server may leak inodes via ETags, header found with file /, inode: 1706318, size: 177, mtime: Mon May 11 23:25:10 2020 Then I performed a nikto scan to search for some web based vulnerabilities and found that this web server is vulnerable to shellshock vulnerability. Next I ran a gobuster scan to look for hidden directories, but didn't find anything interesting there. We have a port 80 open which displays a default web server page that says “It Works!” Nmap done: 1 IP address (1 host up) scanned in 7.48 seconds Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel
#Netcat reverse shell shellshock curl mac#
MAC Address: 08:00:27:97:C2:5C (Oracle VirtualBox virtual NIC)
|_http-title: Site doesn't have a title (text/html). |_http-server-header: Apache/2.2.22 (Ubuntu) Nmap scan report for sumo.local (192.168.1.16)Ģ2/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux protocol 2.0) I started the reconnaissance by running a port scan with Nmap, checking default scripts and testing for vulnerabilities. I’ve added the IP to my hosts file, So Let’s Begin! cat /etc/hosts This includes exploiting a shellshock vulnerability to get a reverse shell and then exploiting the old version kernel used by the VM to get root.
0 kommentar(er)
