BountyHunter

$ nmap -p- -T4 -A 10.129.143.92
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 d4:4c:f5:79:9a:79:a3:b0:f1:66:25:52:c9:53:1f:e1 (RSA)
|   256 a2:1e:67:61:8d:2f:7a:37:a7:ba:3b:51:08:e8:89:a6 (ECDSA)
|_  256 a5:75:16:d9:69:58:50:4a:14:11:7a:42:c1:b6:23:44 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Bounty Hunters
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ nikto -h 10.129.143.92
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3093: /db.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ 7916 requests: 0 error(s) and 5 item(s) reported on remote host
$ dirb http://10.129.143.92
---- Scanning URL: http://10.129.143.92/ ----
==> DIRECTORY: http://10.129.143.92/assets/
==> DIRECTORY: http://10.129.143.92/css/
+ http://10.129.143.92/index.php (CODE:200|SIZE:25169)
==> DIRECTORY: http://10.129.143.92/js/
==> DIRECTORY: http://10.129.143.92/resources/
+ http://10.129.143.92/server-status (CODE:403|SIZE:278)

---- Entering directory: http://10.129.143.92/assets/ ----
==> DIRECTORY: http://10.129.143.92/assets/img/

---- Entering directory: http://10.129.143.92/css/ ----

---- Entering directory: http://10.129.143.92/js/ ----

---- Entering directory: http://10.129.143.92/resources/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.129.143.92/assets/img/ ----
+ http://10.129.143.92/assets/img/favicon.ico (CODE:200|SIZE:23462)
==> DIRECTORY: http://10.129.143.92/assets/img/portfolio/

---- Entering directory: http://10.129.143.92/assets/img/portfolio/ ----
$ gobuster dir -u http://10.129.143.92 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php,html
/index.php            (Status: 200) [Size: 25169]
/resources            (Status: 301) [Size: 318] [--> http://10.129.143.92/resources/]
/assets               (Status: 301) [Size: 315] [--> http://10.129.143.92/assets/]
/portal.php           (Status: 200) [Size: 125]
/css                  (Status: 301) [Size: 312] [--> http://10.129.143.92/css/]
/db.php               (Status: 200) [Size: 0]
/js                   (Status: 301) [Size: 311] [--> http://10.129.143.92/js/]

http://10.129.143.92/portal.php
http://10.129.143.92/log_submit.php
http://10.129.143.92/resources/
http://10.129.143.92/tracker_diRbPr00f314.php
http://10.129.143.92/resources/README.txt
Tasks:

[ ] Disable 'test' account on portal and switch to hashed password. Disable nopass.
[X] Write tracker submit script
[ ] Connect tracker submit script to the database
[X] Fix developer group permissions
http://10.129.143.92/resources/bountylog.js
// POSTs the base64-encoded report as the "data" parameter to the tracker endpoint
function returnSecret(data) {
	return Promise.resolve($.ajax({
		type: "POST",
		data: {"data": data},
		url: "tracker_diRbPr00f314.php"
	}));
}

async function bountySubmit() {
	try {
		// The XML document is assembled client-side from the four form fields,
		// so every element's content is user-controlled before it reaches the server
		var xml = `<?xml  version="1.0" encoding="ISO-8859-1"?>
		<bugreport>
		<title>${$('#exploitTitle').val()}</title>
		<cwe>${$('#cwe').val()}</cwe>
		<cvss>${$('#cvss').val()}</cvss>
		<reward>${$('#reward').val()}</reward>
		</bugreport>`
		// Base64-encode the XML, submit it, and render the server's reply into #return
		let data = await returnSecret(btoa(xml));
		$("#return").html(data)
	}
	catch(error) {
		console.log('Error:', error);
	}
}
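As an added defensive example, not code from the box or from this writeup, this is how the server side of the exchange above could validate the base64-encoded <bugreport> document that bountySubmit() sends: refuse any DTD before the XML is handed to a parser, then enforce the shape of the four fields. It is written in Python, assumes the same four field names, and the two sample submissions are constructed.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed samples (not captured from the target): bountySubmit() wraps the
# four form fields in a <bugreport> document and base64-encodes it.
BENIGN_B64 = base64.b64encode(
    b'<?xml version="1.0" encoding="ISO-8859-1"?>'
    b"<bugreport><title>Reflected XSS in search</title><cwe>CWE-79</cwe>"
    b"<cvss>6.1</cvss><reward>500</reward></bugreport>"
).decode()
# Same document with an internal DTD attached. A bug report never needs a
# DOCTYPE, so a hardened endpoint rejects any DTD instead of letting the
# parser see it (this is what blocks entity-based attacks on the XML parser).
DTD_B64 = base64.b64encode(
    b'<?xml version="1.0"?><!DOCTYPE bugreport [<!ENTITY x "y">]>'
    b"<bugreport><title>&x;</title><cwe>CWE-79</cwe>"
    b"<cvss>6.1</cvss><reward>500</reward></bugreport>"
).decode()

FIELDS = ("title", "cwe", "cvss", "reward")
DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)", re.IGNORECASE)


def parse_bug_report(data_b64: str) -> dict:
    """Decode the 'data' POST parameter and return the four report fields.

    Raises ValueError for anything that is not a plain <bugreport> document:
    bad base64, a DOCTYPE/ENTITY declaration, unexpected elements, or field
    values outside the expected shape.
    """
    # validate=True makes non-alphabet characters an error (binascii.Error is a ValueError)
    raw = base64.b64decode(data_b64, validate=True)
    if DTD_RE.search(raw):
        raise ValueError("DTD declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError("malformed XML") from exc
    # Exactly the four expected children, in the order the client emits them
    if root.tag != "bugreport" or [c.tag for c in root] != list(FIELDS):
        raise ValueError("unexpected document structure")
    report = {c.tag: (c.text or "").strip() for c in root}
    if not re.fullmatch(r"CWE-\d{1,4}", report["cwe"]):
        raise ValueError("cwe must look like CWE-NNN")
    if not 0.0 <= float(report["cvss"]) <= 10.0:  # float() raises ValueError on junk
        raise ValueError("cvss out of range")
    if not report["reward"].isdigit():
        raise ValueError("reward must be a non-negative integer")
    return report


def accepts(data_b64: str) -> bool:
    """True if the submission passes every check above."""
    try:
        parse_bug_report(data_b64)
        return True
    except ValueError:
        return False
```

The same DTD check belongs wherever the decoded submission is logged, since a DOCTYPE inside a base64 body is invisible to request filters that only inspect the raw parameter.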
XML external entity (XXE) injection
