Use netdiscover to detect the target IP address:
netdiscover -i eth0 -r 192.168.79.0/24
192.168.79.188 is the target.
Then run nmap to detect open ports and running services on the target machine:
nmap -sV -v -O -A -T5 192.168.79.184 -p-
Only port 80 is open.
Use wfuzz to scan:
wfuzz -c -z file,/usr/share/wordlists/dirbuster/directory-list-2.3-small.txt --hc 404 http://192.168.79.188/FUZZ 2>/dev/null
Use nikto to scan:
nikto -h 192.168.79.188
Looks like there is a PHP include vulnerability.
Let's confirm it:
(The reason for adding %00 after /etc/passwd is that the PHP code adds a .php suffix, so we have to add a null byte to get rid of it.)
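For the defensive side of the include bug described above, here is an added example (not code from the original write-up or from the target VM) showing the include pattern the text describes next to a hardened version. The page names and directory layout are assumptions.

```php
<?php
// Added example, not from the original write-up. Page names and paths are assumed.

// Vulnerable pattern: the request parameter is concatenated into the path and a
// ".php" suffix is appended. In PHP before 5.3.4 a null byte in the parameter
// truncated the path, so the suffix was dropped (the %00 trick the write-up uses);
// on any version, "../" sequences still let the caller leave the intended directory.
function vulnerable_include(string $page): void
{
    include $page . '.php';
}

// Hardened version: the user-supplied name is only ever used as a lookup key into
// a fixed allowlist, so no part of the request reaches the filesystem path.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function safe_include(string $page): void
{
    if (!array_key_exists($page, PAGE_MAP)) {
        http_response_code(404);
        exit('Unknown page');
    }
    include PAGE_MAP[$page];
}

// Defense in depth, independent of the allowlist: keep allow_url_include=0 in
// php.ini so include() can never fetch a remote URL, and set open_basedir so the
// interpreter refuses to open files outside the application directory.

safe_include($_GET['page'] ?? 'home');
```

The allowlist also closes the remote file inclusion attempt mentioned further down, because the value of the parameter is never treated as a path or URL at all.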
I tried to exploit remote file inclusion:
Examining the webpage, I find that I can upload a PDF file to the server. I tried just renaming webshell.txt to webshell.pdf, and the server doesn't accept it. I guess the server validates the PDF file format. So I create a crafted PDF file:
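The upload check the write-up runs into only looks at the file format, which is why a renamed text file is rejected but a file with a valid PDF header is not. As an added example (not the target application's code), here is a server-side upload handler that combines the format check with the controls that actually stop an uploaded file from being executed: storing it outside the web root under a server-generated name and refusing bodies that carry PHP open tags. The form field name, storage directory and size limit are assumptions.

```php
<?php
// Added example, not from the original write-up. Field name, directory and limit are assumed.

const UPLOAD_DIR = '/var/app/uploads';      // outside the web root: never served or executed directly
const MAX_BYTES  = 10 * 1024 * 1024;

function validate_pdf_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Declared extension is checked but never trusted on its own.
    if (strtolower(pathinfo($file['name'], PATHINFO_EXTENSION)) !== 'pdf') {
        throw new RuntimeException('only .pdf accepted');
    }
    // Magic bytes: a PDF starts with "%PDF-". A plain renamed text file fails here,
    // which is the check the write-up observed.
    $head = file_get_contents($file['tmp_name'], false, null, 0, 5);
    if ($head !== '%PDF-') {
        throw new RuntimeException('not a PDF');
    }
    // fileinfo as a second opinion on the content type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== 'application/pdf') {
        throw new RuntimeException('unexpected MIME type ' . $mime);
    }
    // A correct header proves little: the body can still contain PHP tags. Reject
    // PHP open tags outright; "<?php" and "<?=" are matched rather than a bare "<?"
    // because legitimate PDFs often carry "<?xpacket" XMP metadata.
    $body = file_get_contents($file['tmp_name']);
    if (preg_match('/<\?(php\b|=)/i', $body)) {
        throw new RuntimeException('embedded script tag rejected');
    }
    // Server-generated name: the client-supplied name never becomes part of a path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

// Usage: $stored = validate_pdf_upload($_FILES['document']);
```

The tag scan is a secondary control. The primary ones are the storage location, which keeps the file out of any path the web server or an include() would reach, and the allowlisted include described earlier; together they mean a file that passes the format check still has nothing to execute it.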
Upload it. Works.
Now try to visit it after logging in.
Try to verify the webshell:
Set up a netcat listener on my Kali box and run the command on the server:
And get the shell: