rustscan -a 10.129.95.192 -r 0-65535
nmap -Pn -sC -sV -p 22,80,43 10.129.95.192 --min-rate 1000 -oN service.scan
Content Discovery
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u http://10.129.95.192/FUZZ -mc 200 -t 10 -c
admin:admin
administrator:administrator
admin:administrator
admin:password
administrator:password
Login successful using default credentials admin:password.
XXE
The "order" page is interactive.
The website uses XML to send the order values to the server, so it could be vulnerable to XXE.
XXE, or XML External Entity attack, is a type of attack against an application that parses XML input and allows XML entities. XML entities can be used to tell the XML parser to fetch specific content on the server.
Vulnerable to XXE
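Mitigation side, as an added example that is not part of the original notes or the target application's code: a server-side order parser that refuses any DOCTYPE or entity declaration before the values are read. The element names (order, quantity, item, address) and both sample documents are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document carries a DTD, an entity, or is malformed."""


def parse_order(xml_bytes: bytes) -> dict:
    """Parse an order document, refusing any DOCTYPE or entity declaration."""
    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE not allowed (root={name!r})")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration not allowed ({name!r})")

    def forbid_external(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity reference not allowed ({sysid!r})")

    # Pass 1: expat scan whose handlers abort before anything is resolved.
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = forbid_doctype
    guard.EntityDeclHandler = forbid_entity
    guard.ExternalEntityRefHandler = forbid_external
    try:
        guard.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc

    # Pass 2: the document is DTD-free, so build the tree and read the fields.
    root = ET.fromstring(xml_bytes)
    return {child.tag: (child.text or "").strip() for child in root}


# Constructed sample inputs (hypothetical field names, placeholder path).
GOOD = (b"<?xml version='1.0'?><order><quantity>2</quantity>"
        b"<item>Home Appliances</item><address>1 Test St</address></order>")
BAD = (b"<?xml version='1.0'?><!DOCTYPE order [<!ENTITY ref SYSTEM "
       b"'file:///constructed/placeholder'>]>"
       b"<order><quantity>2</quantity><item>&ref;</item></order>")

if __name__ == "__main__":
    print(parse_order(GOOD))
    try:
        parse_order(BAD)
    except UnsafeXML as err:
        print("rejected:", err)
```

An order form has no legitimate need for a DTD, so rejecting the DOCTYPE outright is simpler and safer than trying to filter individual entities.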
Since an LFI exists, find the SSH keys for the user Daniel.
Save the key to a file id_rsa and give it permissions with chmod 600 id_rsa.
Login with SSH
ssh [email protected] -i id_rsa