Flu
Nmap Scan
$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.235.41
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-19 22:00 EDT
Nmap scan report for 192.168.235.41
Host is up (0.0076s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 02:79:64:84:da:12:97:23:77:8a:3a:60:20:96:ee:cf (ECDSA)
|_ 256 dd:49:a3:89:d7:57:ca:92:f0:6c:fe:59:a6:24:cc:87 (ED25519)
8090/tcp open opsmessaging?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 302
| Cache-Control: no-store
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| X-Confluence-Request-Time: 1718848880786
| Set-Cookie: JSESSIONID=D2ED582C0A0DC9EEFE871C8DA251F532; Path=/; HttpOnly
| X-XSS-Protection: 1; mode=block
| X-Content-Type-Options: nosniff
| X-Frame-Options: SAMEORIGIN
| Content-Security-Policy: frame-ancestors 'self'
| Location: http://localhost:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
| Content-Type: text/html;charset=UTF-8
| Content-Length: 0
| Date: Thu, 20 Jun 2024 02:01:20 GMT
| Connection: close
| HTTPOptions:
| HTTP/1.1 200
| MS-Author-Via: DAV
| Content-Type: text/html;charset=UTF-8
| Content-Length: 0
| Date: Thu, 20 Jun 2024 02:01:20 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1924
| Date: Thu, 20 Jun 2024 02:01:20 GMT
| Connection: close
|_ <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 – Bad Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
8091/tcp open jamlink?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 204 No Content
| Server: Aleph/0.4.6
| Date: Thu, 20 Jun 2024 02:02:01 GMT
| Connection: Close
| GetRequest:
| HTTP/1.1 204 No Content
| Server: Aleph/0.4.6
| Date: Thu, 20 Jun 2024 02:01:28 GMT
| Connection: Close
| HTTPOptions:
| HTTP/1.1 200 OK
| Access-Control-Allow-Origin: *
| Access-Control-Max-Age: 31536000
| Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
| Server: Aleph/0.4.6
| Date: Thu, 20 Jun 2024 02:01:28 GMT
| Connection: Close
| content-length: 0
| Help, Kerberos, LDAPSearchReq, LPDString, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 414 Request-URI Too Long
| text is empty (possibly HTTP/0.9)
| RTSPRequest:
| HTTP/1.1 200 OK
| Access-Control-Allow-Origin: *
| Access-Control-Max-Age: 31536000
| Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
| Server: Aleph/0.4.6
| Date: Thu, 20 Jun 2024 02:01:28 GMT
| Connection: Keep-Alive
| content-length: 0
| SIPOptions:
| HTTP/1.1 200 OK
| Access-Control-Allow-Origin: *
| Access-Control-Max-Age: 31536000
| Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
| Server: Aleph/0.4.6
| Date: Thu, 20 Jun 2024 02:02:07 GMT
| Connection: Keep-Alive
|_ content-length: 0
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8090-TCP:V=7.94SVN%I=7%D=6/19%Time=66738D70%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,22F,"HTTP/1\.1\x20302\x20\r\nCache-Control:\x20no-store\r\n
SF:Expires:\x20Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nX-Confluenc
SF:e-Request-Time:\x201718848880786\r\nSet-Cookie:\x20JSESSIONID=D2ED582C0
SF:A0DC9EEFE871C8DA251F532;\x20Path=/;\x20HttpOnly\r\nX-XSS-Protection:\x2
SF:01;\x20mode=block\r\nX-Content-Type-Options:\x20nosniff\r\nX-Frame-Opti
SF:ons:\x20SAMEORIGIN\r\nContent-Security-Policy:\x20frame-ancestors\x20's
SF:elf'\r\nLocation:\x20http://localhost:8090/login\.action\?os_destinatio
SF:n=%2Findex\.action&permissionViolation=true\r\nContent-Type:\x20text/ht
SF:ml;charset=UTF-8\r\nContent-Length:\x200\r\nDate:\x20Thu,\x2020\x20Jun\
SF:x202024\x2002:01:20\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(HTTPOpti
SF:ons,97,"HTTP/1\.1\x20200\x20\r\nMS-Author-Via:\x20DAV\r\nContent-Type:\
SF:x20text/html;charset=UTF-8\r\nContent-Length:\x200\r\nDate:\x20Thu,\x20
SF:20\x20Jun\x202024\x2002:01:20\x20GMT\r\nConnection:\x20close\r\n\r\n")%
SF:r(RTSPRequest,820,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;c
SF:harset=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x201924\r\nD
SF:ate:\x20Thu,\x2020\x20Jun\x202024\x2002:01:20\x20GMT\r\nConnection:\x20
SF:close\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x
SF:20Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type
SF:=\"text/css\">body\x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20
SF:h2,\x20h3,\x20b\x20{color:white;background-color:#525D76;}\x20h1\x20{fo
SF:nt-size:22px;}\x20h2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x2
SF:0p\x20{font-size:12px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px
SF:;background-color:#525D76;border:none;}</style></head><body><h1>HTTP\x2
SF:0Status\x20400\x20\xe2\x80\x93\x20Bad\x20Request</h1><hr\x20class=\"lin
SF:e\"\x20/><p><b>Type</b>\x20Exception\x20Report</p><p><b>Message</b>\x20
SF:Invalid\x20character\x20found\x20in\x20the\x20HTTP\x20protocol\x20\[RTS
SF:P/1\.00x0d0x0a0x0d0x0a\.\.\.\]</p><p><b>Description</b>\x20The\x20s
SF:erver\x20cannot\x20or\x20will\x20not\x20process\x20the\x20request\x20du
SF:e\x20to\x20something\x20that\x20is\x20perceived\x20to\x20be\x20a\x20cli
SF:ent\x20error\x20\(e\.g\.,\x20malformed\x20request\x20syntax,\x20invalid
SF:\x20");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8091-TCP:V=7.94SVN%I=7%D=6/19%Time=66738D77%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,68,"HTTP/1\.1\x20204\x20No\x20Content\r\nServer:\x20Aleph/0
SF:\.4\.6\r\nDate:\x20Thu,\x2020\x20Jun\x202024\x2002:01:28\x20GMT\r\nConn
SF:ection:\x20Close\r\n\r\n")%r(HTTPOptions,EC,"HTTP/1\.1\x20200\x20OK\r\n
SF:Access-Control-Allow-Origin:\x20\*\r\nAccess-Control-Max-Age:\x20315360
SF:00\r\nAccess-Control-Allow-Methods:\x20OPTIONS,\x20GET,\x20PUT,\x20POST
SF:\r\nServer:\x20Aleph/0\.4\.6\r\nDate:\x20Thu,\x2020\x20Jun\x202024\x200
SF:2:01:28\x20GMT\r\nConnection:\x20Close\r\ncontent-length:\x200\r\n\r\n"
SF:)%r(RTSPRequest,F1,"HTTP/1\.1\x20200\x20OK\r\nAccess-Control-Allow-Orig
SF:in:\x20\*\r\nAccess-Control-Max-Age:\x2031536000\r\nAccess-Control-Allo
SF:w-Methods:\x20OPTIONS,\x20GET,\x20PUT,\x20POST\r\nServer:\x20Aleph/0\.4
SF:\.6\r\nDate:\x20Thu,\x2020\x20Jun\x202024\x2002:01:28\x20GMT\r\nConnect
SF:ion:\x20Keep-Alive\r\ncontent-length:\x200\r\n\r\n")%r(Help,46,"HTTP/1\
SF:.1\x20414\x20Request-URI\x20Too\x20Long\r\n\r\ntext\x20is\x20empty\x20\
SF:(possibly\x20HTTP/0\.9\)")%r(SSLSessionReq,46,"HTTP/1\.1\x20414\x20Requ
SF:est-URI\x20Too\x20Long\r\n\r\ntext\x20is\x20empty\x20\(possibly\x20HTTP
SF:/0\.9\)")%r(TerminalServerCookie,46,"HTTP/1\.1\x20414\x20Request-URI\x2
SF:0Too\x20Long\r\n\r\ntext\x20is\x20empty\x20\(possibly\x20HTTP/0\.9\)")%
SF:r(TLSSessionReq,46,"HTTP/1\.1\x20414\x20Request-URI\x20Too\x20Long\r\n\
SF:r\ntext\x20is\x20empty\x20\(possibly\x20HTTP/0\.9\)")%r(Kerberos,46,"HT
SF:TP/1\.1\x20414\x20Request-URI\x20Too\x20Long\r\n\r\ntext\x20is\x20empty
SF:\x20\(possibly\x20HTTP/0\.9\)")%r(FourOhFourRequest,68,"HTTP/1\.1\x2020
SF:4\x20No\x20Content\r\nServer:\x20Aleph/0\.4\.6\r\nDate:\x20Thu,\x2020\x
SF:20Jun\x202024\x2002:02:01\x20GMT\r\nConnection:\x20Close\r\n\r\n")%r(LP
SF:DString,46,"HTTP/1\.1\x20414\x20Request-URI\x20Too\x20Long\r\n\r\ntext\
SF:x20is\x20empty\x20\(possibly\x20HTTP/0\.9\)")%r(LDAPSearchReq,46,"HTTP/
SF:1\.1\x20414\x20Request-URI\x20Too\x20Long\r\n\r\ntext\x20is\x20empty\x2
SF:0\(possibly\x20HTTP/0\.9\)")%r(SIPOptions,F1,"HTTP/1\.1\x20200\x20OK\r\
SF:nAccess-Control-Allow-Origin:\x20\*\r\nAccess-Control-Max-Age:\x2031536
SF:000\r\nAccess-Control-Allow-Methods:\x20OPTIONS,\x20GET,\x20PUT,\x20POS
SF:T\r\nServer:\x20Aleph/0\.4\.6\r\nDate:\x20Thu,\x2020\x20Jun\x202024\x20
SF:02:02:07\x20GMT\r\nConnection:\x20Keep-Alive\r\ncontent-length:\x200\r\
SF:n\r\n");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 121.61 seconds
Initial Access
Confluence CMS
There is a Confluence CMS running on port 8090.

After some searching online, it appears there are no default credentials.
But the version of Confluence looks like it is vulnerable.
CVE-2022-26134
This version is vulnerable to remote code execution (RCE).
First, we check whether the exploit works.
Since it does not, we try another exploit to see if that one works.
It turns out this one works, and we are able to gain a shell as the confluence user.
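The writeup decides the Confluence build is vulnerable from its version number, but the screenshot that showed it is not on this page. The following script is an added example, not part of the original writeup or of any Confluence tooling: it fingerprints a service as Confluence from the X-Confluence-Request-Time header the nmap 302 response above recorded, reads the build number from the ajs-version-number meta tag that Confluence pages embed (an assumption about the product's markup; the function returns None if the tag is absent), and decides whether the build sits at or above the vendor fix on its minor branch. The fixed-version list and the 7.13.6 sample version are constructed placeholders; load the real list from Atlassian's advisory for CVE-2022-26134 before using this for patch tracking.

```python
import re

# Header name seen in the 302 response on port 8090 in the nmap output above.
CONFLUENCE_HEADER = "x-confluence-request-time"


def looks_like_confluence(raw_response):
    """True if a raw HTTP response (status line + headers) carries the Confluence header."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name = line.split(":", 1)[0].strip().lower()
        if name == CONFLUENCE_HEADER:
            return True
    return False


# Confluence HTML embeds its build number in this meta tag (assumption about the
# product's page markup; extract_version returns None when it is missing).
VERSION_META = re.compile(r'<meta\s+name="ajs-version-number"\s+content="([^"]+)"', re.I)


def extract_version(html):
    m = VERSION_META.search(html)
    return m.group(1) if m else None


def parse_version(text):
    return tuple(int(p) for p in text.split("."))


def is_patched(version, fixed_versions):
    """A build is patched if it is at or above the fix on its own minor branch, or on a
    minor branch newer than every branch the vendor shipped a fix for. A build on an
    older branch with no fix listed needs an upgrade, so it is reported as unpatched."""
    ver = parse_version(version)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    on_branch = [f for f in fixed if f[:2] == ver[:2]]
    if on_branch:
        return ver >= on_branch[0]              # lowest fix on this branch
    return ver[:2] > fixed[-1][:2]


# PLACEHOLDER list for the demo, not the advisory's numbers: substitute the fixed
# versions published in the vendor advisory for CVE-2022-26134.
EXAMPLE_FIXED_VERSIONS = ["7.13.7", "7.18.1"]

SAMPLE_302 = (  # constructed from the response headers the scan above recorded
    "HTTP/1.1 302 \r\n"
    "Cache-Control: no-store\r\n"
    "X-Confluence-Request-Time: 1718848880786\r\n"
    "Location: http://localhost:8090/login.action?os_destination=%2Findex.action&permissionViolation=true\r\n"
    "\r\n"
)

SAMPLE_LOGIN_HTML = (  # constructed login-page fragment; the version number is made up
    '<html><head><meta name="ajs-version-number" content="7.13.6">'
    '<title>Log In - Confluence</title></head><body></body></html>'
)


def assess(raw_response, html, fixed_versions):
    """Combine the three checks into one verdict for an inventory or patch report."""
    version = extract_version(html)
    return {
        "confluence": looks_like_confluence(raw_response),
        "version": version,
        "patched": is_patched(version, fixed_versions) if version else None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_302, SAMPLE_LOGIN_HTML, EXAMPLE_FIXED_VERSIONS))
```

The branch logic matters more than the regex: Atlassian ships fixes per minor branch, so a build can be newer than one fixed version and still unpatched on its own branch, and a build on a branch with no fix listed must be upgraded rather than assumed safe.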

Privilege Escalation
Upgrading Shell
Follow the steps in Upgrading Shells.
Linpeas
During the linpeas scan, we can see that there is an internal port 8000 listening.

However, both ports are running the same application, so this does not tell us much.
pspy64
When we run pspy64, we see something interesting.

If we look at the permissions of the file, we can see that our user is able to write to it.
Using a running task to gain root
We will just write our reverse shell inside it.

After a while, we get our reverse shell as root.
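The root cause of this escalation is a scheduled task run by root that executes a file a low-privilege user can modify. The script below is an added example, not part of the writeup and not taken from linpeas or pspy: it is the audit an administrator would run over /etc/crontab and /etc/cron.d entries to catch that misconfiguration before a scan does. It parses crontab lines (schedule, optional user field, command), pulls every absolute path out of the command, and reports regular files that are world-writable, group-writable by a non-root group, owned by a non-root user while root runs them, or sitting in a world-writable directory without the sticky bit. The demo() function builds the whole scenario in a temporary directory with a constructed crontab, so it runs offline; the paths and file names in it are made up.

```python
import os
import shlex
import stat
import tempfile


def parse_crontab(text, system_crontab=True):
    """Return (user, command) pairs from crontab text.

    System crontabs (/etc/crontab, /etc/cron.d/*) carry a user field between the
    schedule and the command; per-user crontabs (crontab -l) do not.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                                  # PATH=... style assignment
            continue
        n_sched = 1 if first.startswith("@") else 5       # @daily etc. vs. five fields
        n_fields = n_sched + (1 if system_crontab else 0)
        parts = line.split(None, n_fields)
        if len(parts) <= n_fields:                        # no command present
            continue
        user = parts[n_sched] if system_crontab else None
        entries.append((user, parts[n_fields]))
    return entries


def absolute_paths(command):
    """Candidate files a command touches: every absolute-path token in it."""
    try:
        tokens = shlex.split(command)
    except ValueError:                                    # unbalanced quotes
        tokens = command.split()
    return [t for t in tokens if t.startswith("/")]


def permission_issues(path, job_user):
    """Describe the ways a user other than the job owner could alter or swap the file."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return []
    issues = []
    if st.st_mode & stat.S_IWOTH:
        issues.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        issues.append("group-writable by gid %d" % st.st_gid)
    if job_user == "root" and st.st_uid != 0:
        issues.append("owned by uid %d, not root" % st.st_uid)
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        issues.append("parent directory world-writable without sticky bit")
    return issues


def audit_crontab(text, system_crontab=True):
    """Flag every existing regular file referenced by a job that someone else can modify."""
    findings = []
    for user, command in parse_crontab(text, system_crontab):
        for path in absolute_paths(command):
            if not os.path.isfile(path):                  # skips /dev/null, directories
                continue
            issues = permission_issues(path, user)
            if issues:
                findings.append({"user": user, "command": command, "path": path,
                                 "name": os.path.basename(path), "issues": issues})
    return findings


def demo():
    """Constructed scenario: a root cron job whose script is world-writable (backup.sh)
    next to one with sane permissions (rotate.sh), in a private temp directory."""
    workdir = tempfile.mkdtemp()
    loose = os.path.join(workdir, "backup.sh")
    tight = os.path.join(workdir, "rotate.sh")
    for p in (loose, tight):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho placeholder\n")
    os.chmod(loose, 0o777)                                # the misconfiguration
    os.chmod(tight, 0o755)
    crontab = (
        "SHELL=/bin/sh\n"
        "# constructed sample /etc/crontab\n"
        "* * * * * root %s > /dev/null 2>&1\n"
        "@daily    root %s\n"
    ) % (loose, tight)
    return audit_crontab(crontab, system_crontab=True)


if __name__ == "__main__":
    for finding in demo():
        print(finding["user"], finding["path"], ", ".join(finding["issues"]))
```

Run it on a real host by feeding the contents of /etc/crontab and each file under /etc/cron.d to audit_crontab; fixing a finding means tightening the file to root-owned 0755 (or 0644 for data it reads) and checking the directory it lives in, since a writable parent lets the file be replaced even when the file itself is locked down.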
