10.1 : Web app exploitation - Recon (Part I)

Cracking the XSS & MySQL File vulnerable lab

Before we start cracking real web apps, let's warm up on the PentesterLab "XSS and MySQL File" vulnerable lab.

Download xss_and_mysql_file.iso from the VulnHub entry below and boot it as a live CD in VirtualBox. The scans below assume the VM sits on a host-only network (192.168.56.0/24 is VirtualBox's default host-only subnet).
https://www.vulnhub.com/entry/pentester-lab-xss-and-mysql-file,66/

Recon

For host discovery we can use either the traditional nmap sweep (a default top-1000-port scan of the whole /24, which also reports each host's MAC address because we are on the same segment) or netdiscover, which finds hosts purely through ARP requests and replies.

root@kali:~# nmap 192.168.56.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-05 19:15 PST
Nmap scan report for 192.168.56.1
Host is up (0.00015s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 192.168.56.100
Host is up (0.000067s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:75:46:19 (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.104
Host is up (0.00012s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:B0:86:4D (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.101
Host is up (0.0000040s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind

Nmap done: 256 IP addresses (4 hosts up) scanned in 19.44 seconds


netdiscover
 Currently scanning: 192.168.216.0/16   |   Screen View: Unique Hosts

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:00      1      60  Unknown vendor
 192.168.56.100  08:00:27:75:46:19      1      60  PCS Systemtechnik GmbH
 192.168.56.104  08:00:27:b0:86:4d      1      60  PCS Systemtechnik GmbH

192.168.56.104 is our target: it is the only host exposing HTTP (80/tcp), and both tools identify its NIC as VirtualBox's (netdiscover shows the OUI registrant "PCS Systemtechnik GmbH", which is the same 08:00:27 prefix nmap labels "Oracle VirtualBox virtual NIC"). Of the others, 192.168.56.1 is the host machine's adapter, 192.168.56.100 with every port filtered is typically VirtualBox's DHCP server, and 192.168.56.101, reported with no MAC line and microsecond latency, is most likely the Kali box itself.

Let's dig deeper with a service and version scan: nmap -sSV --version-intensity 9 (SYN scan plus version detection at the highest probe intensity, which tries every probe nmap has for each open port).

root@kali:~# nmap -sSV --version-intensity 9 192.168.56.104 -p 1-10000
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-05 19:21 PST
Nmap scan report for 192.168.56.104
Host is up (0.00011s latency).
Not shown: 9998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.16 ((Debian))
MAC Address: 08:00:27:B0:86:4D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds

Our target exposes two services, and therefore two attack surfaces: SSH (OpenSSH 5.5p1 on Debian 6 "squeeze") and Apache httpd 2.2.16. Keep in mind that -p 1-10000 covers only TCP ports 1 to 10000; a full scan would use -p- for all 65535 TCP ports and a separate -sU run for UDP. The web app on port 80 is where the lab's XSS and MySQL file vulnerabilities live, and it is where we head next.
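As an added example (not the lab's or this write-up's own code), here is a small Python parser for the nmap output format shown in the two scans above. It groups MAC and port lines under their host, applies the selection rule used above (the host exposing HTTP) and reports the banners from the -sV run. The sample text embedded at the bottom is copied, abridged, from this page's scans so the script runs offline; on a real engagement you would feed it the stdout of the same commands, and beyond a lab you would parse nmap's XML output (-oX) instead, because the normal output is meant for humans and its layout is not guaranteed.

```python
"""Parse nmap's normal (stdout) output, pick the host worth attacking and
list its service banners.

Added example for this write-up, not code from the lab or the nmap project.
It assumes the normal output format printed above; the sample text at the
bottom is copied from this page's two scans so the script runs offline.
"""
import re
from dataclasses import dataclass, field

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17}) \((.*)\)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class Host:
    ip: str
    mac: str = ""
    vendor: str = ""
    # (port, proto) -> (state, service, version); version is "" without -sV
    ports: dict = field(default_factory=dict)


def parse_nmap(text):
    """Attach MAC and port lines to the 'Nmap scan report for' host above them."""
    hosts, cur = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            # nmap prints 'name (ip)' when reverse DNS works; keep the IP either way
            cur = Host(ip=m.group(2) or m.group(1))
            hosts.append(cur)
            continue
        if cur is None:
            continue  # 'Starting Nmap ...' banner before the first host
        m = MAC_RE.match(line)
        if m:
            cur.mac, cur.vendor = m.group(1).upper(), m.group(2)
            continue
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            cur.ports[(int(port), proto)] = (state, service, version or "")
    return hosts


def open_services(host):
    """{'22/tcp': 'ssh OpenSSH ...'} for each open port, banner included if -sV ran."""
    return {
        f"{port}/{proto}": f"{service} {version}".strip()
        for (port, proto), (state, service, version) in sorted(host.ports.items())
        if state == "open"
    }


def pick_web_targets(hosts):
    """IPs exposing an HTTP service: the criterion used above to settle on .104."""
    return [h.ip for h in hosts
            if any(st == "open" and svc.startswith("http")
                   for st, svc, _ in h.ports.values())]


# Sample input: copied (abridged) from the two scans shown above on this page.
SWEEP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-05 19:15 PST
Nmap scan report for 192.168.56.1
Host is up (0.00015s latency).
PORT   STATE SERVICE
22/tcp open  ssh
MAC Address: 0A:00:27:00:00:00 (Unknown)

Nmap scan report for 192.168.56.100
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:75:46:19 (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.104
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:B0:86:4D (Oracle VirtualBox virtual NIC)

Nmap scan report for 192.168.56.101
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind

Nmap done: 256 IP addresses (4 hosts up) scanned in 19.44 seconds
"""

VERSION_OUTPUT = """\
Nmap scan report for 192.168.56.104
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp open  http    Apache httpd 2.2.16 ((Debian))
MAC Address: 08:00:27:B0:86:4D (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""
```

To use it on a live scan, save nmap's stdout to a file and call `pick_web_targets(parse_nmap(open("sweep.txt").read()))`, then `open_services(...)` on the parsed -sSV output of the chosen host. The parser deliberately ignores lines it does not recognise ("Host is up", "Not shown", "Service Info"), so extra chatter from other nmap options does not break it.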