Unattended was a medium difficulty Linux box. Good learning path for:
- Nginx off-by-slash attack
- SQLi (boolean-based blind)
- SQLi → LFI (abusing an existing <?php include(); ?>)
- LFI → PHP session poisoning → RCE
- Socket TTY shell
- Linux initrd exploit
Initial Recon
Nmap
# nmap -Pn --open -T4 -sV -sC -p- 10.10.10.126
Starting Nmap 7.80 ( https://nmap.org ) at 2021-04-12 12:33 EDT
Nmap scan report for 10.10.10.126
Host is up (0.078s latency).
Not shown: 65533 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Site doesn't have a title (text/html).
443/tcp open ssl/http nginx 1.10.3
|_http-server-header: nginx/1.10.3
|_http-title: Site doesn't have a title (text/html).
| ssl-cert: Subject: commonName=www.nestedflanders.htb/organizationName=Unattended ltd/stateOrProvinceName=IT/countryName=IT
| Not valid before: 2018-12-19T09:43:58
|_Not valid after: 2021-09-13T09:43:58
- HTTPS (443/TCP) — The commonName of the SSL certificate reveals a hostname, www.nestedflanders.htb. I added it to my /etc/hosts and browsing to it rendered a default Apache2 page.
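The hostname above was read off the nmap output and added to /etc/hosts by hand. As an added example (not from the original writeup), the shell snippet below automates that step: it parses nmap's ssl-cert script output, pulls out the subject commonName plus any subjectAltName DNS entries (the issuer CN is deliberately skipped, since it is not a host), and emits the hosts line. The sample input is the ssl-cert output from the scan on this page with a hypothetical subjectAltName line added to show the SAN case; the real certificate did not print one.

```shell
#!/bin/sh
# Added example, not part of the original writeup: build the /etc/hosts
# entry from nmap's ssl-cert output instead of copying the CN by hand.

# Constructed sample: the ssl-cert lines from the scan on this page, plus a
# hypothetical "Subject Alternative Name" line (the real cert had none).
NMAP_OUT='443/tcp open ssl/http nginx 1.10.3
|_http-server-header: nginx/1.10.3
| ssl-cert: Subject: commonName=www.nestedflanders.htb/organizationName=Unattended ltd/stateOrProvinceName=IT/countryName=IT
| Subject Alternative Name: DNS:www.nestedflanders.htb, DNS:nestedflanders.htb
| Issuer: commonName=www.nestedflanders.htb/organizationName=Unattended ltd/stateOrProvinceName=IT/countryName=IT
| Not valid before: 2018-12-19T09:43:58
|_Not valid after: 2021-09-13T09:43:58'

# cert_hostnames NMAP_TEXT: print every hostname the certificate names,
# one per line, deduplicated. Only the Subject CN counts, not the Issuer CN.
cert_hostnames() {
  {
    # "Subject: commonName=<host>/..." -> <host>
    printf '%s\n' "$1" \
      | sed -n '/Subject: commonName=/s/.*commonName=\([^/]*\).*/\1/p'
    # "Subject Alternative Name: DNS:a, DNS:b" -> a, b (one per line)
    printf '%s\n' "$1" \
      | grep 'Subject Alternative Name' \
      | tr ',' '\n' \
      | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
  } | sort -u
}

# hosts_line IP NMAP_TEXT: emit one "IP host1 host2 ..." line for /etc/hosts.
hosts_line() {
  names=$(cert_hostnames "$2" | tr '\n' ' ')
  printf '%s %s\n' "$1" "${names% }"
}

# Typical use (root needed to write /etc/hosts):
#   hosts_line 10.10.10.126 "$NMAP_OUT" | sudo tee -a /etc/hosts
hosts_line 10.10.10.126 "$NMAP_OUT"
```

Before trusting the hostnames, it is worth confirming them straight from the live service rather than from a cached scan, e.g. `openssl s_client -connect 10.10.10.126:443 </dev/null 2>/dev/null | openssl x509 -noout -subject -text`, and checking that the name is not already present in /etc/hosts before appending.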
Web Directory Enumeration (Gobuster)
As usual, I ran a quick gobuster to see if I could discover more interesting files/folders on the web server.
# gobuster dir -u https://www.nestedflanders.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
(-k: skip TLS certificate verification)
/index.php