ezio@kali:~/htb/knife$ nmap -sC -sV 10.10.10.242 > scan.txt
The scan produced the following output:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 21:04 EDT
Nmap scan report for 10.10.10.242
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.45 seconds
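Two services is easy to read by eye, but a larger scope is not. The following parser for nmap's normal output format is an added example (not part of this walkthrough or of nmap): it pulls each open port, its version banner, NSE script results and SSH host keys into plain Python structures that can be diffed against a known-good inventory or fed into a ticket. The sample text it parses is the scan above, embedded inline so the script runs offline.

```python
import re

# The nmap output from the scan above, embedded so this runs without nmap.
SAMPLE_SCAN = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-30 21:04 EDT
Nmap scan report for 10.10.10.242
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 be:54:9c:a3:67:c3:15:c3:64:71:7f:6a:53:4a:4c:21 (RSA)
|   256 bf:8a:3f:d4:06:e9:2e:87:4e:c9:7e:ab:22:0e:c0:ee (ECDSA)
|_  256 1a:de:a1:cc:37:ce:53:bb:1b:fb:2b:0b:ad:b3:f6:84 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Emergent Medical Idea
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.45 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# port/proto  state  service  [version banner]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# ssh-hostkey entries: "|   3072 aa:bb:... (RSA)"
HOSTKEY_RE = re.compile(r"^\|_?\s+(\d+) ([0-9a-f:]+) \((\w+)\)$")
# generic NSE script line: "|_http-title: Emergent Medical Idea"
SCRIPT_RE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Parse nmap normal-format output into (host, [service dicts])."""
    host = None
    services = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},
                "hostkeys": [],  # (algorithm, bits, fingerprint)
            }
            services.append(current)
            continue
        # Script output lines start with "|" and belong to the last port seen.
        if current is None or not line.startswith("|"):
            continue
        m = HOSTKEY_RE.match(line)
        if m:
            current["hostkeys"].append((m.group(3), int(m.group(1)), m.group(2)))
            continue
        m = SCRIPT_RE.match(line)
        if m:
            current["scripts"][m.group(1)] = m.group(2).strip()
    return host, services


def open_ports(services):
    """Port numbers nmap reported as open, in scan order."""
    return [s["port"] for s in services if s["state"] == "open"]


if __name__ == "__main__":
    host, svcs = parse_nmap(SAMPLE_SCAN)
    print(f"{host}: open ports {open_ports(svcs)}")
    for s in svcs:
        print(f"  {s['port']}/{s['proto']} {s['service']:6} {s['version']}")
        for key, val in s["scripts"].items():
            if val:
                print(f"    {key}: {val}")
        for alg, bits, fp in s["hostkeys"]:
            print(f"    hostkey {alg}/{bits}: {fp}")
```

The SSH host-key fingerprints are worth keeping: a fingerprint that changes between scans of the same address is the kind of drift a defender wants a notification about, and the parsed banners give the version strings to compare against advisories.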
Next, enumerate the web site with nikto.
ezio@kali:~/htb/knife$ nikto -h http://10.10.10.242 -o enum.txt
The scan reported:
- Nikto v2.1.6/2.1.5
+ Target Host: 10.10.10.242
+ Target Port: 80
+ GET Retrieved x-powered-by header: PHP/8.1.0-dev
+ GET The anti-clickjacking X-Frame-Options header is not present.
+ GET The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ GET The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ XSEQWXJR Web Server returns a valid response with junk HTTP methods, this may cause false positives.
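Nikto's four findings are all response-header hygiene, which is cheap to check continuously rather than once per engagement. The following audit function is an added example (not part of this walkthrough or of nikto): it takes a header map and reports a leaked X-Powered-By, a versioned Server banner, a missing clickjacking control and a missing nosniff directive. Both header sets are constructed for the example: the weak one is modelled on what nikto reported above, the hardened one on what the same Apache/PHP server should send after fixing. X-XSS-Protection is deliberately not checked, since current browsers have removed the filter it controlled and Content-Security-Policy is the replacement.

```python
import re

# Constructed: a response that looks like what nikto saw on the target above.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/8.1.0-dev",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed: the same server after hardening (expose_php=Off, Header unset
# X-Powered-By, ServerTokens Prod, plus the three hardening headers).
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}


def audit_headers(headers):
    """Return a list of (severity, finding) tuples for one HTTP response."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    powered = h.get("x-powered-by")
    if powered is not None:
        findings.append(("info-disclosure", f"X-Powered-By reveals backend: {powered}"))
        # A "-dev" suffix means an unreleased build is serving production traffic.
        if "-dev" in powered.lower():
            findings.append(("high", f"X-Powered-By advertises a development build: {powered}"))

    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(("info-disclosure", f"Server header reveals version: {server}"))

    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("medium", "no clickjacking control: set X-Frame-Options or CSP frame-ancestors"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing; browsers may MIME-sniff responses"))

    if not csp:
        findings.append(("medium", "no Content-Security-Policy header"))

    return findings


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{name}: {len(audit_headers(hdrs))} finding(s)")
        for sev, msg in audit_headers(hdrs):
            print(f"  [{sev}] {msg}")
```

To produce the hardened set on a real Apache/PHP host, `expose_php = Off` in php.ini removes X-Powered-By, `ServerTokens Prod` trims the Server banner, and mod_headers (`Header always set X-Content-Type-Options "nosniff"` and the equivalent for the other two) adds the protective headers.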
The X-Powered-By header reveals PHP/8.1.0-dev, a development build of PHP, which is an impressive find. It may be a remote code execution bug, but at this point we have no idea. To get more information about bugs in this PHP 8.1 dev build, let's jump into Google.
After searching for this bug, we found a way to exploit it using a Python script