After scanning the target with nmap, we found that two ports were open: 22 and 80. Of those two, the web server feels like the more tempting target. First things first: what kind of web server are we even dealing with? I’m tempted to assume it’s Apache or nginx just due to their market share, but let’s see what we can confirm.
root@kali:~# telnet 192.168.42.132 80
Trying 192.168.42.132...
Connected to 192.168.42.132.
Escape character is '^]'.
BLEAH / HTTP/1.1
HTTP/1.0 501 Not Implemented
Content-Type: text/html
Content-Length: 357
Connection: close
Date: Wed, 13 Sep 2017 02:15:08 GMT
Server: lighttpd/1.4.28
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>501 - Not Implemented</title>
</head>
<body>
<h1>501 - Not Implemented</h1>
</body>
</html>
Connection closed by foreign host.
So, my initial guess was wrong. I’ve heard of lighttpd before, but I’m not very familiar with it. The reply helpfully gave us the exact version number, although searching through exploit-db doesn’t seem to offer many immediate hits for security vulnerabilities. Now that we’ve satisfied our curiosity as to what we’re dealing with, let’s actually check what it’s serving.
Something, something, dank memes.
We check the source just to be sure, but there doesn’t seem to be much here. I’m actually surprised it renders…
<html>
<img src="blow.jpg">
</html>
Kali Linux includes numerous tools that can be used to discover web content, so let’s fire some up and see if we can find anything.
First we try nikto:
nikto -host 192.168.42.132
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.42.132
+ Target Hostname: 192.168.42.132
+ Target Port: 80
+ Start Time: 2017-09-12 22:34:01 (GMT-4)
---------------------------------------------------------------------------
+ Server: lighttpd/1.4.28
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ 26188 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2017-09-12 22:34:44 (GMT-4) (43 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Hmmmm, not much there. We get the PHP version; I guess that’s something.
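Both the telnet session and the nikto run above boil down to the same check: read the response headers, note which ones leak a product version, and note which hardening headers are absent. The script below is an added example for this write-up (not code from the original post, nikto, or lighttpd) that performs that audit on a raw HTTP response. The sample response is constructed from the headers observed above (Server from the telnet reply, X-Powered-By from the nikto output); the header lists and the "hardened" variant are this example's assumptions.

```python
"""Audit a raw HTTP response for version disclosure and missing
hardening headers.  Added example for this write-up; not part of the
original post, of nikto, or of lighttpd.  The sample responses are
constructed; the header lists are assumptions of this example."""
import re

# Headers nikto reported as absent on this host (assumed list).
EXPECTED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options", "X-XSS-Protection")
# Headers that commonly carry a product/version string.
DISCLOSING_HEADERS = ("Server", "X-Powered-By")
# A dotted version number such as 1.4.28 or 5.3.10.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)?")


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_code, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def audit_headers(headers):
    """Return a list of findings: version disclosures and missing headers."""
    findings = []
    for name in DISCLOSING_HEADERS:
        value = headers.get(name.lower())
        if value and VERSION_RE.search(value):
            findings.append(f"version disclosed in {name}: {value}")
    for name in EXPECTED_HEADERS:
        if name.lower() not in headers:
            findings.append(f"missing header: {name}")
    return findings


def audit_raw(raw: bytes):
    """Convenience wrapper: parse and audit, returning (status, findings)."""
    status, headers, _ = parse_response(raw)
    return status, audit_headers(headers)


# Constructed sample: a reply for index.php combining the Server header
# from the telnet session with the X-Powered-By value nikto retrieved.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 163\r\n"
    b"Server: lighttpd/1.4.28\r\n"
    b"X-Powered-By: PHP/5.3.10-1ubuntu3.21\r\n"
    b"\r\n"
    b'<html>\n<img src="blow.jpg">\n</html>\n'
)

# Constructed hardened variant: generic Server tag, no X-Powered-By,
# hardening headers present.
HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 163\r\n"
    b"Server: lighttpd\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"\r\n"
    b'<html>\n<img src="blow.jpg">\n</html>\n'
)

if __name__ == "__main__":
    for label, raw in (("observed", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        status, findings = audit_raw(raw)
        print(f"{label}: HTTP {status}, {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

On the observed response the audit reports five findings (two version disclosures, three missing headers); the hardened variant reports none. On a lighttpd host the Server string is controlled by the `server.tag` directive and the PHP banner by `expose_php = Off` in php.ini.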
How about Dirb:
dirb http://192.168.42.132/ /usr/share/wordlists/dirb/common.txt
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue Sep 12 22:37:16 2017
URL_BASE: http://192.168.42.132/
WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.42.132/ ----
+ http://192.168.42.132/index.php (CODE:200|SIZE:163)
==> DIRECTORY: http://192.168.42.132/test/
---- Entering directory: http://192.168.42.132/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Tue Sep 12 22:37:18 2017
DOWNLOADED: 4612 - FOUND: 1
We found a test directory, but when we check the directory listing, we get nothing. Bummer.
I also tried some of the other dirb wordlists, but omitted the results since nothing interesting turned up. So far, not much is really jumping out at me. It feels like the test directory must be important somehow, but I’m not sure what I can do with it.
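From the server's side, the dirb run above is very visible: 4612 requests in two seconds, almost all of them answered with 404. The script below is an added example for this write-up (not code from the original post or from dirb) showing the detection logic a defender would run over the access log: count 404 responses per client IP inside a sliding time window and flag any client that exceeds a threshold. The log lines, the client addresses, the window and the threshold are all constructed assumptions; the line format is the common "combined" layout, so adjust the regex if your lighttpd `accesslog.format` differs.

```python
"""Flag directory brute-forcing (dirb-style) in web access logs by
counting 404 responses per client IP within a sliding window.  Added
example for this write-up; not part of the original post or of dirb.
Log lines, addresses, window and threshold are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-format access log line (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, window=timedelta(seconds=10), threshold=20):
    """Return {ip: peak_404s_in_window} for clients that sent at least
    `threshold` requests answered with 404 inside any `window`."""
    recent = defaultdict(deque)  # ip -> timestamps of recent 404s
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop 404s that fell out of the sliding window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["ip"]] = max(alerts.get(rec["ip"], 0), len(q))
    return alerts


def _log_line(ip, ts, path, status, size, ua):
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
            f'{status} {size} "-" "{ua}"')


# Constructed sample log: one scanner hammering wordlist paths, plus a
# normal visitor.  Addresses and timestamps are invented for the example.
_BASE = datetime(2017, 9, 12, 22, 37, 16, tzinfo=timezone(timedelta(hours=-4)))
SAMPLE_LOG = [
    _log_line("192.168.42.1", _BASE + timedelta(milliseconds=100 * i),
              f"/wordlist-entry-{i}", 404, 357, "Mozilla/4.0 (compatible; dirb)")
    for i in range(30)
] + [
    _log_line("192.168.42.50", _BASE + timedelta(seconds=1), "/index.php", 200, 163, "Mozilla/5.0"),
    _log_line("192.168.42.50", _BASE + timedelta(seconds=5), "/blow.jpg", 200, 20480, "Mozilla/5.0"),
    _log_line("192.168.42.50", _BASE + timedelta(seconds=30), "/favicon.ico", 404, 357, "Mozilla/5.0"),
]

if __name__ == "__main__":
    for ip, peak in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} x 404 within the window")
```

The scanner is flagged with a peak of 30 consecutive 404s; the normal visitor, whose single 404 never crosses the threshold, is not. In a real deployment the window and threshold would be tuned to the site's baseline, and the same counting can be applied to 403s to catch listing attempts against directories such as /test/.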