Shifty Walkthrough
Platform: Offsec | PG Practice
Difficulty: Very Hard
OS: Linux
Author: Pawan Kumar (Vulntricks)
🛰️ 1. Reconnaissance
Quick Scan using RustScan
└─$ rustscan -a $IP
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 61
80/tcp open http syn-ack ttl 61
5000/tcp open upnp syn-ack ttl 61
11211/tcp open memcache syn-ack ttl 61
Then scan those ports with Nmap for version detection (-sV) and the default script set (-sC):
└─$ nmap -sV -sC -p22,80,5000,11211 -oN nmap_tcp 192.168.190.59
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey:
| 2048 54:d8:d1:1a:e4:8c:66:48:37:ba:89:0a:9b:aa:db:47 (RSA)
| 256 fb:75:84:86:ec:b5:00:f3:4f:cb:c8:f2:18:85:42:b7 (ECDSA)
|_ 256 2f:fd:b2:b1:6c:02:e8:a0:ba:e7:f7:52:80:3f:de:a3 (ED25519)
80/tcp open http nginx 1.10.3
|_http-title: Gatsby + Netlify CMS Starter
|_http-generator: Gatsby 2.22.15
|_http-server-header: nginx/1.10.3
5000/tcp open http Werkzeug httpd 1.0.1 (Python 3.5.3)
|_http-title: Hello, world!
11211/tcp open memcached Memcached 1.4.33 (uptime 726 seconds)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
🔎 Enumeration
Though I am most interested in the uncommon ports, I still follow the enumeration process in order:
Enumerating HTTP, port 80
So it is a Gatsby site using Netlify CMS (the http-title already shows the Gatsby + Netlify CMS Starter).
Some more information on versions:
Running directory enumeration against it:
└─$ gobuster dir --url $URL --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/contact (Status: 301) [Size: 185] [--> http://192.168.190.59/contact/]
/about (Status: 301) [Size: 185] [--> http://192.168.190.59/about/]
/blog (Status: 301) [Size: 185] [--> http://192.168.190.59/blog/]
/products (Status: 301) [Size: 185] [--> http://192.168.190.59/products/]
/img (Status: 301) [Size: 185] [--> http://192.168.190.59/img/]
/admin (Status: 301) [Size: 185] [--> http://192.168.190.59/admin/]
/static (Status: 301) [Size: 185] [--> http://192.168.190.59/static/]
/tags (Status: 301) [Size: 185] [--> http://192.168.190.59/tags/]
/404 (Status: 301) [Size: 185] [--> http://192.168.190.59/404/]
Enumerating Werkzeug, port 5000
Some basic background: Werkzeug is a Python library that provides utility functions for building WSGI (Web Server Gateway Interface) compliant web applications. It is a collection of tools that web developers can use to handle requests, responses, routing, and more, often used as a foundation for web frameworks like Flask.
A quick look shows that some versions are known to be vulnerable:
Let's enumerate further. There is a web application on this port that we can log in to using admin:admin.
And that's it, after that we can only log out...
Enumerating Memcached, port 11211
Memcached is an easy-to-use, high-performance, in-memory data store. It offers a mature, scalable, open-source solution for delivering sub-millisecond response times, making it useful as a cache or session store.
This is what I found
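As an added example (not part of the original walkthrough), the check below speaks the memcached text protocol that this enumeration step relies on: it sends the plain `stats` command, parses the `STAT name value` reply, and turns it into review findings (answers without authentication, version disclosed, cache not empty). The host, port 11211 and the `SAMPLE_STATS` reply are assumptions constructed for the example, not data captured from the target.

```python
import socket

# Constructed sample of a memcached text-protocol reply to "stats" so the
# parser runs offline; it is not output captured from the target.
SAMPLE_STATS = (
    b"STAT uptime 726\r\n"
    b"STAT version 1.4.33\r\n"
    b"STAT curr_items 2\r\n"
    b"END\r\n"
)

def parse_stats(raw: bytes) -> dict:
    """Turn 'STAT <name> <value>' lines into a dict; stops at the END marker."""
    stats = {}
    for line in raw.decode("ascii", errors="replace").split("\r\n"):
        if line == "END":
            break
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[0] == "STAT":
            stats[parts[1]] = parts[2]
    return stats

def triage(stats: dict) -> list:
    """What a reviewer would note from a reply to an unauthenticated 'stats'."""
    findings = []
    if stats:
        findings.append("stats answered without authentication")
    if "version" in stats:
        findings.append("version disclosed: " + stats["version"])
    if stats.get("curr_items", "0") != "0":
        findings.append("cache holds %s item(s)" % stats["curr_items"])
    return findings

def query_stats(host: str, port: int = 11211, timeout: float = 3.0) -> dict:
    """Send 'stats' over TCP and parse the reply; empty dict if unreachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"stats\r\n")
            buf = b""
            while not buf.endswith(b"END\r\n"):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except OSError:
        return {}
    return parse_stats(buf)
```

`triage(parse_stats(SAMPLE_STATS))` exercises the parser offline; `triage(query_stats(host))` runs the same check against a live instance, and an empty result means the port did not answer the text protocol.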