Initial Nmap Scan →

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA) | 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA) |_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ )

So the open ports here are http and ssh .We will apporach this in a way that we first use http to get information and then use ssh if its possible for us to exploit stuff or escalate privelage on the machine.

First of all again there is information disclosure on this machine with the version of the apache server that was leaked.

After going through the source code there is an intresting comment there which leads us to a nibbleblog page

Nikto results →

• Server: Apache/2.4.18 (Ubuntu)
• The anti-clickjacking X-Frame-Options header is not present.
• The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
• The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
• No CGI Directories found (use '-C all' to force check all possible dirs)
• Server may leak inodes via ETags, header found with file /, inode: 5d, size: 5616c3cf7fa77, mtime: gzip
• Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
• Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
• OSVDB-3233: /icons/README: Apache default file found.