====== ANSSI ECSC ~~ Web challenges ~~ PHP Sandbox ======
[[anssi-ecsc|Back]]
===== Overview =====
It's up to you to find the right arguments to talk to it.
http://challenges.ecsc-teamfrance.fr:8000/
''Command arguments not found!''
===== 1 - cURL =====
''curl http://challenges.ecsc-teamfrance.fr:8000/ -v''
* Expire in 0 ms for 6 (transfer 0x7fffd075a090)
* Expire in 1 ms for 1 (transfer 0x7fffd075a090)
* Expire in 0 ms for 1 (transfer 0x7fffd075a090)
* Expire in 2 ms for 1 (transfer 0x7fffd075a090)
* Expire in 1 ms for 1 (transfer 0x7fffd075a090)
* Expire in 1 ms for 1 (transfer 0x7fffd075a090)
* Expire in 4 ms for 1 (transfer 0x7fffd075a090)
* Expire in 4 ms for 1 (transfer 0x7fffd075a090)
* Expire in 4 ms for 1 (transfer 0x7fffd075a090)
* Expire in 5 ms for 1 (transfer 0x7fffd075a090)
* Trying 51.91.7.35...
* TCP_NODELAY set
* Expire in 149990 ms for 3 (transfer 0x7fffd075a090)
* Expire in 200 ms for 4 (transfer 0x7fffd075a090)
* Connected to challenges.ecsc-teamfrance.fr (51.91.7.35) port 8000 (#0)
> GET / HTTP/1.1
> Host: challenges.ecsc-teamfrance.fr:8000
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 14 May 2019 11:42:19 GMT
< Server: Apache/2.4.25 (Debian)
< Content-Length: 35
< Content-Type: text/html; charset=UTF-8
<
* Connection #0 to host challenges.ecsc-teamfrance.fr left intact
Command arguments not found!
''curl -sD - -o /dev/null http://challenges.ecsc-teamfrance.fr:8000/''
HTTP/1.1 200 OK
Date: Tue, 14 May 2019 11:43:50 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 35
Content-Type: text/html; charset=UTF-8
Nothing much better when changing the HTTP version (1.0 and 2.0).
===== 2 - dirb (directory buster) =====
''dirb http://challenges.ecsc-teamfrance.fr:8000/''
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Tue May 14 14:08:11 2019
URL_BASE: http://challenges.ecsc-teamfrance.fr:8000/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://challenges.ecsc-teamfrance.fr:8000/ ----
+ http://challenges.ecsc-teamfrance.fr:8000/index.php (CODE:200|SIZE:35)
+ http://challenges.ecsc-teamfrance.fr:8000/server-status (CODE:403|SIZE:319)
-----------------
END_TIME: Tue May 14 14:13:27 2019
DOWNLOADED: 4612 - FOUND: 2
So we have 2 URLs identified:
* http://challenges.ecsc-teamfrance.fr:8000/index.php : home page
* http://challenges.ecsc-teamfrance.fr:8000/server-status : access denied (403)
===== 3 - nikto =====
''nikto -h http://challenges.ecsc-teamfrance.fr:8000/''
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 51.83.96.75
+ Target Hostname: challenges.ecsc-teamfrance.fr
+ Target Port: 8000
+ Message: Multiple IP addresses found: 51.83.96.75, 51.91.16.154, 51.91.7.35
+ Start Time: 2019-05-14 13:57:26 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.25 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.25 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7865 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2019-05-14 14:17:32 (GMT2) (1206 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
1 URL found: http://challenges.ecsc-teamfrance.fr:8000/icons/README
The list of accessible icons is in ''icons'', but they are the default GIFs.
Also an old Apache version, apparently, but since this is neither a pwn nor a misc challenge I don't think it's worth trying to exploit a CVE.
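The header gaps nikto reports (no X-Frame-Options, X-XSS-Protection or X-Content-Type-Options, and an Apache version string in ''Server'') can be checked offline from the raw response captured with ''curl -sD -'' above. The script below is an added example, not part of this write-up or the challenge; the response text is a constructed copy of the headers shown in section 1, and the remediation values it suggests are assumptions.

```python
"""Audit a raw HTTP response head for the hardening gaps nikto reported.
Added example, not part of the original write-up."""
import re

# Constructed copy of the response captured with `curl -sD -` in section 1.
CAPTURED_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 14 May 2019 11:43:50 GMT
Server: Apache/2.4.25 (Debian)
Content-Length: 35
Content-Type: text/html; charset=UTF-8
"""

# Headers nikto flagged as absent, with the value a defender would set (assumed values).
EXPECTED_HEADERS = {
    "x-frame-options": "SAMEORIGIN (or a CSP frame-ancestors directive)",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "0 (legacy header; rely on CSP instead)",
}

def parse_headers(raw: str) -> dict:
    """Return {lowercased name: value} from a raw HTTP response head."""
    lines = raw.strip().splitlines()
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw: str) -> list:
    """List findings: missing hardening headers and server version disclosure."""
    headers = parse_headers(raw)
    findings = []
    for name, fix in EXPECTED_HEADERS.items():
        if name not in headers:
            findings.append(f"missing {name}: set to {fix}")
    server = headers.get("server", "")
    # A version number in Server is what nikto used to call Apache outdated;
    # `ServerTokens Prod` reduces the banner to just "Apache".
    if re.search(r"/\d+\.\d+", server):
        findings.append(f"server version disclosed: {server!r}; set ServerTokens Prod")
    return findings

if __name__ == "__main__":
    for finding in audit(CAPTURED_RESPONSE):
        print("-", finding)
```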