Beyond

This is the beyond page that an additional post enumeration and assessment are conducted as the root user after compromising the target system.

Apache

root@blaze:~# cat /etc/apache2/apache2.conf | grep -v '^[#/]'
 
DefaultRuntimeDir ${APACHE_RUN_DIR}
 
PidFile ${APACHE_PID_FILE}
 
Timeout 300
 
KeepAlive On
 
MaxKeepAliveRequests 100
 
KeepAliveTimeout 5
 
 
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
 
HostnameLookups Off
 
ErrorLog ${APACHE_LOG_DIR}/error.log
 
LogLevel warn
 
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
 
Include ports.conf
 
 
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>
 
<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>
 
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>
 
 
 
 
 
AccessFileName .htaccess
 
<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>
 
 
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
 
 
IncludeOptional conf-enabled/*.conf
 
IncludeOptional sites-enabled/*.conf
 
root@blaze:~# cat /etc/apache2/sites-enabled/000-default.conf | grep -v '^[#/]'
<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName blaze.offsec
				DocumentRoot /var/www/blaze.offsec
 
        ErrorLog /error.log
        CustomLog /access.log combined
</VirtualHost>

Web

root@blaze:/var/www/blaze.offsec# ll
total 44K
4.0K drwxrwxr-- 5 www-data www-data 4.0K Apr  6  2023 .
4.0K -rwxrwxr-- 1 www-data www-data 2.5K Apr  6  2023 login.php
4.0K -rwxr-xr-x 1 www-data www-data 1.1K Apr  6  2023 password-dashboard.php
4.0K drwxr-xr-x 3 root     root     4.0K Mar 29  2023 ..
4.0K -rwxrwxr-- 1 www-data www-data  233 Mar 29  2023 blocked.html
4.0K drwxrwxr-- 2 www-data www-data 4.0K Mar 29  2023 css
4.0K -rwxrwxr-- 1 www-data www-data  252 Mar 29  2023 db_config.php
4.0K drwxrwxr-- 2 www-data www-data 4.0K Mar 29  2023 img
4.0K -rwxrwxr-- 1 www-data www-data 3.3K Mar 29  2023 index.html
4.0K drwxrwxr-- 2 www-data www-data 4.0K Mar 29  2023 js
4.0K -rwxrwxr-- 1 www-data www-data  234 Mar 29  2023 logout.php

`login.php`

root@blaze:/var/www/blaze.offsec# cat login.php
<?php
ob_start();
session_start();
include("db_config.php");
ini_set('display_errors', 1);
?>
<html>
<title>Blaze</title>
<head>
  <link rel="stylesheet" href="css/style.css">
</head>
<div class="login">
<div class="form">
	<span class="material-icons">blaze</span>
	<form action="./login.php" class="p-3 mt-3" method="POST">
	<div class="form-field d-flex align-items-center"> <span class="far fa-user"></span> <input type="text" name="username" id="username" placeholder="username"> </div>
        <div class="form-field d-flex align-items-center"> <span class="fas fa-key"></span> <input type="password" name="password" id="password" placeholder="Password"> </div>
	<button>login</button>    
</form>
</div>
</html>
<?php
 
if (!empty($_GET['msg'])) {
    echo "<font style=\"color:#FF0000\">Please login to continue.<br\></font\>";
}
 
if (!empty($_POST['username'])) {
$username = ($_POST['username']);
$password = $_POST['password'];
 
$user_waf = strtolower($_POST['username']);
// sqlmap choker
$shitwords = ["/sleep/i", "/0x/i", "/\*\*/", "/-- [a-z0-9]{4}/i", "/ifnull/i", "/ or /i"];
foreach ($shitwords as $shitword) {
if (preg_match( $shitword, $user_waf )) {
header("Location: ./blocked.html");
die("blocked");
	}
}
$pass_waf = strtolower($_POST['password']);
// sqlmap choker
$shitwords = ["/sleep/i", "/0x/i", "/\*\*/", "/-- [a-z0-9]{4}/i", "/ifnull/i", "/ or /i"];
foreach ($shitwords as $shitword) {
if (preg_match( $shitword, $pass_waf )) {
header("Location: ./blocked.html");
die("blocked");
        }
}
 
$q = "SELECT * FROM users where username like '%".$username."%' AND password like '%".$password."%'" ;
//echo $q;
if (!mysqli_query($con,$q))
	{
		die('Error: ' . mysqli_error($con));
	}
	
	$result = mysqli_query($con,$q);
	$row_cnt = mysqli_num_rows($result);
	if ($row_cnt > 0) {
	
	$row = mysqli_fetch_array($result);
 
	if ($row){
	//$_SESSION["id"] = $row[0];
	$_SESSION["username"] = $row[1];
	$_SESSION["password"] = $row[2];
	//ob_clean();
	
	header('Location:password-dashboard.php');
	}
}
	else{
		echo "<font style=\"color:#FF0000\"><br \>Invalid password!</font\>";
		
	}
while($row = mysqli_fetch_array($result))
                {
                        echo '<div class="d-flex movie align-items-end">
                                <div class="mr-auto p-2">
                                        <h5 class="p-2">'.$row["username"].'</h5>';
                }
}
?>
 
	</div>
	</div>
	  
	  
	  <div class="footer">
		<p>by JDgodd | blaze.offsec</p>
      </div>
	</div> <!-- /container -->
  
</body>
</html>

`db_config.php`

root@blaze:/var/www/blaze.offsec# cat db_config.php
<?php
// Create connection
$con=mysqli_connect("127.0.0.1","admin","adminpasword","blazeDB");
 
// Check connection
if (mysqli_connect_errno($con))
  {
  echo "<font style=\"color:#FF0000\">Could not connect:". mysqli_connect_error()."</font\>";
  }
?>

InfoSec LAB

Explorer

Cockpit_Beyond

Beyond

Apache

Web

`login.php`

`db_config.php`

Interactive Graph View

Table of Contents

Backlinks