Scanning and Enumeration

The document details the results of a network scan and vulnerability assessment of a target system. Several open ports were found including ports 80, 443, 139, and 22. Various services and versions were identified along with known vulnerabilities. Specific vulnerabilities and exploits were listed for ports 80/443 and 139.

Uploaded by

Naimur Rahman

arp -l
netdiscover -i enp2s0

Stealth scan
nmap -sS 192.168.0.105

nmap -T4 -p- -A 192.168.0.105
    -T4   speed (timing template)
    -p-   all ports
    -A    enable OS detection, version detection, script scanning, and traceroute

Web application ports
nmap -T4 -p 80,443,53 -A
Web Vulnerability Scan
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=SomeOrganization/stateOrProvinceName=SomeState/countryName=--
| Not valid before: 2009-09-26T09:32:06
|_Not valid after: 2010-09-26T09:32:06
|_ssl-date: 2022-03-29T00:32:23+00:00; +4h59m58s from scanner time
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
|_http-server-header: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_http-title: Test Page for the Apache Web Server on Red Hat Linux
| http-methods:
|_ Potentially risky methods: TRACE

Information disclosure

nikto -h http://192.168.0.105/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.0.105
+ Target Hostname: 192.168.0.105
+ Target Port: 80
+ Start Time: 2022-03-29 02:00:34 (GMT6)
---------------------------------------------------------------------------
+ Server: Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
+ Server may leak inodes via ETags, header found with file /, inode: 34821, size: 2890, mtime: Thu Sep 6 09:12:46 2001
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ OpenSSL/0.9.6b appears to be outdated (current is at least 1.1.1). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/1.3.20 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ mod_ssl/2.8.4 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-838: Apache/1.3.20 - Apache 1.x up 1.2.34 are vulnerable to a remote DoS and possible code execution. CAN-2002-0392.
+ OSVDB-4552: Apache/1.3.20 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ OSVDB-2733: Apache/1.3.20 - Apache 1.3 below 1.3.29 are vulnerable to overflows in mod_rewrite and mod_cgi. CAN-2003-0542.
+ mod_ssl/2.8.4 - mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ OSVDB-682: /usage/: Webalizer may be installed. Versions lower than 2.01-09 vulnerable to Cross Site Scripting (XSS).
+ OSVDB-3268: /manual/: Directory indexing found.
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3092: /test.php: This might be interesting...
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpresswp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ 8724 requests: 0 error(s) and 30 item(s) reported on remote host
+ End Time: 2022-03-29 02:00:52 (GMT6) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
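The following is an added example, not part of the original notes: it runs defender-side checks over a constructed copy of the nmap -A excerpt above and flags the same points the nikto output raises (version disclosure in the Server banner, the fixed-in Apache versions nikto cites, the active TRACE method, and a certificate already expired according to the server's own ssl-date). The sample lines and thresholds come from this page; the function names are mine.

```python
import re
# Constructed copy of the nmap -A excerpt shown in the notes above (not a live scan).
NMAP_OUTPUT = """\
443/tcp open ssl/https Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b
|_Not valid after: 2010-09-26T09:32:06
|_ssl-date: 2022-03-29T00:32:23+00:00; +4h59m58s from scanner time
80/tcp open http Apache httpd 1.3.20 ((Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b)
| http-methods:
|_ Potentially risky methods: TRACE
"""
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
APACHE_RE = re.compile(r"Apache(?: httpd)?[/ ](\d+)\.(\d+)\.(\d+)")
APACHE_FIXES = [  # fixed-in versions as reported by nikto on this page
    ((1, 3, 27), "CAN-2002-0839 local buffer overflow, fixed in 1.3.27"),
    ((1, 3, 29), "CAN-2003-0542 mod_rewrite/mod_cgi overflows, fixed in 1.3.29"),
]

def parse_ports(text):
    # Map each open port to its banner and the NSE script lines ('|' prefixed) under it.
    ports, current = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            current = int(m.group(1))
            ports[current] = {"banner": m.group(5), "scripts": []}
        elif line.startswith("|") and current is not None:
            ports[current]["scripts"].append(line.lstrip("|_ "))
    return ports

def apache_version(banner):
    # (major, minor, patch) from an Apache banner, or None when the banner is not Apache.
    m = APACHE_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None

def find_issues(text):
    # Findings prefixed with the port they apply to, naming the Apache directive that fixes each.
    issues = []
    for port, info in parse_ports(text).items():
        scripts = "\n".join(info["scripts"])
        ver = apache_version(info["banner"])
        if ver:
            issues.append(f"{port}: banner discloses Apache {'.'.join(map(str, ver))} (ServerTokens Prod)")
            issues += [f"{port}: {note}" for fixed, note in APACHE_FIXES if ver < fixed]
        if re.search(r"Potentially risky methods:.*\bTRACE\b", scripts):
            issues.append(f"{port}: TRACE enabled, cross-site tracing (TraceEnable Off)")
        expiry = re.search(r"Not valid after:\s+(\S+)", scripts)
        now = re.search(r"ssl-date:\s+(\S+?);", scripts)  # server clock, not the scanner's
        if expiry and now and expiry.group(1) < now.group(1)[:19]:  # same-width UTC ISO 8601 sorts as text
            issues.append(f"{port}: TLS certificate expired {expiry.group(1)[:10]}")
    return issues
```

Running find_issues on the embedded excerpt yields eight findings, four per port; the same functions accept any nmap -A text with service and NSE script lines.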

Directory busting
Tools:
- Gobuster
- Dirbuster
- Burp Suite

Information disclosure
- Server headers disclose version information

Information on the web page

Webalizer Version 2.01
http://192.168.0.105/usage/usage_200909.html

SMB

Unix (Samba 2.2.1a)

smbclient -L \\\\192.168.0.108\\ADMIN$
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful
Enter WORKGROUP\naimurrahman's password:

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.
Server does not support EXTENDED_SECURITY but 'client use spnego = yes' and 'client ntlmv2 auth = yes' is set
Anonymous login successful

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server

        Workgroup            Master
        ---------            -------
        MYGROUP              KIOPTRIX

SSH

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 2.9p2 (protocol 1.99)

Vulnerabilities

80/443 - Potentially vulnerable to openluck
    https://www.exploit-db.com/exploits/47080
    https://github.com/heltonWernik/OpenLuck

139 - Potentially vulnerable to trans2open
    https://www.rapid7.com/db/modules/exploit/linux/samba/trans2open/
    https://www.exploit-db.com/exploits/7
    https://www.exploit-db.com/exploits/10
