nmap -p- -T4 10.10.10.146
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 13:05 EDT
Nmap scan report for 10.10.10.146
Host is up (0.092s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp closed https
nmap -sC -sV -p 22,80,443 10.10.10.146
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 13:11 EDT
Nmap scan report for 10.10.10.146
Host is up (0.088s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 22:75:d7:a7:4f:81:a7:af:52:66:e5:27:44:b1:01:5b (RSA)
| 256 2d:63:28:fc:a2:99:c7:d4:35:b9:45:9a:4b:38:f9:c8 (ECDSA)
|_ 256 73:cd:a0:5b:84:10:7d:a7:1c:7c:61:1d:f5:54:cf:c4 (ED25519)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
443/tcp closed https
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.54 seconds
Enumeration
Port 80
Gobuster
Was able to download code
Analyzing PHP code
We're checking how a user interacts with the server through the PHP code.
Analyzing the upload.php code, we find
Mime
Magic bytes can trick a file-type check into treating a file as a different type of file.
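
Added example, not code from upload.php or from these notes: a Python comparison of a check that trusts only the leading magic bytes with one that validates the whole PNG structure, which is what an upload handler should rely on. The function names and the sample byte strings are assumptions constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # the 8 magic bytes every PNG starts with

def magic_only_check(data: bytes) -> bool:
    """Weak check: trusts the first 8 bytes, as a MIME sniffer does."""
    return data.startswith(PNG_SIG)

def structural_check(data: bytes) -> bool:
    """Stricter check: walk every chunk, verify each CRC, require IHDR
    first and IEND last, and reject any bytes after IEND."""
    if not data.startswith(PNG_SIG):
        return False
    pos, first = len(PNG_SIG), True
    while pos + 12 <= len(data):  # 4 length + 4 type + 4 CRC minimum
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            return False  # declared length runs past the file
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if first and ctype != b"IHDR":
            return False
        first = False
        if ctype == b"IEND":
            return end == len(data)  # trailing data is rejected
        pos = end
    return False

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk (used only to construct the sample below)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_valid_png() -> bytes:
    """Constructed 1x1 greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

# Constructed samples: PNG signature on non-image data, and a PNG with appended bytes.
SAMPLE_FAKE = PNG_SIG + b"this is not image data"
SAMPLE_TRAILING = sample_valid_png() + b"extra bytes after IEND"

if __name__ == "__main__":
    for name, blob in [("valid", sample_valid_png()), ("fake", SAMPLE_FAKE),
                       ("trailing", SAMPLE_TRAILING)]:
        print(name, magic_only_check(blob), structural_check(blob))
```

Re-encoding the accepted image server-side and storing it under a server-generated name removes any remaining dependence on the uploaded bytes.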