THM Neighbour done
Neighbour
Notes
OS:
Linux
Technology:
IP Address:
10.10.200.143
Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.53 ((Debian))
Users and pass:
Nmap
┌──(kali㉿kali)-[~/Desktop/writeups/THM/THM_Neighbour]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.10.31.220_nmap 10.10.31.220 ; cat 10.10.31.220_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-20 11:21 CEST
Nmap scan report for 10.10.31.220
Host is up (0.054s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e1:a8:47:a5:cd:8f:d7:c2:30:f8:4a:ec:d4:6b:a9:ba (RSA)
| 256 72:04:cc:29:de:f7:b3:ce:25:ef:ed:8c:fa:cc:33:5b (ECDSA)
|_ 256 c7:99:2b:a1:e7:12:8c:02:ba:1a:67:b3:08:86:2a:50 (ED25519)
80/tcp open http Apache httpd 2.4.53 ((Debian))
|_http-server-header: Apache/2.4.53 (Debian)
|_http-title: Login
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Ffuf
┌──(kali㉿kali)-[~/Desktop/writeups/THM/THM_Neighbour]
└─$ ffuf -u http://10.10.31.220/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -o 10.10.31.220_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.31.220/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : 10.10.31.220_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
assets [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 61ms]
db [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 49ms]
db.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 111ms]
index.php [Status: 200, Size: 1357, Words: 364, Lines: 38, Duration: 307ms]
login.php [Status: 200, Size: 1316, Words: 358, Lines: 38, Duration: 54ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 50ms]
profile.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 64ms]
:: Progress: [163752/163752] :: Job [1/1] :: 706 req/sec :: Duration: [0:04:14] :: Errors: 0 ::
Open the website: http://10.10.200.143/login.php
Log in as guest with the password guest
Change the user parameter
Change the user parameter from guest to admin
From http://10.10.200.143/profile.php?user=guest
to http://10.10.200.143/profile.php?user=admin
Get flag
flag{66be95c478473d91a5358f2440c7af1f}
Lessons Learned
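A detection sketch for the parameter change described above, added here and not part of the original notes: it scans Apache access-log lines and flags clients that successfully fetched profile.php for more than one `user` value. The log lines are constructed, and the combined log format and grouping by client IP are assumptions (clients behind a shared NAT address will produce false positives).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed Apache "combined" log lines (not taken from the target).
SAMPLE_LOG = """\
192.0.2.10 - - [20/May/2025:11:40:01 +0200] "POST /login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.10 - - [20/May/2025:11:40:02 +0200] "GET /profile.php?user=guest HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.10 - - [20/May/2025:11:40:30 +0200] "GET /profile.php?user=admin HTTP/1.1" 200 1620 "-" "Mozilla/5.0"
192.0.2.77 - - [20/May/2025:11:41:00 +0200] "GET /profile.php?user=guest HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.77 - - [20/May/2025:11:41:05 +0200] "GET /profile.php?user=guest HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.0.2.99 - - [20/May/2025:11:42:00 +0200] "GET /profile.php?user=admin HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def profile_users_by_client(log_text, path="/profile.php", param="user"):
    """Map client IP -> set of `user` values it fetched successfully (HTTP 200)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, method, target, status = m.groups()
        url = urlsplit(target)
        # A 302 on profile.php is the redirect for unauthenticated requests
        # (as seen in the ffuf output), so only 200 responses count as a view.
        if method != "GET" or url.path != path or status != "200":
            continue
        for value in parse_qs(url.query).get(param, []):
            seen[client].add(value.lower())
    return seen


def flag_idor_candidates(log_text):
    """Clients that viewed more than one distinct profile: review for IDOR."""
    hits = profile_users_by_client(log_text)
    return {c: sorted(u) for c, u in hits.items() if len(u) > 1}


if __name__ == "__main__":
    for client, users in flag_idor_candidates(SAMPLE_LOG).items():
        print(f"{client} viewed profiles: {', '.join(users)}")
```

The underlying fix is server-side: profile.php should take the profile owner from the authenticated session, or compare the requested `user` against it, instead of trusting the query string.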