Escalate_my_privileges_1のwalkthrough

はじめに

www.vulnhub.com

調査

$ nmap -sV -Pn 192.168.100.13
Starting Nmap 7.60 ( https://nmap.org ) at 2020-04-05 14:24 JST
Nmap scan report for 192.168.100.13
Host is up (0.022s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
111/tcp  open  rpcbind 2-4 (RPC #100000)
2049/tcp open  nfs_acl 3 (RPC #100227)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.70 seconds

$ nikto -h 192.168.100.13
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP:          192.168.100.13
+ Target Hostname:    192.168.100.13
+ Target Port:        80
+ Start Time:         2020-04-05 14:33:55 (GMT9)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) PHP/5.4.16
+ Server leaks inodes via ETags, header found with file /, fields: 0xf0 0x5a133f9581a50 
+ The anti-clickjacking X-Frame-Options header is not present.
+ Retrieved x-powered-by header: PHP/5.4.16
+ File/dir '/phpbash.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST, TRACE 
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-3092: /readme.txt: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6544 items checked: 0 error(s) and 11 item(s) reported on remote host
+ End Time:           2020-04-05 14:34:21 (GMT9) (26 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

phpbash.phpという怪しいファイルがあるので見てみる。