Hola me presento me llamo lucas y ahora con el covid e estao en cuarentena y he estado testeando kali linux y aprendiendo por mi cuenta con libros y videos durante esta semana, me decidi por intentar cojer el root en un servidor que utilizaba una version de apache anticuada(3.2.2.34) consegui el acceso al servidor pero para utilizar los comandos necesitaba una contraseña por lo que intente tirar por el lado de los exploits y metaexploits para aprovechar sus vulnerabilidades utilize para analizarlo nmap viendo el port 22 abierto el 88 y el 433 y utilizando nikto para ver que exploits podia utilizar hasta hay llegue ya que no se introducir exploits o metasploits agradeceria que me pusieran referencias,videos,libros de como ejecutarlos correctamente.
dejo las vulnerabiidades que he encontrado:
+ Server: Apache/2
+ Cookie MoodleSession created without the secure flag
+ Cookie MoodleSession created without the httponly flag
+ Retrieved x-powered-by header: PHP/7.1.33
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'content-style-type' found, with contents: text/css
+ Uncommon header 'content-script-type' found, with contents: text/javascript
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The site uses SSL and Expect-CT header is not present.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Multiple index files found: /moodle/login/index.php/default.htm, /moodle/login/index.php/index.pl, /moodle/login/index.php/index.php7, /moodle/login/index.php/index.php3, /moodle/login/index.php/index.cfm, /moodle/login/index.php/index.php, /moodle/login/index.php/index.htm, /moodle/login/index.php/index.do, /moodle/login/index.php/index.php5, /moodle/login/index.php/index.xml, /moodle/login/index.php/index.cgi, /moodle/login/index.php/index.aspx, /moodle/login/index.php/index.jhtml, /moodle/login/index.php/default.asp, /moodle/login/index.php/index.jsp, /moodle/login/index.php/default.aspx, /moodle/login/index.php/index.shtml, /moodle/login/index.php/index.php4, /moodle/login/index.php/index.asp, /moodle/login/index.php/index.html
+ Apache/2 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ The Content-Encoding header is set to "deflate" this may mean that the server is vulnerable to the BREACH attack.
+ /moodle/login/index.php/kboard/: KBoard Forum 0.3.0 and prior have a security problem in forum_edit_post.php, forum_post.php and forum_reply.php
+ /moodle/login/index.php/lists/admin/: PHPList pre 2.6.4 contains a number of vulnerabilities including remote administrative access, harvesting user info and more. Default login to admin interface is admin/phplist
+ /moodle/login/index.php/splashAdmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
+ /moodle/login/index.php/ssdefs/: Siteseed pre 1.4.2 has 'major' security problems.
+ /moodle/login/index.php/sshome/: Siteseed pre 1.4.2 has 'major' security problems.
+ /moodle/login/index.php/tiki/: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin
+ /moodle/login/index.php/tiki/tiki-install.php: Tiki 1.7.2 and previous allowed restricted Wiki pages to be viewed via a 'URL trick'. Default login/pass could be admin/admin
+ /moodle/login/index.php/scripts/samples/details.idc: See RFP 9901; www.wiretrip.net
+ OSVDB-396: /moodle/login/index.php/_vti_bin/shtml.exe: Attackers may be able to crash FrontPage by requesting a DOS device, like shtml.exe/aux.htm -- a DoS was not attempted.
+ OSVDB-637: /moodle/login/index.php/~root/: Allowed to browse root's home directory.
+ /moodle/login/index.php/cgi-bin/wrap: comes with IRIX 6.2; allows to view directories
+ /moodle/login/index.php/forums//admin/config.php: PHP Config file may contain database IDs and passwords.
+ /moodle/login/index.php/forums//adm/config.php: PHP Config file may contain database IDs and passwords.
+ /moodle/login/index.php/forums//administrator/config.php: PHP Config file may contain database IDs and passwords.
+ /moodle/login/index.php/forums//moodle/pluginfile.php/1/core_admin/logo/0x200/1587321683/config.php: PHP Config file may contain database IDs and passwords.
+ /moodle/login/index.php/forums//moodle/admin/tool/dataprivacy/config.php: PHP Config file may contain database IDs and passwords.
+ /moodle/login/index.php/forums/config.php: PHP Config file may contain database IDs and passwords.
+ /moodle/login/index.php/guestbook/guestbookdat: PHP-Gastebuch 1.60 Beta reveals sensitive information about its configuration.
+ /moodle/login/index.php/guestbook/pwd: PHP-Gastebuch 1.60 Beta reveals the md5 hash of the admin password.
+ /moodle/login/index.php/help/: Help directory should not be accessible
+ OSVDB-2411: /moodle/login/index.php/hola/admin/cms/htmltags.php?datei=./sec/data.php: hola-cms-1.2.9-10 may reveal the administrator ID and password.
+ OSVDB-8103: /moodle/login/index.php/global.inc: PHP-Survey's include file should not be available via the web. Configure the web server to ignore .inc files or change this to global.inc.php
+ OSVDB-59620: /moodle/login/index.php/inc/common.load.php: Bookmark4U v1.8.3 include files are not protected and may contain remote source injection by using the 'prefix' variable.
+ OSVDB-59619: /moodle/login/index.php/inc/config.php: Bookmark4U v1.8.3 include files are not protected and may contain remote source injection by using the 'prefix' variable.
+ OSVDB-59618: /moodle/login/index.php/inc/dbase.php: Bookmark4U v1.8.3 include files are not protected and may contain remote source injection by using the 'prefix' variable.
+ OSVDB-2703: /moodle/login/index.php/geeklog/users.php: Geeklog prior to 1.3.8-1sr2 contains a SQL injection vulnerability that lets a remote attacker reset admin password.
+ OSVDB-8204: /moodle/login/index.php/gb/index.php?login=true: gBook may allow admin login by setting the value 'login' equal to 'true'.
+ /moodle/login/index.php/guestbook/admin.php: Guestbook admin page available without authentication.
+ /moodle/login/index.php/getaccess: This may be an indication that the server is running getAccess for SSO
+ /moodle/login/index.php/cfdocs/expeval/openfile.cfm: Can use to expose the system/server path.
+ /moodle/login/index.php/tsweb/: Microsoft TSAC found. http://www.dslwebserver.com/main/fr_index.html?/main/sbs-Terminal-Services-Advanced-Client-Configuration.html
+ /moodle/login/index.php/vgn/performance/TMT: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/performance/TMT/Report: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/performance/TMT/Report/XML: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/performance/TMT/reset: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/ppstats: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/previewer: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/record/previewer: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/stylepreviewer: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/vr/Deleting: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/vr/Editing: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/vr/Saving: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/vgn/vr/Select: Vignette CMS admin/maintenance script available.
+ /moodle/login/index.php/scripts/iisadmin/bdir.htr: This default script shows host info, may allow file browsing and buffer a overrun in the Chunked Encoding data transfer mechanism, request /scripts/iisadmin/bdir.htr??c:\<dirs> . https://docs.microsoft.com/en-us/security-updates/securitybulletins/2002/MS02-028. http://www.cert.org/advisories/CA-2002-09.html.
+ /moodle/login/index.php/scripts/iisadmin/ism.dll: Allows you to mount a brute force attack on passwords
+ /moodle/login/index.php/scripts/tools/ctss.idc: This CGI allows remote users to view and modify SQL DB contents, server paths, docroot and more.
+ /moodle/login/index.php/bigconf.cgi: BigIP Configuration CGI
+ /moodle/login/index.php/blah_badfile.shtml: Allaire ColdFusion allows JSP source viewed through a vulnerable SSI call.
+ OSVDB-4910: /moodle/login/index.php/vgn/style: Vignette server may reveal system information through this file.
+ OSVDB-17653: /moodle/login/index.php/SiteServer/Admin/commerce/foundation/domain.asp: Displays known domains of which that server is involved.
+ OSVDB-17654: /moodle/login/index.php/SiteServer/Admin/commerce/foundation/driver.asp: Displays a list of installed ODBC drivers.
+ OSVDB-17655: /moodle/login/index.php/SiteServer/Admin/commerce/foundation/DSN.asp: Displays all DSNs configured for selected ODBC drivers.
+ OSVDB-17652: /moodle/login/index.php/SiteServer/admin/findvserver.asp: Gives a list of installed Site Server components.
+ /moodle/login/index.php/SiteServer/Admin/knowledge/dsmgr/default.asp: Used to view current search catalog configurations
+ /moodle/login/index.php/basilix/mbox-list.php3: BasiliX webmail application prior to 1.1.1 contains a XSS issue in 'message list' function/page
+ /moodle/login/index.php/basilix/message-read.php3: BasiliX webmail application prior to 1.1.1 contains a XSS issue in 'read message' function/page
+ /moodle/login/index.php/clusterframe.jsp: Macromedia JRun 4 build 61650 remote administration interface is vulnerable to several XSS attacks.
Gracias un love