## Web

Nmap discovered a web server on the target port 80. The running service is Apache httpd 2.4.52.
## Webroot

The web application appears to be an indexer for searching information online. Wappalyzer identified the technologies involved: it is built on Flask 2.1.2 using Python 3.10.6.
## Feature

While there are many search engines to select from, the request itself sends a POST request to the `/search` endpoint.

Additionally, the "Auto redirect" feature seems to work fine, as the response shows.

However, without the "Auto redirect" feature, users are redirected to a page that displays the search query URL of the selected engine.

The key here is that it displays the user input. Let's dive deeper into the web application itself.
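To make the reflection point above concrete from the defensive side, here is an added example (not Searchor's code and not part of the original writeup) of how a `/search` handler can treat both the selected engine and the query strictly as data: the engine name is resolved through a fixed allowlist rather than evaluated, the query is percent-encoded into the engine URL, and the page shown when "Auto redirect" is off HTML-escapes the URL it reflects back. The engine templates, function names and form field names are assumptions made for this example.

```python
from html import escape
from urllib.parse import parse_qs, quote_plus, urlsplit

# Assumed engine templates, constructed for this example (Searchor's own engine
# list and URL formats are not reproduced here).
ENGINES = {
    "Google": "https://www.google.com/search?q={q}",
    "DuckDuckGo": "https://duckduckgo.com/?q={q}",
    "Bing": "https://www.bing.com/search?q={q}&form=QBLH",
}


def build_search_url(engine: str, query: str) -> str:
    """Resolve the engine by dictionary lookup and percent-encode the query.

    Neither value is ever interpolated into code or a shell command; an
    engine name outside the allowlist is rejected instead of being resolved
    dynamically from user-controlled text.
    """
    template = ENGINES.get(engine)
    if template is None:
        raise ValueError(f"unsupported engine: {engine!r}")
    if not query.strip():
        raise ValueError("empty query")
    # quote_plus also encodes '{' and '}', so str.format only sees the {q} slot.
    return template.format(q=quote_plus(query))


def render_result_page(url: str) -> str:
    """The non-auto-redirect path reflects the built URL back to the user.

    HTML-escaping it (including quotes, since it lands in an attribute) keeps
    the reflected user input as text rather than markup.
    """
    safe = escape(url, quote=True)
    return f'<p>Search URL: <a href="{safe}">{safe}</a></p>'


def handle_search(form: dict, auto_redirect: bool) -> tuple:
    """Model of the POST /search handler: returns (status, Location or body)."""
    url = build_search_url(form.get("engine", ""), form.get("query", ""))
    if auto_redirect:
        return 302, url
    return 200, render_result_page(url)


def query_is_only_data(engine: str, query: str) -> bool:
    """Parse the built URL back and confirm the raw user text survives solely
    as the value of the q parameter, i.e. it changed nothing else in the URL."""
    params = parse_qs(urlsplit(build_search_url(engine, query)).query)
    return params.get("q") == [query]


if __name__ == "__main__":
    # Constructed sample input containing URL and HTML metacharacters.
    print(handle_search({"engine": "Bing", "query": "a&b=c; echo <x>"}, False))
    print(query_is_only_data("Bing", "a&b=c; echo <x>"))
```

The `query_is_only_data` check is the property worth asserting in a test suite for an application like this: whatever the user types must come back out as the `q` value and nothing else, and any engine name not in the allowlist must raise rather than be looked up dynamically.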
## Version Information

The footer includes a hyperlink to the application source code. It also notes that it uses version 2.4.0.

## Searchor

The Python web application, Searchor, appears to be a personal project, and the current version at the time of writing is 2.5.2.
## Vulnerability

Searching online for vulnerabilities reveals one: [[Busqueda_CVE-2023-43364#|CVE-2023-43364]]. It matches the target web application instance, version 2.4.0.

Moving on to the Exploitation phase.
## Fuzzing

```
┌──(kali㉿kali)-[~/archive/htb/labs/busqueda]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .txt -fc 302
________________________________________________
:: Method : GET
:: URL : http://10.10.11.208/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 302
________________________________________________
:: Progress: [441094/441094] :: Job [1/1] :: 364 req/sec :: Duration: [0:21:10] :: Errors: 0 ::
```

## Virtual Host / Sub-domain Discovery

```
┌──(kali㉿kali)-[~/archive/htb/labs/busqueda]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.searcher.htb' -fc 302
________________________________________________
:: Method : GET
:: URL : http://10.10.11.208/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.searcher.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 302
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 314 req/sec :: Duration: [0:05:47] :: Errors: 0 ::
```

Nothing found.