Web


Nmap discovered a web server running on port 80 of the target.

Webroot

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/haircut]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .html,.php,.txt 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.24/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .html .php .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.html              [Status: 200, Size: 144, Words: 11, Lines: 8, Duration: 31ms]
uploads                 [Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 28ms]
test.html               [Status: 200, Size: 223, Words: 14, Lines: 7, Duration: 28ms]
hair.html               [Status: 200, Size: 141, Words: 11, Lines: 8, Duration: 39ms]
exposed.php             [Status: 200, Size: 446, Words: 24, Lines: 20, Duration: 31ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1437 req/sec :: Duration: [0:10:53] :: Errors: 0 ::

All of the .html files just contain images, but /uploads/ and /exposed.php are more interesting and look like a likely breaching point.

/uploads/


The /uploads/ directory returns a 403 Forbidden error.

/exposed.php


The /exposed.php file features a location check.

Upon entering the example URL, it returned the test.html page. Based on the returned data, I can see that it is using the curl command.

OS Command


I can confirm this by entering the -V flag, which makes curl print its version:

curl 7.47.0

This confirms that /exposed.php passes its input directly to the curl command on the OS command line, so OS command injection may be possible.

Blacklisted Words & Characters


Upon entering ; whoami # (to terminate the initial curl command, execute whoami, and comment out the remainder), the response tells me that a blacklist is being applied.

So I entered a set of special characters to see what is being filtered out: %, !, |, ;, &, #, {, }, [ and ] are denied.

But there is still something I can do with the curl command.

Bash Subshell


I can use a bash subshell to get code execution.
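As an added example (not code from the box or from this writeup), the Python below reproduces the character deny-list observed in exposed.php and contrasts it with what a fixed version should do: allow-list the URL and hand it to curl as an argv list so no shell ever parses it. The validator's policy and curl options are assumptions, and the sample inputs are constructed.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Characters the writeup observed exposed.php rejecting.
DENIED = set("%!|;&#{}[]")


def denylist_allows(url: str) -> bool:
    """Reproduce the observed filter: reject only when a denied character is present."""
    return not (set(url) & DENIED)


# Allow-list patterns (assumed policy): plain hostnames and a tame path only.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")
_PATH_RE = re.compile(r"^[A-Za-z0-9._~/-]*$")


def validate_url(url: str) -> bool:
    """Allow-list validation: http(s) scheme, plain host, no credentials or query."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if not parts.hostname or not _HOST_RE.match(parts.hostname):
        return False
    if parts.username or parts.password or parts.query or parts.fragment:
        return False
    try:
        parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return False
    return bool(_PATH_RE.match(parts.path))


def build_curl_argv(url: str) -> Optional[List[str]]:
    """Return an argv list for subprocess.run(..., shell=False), or None.

    Because no shell parses the value, $(...) and backticks are just bytes in
    the URL; because the scheme is enforced, the value can never start with
    '-' and be read as a curl option such as -V.
    """
    if not validate_url(url):
        return None
    return ["curl", "--silent", "--max-time", "5", url]
```

The deny-list accepts a URL carrying subshell syntax (nothing in `$(...)` is on the list) while the allow-list validator rejects it, and the argv form would be safe even if it did not.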