Web


Nmap discovered a web server on the target's port 80. The running service is Apache httpd 2.4.41.

Webroot

It appears to be providing a medical service.

Wappalyzer identified the technologies involved. The application is written in PHP 8.1.0.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/knife]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .php,.txt,.html        
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.242/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.php               [Status: 200, Size: 5815, Words: 646, Lines: 221, Duration: 97ms]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 92ms]
:: Progress: [882188/882188] :: Job [1/1] :: 427 req/sec :: Duration: [0:35:06] :: Errors: 0 ::

Nothing else was found beyond index.php, as far as the wordlist covers.

Vulnerability


Searching Google for "php 8.1.0", the top two results show that the PHP 8.1.0-dev version suffers from an RCE vulnerability because it was released with a backdoor.

The target web application is using PHP 8.1.0-dev
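The version match above comes from the server's own banners. The following is an added example (not part of the original write-up) that shows the defender-side version of that check: parse the response headers of a PHP site, pull the PHP version out of X-Powered-By, and flag the known backdoored 8.1.0-dev build together with the header disclosure itself. The sample response below is constructed for the example, modelled on the Apache 2.4.41 / PHP 8.1.0-dev banners reported on this page; the header names and the php.ini directive `expose_php` are real, the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample HTTP response, modelled on the banners reported on the page.
# It is built here for the example and is not a capture from the target.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/8.1.0-dev\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>medical portal</body></html>"
)

# Constructed control sample: a released PHP build that is not the backdoored one.
SAMPLE_RESPONSE_CLEAN = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "\r\n"
    "<html></html>"
)

# The PHP development build that shipped with the March 2021 backdoor. Released
# 8.1.x versions are not affected; only this -dev build is flagged.
BACKDOORED_PHP_BUILDS = {"8.1.0-dev"}

PHP_VERSION_RE = re.compile(r"PHP/(\d+\.\d+\.\d+(?:-[A-Za-z0-9]+)?)")


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a header map with lower-cased names.

    The status line is skipped and the body after the blank line is ignored.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def php_version(headers: Dict[str, str]) -> Optional[str]:
    """Extract the PHP version advertised in X-Powered-By, or None if absent."""
    match = PHP_VERSION_RE.search(headers.get("x-powered-by", ""))
    return match.group(1) if match else None


def assess(raw: str) -> Dict[str, object]:
    """Fingerprint a response and return the version plus a list of findings."""
    headers = parse_headers(raw)
    version = php_version(headers)
    findings: List[str] = []

    if version in BACKDOORED_PHP_BUILDS:
        findings.append(
            f"PHP {version}: development build known to contain a backdoor "
            "(remote code execution); replace it with a released PHP build"
        )
    elif version is not None and version.endswith("-dev"):
        findings.append(f"PHP {version}: unreleased development build in production")

    if "x-powered-by" in headers:
        # Version disclosure on its own is a low-severity hardening item.
        findings.append("X-Powered-By header disclosed; set expose_php = Off in php.ini")

    return {"server": headers.get("server"), "php": version, "findings": findings}


if __name__ == "__main__":
    for label, sample in (("target", SAMPLE_RESPONSE), ("control", SAMPLE_RESPONSE_CLEAN)):
        result = assess(sample)
        print(f"[{label}] server={result['server']} php={result['php']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The first sample produces two findings (the backdoored build and the header disclosure); the control sample with PHP 7.4.3 produces only the disclosure item, which is the point of keeping the version set explicit rather than matching on any 8.1.0 prefix.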

Moving on to the Exploitation phase