Web
Nmap discovered a Web service on the target port 80
The running service is Apache httpd 2.4.46 ((Win64) OpenSSL/1.1.1j PHP/7.3.27)
Webroot
It shows a Voting System login page
Wappalyzer identified the technologies involved:
OpenSSL 1.1.1j
PHP 7.3.27
Authentication sends a POST request to the /login.php file
I have tried default and weak credentials, and none of them worked
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.10.239/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 34ms]
* FUZZ: .htaccess
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 36ms]
* FUZZ: .htpasswd
[Status: 301, Size: 337, Words: 22, Lines: 10, Duration: 25ms]
* FUZZ: admin
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 24ms]
* FUZZ: aux
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 46ms]
* FUZZ: cgi-bin/
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 23ms]
* FUZZ: com4
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 25ms]
* FUZZ: com1
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 27ms]
* FUZZ: com2
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 25ms]
* FUZZ: com3
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 27ms]
* FUZZ: con
[Status: 301, Size: 336, Words: 22, Lines: 10, Duration: 25ms]
* FUZZ: dist
[Status: 301, Size: 338, Words: 22, Lines: 10, Duration: 26ms]
* FUZZ: images
[Status: 301, Size: 340, Words: 22, Lines: 10, Duration: 26ms]
* FUZZ: includes
[Status: 403, Size: 421, Words: 37, Lines: 12, Duration: 25ms]
* FUZZ: licenses
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 30ms]
* FUZZ: lpt2
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 37ms]
* FUZZ: lpt1
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 24ms]
* FUZZ: nul
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 27ms]
* FUZZ: phpmyadmin
[Status: 301, Size: 339, Words: 22, Lines: 10, Duration: 26ms]
* FUZZ: plugins
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 26ms]
* FUZZ: prn
[Status: 403, Size: 421, Words: 37, Lines: 12, Duration: 25ms]
* FUZZ: server-status
[Status: 403, Size: 421, Words: 37, Lines: 12, Duration: 25ms]
* FUZZ: server-info
[Status: 301, Size: 337, Words: 22, Lines: 10, Duration: 25ms]
* FUZZ: tcpdf
[Status: 403, Size: 302, Words: 22, Lines: 10, Duration: 25ms]
* FUZZ: webalizer
:: Progress: [20476/20476] :: Job [1/1] :: 1538 req/sec :: Duration: [0:00:13] :: Errors: 0 ::
While there are a lot of files and directories returned, most of them aren’t accessible
/admin
This appears to be the login page to the administrative panel of the web application
Vulnerability
┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ searchsploit voting system
------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------ ---------------------------------
Online Voting System - Authentication Bypass | php/webapps/43967.py
Online Voting System 1.0 - Authentication Bypass (SQLi) | php/webapps/50075.txt
Online Voting System 1.0 - Remote Code Execution (Authenticated) | php/webapps/50076.txt
Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE) | php/webapps/50088.py
Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting | multiple/webapps/49159.txt
Voting System 1.0 - Authentication Bypass (SQLI) | php/webapps/49843.txt
Voting System 1.0 - File Upload RCE (Authenticated Remote Code Execution) | php/webapps/49445.py
Voting System 1.0 - Remote Code Execution (Unauthenticated) | php/webapps/49846.txt
Voting System 1.0 - Time based SQLI (Unauthenticated SQL injection) | php/webapps/49817.txt
WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injec | php/webapps/50052.txt
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
As the results above show, Voting System appears to be a published application rather than something custom-built
Looking further into it online reveals that Online Voting System is indeed an open-source web application published by sourcecodester
Two vulnerabilities have been identified as exploitable:
- [[Love_CVE-2018-6180#[CVE-2018-6180](https://nvd.nist.gov/vuln/detail/CVE-2018-6180)|CVE-2018-6180]]
- [[Love_File_Upload_RCE#[Online Voting System 1.0 Remote Code Execution](https://packetstormsecurity.com/files/163333/Online-Voting-System-1.0-Remote-Code-Execution.html)|File_Upload_RCE]]
Virtual Host Discovery
┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.love.htb' -fs 4388
________________________________________________
:: Method : GET
:: URL : http://10.10.10.239/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.love.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 4388
________________________________________________
[Status: 200, Size: 5357, Words: 1543, Lines: 192, Duration: 24ms]
* FUZZ: staging
:: Progress: [114441/114441] :: Job [1/1] :: 22 req/sec :: Duration: [0:10:08] :: Errors: 17 ::
No additional virtual host was found beyond staging, which was already known from the Recon phase.
staging.love.htb
As discovered during the Recon phase, there appears to be another virtual host: staging.love.htb
Webroot
Free File Scanner
The passive crawler from Burp Suite found a file:
beta.php
Scanner
It’s mapped to the Demo button in the navigation tab
I will test out the scanner
┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ simplehttp . 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
Starting a local web service on Kali
It sends a POST request to the /beta.php file with two parameters: file and read
A moment later I get a hit
The web application sent out a GET request and fetched the list.
I will test out the inclusion as well
┌──(kali㉿kali)-[~/…/htb/labs/love/test]
└─$ cat test.php
system("whoami");
<?php system("whoami"); ?>
Only the first line is printed out. This might suggest the presence of a blacklist, as <?php and ?> were filtered out
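The scanner above fetches whatever URL is supplied in the file parameter and, with read, hands the content back to the page while relying on a blacklist of <?php and ?>. The following Python check is an added example and not code from the Voting System application: it shows the defender-side alternative of validating the destination before anything is fetched and treating fetched content strictly as text. The names validate_fetch_target, render_fetched, resolve_host and the allowed scheme/port sets are assumptions of this example.

```python
import html
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}  # the scanner only needs ordinary web ports

def resolve_host(host):
    """IP addresses a host maps to; IP literals are accepted without DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        try:
            infos = socket.getaddrinfo(host, None)
        except socket.gaierror:
            return []
    return sorted({ipaddress.ip_address(i[4][0]) for i in infos}, key=str)

def is_public_address(addr):
    """False for loopback, private, link-local, reserved, multicast or unspecified."""
    return not (addr.is_loopback or addr.is_private or addr.is_link_local
                or addr.is_reserved or addr.is_multicast or addr.is_unspecified)

def validate_fetch_target(url):
    """Return (ok, reason): ok only for http(s) on an allowed port where every
    resolved address is public. Connect to that address, not a fresh lookup."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    addrs = resolve_host(parts.hostname)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if not is_public_address(addr):
            return False, "resolves to non-public address %s" % addr
    return True, "ok"

def render_fetched(content):
    """Fetched data is text: escape it for display, never include() it."""
    return html.escape(content)
```

Note that the check rejects any fetch aimed at the host itself or its internal ranges, which is exactly where a scanner like this one does damage, and render_fetched removes the need for the <?php blacklist altogether.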
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://staging.love.htb/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://staging.love.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 403, Size: 306, Words: 22, Lines: 10, Duration: 7974ms]
* FUZZ: .htpasswd
[Status: 403, Size: 306, Words: 22, Lines: 10, Duration: 7978ms]
* FUZZ: .htaccess
:: Progress: [20476/20476] :: Job [1/1] :: 380 req/sec :: Duration: [0:02:41] :: Errors: 17773 ::
The fuzzing result is rather inconsistent, as most of the requests errored out