Web


Nmap discovered a web server running on the target port 80

Webroot

It's a note.

Wappalyzer enumerated the technologies involved: the site is written in PHP 5.4.16.

A comment in the source code mentions that the upload and gallery pages are not linked.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .txt,.php,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.146/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
uploads                 [Status: 301, Size: 236, Words: 14, Lines: 8, Duration: 28ms]
photos.php              [Status: 200, Size: 1302, Words: 68, Lines: 23, Duration: 33ms]
index.php               [Status: 200, Size: 229, Words: 33, Lines: 9, Duration: 2853ms]
upload.php              [Status: 200, Size: 169, Words: 11, Lines: 6, Duration: 31ms]
lib.php                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 27ms]
backup                  [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 29ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1394 req/sec :: Duration: [0:10:52] :: Errors: 0 ::

ffuf found a few files and directories.

/upload.php


The upload.php file has a file upload feature.

It sends a POST request to the /uploads.php file. Would it store the uploaded files in the /uploads/ directory?

Uploading a test JPG file.

It says that the file has been uploaded and suggests refreshing the gallery.

/photos.php


The /photos.php file appears to be the "gallery" mentioned in the comment earlier, and the test

I can see the test JPG file, but it has been renamed after my IP address, with the dots (.) replaced by underscores (_).

Looking at the source code, those images are loaded from the /uploads/ directory.

/lib.php


This file doesn't output anything.

/uploads/


The directory doesn’t seem to contain anything other than a single dot. I can’t see the uploaded file either.

/backup/


Directory indexing is enabled on the /backup/ directory. It contains an archive, backup.tar.

backup.tar


┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ wget http://10.10.10.146/backup/backup.tar                                           
--2023-01-27 16:29:49--  http://10.10.10.146/backup/backup.tar
Connecting to 10.10.10.146:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10240 (10K) [application/x-tar]
Saving to: ‘backup.tar’
 
backup.tar                        100%[=============================================================>]  10.00K  --.-KB/s    in 0s      
 
2023-01-27 16:29:49 (207 MB/s) - ‘backup.tar’ saved [10240/10240]

I downloaded the archive.

┌──(kali㉿kali)-[~/archive/htb/labs/networked]
└─$ tar -xvf backup.tar 
index.php
lib.php
photos.php
upload.php

Upon extraction, 4 files are revealed. I'd assume the archive is a backup of the web server's files.

This lets me review the source code of these PHP files.
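An archive pulled from a target should be inspected before it is unpacked, since a tar member with an absolute path or a ".." component can write outside the extraction directory. The script below is an added example, not part of this write-up: it lists the members, refuses any unsafe path, and only then extracts into a fresh directory. It builds a constructed sample archive offline (assumes GNU or BSD tar and mktemp are available).

```shell
#!/bin/sh
# Added example: inspect a downloaded tar before extracting it.
set -eu

# Return 0 if every member is a plain relative path; print offenders and
# return 1 if any member starts with "/" or contains a ".." component.
check_tar_members() {
    unsafe="$(tar -tf "$1" | grep -E '^/|(^|/)\.\.(/|$)' || true)"
    if [ -n "$unsafe" ]; then
        printf 'unsafe member(s):\n%s\n' "$unsafe" >&2
        return 1
    fi
    return 0
}

# Extract into a dedicated directory only after the member check passes.
extract_backup() {
    archive="$1"
    dest="$2"
    check_tar_members "$archive" || return 1
    mkdir -p "$dest"
    tar -xf "$archive" -C "$dest"
}

# Constructed sample resembling backup.tar: four stub PHP files. Prints the
# archive path on stdout.
make_sample_archive() {
    work="$(mktemp -d)"
    for f in index.php lib.php photos.php upload.php; do
        printf '<?php\n' > "$work/$f"
    done
    ( cd "$work" && tar -cf sample.tar index.php lib.php photos.php upload.php )
    echo "$work/sample.tar"
}

# Constructed negative case: -P keeps the absolute path of the member, which
# is exactly what check_tar_members must reject.
make_unsafe_archive() {
    work="$(mktemp -d)"
    printf '<?php\n' > "$work/index.php"
    tar -Pcf "$work/evil.tar" "$work/index.php"
    echo "$work/evil.tar"
}
```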