Web
Nmap discovered a web server on the target's port 80
The running service is nginx 1.18.0
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ curl -i http://$IP/
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 03 Aug 2024 19:13:54 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://itrc.ssg.htb/
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
Sending a GET request to the web root returns a 302 redirect to a domain: http://itrc.ssg.htb/
The /etc/hosts file on Kali has been updated for local DNS resolution
Webroot
Wappalyzer identified technologies involved
The backend appears to be PHP
Register
Registration is made via a POST request to an API endpoint at /api/register.php
Login
Login successful.
Redirected to the Dashboard page
Dashboard
The Dashboard page supports a ticketing system
create_ticket
It sends a GET request to the endpoint /index.php?page=create_ticket
Creating a ticket also features a file upload function
As the upload accepts ZIP archives only, it is safe to assume that there is likely an unarchiving operation in the backend, potentially via a script
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ zip test.zip test.jpg
adding: test.jpg (deflated 4%)
I will create a legitimate zip file and upload it
A POST request is made to the API endpoint at /api/create_ticket.php
Ticket
A ticket is created and assigned an id of 63 with the open state
Clicking into it shows the status of the ticket
It would also appear that the uploaded files are renamed (SHA1 hash) and saved under the /uploads directory
Attempting OS command injection
The returned error message indicates that the unarchiving operation is conducted by PHP's ZipArchive::open() function in the savefile.inc.php file
Checking the uploaded file reveals an interesting saved format
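The upload flow inferred above (accept a ZIP, open it with ZipArchive, store the entries under /uploads renamed to a SHA1) is the kind of code that tends to go wrong on entry names and sizes. The following is an added example of a hardened version of that flow, written here for illustration and not taken from the ITRC application's savefile.inc.php; the function name, the constants, the extension allowlist and the choice to keep an allowlisted extension after the SHA1 are all assumptions.

```php
<?php
// Added example, not the application's own savefile.inc.php.
// Hardened "validate ZIP, then store entries as <sha1>.<ext>" flow.
// Names, limits and the extension allowlist are illustrative assumptions.

declare(strict_types=1);

const MAX_ENTRIES        = 20;               // files per archive
const MAX_ENTRY_BYTES    = 5 * 1024 * 1024;  // one uncompressed entry
const MAX_TOTAL_BYTES    = 20 * 1024 * 1024; // whole archive, uncompressed
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'pdf', 'txt'];

/**
 * Validate an uploaded ZIP and write its entries into $uploadsDir, each named
 * by the SHA1 of its content. Returns the stored paths. Throws on any policy
 * violation, and nothing is written to disk in that case (two-pass design).
 */
function storeTicketArchive(string $tmpZipPath, string $uploadsDir): array
{
    // Trust the bytes, not the client-supplied file name or MIME type.
    $magic = file_get_contents($tmpZipPath, false, null, 0, 4);
    if ($magic !== "PK\x03\x04") {
        throw new RuntimeException('upload is not a ZIP archive');
    }

    $zip = new ZipArchive();
    if ($zip->open($tmpZipPath, ZipArchive::RDONLY) !== true) {
        throw new RuntimeException('archive could not be opened');
    }
    if ($zip->numFiles > MAX_ENTRIES) {
        $zip->close();
        throw new RuntimeException('too many entries');
    }

    // Pass 1: validate every entry before extracting any of them.
    $total   = 0;
    $entries = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $st   = $zip->statIndex($i);
        $name = $st['name'];

        // Only flat, plain file names: no directories, separators of either
        // kind, absolute paths, ".." components or leading dots.
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]*$/', $name) || $name === '..') {
            $zip->close();
            throw new RuntimeException("rejected entry name: $name");
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            $zip->close();
            throw new RuntimeException("disallowed extension: $name");
        }
        // Sizes here come from the central directory; they are enforced
        // again while reading in pass 2 so a lying header cannot bypass them.
        $total += $st['size'];
        if ($st['size'] > MAX_ENTRY_BYTES || $total > MAX_TOTAL_BYTES) {
            $zip->close();
            throw new RuntimeException('archive exceeds size limits');
        }
        $entries[] = [$name, $ext];
    }

    // Pass 2: read each entry with a hard byte cap and write it under a
    // content-derived name; the original entry name never reaches the disk.
    $stored = [];
    foreach ($entries as [$name, $ext]) {
        $data = $zip->getFromName($name, MAX_ENTRY_BYTES + 1);
        if ($data === false || strlen($data) > MAX_ENTRY_BYTES) {
            $zip->close();
            throw new RuntimeException("could not read entry within limits: $name");
        }
        $dest = rtrim($uploadsDir, '/') . '/' . sha1($data) . '.' . $ext;
        if (file_put_contents($dest, $data, LOCK_EX) === false) {
            $zip->close();
            throw new RuntimeException("could not write $dest");
        }
        $stored[] = $dest;
    }
    $zip->close();
    return $stored;
}

// Usage (assumed call site in the create_ticket handler):
// $paths = storeTicketArchive($_FILES['attachment']['tmp_name'], __DIR__ . '/uploads');
```

The two passes matter: validating every entry name and size before writing anything means a single bad entry cannot leave partially extracted files behind. Renaming to a content hash removes the attacker-controlled name from the filesystem entirely, and the web server should additionally serve the uploads directory with script execution disabled so that a stored file can only ever be downloaded, never run.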
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://itrc.ssg.htb/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://itrc.ssg.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
uploads [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 775ms]
assets [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 1013ms]
api [Status: 301, Size: 310, Words: 20, Lines: 10, Duration: 702ms]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 1961ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 308 req/sec :: Duration: [0:36:34] :: Errors: 199 ::
ffuf only found already-known endpoints
Fuzzing /index.php?page=
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://itrc.ssg.htb/index.php?page=FUZZ -ic -fs 3120
________________________________________________
:: Method : GET
:: URL : http://itrc.ssg.htb/index.php?page=FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 3120
________________________________________________
admin [Status: 200, Size: 1331, Words: 136, Lines: 26, Duration: 1667ms]
dashboard [Status: 200, Size: 1331, Words: 136, Lines: 26, Duration: 2102ms]
db [Status: 200, Size: 2276, Words: 158, Lines: 35, Duration: 5679ms]
index [Status: 200, Size: 2276, Words: 158, Lines: 35, Duration: 1885ms]
login [Status: 200, Size: 2709, Words: 239, Lines: 44, Duration: 2777ms]
logout [Status: 200, Size: 2627, Words: 196, Lines: 39, Duration: 2411ms]
register [Status: 200, Size: 2842, Words: 255, Lines: 45, Duration: 2881ms]
ticket [Status: 200, Size: 1331, Words: 136, Lines: 26, Duration: 2239ms]
:: Progress: [20476/20476] :: Job [1/1] :: 48 req/sec :: Duration: [0:04:22] :: Errors: 178 ::
admin
db
index
/index.php?page=admin
The /index.php?page=admin endpoint appears to be an admin panel, but I am able to access it using the created credential
There are also 5 existing tickets that are closed
I cannot view those tickets as it redirects me to my Dashboard
Check Server UP
Received a single ICMP packet
Provision AD User
Provision User SSH
While the feature is disabled, there is a mention of a potential admin user; zzinter
/index.php?page=db
The /index.php?page=db endpoint is empty
LFI at index.php?page
The page parameter appears to use file inclusion, but there appears to be a suffix (.php) appended in the backend
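The observation that the page parameter is included with a .php suffix appended describes a common vulnerable pattern: the suffix only constrains the extension of the included file, not the directory it is loaded from. The following added example, written for illustration and not taken from the ITRC application's index.php, shows that shape beside a hardened one that maps the parameter through a fixed allowlist (built from the page names ffuf returned above) and adds the authorization check that the accessible admin panel is missing. The file layout, function names and the role parameter are assumptions.

```php
<?php
// Added example, not the application's own index.php.
// The vulnerable inclusion shape beside a hardened allowlisted version.
// Directory layout, function names and the role check are assumptions.

declare(strict_types=1);

// --- Vulnerable shape (for contrast only) ---
// Appending ".php" limits which extension the included file has, but the
// path is still assembled from user input, so the directory is unconstrained.
function includePageUnsafe(string $page): void
{
    include $page . '.php';
}

// --- Hardened shape ---
// Page names discovered on the site, used as a closed allowlist.
const PAGES       = ['index', 'login', 'register', 'logout', 'dashboard',
                     'ticket', 'db', 'admin'];
// Pages that additionally require the admin role (assumed split).
const ADMIN_PAGES = ['admin', 'db'];

/** Map the raw parameter to an allowlisted page name, defaulting to index. */
function resolvePage(?string $page): string
{
    if ($page === null || !in_array($page, PAGES, true)) {
        return 'index';
    }
    return $page;
}

/**
 * Include the page for $page, or respond 403/404. User input never becomes
 * part of a filesystem path; only the allowlisted constant does.
 */
function includePageSafe(?string $page, bool $isAdmin, string $pagesDir = __DIR__ . '/pages'): void
{
    $name = resolvePage($page);

    // Authorization is separate from inclusion: an allowlist alone would
    // still let every logged-in user reach the admin panel.
    if (in_array($name, ADMIN_PAGES, true) && !$isAdmin) {
        http_response_code(403);
        return;
    }

    // Defence in depth: confirm the resolved file really sits inside the
    // pages directory before including it, even though the allowlist
    // already guarantees that.
    $base = realpath($pagesDir);
    $real = realpath($pagesDir . '/' . $name . '.php');
    if ($base === false || $real === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    include $real;
}

// Usage from index.php (session handling assumed to exist elsewhere):
// includePageSafe($_GET['page'] ?? null, ($_SESSION['role'] ?? '') === 'admin');
```

The allowlist is the actual fix; the realpath check is a belt-and-braces guard that catches a future edit adding a page name containing a separator. Keeping the role check in the same function makes it hard to add a privileged page without deciding who may see it.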
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.ssg.htb' -ic -mc all -fs 154
________________________________________________
:: Method : GET
:: URL : http://10.10.11.27/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.ssg.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 154
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 141 req/sec :: Duration: [0:06:42] :: Errors: 2 ::
ffuf found none