Web


Nmap discovered a web server on the target's port 80.

Webroot at /home. The site claims to be a company, velik71, organizing cycling races.

Wappalyzer identified the technologies involved. The backend is PHP.

The HOW TO PARTICIPATE button leads to an endpoint: /how-to-participate

It suggests filling in and sending a contact form, which reveals a domain.

The domain has been appended to the /etc/hosts file for local name resolution.

/contact.php


The /contact.php page indeed contains a form to submit.

SSRF


Submitting the form makes a POST request to contact.php.

┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ simplehttp . 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Starting a local “webserver” on Kali

SSRF confirmed.
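As an added, defender-side example (not from the original notes): the kind of check a handler like contact.php should run on a user-supplied URL before the server fetches it, written in Python. The resolver table, the hostnames in it and the function names are constructed for the example; 1.2.3.4 merely stands in for an ordinary public address.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table so the check runs offline; a real handler passes
# system_resolve below instead. 1.2.3.4 stands in for an ordinary public address.
FAKE_DNS = {
    "velik71.example": ["1.2.3.4"],
    "metadata.internal": ["169.254.169.254"],      # link-local, cloud-metadata style
    "rebind.example": ["1.2.3.4", "127.0.0.1"],    # mixed answers: one public, one loopback
}

def fake_resolve(host):
    return FAKE_DNS.get(host, [])

def system_resolve(host):
    """Resolve with the OS resolver, returning every IPv4/IPv6 answer."""
    return [ai[4][0] for ai in socket.getaddrinfo(host, None)]

def check_fetch_url(url, resolve=system_resolve):
    """Return (allowed, detail). Only http(s) to a public address passes.

    The caller must connect to the returned address rather than re-resolving the
    name, and must rerun this check on every redirect; otherwise DNS rebinding or
    a redirect to an internal host bypasses it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname or parts.username or parts.password:
        return False, "missing host or credentials in URL"
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]       # literal address
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addrs:
        return False, "host does not resolve"
    bad = [str(a) for a in addrs if not a.is_global]  # loopback, RFC 1918, link-local, ...
    if bad:
        return False, f"non-public address(es): {', '.join(bad)}"
    return True, str(addrs[0])
```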

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://$IP/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.28/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 91ms]
plugins                 [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 22ms]
messages                [Status: 301, Size: 236, Words: 14, Lines: 8, Duration: 37ms]
404                     [Status: 200, Size: 3361, Words: 530, Lines: 85, Duration: 36ms]
home                    [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 3663ms]
data                    [Status: 301, Size: 232, Words: 14, Lines: 8, Duration: 6841ms]
themes                  [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 5907ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 176 req/sec :: Duration: [0:18:08] :: Errors: 1 ::

ffuf found 3 interesting directories: /plugins, /messages, and /themes

/plugins


403

Fuzzing /plugins/


┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://$IP/plugins/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.28/plugins/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
home                    [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 33ms]
404                     [Status: 200, Size: 3361, Words: 530, Lines: 85, Duration: 50ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 669 req/sec :: Duration: [0:01:01] :: Errors: 17 ::

Nothing found, but the home and 404 hits (same size and word count as the root page) suggest a rewrite rule routing unknown paths to /home.

/messages


403

Fuzzing /messages/


┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://$IP/messages/FUZZ -ic 
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.28/messages/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
404                     [Status: 200, Size: 3361, Words: 530, Lines: 85, Duration: 38ms]
home                    [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 4265ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 669 req/sec :: Duration: [0:01:01] :: Errors: 17 ::

Nothing found, but the same home and 404 hits appear again, consistent with a rewrite rule routing unknown paths to /home.
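Added example, not part of the original notes: a small Python triage of ffuf's text output that fingerprints each hit by status, size, words and lines and flags entries that merely echo the catch-all root page, which is what the repeated home hits under /plugins and /messages are; it also derives the word-count filter value, the same idea as the -fw 582 used for the vhost scan. The sample lines are constructed from the output above; the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ffuf output above (not a live capture).
FFUF_OUTPUT = """\
                        [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 91ms]
plugins                 [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 22ms]
messages                [Status: 301, Size: 236, Words: 14, Lines: 8, Duration: 37ms]
404                     [Status: 200, Size: 3361, Words: 530, Lines: 85, Duration: 36ms]
home                    [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 3663ms]
themes                  [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 5907ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 176 req/sec :: Duration: [0:18:08] :: Errors: 1 ::
"""

# One result line: "<path>   [Status: N, Size: N, Words: N, Lines: N, Duration: Nms]"
LINE_RE = re.compile(
    r"^(?P<path>\S*)\s*\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+), Duration: \d+ms\]"
)

def parse_ffuf(text):
    """Parse ffuf's default text output; banner and progress lines are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hits.append({k: (v if k == "path" else int(v)) for k, v in m.groupdict().items()})
    return hits

def fingerprint(hit):
    """Status, size, words and lines identify a response body well enough for triage."""
    return (hit["status"], hit["size"], hit["words"], hit["lines"])

def triage(hits, baseline_path=""):
    """Split hits into genuine paths and echoes of the catch-all page (the empty-path hit)."""
    by_fp = defaultdict(list)
    for h in hits:
        by_fp[fingerprint(h)].append(h["path"])
    base = next(h for h in hits if h["path"] == baseline_path)
    echoes = set(by_fp[fingerprint(base)]) - {baseline_path}
    genuine = {h["path"] for h in hits} - echoes - {baseline_path}
    return sorted(genuine), sorted(echoes)

def suggested_filter(hits, baseline_path=""):
    """ffuf word-count filter that hides the catch-all page (the -fw value)."""
    base = next(h for h in hits if h["path"] == baseline_path)
    return f"-fw {base['words']}"
```

ffuf's -ac option performs this calibration automatically; the scans above ran with it off.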

/themes


403

Fuzzing /themes/


┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://$IP/themes/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.28/themes/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
home                    [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 864ms]
404                     [Status: 200, Size: 3361, Words: 530, Lines: 85, Duration: 47ms]
bike                    [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 102ms]
pmp                     [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 614ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 669 req/sec :: Duration: [0:01:01] :: Errors: 17 ::

ffuf found a sub-directory: /bike

/themes/bike


403

Fuzzing /themes/bike/


┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://$IP/themes/bike/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.28/themes/bike/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
version                 [Status: 200, Size: 6, Words: 1, Lines: 2, Duration: 70ms]
css                     [Status: 301, Size: 243, Words: 14, Lines: 8, Duration: 42ms]
summary                 [Status: 200, Size: 66, Words: 9, Lines: 2, Duration: 32ms]
404                     [Status: 200, Size: 3361, Words: 530, Lines: 85, Duration: 66ms]
LICENSE                 [Status: 200, Size: 1067, Words: 152, Lines: 22, Duration: 42ms]
img                     [Status: 301, Size: 243, Words: 14, Lines: 8, Duration: 5023ms]
home                    [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 5030ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 171 req/sec :: Duration: [0:20:07] :: Errors: 96 ::

ffuf returned a few interesting files:

  • version
  • summary
  • LICENSE

version

3.2.0

summary

LICENSE

The /themes/bike/LICENSE file reveals the developer.

Vulnerability

Looking further online reveals a CMS: WonderCMS.

WonderCMS appears to suffer from an RCE vulnerability: [[Sea_CVE-2023-41425|CVE-2023-41425]] (https://nvd.nist.gov/vuln/detail/CVE-2023-41425)

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.sea.htb' -ic -mc all -fw 582
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.28/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.sea.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response words: 582
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 203 req/sec :: Duration: [0:04:19] :: Errors: 0 ::

Nothing found.