Web
Nmap discovered a Web server on the target port 80
The running service is nginx 1.18.0
┌──(kali㉿kali)-[~/archive/htb/labs/soccer]
└─$ curl http://$IP/ -I
HTTP/1.1 301 Moved Permanently
server: nginx/1.18.0 (Ubuntu)
date: Mon, 18 Dec 2023 15:22:30 GMT
content-type: text/html
content-length: 178
connection: keep-alive
location: http://soccer.htb/
Webroot points to a domain; soccer.htb
The domain has been appended to the /etc/hosts file on Kali for local DNS resolution
Webroot of soccer.htb
It appears to be a blog about a soccer club
Wappalyzer identified technologies involved
There’s nothing loaded according to Burp Suite’s passive crawler
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/soccer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 200 -u
________________________________________________
:: Method : GET
:: URL : http://soccer.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 6917, Words: 2196, Lines: 148, Duration: 131ms]
tiny [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 95ms]
:: Progress: [661644/661644] :: Job [1/1] :: 1715 req/sec :: Duration: [0:05:24] :: Errors: 0 ::
Found a single directory; /tiny/
The /tiny/ directory hosts Tiny File Manager
Tiny File Manager
Tiny File Manager is a single-PHP-file web application
Checking the source code reveals that it indeed runs off a single PHP file;
tinyfilemanager.php
Additionally, the project doesn't appear to have been maintained for at least a year, as the latest version was released in the last quarter of 2022
It is therefore quite possible that it contains several vulnerabilities
Default Credentials
The official documentation provides step-by-step guides on configuring the web application, including default credentials;
admin:admin@123
user:12345
The target instance must have been configured with the default settings, as the default admin credentials worked;
admin:admin@123
While the GUI looks rather nice, it contains several key pieces of information;
- Version information; 2.4.3
- An uploaded filesystem that resembles the soccer club web app running in the Webroot directory
- It's highly possible that the whole web root directory (/var/www/html) is loaded in
Vulnerability
The source code of the tinyfilemanager.php file also reveals the version information; 2.4.3
Looking it up online shows that the target instance suffers from many vulnerabilities, one of which is a remote code execution; [[Soccer_CVE-2021-45010|CVE-2021-45010]] (https://nvd.nist.gov/vuln/detail/CVE-2021-45010)
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/archive/htb/labs/soccer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -t 800 -u http://$IP/ -H 'Host: FUZZ.soccer.htb' -fc 301
________________________________________________
:: Method : GET
:: URL : http://10.10.11.194/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.soccer.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 800
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 301
________________________________________________
:: Progress: [114442/114442] :: Job [1/1] :: 4711 req/sec :: Duration: [0:00:22] :: Errors: 0 ::
Nothing found
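From the defender's side, both ffuf runs above (the directory fuzz at 1715 req/sec and the Host-header sweep) leave a very recognisable pattern in the nginx access log. The script below is an added example, not part of the writeup or of the box; it assumes a custom nginx log_format that appends $host to each line, and the log lines it analyses are constructed to resemble those two runs.

```python
import re
from collections import defaultdict

# Assumed nginx log_format (not the box's own config):
#   '$remote_addr - [$time_local] "$request" $status $body_bytes_sent "$host"'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<host>[^"]*)"$'
)
# Host values this server is meant to answer for; anything else is a vhost probe
KNOWN_HOSTS = {"soccer.htb", "10.10.11.194"}


def analyze(lines, min_requests=20, miss_ratio=0.8):
    """Return {ip: findings} for clients that behave like a wordlist scanner.

    dir_bruteforce: at least min_requests distinct paths, mostly answered 404
    unknown_hosts: Host headers matching no configured vhost (vhost fuzzing)
    """
    stats = defaultdict(lambda: {"total": 0, "misses": 0, "paths": set(), "hosts": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:  # unparseable line: skip it rather than abort the whole scan
            continue
        s = stats[m["ip"]]
        s["total"] += 1
        s["paths"].add(m["path"])
        if m["status"] == "404":
            s["misses"] += 1
        if m["host"] not in KNOWN_HOSTS:
            s["hosts"].add(m["host"])
    findings = {}
    for ip, s in stats.items():
        dir_bf = (s["total"] >= min_requests and len(s["paths"]) >= min_requests
                  and s["misses"] / s["total"] >= miss_ratio)
        if dir_bf or s["hosts"]:
            findings[ip] = {"dir_bruteforce": dir_bf, "unknown_hosts": sorted(s["hosts"])}
    return findings


def constructed_log():
    """Constructed sample: one ffuf-like client plus one ordinary visitor."""
    fmt = '{ip} - [18/Dec/2023:15:30:{s:02d} +0000] "GET {path} HTTP/1.1" {st} 178 "{host}"'
    lines = [fmt.format(ip="10.10.14.5", s=i % 60, path=f"/w{i}", st=404, host="soccer.htb")
             for i in range(40)]                      # directory wordlist: 40 misses
    lines += [fmt.format(ip="10.10.14.5", s=i, path="/", st=301, host=f"{w}.soccer.htb")
              for i, w in enumerate(("dev", "mail", "test"))]  # Host-header sweep
    lines += [fmt.format(ip="192.168.1.20", s=i, path=p, st=200, host="soccer.htb")
              for i, p in enumerate(("/", "/index.html", "/tiny/"))]  # normal browsing
    return lines
```

Run against a real log, the threshold and ratio should be tuned per site, since a broken internal link farm can also produce bursts of 404s from one client.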