Web
Nmap discovered a Web server on the target port 80
The running service is Apache httpd 2.4.41 ((Ubuntu))
Webroot
It appears to be providing a web hosting service
The passive crawler from Burp Suite found a file; month. This turned out to be a false positive.
Statement
The NEWS button and the "notification" lead to a domain; megahosting.htb
The domain has been appended to the /etc/hosts file on Kali for local DNS resolution.
The NEWS page contains a statement mentioning a data breach and a tool having been removed.
Another interesting thing is that this statement is fetched using a parameter; file. This may suggest a potential directory traversal or LFI vulnerability.
LFI
LFI confirmed for the file parameter of the /news.php file.
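From the defender's side, the same finding is a detection problem: every request to news.php carries a file parameter, and the only value the application legitimately loads is statement. The following is an added example, not code from the original writeup; it assumes Apache combined-log format and uses constructed sample lines (the client address, timestamps and sizes are made up), flagging news.php requests whose file value is a parent-directory traversal, an absolute path, or simply not on the allowlist.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined-log format (not logs from the target).
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 6507 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?file=../../../../etc/hosts HTTP/1.1" 200 310 "-" "curl/7.88"
10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?file=..%252f..%252fetc%252fhosts HTTP/1.1" 200 310 "-" "curl/7.88"
10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /news.php?file=/var/www/html/index.php HTTP/1.1" 200 14175 "-" "curl/7.88"
10.10.14.5 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 14175 "-" "Mozilla/5.0"
"""

# client ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
# The only value news.php legitimately loads (per the writeup); anything else is worth a look.
ALLOWED_FILES = {"statement"}

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (..%252f) is still caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_file_param(raw: str) -> list[str]:
    """Return the reasons a news.php file= value looks like a traversal/LFI probe."""
    value = decode_fully(raw)
    reasons = []
    if ".." in value.replace("\\", "/").split("/"):
        reasons.append("parent-directory traversal")
    if value.startswith("/"):
        reasons.append("absolute path")
    if not reasons and value not in ALLOWED_FILES:
        reasons.append("value outside allowlist")
    return reasons

def find_lfi_probes(log_text: str) -> list[dict]:
    """Parse each line and flag news.php requests whose file= parameter is suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        parts = urlsplit(m["target"]) if m else None
        if parts is None or parts.path != "/news.php":
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("file", []):
            reasons = classify_file_param(raw)
            if reasons:
                hits.append({"ip": m["ip"], "status": int(m["status"]), "file": raw, "reasons": reasons})
    return hits
```

A 200 status on a flagged request is the signal that matters: the include succeeded, so the response size alongside it tells you which file was actually served.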
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ -ic -e .txt
________________________________________________
:: Method : GET
:: URL : http://10.10.10.194/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Extensions : .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 14175, Words: 2135, Lines: 374, Duration: 100ms]
* FUZZ:
[Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 169ms]
* FUZZ: files
[Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 95ms]
* FUZZ: assets
[Status: 200, Size: 14175, Words: 2135, Lines: 374, Duration: 95ms]
* FUZZ:
[Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 108ms]
* FUZZ: server-status
:: Progress: [415260/415260] :: Job [1/1] :: 416 req/sec :: Duration: [0:18:01] :: Errors: 0 ::
ffuf found a directory; files
/files/
Direct access to /files/ returns 403.
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/files/FUZZ -ic -e .txt,.php
________________________________________________
:: Method : GET
:: URL : http://10.10.10.194/files/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Extensions : .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 95ms]
* FUZZ: archive
[Status: 200, Size: 6507, Words: 1812, Lines: 151, Duration: 96ms]
* FUZZ: statement
:: Progress: [622890/622890] :: Job [1/1] :: 408 req/sec :: Duration: [0:26:30] :: Errors: 0 ::
ffuf found a file and a directory;
/statement - This might be the statement file loaded to the file parameter of the news.php file earlier.
/archive/
/files/statement
The /files/statement file is indeed the source of the statement loaded to the file parameter of the news.php file earlier.
/archive/
Direct access to /files/archive/ returns 403.
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-lowercase-2.3-medium.txt -u http://$IP/files/archive/FUZZ -ic -e .txt,.php
________________________________________________
:: Method : GET
:: URL : http://10.10.10.194/files/archive/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Extensions : .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
:: Progress: [622890/622890] :: Job [1/1] :: 319 req/sec :: Duration: [0:26:30] :: Errors: 0 ::
Nothing found
Parameter Busting
┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt -u http://megahosting.htb/news.php?file=FUZZ -ic -fw 1
________________________________________________
:: Method : GET
:: URL : http://megahosting.htb/news.php?file=FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response words: 1
________________________________________________
[Status: 200, Size: 6507, Words: 1812, Lines: 151, Duration: 98ms]
* FUZZ: statement
:: Progress: [107982/107982] :: Job [1/1] :: 373 req/sec :: Duration: [0:04:48] :: Errors: 0 ::
No file other than statement was found for the file parameter of the /news.php file.
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/archive/htb/labs/tabby]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.megahosting.htb' -fs 14175
________________________________________________
:: Method : GET
:: URL : http://10.10.10.194/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.megahosting.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 14175
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 386 req/sec :: Duration: [0:04:53] :: Errors: 0 ::
Nothing found