Web
Nmap discovered a web server on port 80 of the 192.168.207.219 host. The running service is Apache httpd 2.2.22 (Debian).
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2025 17:30:21 GMT
Server: Apache/2.2.22 (Debian)
Allow: GET,HEAD,POST,OPTIONS
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2025 17:30:23 GMT
Server: Apache/2.2.22 (Debian)
Last-Modified: Mon, 15 Mar 2021 13:36:18 GMT
ETag: "36f3-2ee-5bd9355a0d880"
Accept-Ranges: bytes
Content-Length: 750
Vary: Accept-Encoding
Content-Type: text/html
X-Pad: avoid browser bug
The OPTIONS response advertises only GET, HEAD, POST and OPTIONS, so there is no PUT or WebDAV surface to abuse on the root; the Server header confirms the Apache 2.2.22 banner Nmap reported.
Webroot
A comment in the page source mentions vvmlist.github.io.
/robots.txt
The initial Nmap scan revealed the presence of the /robots.txt file. It discloses the /textpattern/textpattern endpoint and mentions the .zip extension, which is worth adding to any directory brute-force.
/textpattern/textpattern Endpoint
There is a login page at the /textpattern/textpattern endpoint. This is a Textpattern CMS instance.
Textpattern is a free and open-source content management system (CMS) for PHP and MySQL. It was originally developed by Dean Allen and is now developed by Team Textpattern. While it is typically listed among weblogging tools, its aim is to be a general-purpose content management system. The current stable version is Textpattern 4.8.8.
The source code is publicly available for review.
Version Information
The version is disclosed in the /textpattern/README.txt file: Textpattern CMS 4.8.3.
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ searchsploit Textpattern CMS 4.8.3
------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------ ---------------------------------
TextPattern CMS 4.8.3 - Remote Code Execution (Authenticated) | php/webapps/48943.py
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
Textpattern CMS 4.8.3 suffers from an authenticated RCE vulnerability (EDB-ID 48943), so valid credentials are required before it can be exploited.
Authentication
A credential was recovered from the password-protected ZIP file found during fuzzing (see below): mayer:lionheart. It authenticates successfully to the Textpattern login page.
File Upload
Once authenticated, the Textpattern CMS exposes a file upload function. Moving on to the exploitation phase.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php,.zip
________________________________________________
:: Method : GET
:: URL : http://192.168.207.219/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php .zip
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess.html [Status: 403, Size: 297, Words: 21, Lines: 11, Duration: 20ms]
.htaccess.zip [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 19ms]
.htaccess.php [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 19ms]
.htaccess [Status: 403, Size: 292, Words: 21, Lines: 11, Duration: 20ms]
.htaccess.txt [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 20ms]
.htpasswd.html [Status: 403, Size: 297, Words: 21, Lines: 11, Duration: 19ms]
.htpasswd [Status: 403, Size: 292, Words: 21, Lines: 11, Duration: 19ms]
.htpasswd.txt [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 19ms]
.htpasswd.php [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 21ms]
.htpasswd.zip [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 20ms]
cgi-bin/ [Status: 403, Size: 291, Words: 21, Lines: 11, Duration: 20ms]
cgi-bin/.html [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 21ms]
cgi-bin/.php [Status: 403, Size: 295, Words: 21, Lines: 11, Duration: 20ms]
db [Status: 200, Size: 53656, Words: 196, Lines: 212, Duration: 19ms]
index [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 29ms]
index.html [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 30ms]
robots [Status: 200, Size: 110, Words: 11, Lines: 6, Duration: 19ms]
robots.txt [Status: 200, Size: 110, Words: 11, Lines: 6, Duration: 21ms]
robots.txt [Status: 200, Size: 110, Words: 11, Lines: 6, Duration: 21ms]
server-status [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 20ms]
textpattern [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [102390/102390] :: Job [1/1] :: 1960 req/sec :: Duration: [0:00:58] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.207.219/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 22ms]
icons [Status: 403, Size: 289, Words: 21, Lines: 11, Duration: 21ms]
cgi-bin [Status: 403, Size: 291, Words: 21, Lines: 11, Duration: 2197ms]
server-status [Status: 403, Size: 297, Words: 21, Lines: 11, Duration: 22ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1941 req/sec :: Duration: [0:01:54] :: Errors: 0 ::
No new directories were found beyond the /textpattern/ endpoint.
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ -ic -e .zip
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://192.168.207.219/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Extensions : .zip
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index [Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 27ms]
[Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 1732ms]
db [Status: 200, Size: 53656, Words: 196, Lines: 212, Duration: 20ms]
robots [Status: 200, Size: 110, Words: 11, Lines: 6, Duration: 20ms]
spammer.zip [Status: 200, Size: 179, Words: 3, Lines: 2, Duration: 21ms]
spammer [Status: 200, Size: 179, Words: 3, Lines: 2, Duration: 21ms]
[Status: 200, Size: 750, Words: 44, Lines: 76, Duration: 20ms]
server-status [Status: 403, Size: 296, Words: 21, Lines: 11, Duration: 22ms]
:: Progress: [415260/415260] :: Job [1/1] :: 1923 req/sec :: Duration: [0:03:43] :: Errors: 0 ::
Found the ZIP file that robots.txt hinted at: spammer.zip.
spammer.zip
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ curl -s http://$IP/spammer.zip -o ./spammer.zip
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ unzip spammer.zip
Archive: spammer.zip
[spammer.zip] creds.txt password:
The spammer.zip file is password-protected.
Password Cracking
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ zip2john ./spammer.zip > ./spammer.zip.hash
ver 2.0 spammer.zip/creds.txt PKZIP Encr: cmplen=27, decmplen=15, crc=B003611D ts=ADCB cs=b003 type=0
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ john ./spammer.zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 12 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
myspace4 (spammer.zip/creds.txt)
1g 0:00:00:00 DONE 2/3 (2025-07-02 20:15) 20.00g/s 2039Kp/s 2039Kc/s 2039KC/s MINNIE..ship4
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
The ZIP password is cracked: myspace4.
Extraction
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ unzip spammer.zip
Archive: spammer.zip
[spammer.zip] creds.txt password: myspace4
extracting: creds.txt
Extracting the creds.txt file with the recovered password.
creds.txt
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/driftingblues6]
└─$ cat creds.txt
mayer:lionheart
The file contains the credential mayer:lionheart. Validating it against the Textpattern login at /textpattern/textpattern.
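The reason john finished in under a second is the scheme zip2john labelled "PKZIP Encr": legacy ZipCrypto, where a 12-byte encryption header lets a wrong password be rejected after decrypting only those 12 bytes. The Python below is an added example for this write-up, not code from the original page, from john or from zip2john. It builds a constructed, ZipCrypto-protected STORED archive in memory (the sample content, password, wordlist, zero "salt" bytes and fixed DOS timestamp are all assumptions standing in for spammer.zip and john's wordlist), then recovers the password the way john does: check-byte reject first, full decrypt plus CRC-32 confirmation only for survivors.

```python
"""ZipCrypto (legacy PKZIP encryption) and a dictionary attack against it.
Added example; not the page's, john's or zip2john's code. Sample data is constructed."""
import io
import struct
import zipfile
import zlib

# Standard CRC-32 table (polynomial 0xEDB88320); ZipCrypto's key schedule reuses it.
_CRCTAB = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRCTAB.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return _CRCTAB[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """Traditional PKZIP stream cipher: three 32-bit keys advanced by each plaintext byte."""

    def __init__(self, pwd: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in pwd:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = self.k2 | 2
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)  # keys advance on the plaintext byte, not the ciphertext
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def build_encrypted_zip(name: bytes, plain: bytes, pwd: bytes, salt: bytes = b"\x00" * 11) -> bytes:
    """One STORED entry protected with ZipCrypto; returns the whole .zip as bytes."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    # 12-byte encryption header: 11 arbitrary bytes plus the CRC's high byte (the check byte).
    body = ZipCrypto(pwd).encrypt(salt + bytes([(crc >> 24) & 0xFF]) + plain)
    flags, method = 1, zipfile.ZIP_STORED  # bit 0 = encrypted; no data descriptor
    dostime, dosdate = 27785, 21103        # assumed timestamp: 13:36:18 on 2021-03-15
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dostime, dosdate,
                        crc, len(body), len(plain), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dostime,
                          dosdate, crc, len(body), len(plain), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def crack(blob: bytes, wordlist) -> tuple:
    """Dictionary attack. Returns (password or None, number of full CRC checks performed)."""
    zf = zipfile.ZipFile(io.BytesIO(blob))
    info = zf.infolist()[0]
    # The raw 12-byte encryption header sits right after the local file header and name.
    fnlen, exlen = struct.unpack_from("<HH", blob, info.header_offset + 26)
    start = info.header_offset + 30 + fnlen + exlen
    enc_header = blob[start:start + 12]
    check_byte = (info.CRC >> 24) & 0xFF
    full_checks = 0
    for cand in wordlist:
        # Fast reject: decrypting 12 bytes is enough to test the check byte. A wrong password
        # survives with probability 1/256, which is why john reports millions of c/s for PKZIP.
        if ZipCrypto(cand).decrypt(enc_header)[-1] != check_byte:
            continue
        full_checks += 1
        try:  # survivors get the full decrypt; the stdlib reader verifies the CRC-32
            zf.open(info, pwd=cand).read()
            return cand, full_checks
        except (RuntimeError, zipfile.BadZipFile):
            continue
    return None, full_checks


def decrypt_with_stdlib(blob: bytes, pwd: bytes) -> bytes:
    zf = zipfile.ZipFile(io.BytesIO(blob))
    return zf.read(zf.namelist()[0], pwd=pwd)


# Constructed sample standing in for spammer.zip / creds.txt and for john's wordlist.
CREDS = b"mayer:lionheart\n"
PASSWORD = b"myspace4"
WORDLIST = [b"password", b"123456", b"lionheart", b"myspace1", b"myspace4", b"letmein"]

if __name__ == "__main__":
    archive = build_encrypted_zip(b"creds.txt", CREDS, PASSWORD)
    found, slow = crack(archive, WORDLIST)
    print(found, slow, decrypt_with_stdlib(archive, found))
```

The check-byte test is the whole story for ZipCrypto: an attacker needs only the first 12 bytes of the entry, and the cipher state is driven by plaintext, so known-plaintext attacks against it are also practical. A ZIP that must actually protect credentials should use AES (WinZip AE-2 or 7-Zip), which zip2john reports as "AES" rather than "PKZIP Encr".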