Web
Nmap discovered a web server on the target's port 80.
The running service is Apache/2.4.38 (Debian).
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Tue, 29 Apr 2025 14:00:55 GMT
Server: Apache/2.4.38 (Debian)
Allow: OPTIONS,HEAD,GET,POST
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Tue, 29 Apr 2025 14:00:57 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Tue, 30 Mar 2021 12:04:12 GMT
ETag: "89-5bebfcbe49cf9"
Accept-Ranges: bytes
Content-Length: 137
Vary: Accept-Encoding
Content-Type: text/html
Webroot
There is a possible username disclosure;
dynamyiapa
gaara.jpg
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ curl -s http://$IP/gaara.jpg -o gaara.jpg
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ exiftool -a gaara.jpg
ExifTool Version Number : 13.10
File Name : gaara.jpg
Directory : .
File Size : 128 kB
File Modification Date/Time : 2025:04:29 16:06:16+02:00
File Access Date/Time : 2025:04:29 16:06:16+02:00
File Inode Change Date/Time : 2025:04:29 16:06:16+02:00
File Permissions : -rw-rw-r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.02
Resolution Unit : inches
X Resolution : 72
Y Resolution : 72
Exif Byte Order : Big-endian (Motorola, MM)
Orientation : Horizontal (normal)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Software : Adobe Photoshop CS2 Windows
Modify Date : 2008:11:28 19:51:36
Color Space : Uncalibrated
Exif Image Width : 1024
Exif Image Height : 768
Compression : JPEG (old-style)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Thumbnail Offset : 332
Thumbnail Length : 7179
Current IPTC Digest : 460cf28926b856dab09c01a1b0a79077
Application Record Version : 2
IPTC Digest : 460cf28926b856dab09c01a1b0a79077
X Resolution : 72
Displayed Units X : inches
Y Resolution : 72
Displayed Units Y : inches
Print Style : Centered
Print Position : 0 0
Print Scale : 1
Global Angle : 30
Global Altitude : 30
Copyright Flag : False
URL List :
Slices Group Name : a
Num Slices : 1
Pixel Aspect Ratio : 1
Photoshop Thumbnail : (Binary data 7179 bytes, use -b option to extract)
Has Real Merged Data : Yes
Writer Name : Adobe Photoshop
Reader Name : Adobe Photoshop CS2
Photoshop Quality : 7
Photoshop Format : Optimized
XMP Toolkit : 3.1.1-111
Color Space : Unknown (-1)
Exif Image Width : 1024
Exif Image Height : 768
Native Digest : 36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;C350426F8EFA697791B8331A81A73525
Orientation : Horizontal (normal)
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Native Digest : 256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;5AE74CEC12C01027B703F4EAEFCC620E
Create Date : 2008:11:28 19:51:36+07:00
Modify Date : 2008:11:28 19:51:36+07:00
Metadata Date : 2008:11:28 19:51:36+07:00
Creator Tool : Adobe Photoshop CS2 Windows
Derived From Instance ID : uuid:1E20E0444BBDDD11A729A9C88935196E
Derived From Document ID : uuid:90FBC4A347BDDD11A729A9C88935196E
Document ID : uuid:2020E0444BBDDD11A729A9C88935196E
Instance ID : uuid:2120E0444BBDDD11A729A9C88935196E
Format : image/jpeg
Color Mode : RGB
History :
DCT Encode Version : 100
APP14 Flags 0 : (none)
APP14 Flags 1 : (none)
Color Transform : YCbCr
Image Width : 1024
Image Height : 768
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:4:4 (1 1)
Image Size : 1024x768
Megapixels : 0.786
Thumbnail Image : (Binary data 7179 bytes, use -b option to extract)
N/A
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.239.142/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
index.html [Status: 200, Size: 137, Words: 40, Lines: 6, Duration: 25ms]
:: Progress: [81912/81912] :: Job [1/1] :: 2020 req/sec :: Duration: [0:00:44] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.239.142/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 137, Words: 40, Lines: 6, Duration: 21ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1941 req/sec :: Duration: [0:01:52] :: Errors: 0 ::
N/A
Fuzzing 2
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.239.142/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 137, Words: 40, Lines: 6, Duration: 18ms]
Cryoserver [Status: 200, Size: 327, Words: 1, Lines: 303, Duration: 17ms]
:: Progress: [220546/220546] :: Job [1/1] :: 1834 req/sec :: Duration: [0:01:59] :: Errors: 0 ::
Performing another fuzzing with a different wordlist reveals an endpoint; /Cryoserver
/Cryoserver
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ curl -i http://$IP/Cryoserver
HTTP/1.1 200 OK
Date: Tue, 29 Apr 2025 14:45:07 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Sun, 13 Dec 2020 21:14:08 GMT
ETag: "147-5b65f0192318f"
Accept-Ranges: bytes
Content-Length: 327
/Temari
/Kazekage
/iamGaara
The /Cryoserver endpoint reveals 3 more endpoints; /Temari, /Kazekage and /iamGaara
/Temari
The /Temari endpoint contains a description of the Gaara character from a well-known media franchise
/Kazekage
A copy of the /Temari endpoint
/iamGaara
The /iamGaara endpoint is also more or less the same
Secret
What appears to be a base64 string is found in the /iamGaara endpoint; f1MgN9mTf9SNbzRygcU
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ echo f1MgN9mTf9SNbzRygcU | base64 -d
S 7ٓԍo4r��
Decoded output is a binary blob
Decoding
Using a detection tool online reveals that it was base58;
gaara:ismyname
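The check the online detection tool performs can be reproduced offline. The following is an added example (not part of the original write-up): it decodes the candidate string from the /iamGaara endpoint as both base64 (restoring the padding that `base64 -d` trips over) and base58, and reports which scheme yields printable text. The base58 alphabet and the helper names are my own choices.

```python
import base64
import binascii

# Bitcoin-style base58 alphabet: no 0, O, I or l. Any string containing one
# of those characters cannot be base58, which is the first thing to check.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate string as found on the /iamGaara endpoint in this write-up.
SAMPLE = "f1MgN9mTf9SNbzRygcU"


def base58_decode(s: str) -> bytes:
    """Decode a plain base58 string (no checksum) into raw bytes."""
    n = 0
    for ch in s:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes one 0x00 byte that the integer form loses.
    leading = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading + body


def base64_decode_lenient(s: str) -> bytes:
    """base64-decode after restoring the '=' padding the string lacks."""
    padded = s + "=" * (-len(s) % 4)
    return base64.b64decode(padded, validate=True)


def is_printable(data: bytes) -> bool:
    """True only if every byte is printable ASCII (0x20..0x7E)."""
    return bool(data) and all(0x20 <= b < 0x7F for b in data)


def try_decodings(s: str) -> dict:
    """Return {scheme: (decoded_bytes, printable)} for each scheme accepting s."""
    results = {}
    for name, fn in (("base64", base64_decode_lenient), ("base58", base58_decode)):
        try:
            data = fn(s)
        except (ValueError, binascii.Error):
            continue  # alphabet rejected the string, so it is not this scheme
        results[name] = (data, is_printable(data))
    return results


def best_guess(s: str):
    """Name of the first scheme whose output is printable text, else None."""
    for name, (_, ok) in try_decodings(s).items():
        if ok:
            return name
    return None
```

Running `try_decodings(SAMPLE)` shows base64 producing the same non-printable blob as on the page (it starts with a DEL byte, then "S 7") while base58 yields the credential pair, so `best_guess(SAMPLE)` returns "base58".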
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/gaara]
└─$ sshpass -p ismyname ssh gaara@$IP
Permission denied, please try again.
Testing the recovered credential against the target SSH server fails. gaara might be a valid user and I could attempt to perform a brute-force attack