Web
Nmap discovered a Web server on the target port 80
The running service is Apache httpd 2.4.41 ((Ubuntu))
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/potato]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Sun, 27 Apr 2025 16:11:25 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 245
Content-Type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/potato]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Sun, 27 Apr 2025 16:11:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8/Play/Potato/2-Enumeration/attachments/Pasted-image-20250427181144.png)
Webroot
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/potato]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.120.101/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
admin [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 26ms]
index.php [Status: 200, Size: 245, Words: 31, Lines: 9, Duration: 26ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1600 req/sec :: Duration: [0:01:06] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/potato]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.120.101/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 245, Words: 31, Lines: 9, Duration: 2629ms]
admin [Status: 200, Size: 466, Words: 145, Lines: 20, Duration: 47ms]
potato [Status: 200, Size: 744, Words: 52, Lines: 16, Duration: 38ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1600 req/sec :: Duration: [0:02:30] :: Errors: 0 ::/index.php/admin//potato/
/index.php
/Play/Potato/2-Enumeration/attachments/{A638F927-8DC6-481E-9888-60F4E277560F}.png)
N/A
/potato/
/Play/Potato/2-Enumeration/attachments/{3FF2B8B0-11D0-44E1-9394-F458D26B54F5}.png)
Empty
/admin/
/Play/Potato/2-Enumeration/attachments/{F75330EB-E3C4-479B-9CB3-3A28245A2C79}.png)
Login page
/Play/Potato/2-Enumeration/attachments/Pasted-image-20250427182010.png)
/Play/Potato/2-Enumeration/attachments/Pasted-image-20250427182025.png)
Backup file for the login page found in the target FTP server
Credential failed; admin:potato
strcmp
/Play/Potato/2-Enumeration/attachments/Pasted-image-20250427182339.png)
Checking back at the source code, it uses the PHP’s vulnerable strcmp function
This could easily be bypassed by sending an empty array; username=admin&password[]=
Authentication Bypass
/Play/Potato/2-Enumeration/attachments/{2E9666F6-827D-481C-BB45-FC9785385523}.png)
Like so
/Play/Potato/2-Enumeration/attachments/{544FF9C1-82A9-49DC-B170-4E3EFA696796}.png)
Authentication successfully bypassed
Dashboard
/Play/Potato/2-Enumeration/attachments/{747DEACA-00A9-426D-80DC-B303353309BC}.png)
Several features are available at the /admin/dashboard endpoint
Logs
/Play/Potato/2-Enumeration/attachments/{D34011C0-0E1E-498F-BE3E-44B3775F9793}.png)
/Play/Potato/2-Enumeration/attachments/{5043062B-F9AF-49ED-A5F7-1B28A9D1CBB8}.png)
The Logs feature is interesting as it seems to fetch a target file via the file parameter
LFI
/Play/Potato/2-Enumeration/attachments/{7756C153-76E1-414F-9084-3ABF4AD64F20}.png)
LFI confirmed
Moving on to the Exploitation phase