Web
Nmap discovered a web server on the target's port 443
The running service is Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ curl -k -I -X OPTIONS https://$IP/
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2025 12:13:31 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
Allow: POST,OPTIONS,HEAD,GET,TRACE
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ curl -k -I https://$IP/
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2025 12:13:34 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
Last-Modified: Mon, 11 Oct 2021 13:26:28 GMT
ETag: "c210-5ce13ad22e900"
Accept-Ranges: bytes
Content-Length: 49680
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ openssl s_client -connect $IP:443
Connecting to 192.168.224.187
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=localhost
verify error:num=10:certificate has expired
notAfter=Nov 8 23:48:47 2019 GMT
verify return:1
depth=0 CN=localhost
notAfter=Nov 8 23:48:47 2019 GMT
verify return:1
---
Certificate chain
0 s:CN=localhost
i:CN=localhost
a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA1
v:NotBefore: Nov 10 23:48:47 2009 GMT; NotAfter: Nov 8 23:48:47 2019 GMT
---
Server certificate
subject=CN=localhost
issuer=CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 847 bytes and written 518 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 1024 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: A2FFBA3C5A79B94E3AE59F72466A8E8E538DEE99F162C71A547C3EE4097E5B98
Session-ID-ctx:
Resumption PSK: F09C43E4D1798BE9BFDC1BBEC6B2D36DA62C5585EB88341390D9C3A72874265DC463EF23EA0F5C44417C41B33EB66B4E
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1745237642
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1980AD048308E3463DEA4E359A28DC1B0B398BDD5D47BF027AD59E80D5BE583A
Session-ID-ctx:
Resumption PSK: 90241E9B9C5CD32BBD0282EA344E1CEA922C41ABCC3937782F4DD6E7A175854844C17C644FC158A4D3AA2AB107252228
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1745237642
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
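Added here as an example (not part of the original notes): a small Python script that parses the "Certificate chain" summary printed by openssl s_client above and flags the hygiene issues it reveals (self-signed, expired, 1024-bit RSA key, SHA-1 signature, placeholder CN=localhost). The sample input is copied from that output; MIN_RSA_BITS and WEAK_SIGALGS are this script's own thresholds, not anything from the page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the "Certificate chain" lines printed by openssl s_client above.
S_CLIENT_CHAIN = """\
 0 s:CN=localhost
   i:CN=localhost
   a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA1
   v:NotBefore: Nov 10 23:48:47 2009 GMT; NotAfter: Nov  8 23:48:47 2019 GMT
"""

MIN_RSA_BITS = 2048                                   # this script's own threshold (assumption)
WEAK_SIGALGS = {"RSA-SHA1", "RSA-MD5", "ECDSA-SHA1"}  # this script's own list (assumption)

def parse_chain(text):
    # One dict per chain entry: subject, issuer, key type, key bits, sigalg, not_after (UTC).
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if re.match(r"^\d+ s:", s):                   # "0 s:CN=localhost" starts an entry
            cur = {"subject": s.split("s:", 1)[1]}
            entries.append(cur)
        elif cur and s.startswith("i:"):
            cur["issuer"] = s[2:]
        elif cur and s.startswith("a:"):
            m = re.search(r"PKEY: (\S+), (\d+) \(bit\); sigalg: (\S+)", s)
            cur["key"], cur["bits"], cur["sigalg"] = m.group(1), int(m.group(2)), m.group(3)
        elif cur and s.startswith("v:"):
            stamp = " ".join(s.split("NotAfter:", 1)[1].split())   # collapse "Nov  8" padding
            cur["not_after"] = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return entries

def assess(entry, now=None):
    # Hygiene findings for one chain entry; `now` defaults to the current UTC time.
    now = now or datetime.now(timezone.utc)
    findings = []
    if entry["subject"] == entry["issuer"]:
        findings.append("self-signed")
    if entry["not_after"] < now:
        findings.append("expired")
    if entry["key"] == "rsaEncryption" and entry["bits"] < MIN_RSA_BITS:
        findings.append(f"weak RSA key ({entry['bits']} bit)")
    if entry["sigalg"] in WEAK_SIGALGS:
        findings.append(f"weak signature algorithm ({entry['sigalg']})")
    if entry["subject"] == "CN=localhost":
        findings.append("placeholder subject CN=localhost never matches the host name")
    return findings

for finding in assess(parse_chain(S_CLIENT_CHAIN)[0]):
    print("FINDING:", finding)
```

The same parser works on the full s_client transcript, since only the `s:`/`i:`/`a:`/`v:` lines of each numbered chain entry are consumed.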
Webroot
This appears to be a custom PHP web application that hosts a ticketing service
The instance also appears to be hosted on port 80
Continuing with the instance on port 80
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u https://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
:: Method : GET
:: URL : https://192.168.224.187/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
Index.html [Status: 200, Size: 49680, Words: 13785, Lines: 1101, Duration: 37ms]
assets [Status: 301, Size: 345, Words: 22, Lines: 10, Duration: 32ms]
forms [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 31ms]
index.html [Status: 200, Size: 49680, Words: 13785, Lines: 1101, Duration: 37ms]
ticket.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
uploads [Status: 301, Size: 346, Words: 22, Lines: 10, Duration: 27ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1438 req/sec :: Duration: [0:01:10] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://$IP/FUZZ/ -ic -fc 403
________________________________________________
:: Method : GET
:: URL : https://192.168.224.187/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 49680, Words: 13785, Lines: 1101, Duration: 34ms]
uploads [Status: 200, Size: 778, Words: 61, Lines: 16, Duration: 32ms]
icons [Status: 200, Size: 73983, Words: 7383, Lines: 1005, Duration: 84ms]
assets [Status: 200, Size: 1606, Words: 183, Lines: 20, Duration: 64ms]
forms [Status: 200, Size: 986, Words: 82, Lines: 17, Duration: 35ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1183 req/sec :: Duration: [0:02:50] :: Errors: 0 ::
/forms/
/ticket.php
/uploads/