Web


Nmap discovered a web server on the target port 80. The running service is Apache httpd 2.4.48 ((Win64) OpenSSL/1.1.1k PHP/8.0.7).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ curl -I -X OPTIONS http://$IP/     
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2025 12:13:08 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
Allow: POST,OPTIONS,HEAD,GET,TRACE
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Mon, 21 Apr 2025 12:13:12 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
Last-Modified: Mon, 11 Oct 2021 13:26:28 GMT
ETag: "c210-5ce13ad22e900"
Accept-Ranges: bytes
Content-Length: 49680
Content-Type: text/html

Webroot


This appears to be a custom PHP web application that hosts a ticketing service. The instance also appears to be hosted on port 443 over TLS.

Speakers


Possible username disclosure in the Speakers section.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ nano users.txt                                                            
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ python3 ~/Tools/username_gen_v2.py -w ./users.txt > possible-usernames.txt

Generating all the possible username combinations.

Validation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ kerbrute userenum --dc server.access.offsec -d ACCESS.OFFSEC ./possible-usernames.txt -t 200
 
    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        
 
Version: v1.0.3 (9dad6e1) - 04/21/25 - Ronnie Flathers @ropnop
 
2025/04/21 14:34:57 >  Using KDC(s):
2025/04/21 14:34:57 >  	server.access.offsec:88
 
2025/04/21 14:34:57 >  Done! Tested 66 usernames (0 valid) in 0.049 seconds

None of them is a valid domain user.

buy-tickets


The buy-tickets section is interesting because it supports file upload.

Testing


Uploaded files are stored in the /uploads/ directory.

PHP File


PHP file upload failed, as there is an extension filter.

Extension Filter Bypass


Uppercase letters failed.

shell.png.php failed.

Null byte injection succeeded in uploading.

Tested several null byte injections, but the web app interpreted them as-is, so code execution is not possible.

Those extensions upload successfully, but they are not executed.

.htaccess Upload


The web application allows uploading the .htaccess file.

There is an RCE technique that leverages uploading a .htaccess file. Moving on to the Exploitation phase.
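As an added defensive illustration (not code from the target application), this is the kind of filename check the upload handler should have applied; it rejects every bypass attempt tested above (uppercase extension, double extension, null byte, dotfiles such as .htaccess) and accepts only a single allowlisted extension. The allowlist and function names are assumptions.

```python
import os
import re

# Assumed allowlist of content types the ticketing app actually needs.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
# Extensions Apache/PHP may execute or interpret as configuration; never accepted.
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar", "htaccess"}


def validate_upload_name(filename: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only for a plain name with one allowlisted extension."""
    # Reject control characters, including the null byte used in the bypass attempts above.
    if any(ord(c) < 32 or c == "\x7f" for c in filename):
        return False, "control character in filename"
    # Strip any path component so the name cannot escape the upload directory.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        return False, "path separators not allowed"
    # Dotfiles (.htaccess, .user.ini) must never land in a web-served directory.
    if base.startswith("."):
        return False, "dotfile not allowed"
    # Compare case-insensitively so shell.PHP is treated exactly like shell.php.
    parts = base.lower().split(".")
    if len(parts) != 2:
        return False, "exactly one extension required"   # blocks shell.png.php
    stem, ext = parts
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", stem):
        return False, "invalid characters in name"
    if ext in EXECUTABLE_EXTENSIONS:
        return False, "executable extension"
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowlisted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names mirroring the attempts documented on this page.
    for name in ["photo.png", "shell.php", "shell.PHP", "shell.png.php",
                 "shell.php\x00.png", ".htaccess", "../photo.png"]:
        print(repr(name), validate_upload_name(name))
```

Filename checks alone are not sufficient: the upload directory should also have AllowOverride None and PHP execution disabled at the server level, so that a file which does slip through is never interpreted.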

Contact


While the Contact section contains a form that sends a POST request to the /forms/contact.php file, the returned error reveals that it is missing the “PHP Email Form” library, rendering it non-functional.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.224.187/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
Index.html              [Status: 200, Size: 49680, Words: 13785, Lines: 1101, Duration: 29ms]
assets                  [Status: 301, Size: 343, Words: 22, Lines: 10, Duration: 25ms]
forms                   [Status: 301, Size: 342, Words: 22, Lines: 10, Duration: 27ms]
index.html              [Status: 200, Size: 49680, Words: 13785, Lines: 1101, Duration: 37ms]
ticket.php              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 376ms]
uploads                 [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 25ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1234 req/sec :: Duration: [0:01:10] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/access]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.224.187/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
                        [Status: 200, Size: 49680, Words: 13785, Lines: 1101, Duration: 26ms]
uploads                 [Status: 200, Size: 777, Words: 61, Lines: 16, Duration: 29ms]
icons                   [Status: 200, Size: 73983, Words: 7383, Lines: 1005, Duration: 62ms]
assets                  [Status: 200, Size: 1605, Words: 183, Lines: 20, Duration: 73ms]
forms                   [Status: 200, Size: 985, Words: 82, Lines: 17, Duration: 50ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1123 req/sec :: Duration: [0:02:51] :: Errors: 0 ::

  • /ticket.php
  • /forms/
  • /uploads/

/forms/


There is the contact form for the Contact section.

It is missing the PHP Email Form library.

Looking it up online leads to BootstrapMade, which explains the PHP Email Form library; it should be located at /assets/vendor/php-email-form/php-email-form.php.

It is indeed missing.