Web
Nmap discovered a Web service on the target port 80
The running service is Apache httpd 2.4.29 (Ubuntu)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Wed, 05 Feb 2025 19:54:33 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Mon, 17 May 2021 15:00:14 GMT
ETag: "711d-5c287d9d2c6e3"
Accept-Ranges: bytes
Content-Length: 28957
Vary: Accept-Encoding
Content-Type: text/html
Webroot
It appears to be a website for a hospital
Updated the /etc/hosts file with the apex.offsec hostname used below
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/apex]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://apex.offsec/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://apex.offsec/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 3790ms]
.htpasswd [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 3848ms]
assets [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 20ms]
filemanager [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 36ms]
server-status [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 25ms]
source [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 25ms]
thumbs [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 36ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1574 req/sec :: Duration: [0:00:16] :: Errors: 0 ::
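To turn the ffuf hits above into something reviewable, here is an added example (not part of the original notes or of ffuf itself) that parses ffuf's result lines, separates redirecting directories from Apache's default 403 paths, and checks whether the 301 bodies share one redirect template. The sample input is the result block from this run; the constant-offset check is a heuristic, not an ffuf feature.

```python
import re
from typing import Any, Dict, List, Set

# Constructed sample: the result lines from the ffuf run above (progress line included).
FFUF_OUTPUT = """\
.htaccess [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 3790ms]
.htpasswd [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 3848ms]
assets [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 20ms]
filemanager [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 36ms]
server-status [Status: 403, Size: 276, Words: 20, Lines: 10, Duration: 25ms]
source [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 25ms]
thumbs [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 36ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1574 req/sec :: Duration: [0:00:16] :: Errors: 0 ::
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\[Status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+),\s*Duration:\s*(?P<ms>\d+)ms\]$"
)
# Apache's own paths; a 403 here is the default config, not a finding by itself.
APACHE_DEFAULT_403 = {".htaccess", ".htpasswd", "server-status"}

def parse_ffuf(text: str) -> List[Dict[str, Any]]:
    """Parse ffuf's result lines into records; banner and progress lines are skipped."""
    records: List[Dict[str, Any]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            g = m.groupdict()
            records.append({k: (v if k == "path" else int(v)) for k, v in g.items()})
    return records

def triage(records: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Split hits into directories to review (301), Apache defaults (403) and the rest."""
    out: Dict[str, List[str]] = {"directories": [], "apache_defaults": [], "other": []}
    for r in records:
        if r["status"] == 301:
            out["directories"].append(r["path"])
        elif r["status"] == 403 and r["path"] in APACHE_DEFAULT_403:
            out["apache_defaults"].append(r["path"])
        else:
            out["other"].append(r["path"])
    return out

def redirect_template_offsets(records: List[Dict[str, Any]]) -> Set[int]:
    """Size minus len(path) for each 301; a single value means the bodies share one
    redirect template (heuristic: Apache's directory redirect page grows with the path)."""
    return {r["size"] - len(r["path"]) for r in records if r["status"] == 301}
```

Here all four 301 bodies differ only by the path length, which is consistent with Apache's plain trailing-slash redirect rather than application-specific pages.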
/source/ Directory
/source/images
N/A
/source/Documents
The /source/Documents directory corresponds to the docs Samba share
/filemanager
There appears to be another web application running on the /filemanager endpoint
It shows the /source directory above
It’s written in PHP
The application is Responsive FileManager 9.13.4
Vulnerabilities
It would appear that the target instance has multiple vulnerabilities;
OpenEMR
There is an endpoint: /openemr
It returns a 301 to a login page at /openemr/interface/login/login.php?site=default
It’s hosting an OpenEMR instance