Web


Nmap discovered a web server on port 80 of the target. The running service is Apache httpd 2.4.41; the banner returned by curl adds that it is the Ubuntu package.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/astronaut]
└─$ curl -I -X OPTIONS http://$IP/      
HTTP/1.1 200 OK
Date: Mon, 31 Mar 2025 14:06:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Content-Type: httpd/unix-directory
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/astronaut]
└─$ curl -I http://$IP/          
HTTP/1.1 200 OK
Date: Mon, 31 Mar 2025 14:06:20 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html;charset=UTF-8
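
The two curl responses give the server banner and the Allow list. The Allow header is advisory: it reflects how the handler is configured, not what the server will actually process, so the methods worth caring about (PUT, DELETE, TRACE, PATCH and the WebDAV verbs) should be sent explicitly rather than read off the header. The script below is an added example and is not part of this write-up: it parses the OPTIONS response shown above, then compares the advertised methods with the result of probing each one. `fake_send` is an offline stand-in whose behaviour (accepting TRACE) is invented purely to exercise the "undisclosed method" branch and says nothing about this target; `http_send` is the drop-in to run the same check against a real host.

```python
"""Compare the methods a web server advertises in Allow with the ones it accepts.

Added example, not from the original write-up. The OPTIONS response is copied
from the page; fake_send() is an invented stand-in used so the script runs
offline, http_send() builds the equivalent sender for a live host.
"""
import http.client
from typing import Callable, Dict, Set

# Copied from the write-up's `curl -I -X OPTIONS` output.
OPTIONS_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 31 Mar 2025 14:06:17 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: GET,POST,OPTIONS,HEAD
Content-Length: 0
Content-Type: httpd/unix-directory
"""

# Methods that deserve a closer look whenever a server accepts them.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "PATCH", "CONNECT",
                 "PROPFIND", "MKCOL", "MOVE", "COPY"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return {lower-case name: value} for the headers of a raw response head."""
    headers: Dict[str, str] = {}
    lines = raw.replace("\r\n", "\n").strip().split("\n")
    for line in lines[1:]:                       # lines[0] is the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def server_banner(raw: str) -> str:
    return parse_headers(raw).get("server", "")


def advertised_methods(raw: str) -> Set[str]:
    """Methods listed in the Allow header (empty set if the header is absent)."""
    allow = parse_headers(raw).get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def http_send(host: str, path: str = "/", port: int = 80,
              timeout: float = 5.0) -> Callable[[str], int]:
    """Build a sender for a live host: send(method) -> HTTP status code."""
    def send(method: str) -> int:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request(method, path)
            return conn.getresponse().status
        finally:
            conn.close()
    return send


def fake_send(method: str) -> int:
    """Offline stand-in. Its behaviour is invented for the demo: it accepts the
    four advertised methods plus TRACE and refuses everything else with 405."""
    return 200 if method in {"GET", "POST", "OPTIONS", "HEAD", "TRACE"} else 405


def triage(raw: str, send: Callable[[str], int]) -> Dict[str, object]:
    """Probe advertised + risky methods; 405/501 count as refused, anything
    else means the server processed the request and the method is live."""
    advertised = advertised_methods(raw)
    probed = {m: send(m) for m in sorted(advertised | RISKY_METHODS)}
    accepted = {m for m, code in probed.items() if code not in (405, 501)}
    return {
        "server": server_banner(raw),
        "advertised": advertised,
        "accepted": accepted,
        "undisclosed": accepted - advertised,    # live but missing from Allow
        "risky": accepted & RISKY_METHODS,
        "probed": probed,
    }


if __name__ == "__main__":
    # Replace fake_send with http_send("192.168.154.12", "/") for a real run.
    for key, value in triage(OPTIONS_RESPONSE, fake_send).items():
        print(f"{key:12} {value}")
```

Against the real host, swap `fake_send` for `http_send("192.168.154.12", "/")`; anything that shows up under `undisclosed` or `risky` is worth a manual request with a body, since a 200 on PUT or TRACE is a finding in its own right.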

Directory indexing is enabled on the webroot; the listing exposes /grav-admin/.

/grav-admin/ Directory


This is the default installation page of a Grav instance. The source code is available for reference.

Grav is a free, self-hosted content management system (CMS) written in PHP and based on the Symfony web application framework. It uses a flat-file database for both the back end and the front end.

/grav-admin/admin Directory


The login page for the admin panel is available at the /grav-admin/admin endpoint. No credentials are known at this time.

/grav-admin/robots.txt


Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/astronaut]
└─$ searchsploit Grav CMS
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting                                   | php/webapps/42131.txt
Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Site Scripting   | php/webapps/49264.txt
Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated)              | php/webapps/49961.py
GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)                   | php/webapps/49973.py
GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)                   | php/webapps/49788.rb
gravy media CMS 1.07 - Multiple Vulnerabilities                                      | php/webapps/8315.txt
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

There are multiple vulnerabilities. While the version information has not been confirmed yet, I will attempt the unauthenticated RCE exploit.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/astronaut]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/grav-admin/FUZZ -ic -e .php,.txt,.html
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.154.12/grav-admin/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess               [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 296ms]
.htaccess.php           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 291ms]
.htpasswd.txt           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 214ms]
.htpasswd.php           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 215ms]
.htpasswd.html          [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 215ms]
.htaccess.html          [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 224ms]
.htaccess.txt           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 226ms]
.htpasswd               [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 218ms]
LICENSE.txt             [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 66ms]
admin.txt               [Status: 403, Size: 0, Words: 1, Lines: 1, Duration: 540ms]
admin.html              [Status: 200, Size: 15508, Words: 4330, Lines: 139, Duration: 606ms]
admin                   [Status: 200, Size: 15508, Words: 4330, Lines: 139, Duration: 648ms]
assets                  [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 67ms]
backup                  [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 80ms]
bin                     [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 64ms]
cache                   [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 80ms]
cgi-bin/                [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 90ms]
forgot_password.html    [Status: 200, Size: 12383, Words: 2246, Lines: 155, Duration: 751ms]
forgot_password         [Status: 200, Size: 12383, Words: 2246, Lines: 155, Duration: 774ms]
forgot_password.txt     [Status: 200, Size: 12383, Words: 2246, Lines: 155, Duration: 815ms]
home                    [Status: 200, Size: 14014, Words: 2089, Lines: 160, Duration: 308ms]
home.html               [Status: 200, Size: 14014, Words: 2089, Lines: 160, Duration: 297ms]
home.txt                [Status: 200, Size: 14014, Words: 2089, Lines: 160, Duration: 323ms]
images                  [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 80ms]
login.txt               [Status: 200, Size: 13967, Words: 3067, Lines: 190, Duration: 299ms]
login                   [Status: 200, Size: 13967, Words: 3067, Lines: 190, Duration: 316ms]
login.html              [Status: 200, Size: 13967, Words: 3067, Lines: 190, Duration: 298ms]
logs                    [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 61ms]
robots.txt              [Status: 200, Size: 274, Words: 17, Lines: 16, Duration: 69ms]
robots.txt              [Status: 200, Size: 274, Words: 17, Lines: 16, Duration: 65ms]
system                  [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 77ms]
tmp                     [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 84ms]
user                    [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 68ms]
user_profile.txt        [Status: 403, Size: 0, Words: 1, Lines: 1, Duration: 292ms]
user_profile            [Status: 200, Size: 13974, Words: 3067, Lines: 190, Duration: 423ms]
user_profile.html       [Status: 200, Size: 13974, Words: 3067, Lines: 190, Duration: 443ms]
vendor                  [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 68ms]
:: Progress: [81912/81912] :: Job [1/1] :: 134 req/sec :: Duration: [0:11:24] :: Errors: 0 ::
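
Two kinds of noise make this list longer than it is: Apache's stock 403 page (the constant 279-byte body behind every .ht* hit; `-ac` or `-fs 279` would have suppressed it at scan time) and Grav's extension-agnostic routing (login, login.txt and login.html all return the same 13967-byte page, so the `-e` extensions mostly tripled the request count). The 301s on backup, bin, cache, logs, system, user and vendor only prove those directories exist; following the redirect (`curl -I -L`) shows whether they list or whether Grav's shipped .htaccess refuses them. The script below is an added example, not part of this write-up: it reads ffuf's JSON output (`ffuf ... -of json -o ffuf.json`; the `results` list of objects with `input`, `status`, `length` and `url` is the layout ffuf writes) and groups the hits along those lines. The embedded sample is constructed from a subset of the hits above so the script runs offline.

```python
"""Triage ffuf JSON output for a Grav install.

Added example, not from the original write-up. Reads ffuf's `-of json` output
(or the constructed sample below, built from hits shown on the page) and
separates real pages from stock-403 noise, extension duplicates and directory
redirects that still need a follow-up request.
"""
import json
import sys
from collections import Counter, defaultdict
from typing import Dict, List

EXTENSIONS = (".php", ".txt", ".html")       # the -e list used in the ffuf run


def _hit(word: str, status: int, length: int) -> dict:
    """One result object in the shape ffuf's JSON output uses."""
    return {"input": {"FUZZ": word}, "status": status, "length": length,
            "url": "http://192.168.154.12/grav-admin/" + word}


# Constructed offline sample: a subset of the hits shown in the write-up.
SAMPLE_JSON = json.dumps({"results": [
    _hit(".htaccess", 403, 279), _hit(".htaccess.php", 403, 279),
    _hit(".htpasswd", 403, 279), _hit("LICENSE.txt", 403, 279),
    _hit("admin.txt", 403, 0),
    _hit("admin", 200, 15508), _hit("admin.html", 200, 15508),
    _hit("forgot_password", 200, 12383), _hit("forgot_password.html", 200, 12383),
    _hit("forgot_password.txt", 200, 12383),
    _hit("login", 200, 13967), _hit("login.txt", 200, 13967), _hit("login.html", 200, 13967),
    _hit("backup", 301, 328), _hit("logs", 301, 326),
    _hit("system", 301, 328), _hit("user", 301, 326),
    # ffuf prints robots.txt twice: once for the word, once for "robots" + ".txt"
    _hit("robots.txt", 200, 274), _hit("robots.txt", 200, 274),
]})


def strip_ext(word: str) -> str:
    """'login.html' -> 'login'; a bare extension such as '.php' is left alone."""
    for ext in EXTENSIONS:
        if word.endswith(ext) and len(word) > len(ext):
            return word[: -len(ext)]
    return word


def triage(ffuf_json: str) -> Dict[str, object]:
    results = json.loads(ffuf_json)["results"]
    # Apache's stock 403 page has a fixed size, so the most common 403 length is
    # that page. The filter cannot tell a deliberate deny rule (LICENSE.txt) from
    # .ht* noise, so those hits are kept under "noise" instead of being dropped.
    sizes_403 = Counter(r["length"] for r in results if r["status"] == 403)
    stock_403 = sizes_403.most_common(1)[0][0] if sizes_403 else None
    seen, noise = set(), []
    by_base: Dict[str, List[dict]] = defaultdict(list)
    for r in results:
        word = r["input"]["FUZZ"]
        key = (word, r["status"], r["length"])
        if key in seen:                       # exact duplicate line
            continue
        seen.add(key)
        if r["status"] == 403 and r["length"] == stock_403:
            noise.append(word)
            continue
        by_base[strip_ext(word)].append(r)
    report: Dict[str, object] = {"pages": {}, "dirs": [], "blocked": [],
                                 "noise": sorted(noise)}
    for base, hits in by_base.items():
        statuses = {h["status"] for h in hits}
        if statuses <= {301, 302}:
            report["dirs"].append(base)       # exists; follow it to see list vs 403
        elif 200 in statuses:
            ok = [h for h in hits if h["status"] == 200]
            report["pages"][base] = {
                "words": sorted(h["input"]["FUZZ"] for h in ok),
                "length": ok[0]["length"],
                # same body for every suffix: Grav routes on the slug, not the extension
                "extension_insensitive": len(ok) > 1 and len({h["length"] for h in ok}) == 1,
            }
        else:
            report["blocked"].append(base)    # non-stock 403 with no 200 sibling
    report["dirs"].sort()
    report["blocked"].sort()
    return report


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    print(json.dumps(triage(data), indent=2))
```

Run it as `python3 triage_ffuf.py ffuf.json` after an ffuf scan with `-of json -o ffuf.json`; without an argument it triages the embedded sample. Entries under `dirs` are the ones to follow with `curl -I -L`, and `extension_insensitive` pages tell you the `-e` list can be dropped on the next pass against this host.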
