Web


Nmap discovered a web server on target port 80. The running service is Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Tue, 08 Apr 2025 17:33:17 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
X-Powered-By: PHP/8.0.7
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Tue, 08 Apr 2025 17:33:21 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/8.0.7
X-Powered-By: PHP/8.0.7
Content-Type: text/html; charset=UTF-8

Webroot

Domain


The Join Us section contains a domain: craft.offsec

The domain has been appended to /etc/hosts on Kali for local name resolution.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/craft]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.138.169/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
assets                  [Status: 301, Size: 343, Words: 22, Lines: 10, Duration: 21ms]
css                     [Status: 301, Size: 340, Words: 22, Lines: 10, Duration: 18ms]
index.php               [Status: 200, Size: 9635, Words: 3434, Lines: 166, Duration: 21ms]
js                      [Status: 301, Size: 339, Words: 22, Lines: 10, Duration: 44ms]
upload.php              [Status: 200, Size: 537, Words: 68, Lines: 9, Duration: 66ms]
uploads                 [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 21ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1904 req/sec :: Duration: [0:00:54] :: Errors: 0 ::
  • /upload.php
  • /uploads/

File Upload


The web application features a file upload function.

Testing


Attempting to upload a test JPG file fails, as upload.php appears to accept only ODT files. Given that the web application accepts ODT files, it is likely that the target system has either Microsoft Office or LibreOffice installed, which calls for a client-side attack.

Extension Filter


It would also appear that upload.php only checks the file extension.

/uploads Directory


Additionally, uploading a file directly into the /uploads directory is possible by altering the filename so that it carries a path component: uploads/test.odt
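The two weaknesses noted above (an extension-only check, and a client-supplied filename that is honoured as part of the destination path) are what a hardened upload handler has to close. The following is an added example written for this write-up, not the target's upload.php and not code from OffSec; the real source of upload.php is not available, so the vulnerable pattern in the comment is only the shape consistent with the observed behaviour. It assumes the form field is named `file`, that the PHP `zip` extension is loaded, and that `private_uploads` is a directory outside the web root.

```php
<?php
// Added example (not the target's upload.php): a hardened ODT upload handler.
// Assumptions: form field "file"; PHP zip extension available; the storage
// directory passed to handle_upload() is outside the web root.
declare(strict_types=1);

const MAX_BYTES = 5 * 1024 * 1024;   // size cap, assumed policy
const ODT_MIME  = 'application/vnd.oasis.opendocument.text';

// Returns an error string, or null when $path really is an ODT document.
function validate_odt(string $path): ?string
{
    if (filesize($path) > MAX_BYTES) {
        return 'file too large';
    }
    // ODT is a ZIP container: check the local-file-header signature first.
    $fh = fopen($path, 'rb');
    $magic = fread($fh, 4);
    fclose($fh);
    if ($magic !== "PK\x03\x04") {
        return 'not a ZIP container';
    }
    // OpenDocument requires a "mimetype" member naming the document type;
    // read it instead of trusting the extension the client chose.
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return 'unreadable archive';
    }
    $mime = $zip->getFromName('mimetype');
    $zip->close();
    if ($mime !== ODT_MIME) {
        return 'mimetype entry is not ODT';
    }
    return null;
}

// Pattern consistent with the behaviour observed above (assumed, not the
// target's source): only the extension is checked and the client's filename
// is used as the destination, so "uploads/test.odt" changes the directory.
//   $name = $_FILES['file']['name'];
//   if (pathinfo($name, PATHINFO_EXTENSION) === 'odt') {
//       move_uploaded_file($_FILES['file']['tmp_name'], $name);
//   }

function handle_upload(array $file, string $storeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // basename() drops any directory component; the strict pattern then
    // rejects separators (including backslashes, relevant on Win64), dots
    // other than the one before the extension, and anything but name.odt.
    $clientName = basename((string) $file['name']);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.odt$/', $clientName)) {
        return 'filename rejected';
    }
    if (($err = validate_odt($file['tmp_name'])) !== null) {
        return 'content rejected: ' . $err;
    }
    // Never reuse the client's name on disk: store under a random name and
    // keep the original only as metadata (database row, log line).
    $stored = bin2hex(random_bytes(16)) . '.odt';
    $dest = rtrim($storeDir, '/\\') . DIRECTORY_SEPARATOR . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'could not store file';
    }
    return 'stored as ' . $stored;
}

if (isset($_FILES['file'])) {
    header('Content-Type: text/plain');
    echo handle_upload($_FILES['file'], __DIR__ . '/../private_uploads');
}
```

The filename pattern, not basename() alone, is what blocks the path-component trick on both platforms: on Linux basename() does not treat a backslash as a separator, but the character class rejects it anyway. The content check matters because an extension whitelist says nothing about what the office suite on the target will actually open; a file that is not a ZIP with an ODT mimetype entry is refused before it is stored.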