Web
Nmap discovered a Web server on the target port 8080
The running service is Apache httpd 2.4.38 ((Debian))
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ curl -I -X OPTIONS http://$IP:8080/
HTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 12:26:29 GMT
Server: Apache/2.4.38 (Debian)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ curl -I http://$IP:8080/
HTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 12:23:33 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Wed, 09 Dec 2020 16:39:13 GMT
ETag: "9f-5b60ab3060e40"
Accept-Ranges: bytes
Content-Length: 159
Vary: Accept-Encoding
Content-Type: text/html/Practice/Escape_OffSec/2-Enumeration/attachments/{9575B8BA-A628-4328-A1CC-894B1F3CB505}.png)
Webroot
It appears identical to the web application on the port 80
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:8080/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.122.113:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htpasswd [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 2944ms]
.htaccess [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 4953ms]
dev [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 97ms]
server-status [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 24ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1449 req/sec :: Duration: [0:00:17] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:8080/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.122.113:8080/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 159, Words: 10, Lines: 17, Duration: 29ms]
icons [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 56ms]
dev [Status: 200, Size: 1021, Words: 257, Lines: 36, Duration: 36ms]
server-status [Status: 403, Size: 282, Words: 20, Lines: 10, Duration: 26ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1526 req/sec :: Duration: [0:02:22] :: Errors: 0 :ffuf found an endpoint, /dev/
/dev/
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/escape_offsec]
└─$ curl -I http://$IP:8080/dev/
HTTP/1.1 200 OK
Date: Thu, 06 Mar 2025 12:34:59 GMT
Server: Apache/2.4.38 (Debian)
X-Powered-By: PHP/7.2.34
Content-Type: text/html; charset=UTF-8Additionally, the /dev/ endpoint uses PHP
/Practice/Escape_OffSec/2-Enumeration/attachments/{1B7B0689-FA6F-40FC-AD59-9E052A6B1FCE}.png)
The /dev/ endpoint supports file upload
It also notes that it only accepts GIF files
This raises an opportunity to upload a malicious PHP file to get code execution