Web


Nmap discovered a web server on the target port 80. The running service is Apache httpd 2.4.41 ((Ubuntu)).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/exfiltrated]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 302 Found
Date: Wed, 02 Apr 2025 09:57:50 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: INTELLI_06c8042c3d=ml0vp7reslpt6rbk1kocbehbra; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: INTELLI_06c8042c3d=ml0vp7reslpt6rbk1kocbehbra; expires=Wed, 02-Apr-2025 10:27:50 GMT; Max-Age=1800; path=/
Location: http://exfiltrated.offsec/
Content-Length: 0
Content-Type: text/html; charset=UTF-8
 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/exfiltrated]
└─$ curl -I http://$IP/        
HTTP/1.1 302 Found
Date: Wed, 02 Apr 2025 09:57:54 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: INTELLI_06c8042c3d=2ur0llr9vmsp089vr01pcgc5c3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: INTELLI_06c8042c3d=2ur0llr9vmsp089vr01pcgc5c3; expires=Wed, 02-Apr-2025 10:27:54 GMT; Max-Age=1800; path=/
Location: http://exfiltrated.offsec/
Content-Type: text/html; charset=UTF-8

Both requests are answered with a 302 redirect to a domain: exfiltrated.offsec

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution.

The webroot appears to be a Subrion instance.

Subrion CMS is an open source PHP content management system. Source code is available for review.

Admin Panel


The admin panel is located at the /panel/ endpoint. It also leaks the version information: 4.2.1.

Default Credential


The default credential works: admin:admin. Authentication succeeded and redirected to the admin panel. The version is indeed 4.2.1.

Version Information


Checking the /changelog.txt file reveals the version information, 3.0.1, which does not match the version information found in the admin panel.

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/exfiltrated]
└─$ searchsploit subrion                 
--------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                               |  Path
--------------------------------------------------------------------------------------------- ---------------------------------
Subrion 3.x - Multiple Vulnerabilities                                                       | php/webapps/38525.txt
Subrion 4.2.1 - 'Email' Persistant Cross-Site Scripting                                      | php/webapps/47469.txt
Subrion Auto Classifieds - Persistent Cross-Site Scripting                                   | php/webapps/14391.txt
SUBRION CMS - Multiple Vulnerabilities                                                       | php/webapps/17390.txt
Subrion CMS 2.2.1 - Cross-Site Request Forgery (Add Admin)                                   | php/webapps/21267.txt
subrion CMS 2.2.1 - Multiple Vulnerabilities                                                 | php/webapps/22159.txt
Subrion CMS 4.0.5 - Cross-Site Request Forgery (Add Admin)                                   | php/webapps/47851.txt
Subrion CMS 4.0.5 - Cross-Site Request Forgery Bypass / Persistent Cross-Site Scripting      | php/webapps/40553.txt
Subrion CMS 4.0.5 - SQL Injection                                                            | php/webapps/40202.txt
Subrion CMS 4.2.1 - 'avatar[path]' XSS                                                       | php/webapps/49346.txt
Subrion CMS 4.2.1 - Arbitrary File Upload                                                    | php/webapps/49876.py
Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)                             | php/webapps/50737.txt
Subrion CMS 4.2.1 - Cross-Site Scripting                                                     | php/webapps/45150.txt
Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)                                        | php/webapps/51110.txt
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

It would appear that the target Subrion instance suffers from multiple vulnerabilities. The RCE vulnerability stands out: CVE-2018-19422.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/exfiltrated]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://exfiltrated.offsec/FUZZ -ic -e .txt,.html,.php -fc 301
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://exfiltrated.offsec/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .txt .html .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 301
________________________________________________
 
.htpasswd.txt           [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 23ms]
.htpasswd.html          [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 23ms]
.htpasswd.php           [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 23ms]
.htaccess.txt           [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 23ms]
.htaccess.html          [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 23ms]
.htaccess.php           [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 24ms]
.htaccess               [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 25ms]
.htpasswd               [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 26ms]
0                       [Status: 200, Size: 21687, Words: 9133, Lines: 581, Duration: 242ms]
actions.php             [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 100ms]
actions.html            [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 116ms]
actions.txt             [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 122ms]
changelog.txt           [Status: 200, Size: 49250, Words: 10094, Lines: 913, Duration: 21ms]
cron.txt                [Status: 200, Size: 43, Words: 1, Lines: 1, Duration: 83ms]
cron.html               [Status: 200, Size: 43, Words: 1, Lines: 1, Duration: 82ms]
cron.php                [Status: 200, Size: 43, Words: 1, Lines: 1, Duration: 90ms]
favicon.ico             [Status: 200, Size: 1150, Words: 10, Lines: 4, Duration: 22ms]
index.php               [Status: 200, Size: 21693, Words: 9133, Lines: 581, Duration: 239ms]
license.txt             [Status: 200, Size: 35147, Words: 5836, Lines: 675, Duration: 22ms]
logout.html             [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 67ms]
logout.txt              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 72ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 56ms]
panel.txt               [Status: 200, Size: 6155, Words: 1618, Lines: 107, Duration: 136ms]
panel.html              [Status: 200, Size: 6155, Words: 1618, Lines: 107, Duration: 156ms]
panel.php               [Status: 200, Size: 6155, Words: 1618, Lines: 107, Duration: 168ms]
redirect.php            [Status: 200, Size: 1048, Words: 194, Lines: 34, Duration: 250ms]
redirect.txt            [Status: 200, Size: 1048, Words: 194, Lines: 34, Duration: 262ms]
redirect.html           [Status: 200, Size: 1048, Words: 194, Lines: 34, Duration: 257ms]
robots.txt              [Status: 200, Size: 142, Words: 9, Lines: 8, Duration: 18ms]
robots.txt              [Status: 200, Size: 142, Words: 9, Lines: 8, Duration: 21ms]
server-status           [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 20ms]
sitemap.xml             [Status: 200, Size: 637, Words: 6, Lines: 4, Duration: 23ms]
updates                 [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 24ms]
web.xml                 [Status: 200, Size: 104, Words: 5, Lines: 3, Duration: 77ms]
webpack.manifest.json   [Status: 200, Size: 76, Words: 4, Lines: 1, Duration: 81ms]
:: Progress: [81912/81912] :: Job [1/1] :: 236 req/sec :: Duration: [0:06:41] :: Errors: 0 ::

N/A
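
As an added example (not part of the original write-up), the script below parses ffuf result lines in the format shown above and groups paths by response shape (status, word count, line count). On this run it shows that panel.txt, panel.html and panel.php are one page and that 0 and index.php differ only in byte size. The function names are hypothetical, and the sample lines are a subset copied from the output above.

```python
import re
from collections import defaultdict

# Result lines copied from the ffuf run above (a subset, to keep the sample short).
FFUF_OUTPUT = """\
.htaccess               [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 25ms]
.htpasswd               [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 26ms]
0                       [Status: 200, Size: 21687, Words: 9133, Lines: 581, Duration: 242ms]
actions.php             [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 100ms]
actions.html            [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 116ms]
changelog.txt           [Status: 200, Size: 49250, Words: 10094, Lines: 913, Duration: 21ms]
index.php               [Status: 200, Size: 21693, Words: 9133, Lines: 581, Duration: 239ms]
panel.txt               [Status: 200, Size: 6155, Words: 1618, Lines: 107, Duration: 136ms]
panel.html              [Status: 200, Size: 6155, Words: 1618, Lines: 107, Duration: 156ms]
panel.php               [Status: 200, Size: 6155, Words: 1618, Lines: 107, Duration: 168ms]
robots.txt              [Status: 200, Size: 142, Words: 9, Lines: 8, Duration: 18ms]
robots.txt              [Status: 200, Size: 142, Words: 9, Lines: 8, Duration: 21ms]
server-status           [Status: 403, Size: 283, Words: 20, Lines: 10, Duration: 20ms]
"""

LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+), Duration: \d+ms\]$"
)

def parse(text):
    """Yield (path, status, size, words, lines) for each ffuf result line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # banner, config and progress lines do not match and are skipped
            yield (m["path"],) + tuple(int(m[k]) for k in ("status", "size", "words", "lines"))

def group_by_fingerprint(text):
    """Map (status, words, lines) -> sorted unique paths sharing that response shape."""
    groups = defaultdict(set)
    for path, status, _size, words, lines in parse(text):
        groups[(status, words, lines)].add(path)
    return {fp: sorted(paths) for fp, paths in groups.items()}

def report(text):
    for (status, words, lines), paths in sorted(group_by_fingerprint(text).items()):
        print(f"{status}  words={words:<6} lines={lines:<4} {len(paths):>2} path(s): {', '.join(paths)}")

if __name__ == "__main__":
    report(FFUF_OUTPUT)
```

Size is left out of the grouping key on purpose: 0 and index.php share word and line counts but differ by a few bytes, so keying on Size would split them.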