InfoSec LAB

Extplorer_Web

Created: 3 min read

Web

Nmap discovered a Web server on the target port 80 The running service is Apache/2.4.41 (Ubuntu)

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/extplorer]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 302 Found
Date: Wed, 26 Mar 2025 09:26:05 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://192.168.111.16/wp-admin/setup-config.php
Content-Length: 0
Content-Type: text/html; charset=UTF-8
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/extplorer]
└─$ curl -I http://$IP/        
HTTP/1.1 302 Found
Date: Wed, 26 Mar 2025 09:26:08 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://192.168.111.16/wp-admin/setup-config.php
Content-Type: text/html; charset=UTF-8

302 to a WordPress endpoint at /wp-admin/setup-config.php

Redirected to the /wp-admin/setup-config.php page It would appear that the setup hasn’t been completed

Configuring it myself would not be possible unless the DB credential is known

Fuzzing

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/extplorer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .txt,.html,.php -fc 302
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.111.16/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .txt .html .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 302
________________________________________________
.htaccess.html          [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 22ms]
.htaccess               [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 22ms]
.htaccess.php           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 22ms]
.htaccess.txt           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 22ms]
.htpasswd               [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 18ms]
.htpasswd.html          [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 18ms]
.htpasswd.txt           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 18ms]
.htpasswd.php           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 18ms]
filemanager             [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 21ms]
license.txt             [Status: 200, Size: 19915, Words: 3331, Lines: 385, Duration: 22ms]
readme.html             [Status: 200, Size: 7402, Words: 750, Lines: 98, Duration: 24ms]
server-status           [Status: 403, Size: 279, Words: 20, Lines: 10, Duration: 22ms]
wordpress               [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 21ms]
wp-admin                [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 23ms]
wp-content              [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 17ms]
wp-includes             [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 22ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1869 req/sec :: Duration: [0:00:47] :: Errors: 0 ::

Fuzzing the web root revealed another interesting endpoint; /filemanager

/filemanager

There is an instance of eXtplorer at the /filemanager endpoint eXtplorer is a PHP-based file manager. Source code is available for review.

Version

Referring to the source code, there is the CHANGELOG.txt file that reveals the version information of the instance; 2.1.15

Authentication

Testing it for default/weak credential

Successfully authenticated with the default credential; admin:admin Since this is a “filemanager”, I could just upload a PHP shell Additionally, wp-config.php file doesn’t even exist.

Interestingly there is another user; dora

Interactive Graph View

Backlinks