Web
Nmap discovered a web server on target port 50080.
The running service is Apache httpd 2.4.46 ((Unix) PHP/7.4.15).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ curl -I -X OPTIONS http://$IP:50080/
HTTP/1.1 200 OK
Date: Sat, 08 Mar 2025 14:28:24 GMT
Server: Apache/2.4.46 (Unix) PHP/7.4.15
Allow: GET,POST,OPTIONS,HEAD,TRACE
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ curl -I http://$IP:50080/
HTTP/1.1 200 OK
Date: Sat, 08 Mar 2025 14:28:30 GMT
Server: Apache/2.4.46 (Unix) PHP/7.4.15
Last-Modified: Mon, 15 Feb 2021 16:23:07 GMT
ETag: "2380-5bb6266aed339"
Accept-Ranges: bytes
Content-Length: 9088
Content-Type: text/html
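The two responses above already give a defender three hardening findings: a versioned Server banner, TRACE in the Allow list, and an ETag that encodes the file's size and modification time. The following is an added example, not part of the original notes; the function names are hypothetical and the header text is copied from the curl output above.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Header lines copied from the two curl responses in these notes.
OPTIONS_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.46 (Unix) PHP/7.4.15
Allow: GET,POST,OPTIONS,HEAD,TRACE
"""
HEAD_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.4.46 (Unix) PHP/7.4.15
Last-Modified: Mon, 15 Feb 2021 16:23:07 GMT
ETag: "2380-5bb6266aed339"
Content-Length: 9088
"""

def parse_headers(raw):
    """Return a dict of lower-cased header names from a raw response head."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_apache_etag(etag):
    """Decode a size-mtime ETag: hex size, then hex mtime in microseconds."""
    size_hex, mtime_hex = etag.strip('"').split("-")
    mtime = datetime.fromtimestamp(int(mtime_hex, 16) // 1_000_000, tz=timezone.utc)
    return int(size_hex, 16), mtime

def audit(raw):
    """List hardening findings for one response head."""
    h, findings = parse_headers(raw), []
    versions = re.findall(r"[A-Za-z_-]+/\d[\w.]*", h.get("server", ""))
    if versions:
        findings.append("version banner: " + ", ".join(versions))
    if "TRACE" in [m.strip().upper() for m in h.get("allow", "").split(",")]:
        findings.append("TRACE enabled")
    if "last-modified" in h and re.fullmatch(r'"[0-9a-f]+-[0-9a-f]+"', h.get("etag", "")):
        size, mtime = decode_apache_etag(h["etag"])
        if str(size) == h.get("content-length") and mtime == parsedate_to_datetime(h["last-modified"]):
            findings.append(f"ETag encodes size={size}, mtime={mtime:%Y-%m-%d %H:%M:%S}")
    return findings

if __name__ == "__main__":
    for raw in (OPTIONS_RESPONSE, HEAD_RESPONSE):
        print(audit(raw))
```

On the Apache side these map to the ServerTokens Prod, TraceEnable off and FileETag None directives.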
Webroot
It appears to be a static website for a pizza restaurant.
Form Submission
There is a form at the bottom of the page, but the web app is configured to send submissions to the W3Schools default https://www.w3schools.com/action_page.php page.
This suggests that this is just a demo page.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:50080/FUZZ -ic -e .php
________________________________________________
:: Method : GET
:: URL : http://192.168.162.147:50080/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 31ms]
.htaccess.php [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 31ms]
.htpasswd.php [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 2783ms]
4 [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 25ms]
.htpasswd [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 3871ms]
cgi-bin/ [Status: 403, Size: 994, Words: 102, Lines: 43, Duration: 30ms]
cgi-bin/.php [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 32ms]
cloud [Status: 301, Size: 243, Words: 14, Lines: 8, Duration: 32ms]
images [Status: 301, Size: 244, Words: 14, Lines: 8, Duration: 26ms]
~bin [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 30ms]
~http [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 29ms]
~ftp [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 30ms]
~mail [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 26ms]
~nobody [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 27ms]
~root [Status: 403, Size: 980, Words: 101, Lines: 43, Duration: 27ms]
:: Progress: [40956/40956] :: Job [1/1] :: 1526 req/sec :: Duration: [0:00:33] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:50080/FUZZ -ic -e .php
________________________________________________
:: Method : GET
:: URL : http://192.168.162.147:50080/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Extensions : .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 9088, Words: 1204, Lines: 193, Duration: 26ms]
images [Status: 301, Size: 244, Words: 14, Lines: 8, Duration: 25ms]
4 [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 30ms]
cloud [Status: 301, Size: 243, Words: 14, Lines: 8, Duration: 32ms]
:: Progress: [415260/415260] :: Job [1/1] :: 1398 req/sec :: Duration: [0:05:17] :: Errors: 0 ::
/cloud/
Nextcloud (/cloud/)
Accessing the /cloud/ directory redirects to a Nextcloud login page at the /cloud/index.php/login endpoint.
Authentication
The default credential specified in the official documentation did not work.
However, admin:admin works.
General Information
The instance’s version is 20.0.7.
The target system’s environment can be checked through the administration page.
File
The interesting bit is in the File tab, as it contains what appears to be the source code of the issue tracker application running on target port 17445. Downloading the archive for further analysis.