Web
Nmap discovered a web server running on target port 50000.
The running service is Werkzeug httpd 1.0.1 (Python 3.6.8).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ curl -i http://192.168.218.117:50000/
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 24
Server: Werkzeug/1.0.1 Python/3.6.8
Date: Tue, 04 Feb 2025 17:45:39 GMT
{'/generate', '/verify'}
Webroot
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:50000/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.218.117:50000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
generate [Status: 200, Size: 16, Words: 1, Lines: 1, Duration: 63ms]
verify [Status: 200, Size: 8, Words: 1, Lines: 1, Duration: 26ms]
:: Progress: [20478/20478] :: Job [1/1] :: 840 req/sec :: Duration: [0:00:30] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:50000/generate/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.218.117:50000/generate/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [207630/207630] :: Job [1/1] :: 621 req/sec :: Duration: [0:06:18] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:50000/verify/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.218.117:50000/verify/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [207630/207630] :: Job [1/1] :: 809 req/sec :: Duration: [0:06:18] :: Errors: 0 ::
/generate
/verify
/generate
email?
Interestingly, sending a POST request with the data email=1 returns what appears to be a hash string:
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ echo -n '1' | sha256sum
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b -
The backend calculates the SHA-256 hash of the value posted in the email parameter (the raw value with no trailing newline, which is why echo -n reproduces it).
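As an added check (not part of the original write-up), the small Python helper below confirms which byte string the /generate endpoint actually hashed: it recomputes plausible encodings of the submitted email value with a few digest algorithms and reports the one that matches the returned digest. The digest constant is the value seen above; the candidate labels and function names are my own.

```python
from __future__ import annotations
import hashlib

# Digest returned by /generate for email=1 (value taken from the page above).
OBSERVED_DIGEST = "6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b"


def candidate_inputs(value: str) -> dict[str, bytes]:
    """Byte strings a backend might plausibly hash for a posted form value.

    The labels are our own guesses; the server's real code is not known.
    """
    return {
        "raw value": value.encode(),
        # What `echo` without -n would feed to sha256sum (trailing newline).
        "value + newline": (value + "\n").encode(),
        # The whole form pair, in case the server hashed the request body.
        "form pair email=<value>": f"email={value}".encode(),
        "form pair + newline": f"email={value}\n".encode(),
    }


def match_digest(value: str, observed: str,
                 algorithms: tuple[str, ...] = ("sha256", "sha1", "md5")
                 ) -> tuple[str, str] | None:
    """Return (algorithm, input label) whose hex digest equals `observed`.

    `observed` is normalised first (whitespace and quotes stripped, lower-cased)
    so a value pasted straight from a response body still compares correctly.
    Returns None when no candidate/algorithm pair reproduces the digest.
    """
    observed = observed.strip().strip("'\"").lower()
    for algo in algorithms:
        for label, data in candidate_inputs(value).items():
            if hashlib.new(algo, data).hexdigest() == observed:
                return algo, label
    return None


if __name__ == "__main__":
    print(match_digest("1", OBSERVED_DIGEST))  # -> ('sha256', 'raw value')
```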
/verify
code
Server-side template injection (SSTI) identified; the backend is Python.
Moving on to the Exploitation phase