Web
Nmap discovered a Web server on the target port 80
The running service is Apache httpd 2.4.56 ((Debian))
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Sun, 06 Apr 2025 09:27:21 GMT
Server: Apache/2.4.56 (Debian)
Allow: GET,HEAD
Cache-Control: no-cache, private
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Sun, 06 Apr 2025 09:27:24 GMT
Server: Apache/2.4.56 (Debian)
Cache-Control: no-cache, private
Set-Cookie: XSRF-TOKEN=eyJpdiI6ImgzRFFHRU9kU2pWZnBiS1VTb0ExZUE9PSIsInZhbHVlIjoiS0xoZjVNd3A5Y293Z1Q1WEFUTWY4NnN6ZTkrMzkvWEE1ek44RXhiWnZ0Qi9tZkVwV0tndzFLZnhLWkdGcWhEcVZ0aE5XTlRpbytVYjJOSGs4WDNzaHovUmFEM1RtTE9rRjhhVW5EWFptQXRmbFFQQUlqczhvb3dWTFhSV3lyMGEiLCJtYWMiOiJiODQyOTlhOGY0YjcyNTExMjViMTk3ODUzNjhlMmMwMDM0OGYyYTMyY2RjZmVlZGExNjQ3YTA4OGI0MTlmZDBjIn0%3D; expires=Sun, 06-Apr-2025 11:27:24 GMT; Max-Age=7200; path=/; samesite=lax
Set-Cookie: lavita_session=eyJpdiI6IldBUEVpRUVZTkh3eTlzVmlPdVplZFE9PSIsInZhbHVlIjoiVU1DaWpsTE5SQTVOSlJRUWczdUVTcG53L2NGdm54cUhtend3TUVuWktyUjFQdWVEZ2JoVlNHQ3RqL1h5MTRNZUNkWHo3YlJDSSs4Tmh3RDBoYVdnaGIvWktLaEhOU0ZDSXVTWDBkc045NGR0eitYL1diTzlwRmFzOS94OEZ0KzUiLCJtYWMiOiI5ZWI4NDk0NjQzYTM0M2FjY2NhMDA3NmQ1NzUwMDc3ZGYzYWUxYjVkMjI3YjM5NzBhMWI3YzhkMTAyODU1NmJkIn0%3D; expires=Sun, 06-Apr-2025 11:27:24 GMT; Max-Age=7200; path=/; httponly; samesite=lax
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8/Practice/LaVita/2-Enumeration/attachments/{D06F9859-E106-4132-ADFB-34BE19F4DC90}.png)
Webroot
/Practice/LaVita/2-Enumeration/attachments/{0F1A64AF-725C-431F-BB21-C581B1AD47BD}.png)
Possible username disclosures at the team section
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.201.38/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
cgi-bin/ [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 29ms]
css [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 59ms]
favicon.ico [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 44ms]
home [Status: 302, Size: 354, Words: 60, Lines: 12, Duration: 111ms]
images [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 34ms]
index.php [Status: 200, Size: 15138, Words: 4294, Lines: 329, Duration: 108ms]
javascript [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 18ms]
js [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 33ms]
login [Status: 200, Size: 4916, Words: 2152, Lines: 115, Duration: 123ms]
logout [Status: 405, Size: 835, Words: 133, Lines: 23, Duration: 111ms]
register [Status: 200, Size: 4981, Words: 2031, Lines: 116, Duration: 40ms]
robots.txt [Status: 200, Size: 24, Words: 2, Lines: 3, Duration: 30ms]
robots.txt [Status: 200, Size: 24, Words: 2, Lines: 3, Duration: 34ms]
:: Progress: [81912/81912] :: Job [1/1] :: 394 req/sec :: Duration: [0:04:26] :: Errors: 0 ::ffuf discovered several endpoints
/cgi-bin
/Practice/LaVita/2-Enumeration/attachments/{82E4C75B-DD67-4902-8BAC-2AECB59FC30E}-1.png)
404 error but it disclosed the backend; Laravel 8.4.0
/login
/Practice/LaVita/2-Enumeration/attachments/{6D53C5D0-E870-4661-9A12-C837571B8FBE}.png)
No credential is known at this time
/register
/Practice/LaVita/2-Enumeration/attachments/{4F8AE926-3AEF-4C3A-AD90-C3350967B722}.png)
Creating a testing account
/home
/Practice/LaVita/2-Enumeration/attachments/{132AB36E-4868-443E-B31B-F6B9B760EF13}.png)
Redirected to the /home endpoint after a successful registeration
The dashboard seems to support debugging as well as image upload
Debugging
/Practice/LaVita/2-Enumeration/attachments/{17F549FB-0C43-4DB6-B58A-834C56373296}.png)
/Practice/LaVita/2-Enumeration/attachments/{99CFF0DD-DDAB-421F-A531-F28D465D7EF5}.png)
/Practice/LaVita/2-Enumeration/attachments/{30C6624E-C15F-4B9E-AE19-289293759BC0}.png)
This appears to be the Laravel’s debug mode
/profiles
/Practice/LaVita/2-Enumeration/attachments/{98DB0E79-6525-4597-9BAA-7E5B239D831E}.png)
Although the debugging is enabled, the /profiles endpoint is not available
/_ignition/execute-solution
/Practice/LaVita/2-Enumeration/attachments/{D08BBA83-2D1A-44A0-96C7-6DA0D7FADB48}.png)
However, the /_ignition/execute-solution endpoint is available.
It also leaks the web root directory; /var/www/html/lavita
Image Upload
/Practice/LaVita/2-Enumeration/attachments/{E687E412-C83A-44E1-9A81-0D4C733AF049}.png)
/Practice/LaVita/2-Enumeration/attachments/{EB4EB6E9-62D5-44DA-B733-540D711CC445}.png)
/Practice/LaVita/2-Enumeration/attachments/{399B0453-73D9-4216-AB66-0DC377CA7BD5}.png)
/Practice/LaVita/2-Enumeration/attachments/Pasted-image-20250406120208.png)
The image upload feature doesn’t appear to work as the ImageList section shows empty
/Practice/LaVita/2-Enumeration/attachments/{E89D839C-F452-407C-AAB8-DB98C9DE6FA1}.png)
It’s not in the /images directory as well
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita]
└─$ searchsploit Laravel 8.4
-------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------- ---------------------------------
Laravel 8.4.2 debug mode - Remote code execution | php/webapps/49424.py
-------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No ResultsThere is a RCE exploit available for Laravel 8.4.2 with the debug mode
Given the target Laravel instance is 8.4.0 and the debug mode is available, the exploit might still be achievable