Web
Nmap discovered a Web server on the target port 8000
The running service is WSGIServer 0.2 (Python 3.10.6)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/levram]
└─$ curl -I -X OPTIONS http://$IP:8000/
HTTP/1.1 200 OK
Date: Fri, 04 Apr 2025 16:33:45 GMT
Server: WSGIServer/0.2 CPython/3.10.6
Content-Type: application/json
Vary: Accept, Origin
Allow: GET, OPTIONS
Content-Length: 228
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/levram]
└─$ curl -I http://$IP:8000/
HTTP/1.1 405 Method Not Allowed
Date: Fri, 04 Apr 2025 16:33:47 GMT
Server: WSGIServer/0.2 CPython/3.10.6
Content-Type: application/json
Vary: Accept, Origin
Allow: GET, OPTIONS
Content-Length: 41
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/levram]
└─$ curl -i http://$IP:8000/
HTTP/1.1 200 OK
Date: Fri, 04 Apr 2025 16:34:35 GMT
Server: WSGIServer/0.2 CPython/3.10.6
Content-Type: text/html; charset=utf-8
Vary: Accept, Origin
Allow: GET, OPTIONS
Content-Length: 2530
<!DOCTYPE html><html lang=en><head><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1"><link rel=icon href=/favicon.ico><title>Gerapy</title><link href=/static/css/chunk-10b2edc2.79f68610.css rel=prefetch><link href=/static/css/chunk-12e7e66d.8f856d8c.css rel=prefetch><link href=/static/css/chunk-39423506.2eb0fec8.css rel=prefetch><link href=/static/css/chunk-3a6102b3.0fe5e5eb.css rel=prefetch><link href=/static/css/chunk-4a7237a2.19df386b.css rel=prefetch><link href=/static/css/chunk-531d1845.b0b0d9e4.css rel=prefetch><link href=/static/css/chunk-582dc9b0.d60b5161.css rel=prefetch><link href=/static/css/chunk-5cd9d886.3dbe65b9.css rel=prefetch><link href=/static/css/chunk-736ea204.b9207071.css rel=prefetch><link href=/static/css/chunk-74cc1e94.c8be3c1c.css rel=prefetch><link href=/static/js/chunk-10b2edc2.2177f918.js rel=prefetch><link href=/static/js/chunk-12e7e66d.81b687df.js rel=prefetch><link href=/static/js/chunk-193b04f2.2d5472f1.js rel=prefetch><link href=/static/js/chunk-2d0a3191.bf64fc6c.js rel=prefetch><link href=/static/js/chunk-2d0e450e.3b0645c1.js rel=prefetch><link href=/static/js/chunk-39423506.0991e2ac.js rel=prefetch><link href=/static/js/chunk-3a6102b3.b8de0426.js rel=prefetch><link href=/static/js/chunk-4a7237a2.c87062ce.js rel=prefetch><link href=/static/js/chunk-531d1845.bcfd1cad.js rel=prefetch><link href=/static/js/chunk-55d43787.51c83f15.js rel=prefetch><link href=/static/js/chunk-55d4e541.00e829c1.js rel=prefetch><link href=/static/js/chunk-582dc9b0.1813595d.js rel=prefetch><link href=/static/js/chunk-5cd9d886.545ea914.js rel=prefetch><link href=/static/js/chunk-736ea204.11157dea.js rel=prefetch><link href=/static/js/chunk-74cc1e94.7f0ef74a.js rel=prefetch><link href=/static/js/chunk-8cbdea46.e9e70c1a.js rel=prefetch><link href=/static/css/app.5805a989.css rel=preload as=style><link href=/static/css/chunk-vendors.8f471f8e.css rel=preload as=style><link href=/static/js/app.21167fa2.js rel=preload as=script><link href=/static/js/chunk-vendors.e1925d78.js rel=preload as=script><link href=/static/css/chunk-vendors.8f471f8e.css rel=stylesheet><link href=/static/css/app.5805a989.css rel=stylesheet></head><body><noscript><strong>We're sorry but client doesn't work properly without JavaScript enabled. Please enable it to continue.</strong></noscript><div id=app></div><script src=/static/js/chunk-vendors.e1925d78.js></script><script src=/static/js/app.21167fa2.js></script></body></html> /Practice/Levram/2-Enumeration/attachments/{84AAC4B3-42A2-4754-9076-33D3434CEF7D}.png)
Webroot
Redirected a Gerapy login page
Gerapy is an Open-source Distributed Crawler Management Framework Based on Scrapy, Scrapyd, Django and Vue.js Source code is available for review
Default Credential
/Practice/Levram/2-Enumeration/attachments/{77F8DB99-4021-4EBE-9D57-E91290A8293E}.png)
/Practice/Levram/2-Enumeration/attachments/{4F30E16D-5CD9-41D6-8F4B-A520AF828946}.png)
Default credential works; admin:admin
Version Information
/Practice/Levram/2-Enumeration/attachments/{91903197-9BF7-453A-B8E2-39636992ED22}.png)
The version information is disclosed at the footer; 0.9.7
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/levram]
└─$ searchsploit Gerapy 0.9.7
------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------- ---------------------------------
Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated) | python/remote/50640.py
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No ResultsGerapy version 0.9.7 suffers from a RCE vulnerability; CVE-2021-43857
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/levram]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:8000/FUZZ -ic -e .html,.txt
________________________________________________
:: Method : GET
:: URL : http://192.168.206.24:8000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
admin [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 83ms]
:: Progress: [61434/61434] :: Job [1/1] :: 283 req/sec :: Duration: [0:04:14] :: Errors: 0 ::/admin
/Practice/Levram/2-Enumeration/attachments/{9C97EDC7-4B54-4F97-AB1E-74A44D0CABD3}.png)
Redirected to a login page for Django administration
/Practice/Levram/2-Enumeration/attachments/Pasted-image-20250404185134.png)
/Practice/Levram/2-Enumeration/attachments/{A0A8AA2C-E895-4309-B21F-029541D52CF7}.png)
The default credential works