Web


Nmap discovered a web server on the target's port 80. The running service is Apache httpd 2.4.56 ((Debian)).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Sat, 05 Apr 2025 19:26:46 GMT
Server: Apache/2.4.56 (Debian)
Allow: OPTIONS,HEAD,GET,POST
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Sat, 05 Apr 2025 19:26:49 GMT
Server: Apache/2.4.56 (Debian)
Last-Modified: Wed, 17 Aug 2022 18:42:09 GMT
ETag: "5ca-5e67438e9e240"
Accept-Ranges: bytes
Content-Length: 1482
Vary: Accept-Encoding
Content-Type: text/html

Webroot

The landing page claims to be an online anti-virus engine that scans PE files.

File Upload


Checking the source code reveals that the file upload functionality works by sending a POST request to the upload.php file.

The test file was uploaded successfully and the web application redirects to the /listing.php page.

The listing shows the last checked files, including the test file test.jpg. It would appear that the uploaded file was renamed to file.tmp.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ md5sum ~/Pictures/test.jpg 
253a8ec34a315b6a7c2828b847bc0a92  /home/kali/Pictures/test.jpg

The MD5 checksum matches, so the file itself was not altered; only the filename changed.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.190.33/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
backups                 [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 23ms]
index.html              [Status: 200, Size: 1482, Words: 350, Lines: 52, Duration: 18ms]
listing.php             [Status: 200, Size: 1321, Words: 305, Lines: 36, Duration: 24ms]
upload                  [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 18ms]
upload.php              [Status: 200, Size: 22, Words: 4, Lines: 2, Duration: 19ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1886 req/sec :: Duration: [0:00:48] :: Errors: 0 ::

ffuf finds the backups and upload directories.

backups


The backups directory contains a ZIP archive, backup.zip.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ curl -s http://$IP/backups/backup.zip -o backup.zip 

Downloading it to Kali.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ file backup.zip                                                                                                                
backup.zip: Zip archive data, at least v1.0 to extract, compression method=store
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ 7z l backup.zip         
 
7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024, ASM
 
Scanning the drive for archives:
1 file, 330055 bytes (323 KiB)
 
Listing archive: backup.zip
 
--
Path = backup.zip
Type = zip
Physical Size = 330055
 
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2023-11-14 07:04:19 D....            0            0  var/www/html
2022-08-18 09:15:17 D....            0            0  var/www/html/upload
2022-08-17 20:43:36 .....       308736       302156  var/www/html/upload/wget.exe
2022-08-17 20:43:36 .....        66560        24585  var/www/html/upload/whoami.exe
2022-08-17 21:13:18 .....           33           33  var/www/html/upload/index.html
2022-08-17 20:56:51 .....         1398          685  var/www/html/listing.php
2022-08-17 21:38:14 .....          851          430  var/www/html/upload.php
2022-08-17 20:42:09 .....         1482          738  var/www/html/index.html
------------------- ----- ------------ ------------  ------------------------
2023-11-14 07:04:19             379060       328627  6 files, 2 folders
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ 7z x backup.zip

The backup.zip file contains the source code of the target web application.

upload.php


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mzeeav]
└─$ cat var/www/html/upload.php 
<?php
 
/* Get the name of the uploaded file */
$filename = $_FILES['file']['name'];
 
/* Choose where to save the uploaded file */
$tmp_location = "upload/file.tmp";
$location = "upload/".$filename;
 
 
/* Move the file temporary */
move_uploaded_file($_FILES['file']['tmp_name'], $tmp_location);
 
 
 
/* Check MagicBytes MZ PEFILE 4D5A*/
$F=fopen($tmp_location,"r");
$magic=fread($F,2);
fclose($F);
$magicbytes = strtoupper(substr(bin2hex($magic),0,4)); 
error_log(print_r("Magicbytes:" . $magicbytes, TRUE));
 
/* if its not a PEFILE block it - str_contains onlz php 8*/
//if ( ! (str_contains($magicbytes, '4D5A'))) {
if ( strpos($magicbytes, '4D5A') === false ) {
	echo "Error no valid PEFILE\n";
	error_log(print_r("No valid PEFILE", TRUE));
	error_log(print_r("MagicBytes:" . $magicbytes, TRUE));
	exit ();
}
 
 
rename($tmp_location, $location);
 
 
 
?>

Besides moving the file to upload/file.tmp and then renaming it to its original filename inside the upload directory, the script checks the file signature by looking for the magic bytes 4D5A ("MZ"), the signature of DOS MZ executables and their descendants (including NE and PE). Only the first two bytes are inspected and the stored filename comes straight from the request, so this would be pretty easy to exploit.
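For comparison, an added example (not code from the target or this writeup) of how the same upload handler would look when hardened: it validates the full PE header (MZ, e_lfanew, and the PE\0\0 signature) while the file is still in PHP's private temp location, whitelists the extension, and stores the sample under a random name in UPLOAD_DIR, an assumed path that is not served by Apache.

```php
<?php
/* Hardened replacement for the upload.php shown above (added example, not the target's code).
 * Assumption: UPLOAD_DIR is writable by Apache and is NOT inside the served web root. */
const UPLOAD_DIR = '/var/www/uploads_quarantine';   // assumed path
const MAX_BYTES  = 10 * 1024 * 1024;
/* True only for a file with a DOS header AND the "PE\0\0" signature at e_lfanew,
 * instead of the original's two-byte "MZ" test. */
function is_pe_file(string $path): bool {
    $f = fopen($path, 'rb');
    if ($f === false) { return false; }
    $dos = fread($f, 64);                               // IMAGE_DOS_HEADER is 64 bytes
    if ($dos === false || strlen($dos) < 64 || substr($dos, 0, 2) !== 'MZ') {
        fclose($f); return false;
    }
    $e_lfanew = unpack('V', substr($dos, 60, 4))[1];    // offset 0x3C, little-endian DWORD
    if ($e_lfanew < 64 || $e_lfanew + 4 > filesize($path)) {
        fclose($f); return false;
    }
    fseek($f, $e_lfanew);
    $sig = fread($f, 4);
    fclose($f);
    return $sig === "PE\0\0";
}
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    http_response_code(400);
    exit("Upload failed\n");
}
$tmp = $_FILES['file']['tmp_name'];
if ($_FILES['file']['size'] > MAX_BYTES || !is_uploaded_file($tmp)) {
    http_response_code(413);
    exit("File rejected\n");
}
/* Validate while the file is still in PHP's private temp dir. The original moved it to
 * upload/file.tmp inside the web root first, and left it there when the check failed. */
if (!is_pe_file($tmp)) {
    http_response_code(415);
    exit("Error no valid PEFILE\n");                    // PHP discards the temp file
}
/* Never reuse the client-supplied name: whitelist the extension, generate the stored name. */
$ext = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
if (!in_array($ext, ['exe', 'dll'], true)) {
    http_response_code(415);
    exit("Only .exe/.dll samples are accepted\n");
}
$stored = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.bin';
if (!move_uploaded_file($tmp, $stored)) {
    http_response_code(500);
    exit("Could not store sample\n");
}
echo "Sample accepted\n";
```

The stored sample never keeps a client-controlled name or extension, and a file that fails validation never exists under the web root, which removes the window the original left open between the move and the check.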

upload


The uploaded files are stored in the upload directory, including the test file from above.