InfoSec LAB

Medjed_Web_8000

Created: 3 min read

Web

Nmap discovered a Web server on the target port 8000 The running service is BarracudaServer.com (Windows)

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ curl -I -X OPTIONS http://$IP:8000/
HTTP/1.1 200 OK
Date: Fri, 11 Apr 2025 16:42:32 GMT
Server: BarracudaServer.com (Windows)
Connection: Keep-Alive
Allow: OPTIONS, GET, HEAD, PROPFIND, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
DAV: 1, 2
MS-Author-Via: DAV
Content-Length: 0
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ curl -I http://$IP:8000/        
HTTP/1.1 200 OK
Date: Fri, 11 Apr 2025 16:42:36 GMT
Server: BarracudaServer.com (Windows)
Connection: Keep-Alive
Last-Modified: Tue, 19 Feb 2013 19:58:47 GMT
Content-Length: 8295

Webroot Redirected to what appears to be an initialization page for BarracudaDrive Server; /Config-Wizard/wizard/SetAdmin.lsp It appears to be a mirror instance of web server on the target port 44330

Initialization

Invalid email address It might be checking the structure

using the example.com domain

It would appear that the initialization process has been completed

Web File Server

BarracudaDrive features a web file server that is essentially a WebDAV server

Heading over to the filesystem(/fs), it shows 2 drives; C and D Mounting the current directory using a WebDAV session URL is possible through the highlighted button

and it pops open a window displaying the WebDAV session URL; http://192.168.156.127:8000/fs/433632d267f96d88/

WebDAV

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ cadaver 
dav:!> open http://192.168.156.127:8000/fs/433632d267f96d88/
dav:/fs/433632d267f96d88/>

Using cadaver WebDAV client, i can connect to the WebDAV session URL above

dav:/fs/433632d267f96d88/> cd ..
Authentication required for Web File Server on server `192.168.156.127':
Username: admin
Password: 
dav:/fs/> ls
Listing collection `/fs/': succeeded.
Coll:   C                                      0  Jan  1  1970
Coll:   D                                      0  Jan  1  1970

Authentication was required, so I did it

dav:/fs/> cd C
dav:/fs/C/> ls
Listing collection `/fs/C/': succeeded.
Coll:   $Recycle.Bin                           0  Nov  3  2020
Coll:   $WinREAgent                            0  Dec  2  2021
Coll:   Documents and Settings                 0  Oct 16  2020
Coll:   FTP                                    0  Nov  3  2020
Coll:   PerfLogs                               0  Dec  7  2019
Coll:   Program Files (x86)                    0  Dec  2  2021
Coll:   Program Files                          0  Dec  2  2021
Coll:   ProgramData                            0  Dec  7  2021
Coll:   RailsInstaller                         0  Nov  3  2020
Coll:   Recovery                               0  Dec  2  2021
Coll:   Ruby26-x64                             0  Nov  3  2020
Coll:   Sites                                  0  Nov  3  2020
Coll:   System Volume Information              0  Oct 16  2020
Coll:   Users                                  0  Dec  2  2021
Coll:   Windows                                0  Apr  8  2022
Coll:   bd                                     0  Apr 11 21:20
Coll:   xampp                                  0  Oct 17  2020
        DumpStack.log.tmp                   8192  Aug  2  2024
        output.txt                          2696  Apr 11 21:19
        pagefile.sys                   738197504  Aug  2  2024
        swapfile.sys                   268435456  Aug  2  2024

Now I have access to the target system’s C drive This would be the entry point since I can directly upload files to the target system.

Version Information

The version information is disclosed at the /rtl/about.lsp endpoint

Vulnerabilities

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ searchsploit BarracudaDrive 6.5
-------------------------------------------------- ---------------------------------
 Exploit Title                                    |  Path
-------------------------------------------------- ---------------------------------
BarracudaDrive v6.5 - Insecure Folder Permissions | windows/local/48789.txt
-------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

The exploit is for local privilege escalation

Interactive Graph View

Backlinks