InfoSec LAB

Monster_Web_80

Created: 4 min read

Web

Nmap discovered a Web server on the target port 80 The running service is Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.3.10

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ curl -I -X OPTIONS http://$IP/    
HTTP/1.1 200 OK
Date: Fri, 18 Apr 2025 17:37:05 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.3.10
Allow: GET,POST,OPTIONS,HEAD,TRACE
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Fri, 18 Apr 2025 17:37:07 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.3.10
Last-Modified: Tue, 24 Aug 2021 18:26:08 GMT
ETag: "5984-5ca524471f000"
Accept-Ranges: bytes
Content-Length: 22916
Content-Type: text/html

Webroot It appears to be a personal website showcasing a photofolio The web application is also hosted on port 443 over TLS

Wappalyzer identified technologies involved

About

The About section contains a possible username disclosure; wazowski

Contact

The Contact section includes a form submission but it appears to be dummy

Fuzzing

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.156.180/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
Blog                    [Status: 301, Size: 342, Words: 22, Lines: 10, Duration: 24ms]
Index.html              [Status: 200, Size: 22916, Words: 8056, Lines: 540, Duration: 38ms]
assets                  [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 35ms]
blog                    [Status: 301, Size: 342, Words: 22, Lines: 10, Duration: 38ms]
index.html              [Status: 200, Size: 22916, Words: 8056, Lines: 540, Duration: 32ms]
:: Progress: [81912/81912] :: Job [1/1] :: 930 req/sec :: Duration: [0:03:13] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.156.180/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 22916, Words: 8056, Lines: 540, Duration: 30ms]
cgi-bin                 [Status: 403, Size: 1062, Words: 103, Lines: 43, Duration: 204ms]
icons                   [Status: 200, Size: 74798, Words: 7383, Lines: 1005, Duration: 203ms]
blog                    [Status: 200, Size: 4225, Words: 206, Lines: 98, Duration: 704ms]
assets                  [Status: 200, Size: 1605, Words: 184, Lines: 20, Duration: 122ms]
:: Progress: [207630/207630] :: Job [1/1] :: 881 req/sec :: Duration: [0:07:56] :: Errors: 0 ::

ffuf found an endpoint; /blog/

/blog/

The /blog/ endpoint claims to be MIke’s blog and is a default Monstra installation page

CSS is not loaded because links are pointing to a domain; monster.pg

Domain information has been appended to the /etc/hosts file on Kali for local DNS resolution

Monstra

CSS is now loaded

Users

There are 2 users; admin and mike

Registration

Account registration does appear to be possible due to the captcha being not rendered properly

Authentication

Attempting to authenticate as the admin user with the password; wazowski

Successfully authenticated

File Upload

Interestingly, the file upload feature does not appear to work

Version Information

The version information is disclosed at the footer; Monstra 3.0.4

Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ searchsploit Monstra 3.0.4
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)                                    | php/webapps/51519.txt
Monstra CMS 3.0.4 - (Authenticated) Arbitrary File Upload / Remote Code Execution    | php/webapps/43348.txt
Monstra CMS 3.0.4 - Arbitrary Folder Deletion                                        | php/webapps/44512.txt
Monstra CMS 3.0.4 - Authenticated Arbitrary File Upload                              | php/webapps/48479.txt
Monstra cms 3.0.4 - Persitent Cross-Site Scripting                                   | php/webapps/44502.txt
Monstra CMS 3.0.4 - Remote Code Execution (Authenticated)                            | php/webapps/49949.py
Monstra CMS 3.0.4 - Remote Code Execution (RCE)                                      | php/webapps/52038.py
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)                                       | php/webapps/44855.py
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)                                       | php/webapps/44646.txt
Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)                   | php/webapps/45164.txt
------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Monstra 3.0.4 suffers from many vulnerabilities Moving onto the Exploitation phase

Interactive Graph View

Backlinks