Web
Nmap discovered a Web server on the target port 8080
The running service is WEBrick httpd 1.4.2 (Ruby 2.6.6 (2020-03-31))
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/peppo]
└─$ curl -I -X OPTIONS http://$IP:8080/
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Content-Length: 459
X-Request-Id: 8ee1384d-1f25-4745-84b9-4bed2f7678d5
X-Runtime: 0.001006
Server: WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)
Date: Sat, 29 Mar 2025 20:04:50 GMT
Connection: Keep-Alive
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/peppo]
└─$ curl -I http://$IP:8080/
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: text/html; charset=utf-8
Etag: W/"e642c235c373f6fe42ac653e92b46ea7"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 3b3b29e8-19c3-4072-846e-7b04c45782a8
X-Runtime: 0.014315
Content-Length: 0
Server: WEBrick/1.4.2 (Ruby/2.6.6/2020-03-31)
Date: Sat, 29 Mar 2025 20:04:53 GMT
Connection: Keep-Alive
Set-Cookie: _redmine_session=UHRiUloyZU1zSkdWUXJYSm1FYlViR2VWZVhUaWZRMXFMdDhNNkRmbVpQeDNETFFRS3lkNVE4NUMyTmEyUlNCeis5YS9maGI4UXNqTmlvT3ZGZFNoYmg4UHZSRHlvVkcwaUVWRkdabjZPQkt0S203SkRCWmxPWjdCSS9kTlFHWUdUb1JPcEtUQkVrQUFDc2lJc3VOaHNBM1Z6S29OeWU0eWFRQzZ1aGxKZXVxbEluV2NiZE5BSUNsRmJWT280VDdCLS01aUVqY2VUK3ltblVQQU5wK1VNMkR3PT0%3D--df81d9587fcf9084acda36a25971e5a759acc860; path=/; HttpOnly
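The _redmine_session value above has the layout of a legacy Rails cookie-store session, Base64(Base64(ciphertext)--Base64(iv))--HMAC-SHA1-hex, so its integrity rests entirely on the deployment's secret_key_base. The Python below is an added example, not code from this writeup or from Redmine: it parses that exact cookie and checks the signature under a given secret, assuming Rails' default salt and 1000 PBKDF2 iterations (unchanged by Redmine 4.1); the secret used for the round trip is constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import unquote

# _redmine_session value from the curl output above (cookie attributes dropped;
# the string is split only for line length).
OBSERVED_COOKIE = (
    "UHRiUloyZU1zSkdWUXJYSm1FYlViR2VWZVhUaWZRMXFMdDhNNkRmbVpQeDNETFFRS3lkNVE4NUMyTmEy"
    "UlNCeis5YS9maGI4UXNqTmlvT3ZGZFNoYmg4UHZSRHlvVkcwaUVWRkdabjZPQkt0S203SkRCWmxPWjdC"
    "SS9kTlFHWUdUb1JPcEtUQkVrQUFDc2lJc3VOaHNBM1Z6S29OeWU0eWFRQzZ1aGxKZXVxbEluV2NiZE5B"
    "SUNsRmJWT280VDdCLS01aUVqY2VUK3ltblVQQU5wK1VNMkR3PT0%3D"
    "--df81d9587fcf9084acda36a25971e5a759acc860"
)
# Rails' default salt for the legacy encrypted-cookie signing key and the PBKDF2
# iteration count of its key generator; assumed unchanged by Redmine 4.1.
SIGNED_ENCRYPTED_COOKIE_SALT = b"signed encrypted cookie"
PBKDF2_ITERATIONS = 1000


def parse_rails_cookie(cookie_value: str) -> dict:
    """Peel a legacy (pre-GCM) Rails encrypted cookie:
    outer  Base64(inner)--HMAC-SHA1-hex     (ActiveSupport::MessageVerifier)
    inner  Base64(ciphertext)--Base64(iv)   (MessageEncryptor, AES-256-CBC)"""
    signed_payload, _, digest = unquote(cookie_value).rpartition("--")
    inner = base64.b64decode(signed_payload).decode("ascii")
    ciphertext_b64, _, iv_b64 = inner.rpartition("--")
    return {
        "signed_payload": signed_payload,
        "digest": digest,
        "ciphertext_len": len(base64.b64decode(ciphertext_b64)),
        "iv_len": len(base64.b64decode(iv_b64)),
    }


def sign_payload(signed_payload: str, secret_key_base: str) -> str:
    """Recompute the server's digest: HMAC-SHA1 under a 64-byte key that
    ActiveSupport::KeyGenerator derives from secret_key_base with PBKDF2-HMAC-SHA1."""
    key = hashlib.pbkdf2_hmac("sha1", secret_key_base.encode(),
                              SIGNED_ENCRYPTED_COOKIE_SALT, PBKDF2_ITERATIONS, dklen=64)
    return hmac.new(key, signed_payload.encode("ascii"), hashlib.sha1).hexdigest()


def verify_cookie(cookie_value: str, secret_key_base: str) -> bool:
    """True only if the digest matches; otherwise the cookie was altered, the secret
    was rotated, or it was minted by a different deployment."""
    parts = parse_rails_cookie(cookie_value)
    expected = sign_payload(parts["signed_payload"], secret_key_base)
    return hmac.compare_digest(expected, parts["digest"])
```

The 16-byte IV and the 40-hex-character digest are what identify the CBC-plus-HMAC-SHA1 scheme rather than the AES-GCM layout (ciphertext--iv--tag) that newer Rails defaults produce.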
Webroot
It’s a Redmine instance
Wappalyzer identified the technologies involved
Redmine is a free and open source, web-based project management and issue tracking tool. It allows users to manage multiple projects and associated subprojects. It features per project wikis and forums, time tracking, and flexible, role-based access control. It includes a calendar and Gantt charts to aid visual representation of projects and their deadlines. Redmine integrates with various version control systems and includes a repository browser and diff viewer.
Project / Activity
No project
No activity
Registration
Creating a testing account
It requires approval
Authentication
However, signing in doesn’t appear possible unless the registration is approved by an administrator
N/A
Default Credential
An online resource revealed the default credentials for Redmine: admin:admin
Redirected to the password reset page as the password has expired
Resetting it to qwer1234
Successfully authenticated as the admin user
Administration
The version is 4.1.1.stable
It uses:
MiniMagick
ImageMagick
Ruby on Rails 5.2.4.2
SQLite
SCM: Subversion 1.10.4, Mercurial 4.8.2, Bazaar 2.8.0, Git 2.20.1
Users
The admin user is the sole user
General
Checking the General settings reveals that the web app itself is running on the localhost:3000 socket and is likely proxied through WEBrick httpd
SCM
The repository setting reveals that it might be possible to enable the host filesystem as SCM
Enabling Filesystem
Just did that
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/peppo]
└─$ searchsploit redmine
------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------ ---------------------------------
Redmine 0.8.6 - Cross-Site Request Forgery (Add Admin) | multiple/webapps/10424.txt
Redmine 1.0.1/1.1.1 - 'projects/hg-hellowword/news/' Cross-Site Scripting | php/webapps/35572.txt
Redmine SCM Repository - Arbitrary Command Execution (Metasploit) | linux/remote/41695.rb
Redmine SCM Repository 0.9.x/1.0.x - Arbitrary Command Execution (Metasploit) | linux/webapps/16889.rb
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
Searching for vulnerabilities reveals a Metasploit module for arbitrary command execution via SCM repository. Not sure if it is applicable to the current context.