Web


Nmap discovered a web server on target port 80. The running service is Apache httpd 2.4.29 ((Ubuntu)).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ curl -I -X OPTIONS http://$IP/                                                                                               
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2025 12:58:22 GMT
Server: Apache/2.4.29 (Ubuntu)
Allow: HEAD,GET,POST,OPTIONS
Content-Length: 0
Content-Type: text/html
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2025 12:58:31 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Tue, 26 Jan 2021 15:06:35 GMT
ETag: "2aa6-5b9cf002d0c8d"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html

It's the default installation page for Apache.

It also discloses the web root directory: /var/www/html

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.104.131/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess               [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 28ms]
.htpasswd               [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 29ms]
internal                [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 24ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
svn                     [Status: 401, Size: 462, Words: 42, Lines: 15, Duration: 27ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1408 req/sec :: Duration: [0:00:14] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.104.131/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 32ms]
svn                     [Status: 401, Size: 462, Words: 42, Lines: 15, Duration: 23ms]
internal                [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 137ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
:: Progress: [207630/207630] :: Job [1/1] :: 49 req/sec :: Duration: [0:02:27] :: Errors: 0 ::
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ -ic -e .php,.txt,.html
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.104.131/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 29ms]
index.html              [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 27ms]
.html                   [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 28ms]
svn                     [Status: 401, Size: 462, Words: 42, Lines: 15, Duration: 30ms]
internal                [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 26ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
:: Progress: [830520/830520] :: Job [1/1] :: 1449 req/sec :: Duration: [0:09:47] :: Errors: 0 ::

  • /svn
  • /internal/

/svn


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ curl -I http://$IP/svn                     
HTTP/1.1 401 Unauthorized
Date: Sun, 09 Mar 2025 13:20:58 GMT
Server: Apache/2.4.29 (Ubuntu)
WWW-Authenticate: Basic realm="Subversion Repository"
Content-Type: text/html; charset=iso-8859-1

The /svn endpoint is protected by HTTP Basic authentication.

Bypass Attempt


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ byp4xx -t 128 -L --all http://$IP/svn
    __                 __ __           
   / /_  __  ______   / // / _  ___  __
  / __ \/ / / / __ \ / // /_| |/_/ |/_/
 / /_/ / /_/ / /_/ //__  __/>  <_>  <  
/_.___/\__, / .___/   /_/ /_/|_/_/|_|  
      /____/_/                        
by: @lobuhisec 
 
===== http://192.168.104.131/svn =====
==VERB TAMPERING==
==HEADERS==
==USER AGENTS==
==EXTENSIONS==
==DEFAULT CREDS==
==CASE SENSITIVE==
svN: 404
sVn: 404
Svn: 404
==MID PATHS==
==END PATHS==
==BUG BOUNTY TIPS==
/svn//: 401
/svn??: 401
/./svn/./: 401
/.;/svn/.;/: 404
/svn..;: 404
/svn/.randomstring: 401
/%2e/svn: 401
/.;/svn: 404
/svn/: 401
/svn?: 401
/svn..;/: 404
/;foo=bar/svn: 401<!DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN>
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.104.131 Port 80</address>
</body></html>
404
/%ef%bc%8fsvn: 401<!DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN>
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.104.131 Port 80</address>
</body></html>
404

The bypass attempt failed.

The Issue


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ hydra -L /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt -P /usr/share/wordlists/fasttrack.txt -I -t 64 http-get://$IP/svn:A=basic:F=401
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-09 15:37:51
[DATA] max 64 tasks per 1 server, overall 64 tasks, 4454 login tries (l:17/p:262), ~70 tries per task
[DATA] attacking http-get://192.168.104.131:80/svn:A=basic:F=401
[80][http-get] host: 192.168.104.131   login: admin   password: admin
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-03-09 15:38:04

It turns out that the admin:admin credential is actually valid.

The admin:admin credential was the first default credential attempted. The initial attempt was dismissed because the web server responded with 403, making me believe that everything under the /svn/ directory would result in 403.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ curl -I http://$IP/svn        
HTTP/1.1 401 Unauthorized
Date: Sun, 09 Mar 2025 14:40:40 GMT
Server: Apache/2.4.29 (Ubuntu)
WWW-Authenticate: Basic realm="Subversion Repository"
Content-Type: text/html; charset=iso-8859-1

It was rather confusing because the web server responds with 401 if authentication is not made via the Authorization header.
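
A defender's view of the password-guessing run above, as an added example that is not part of the original write-up: a Python detector that scans Apache combined-format access logs for bursts of 401s under /svn and treats any later non-401 response carrying a user name (403 and 301 included, the case that caused the confusion here) as an accepted login. The log lines, addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_guessing(lines, prefix="/svn", threshold=5, window=timedelta(seconds=60)):
    """Flag clients with >= threshold 401s under prefix inside window, and record
    the first later request from that client that got past authentication.
    Lines are assumed to be in chronological order, as in a live access log."""
    recent = defaultdict(deque)   # ip -> timestamps of 401s still inside the window
    findings = {}                 # ip -> {"failures", "user", "status"}
    for rec in filter(None, map(parse, lines)):
        path = rec["path"].split("?", 1)[0]
        if path != prefix and not path.startswith(prefix + "/"):
            continue
        ip = rec["ip"]
        if rec["status"] == 401:
            q = recent[ip]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "user": None, "status": None})
                f["failures"] = max(f["failures"], len(q))
        elif ip in findings and rec["user"] != "-" and findings[ip]["user"] is None:
            # Any non-401 answer carrying a user name means the credentials were
            # accepted, even when the status is 403 or 301 rather than 200.
            findings[ip]["user"] = rec["user"]
            findings[ip]["status"] = rec["status"]
    return findings

def _line(ip, user, second, path, status):
    """Build one constructed combined-format log line."""
    return (f'{ip} - {user} [09/Mar/2025:15:37:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 462 "-" "-"')

# Constructed sample log (documentation addresses, not taken from the target).
SAMPLE_LOG = (
    [_line("203.0.113.10", u, 51 + i, "/svn", 401)
     for i, u in enumerate(["root", "test", "guest", "info", "adm", "mysql"])]
    + [_line("203.0.113.10", "admin", 58, "/svn", 403),
       _line("203.0.113.10", "admin", 59, "/svn/dev", 301),
       _line("198.51.100.7", "-", 52, "/svn/dev/", 401),
       _line("198.51.100.7", "builder", 53, "/svn/dev/", 200)]
)

if __name__ == "__main__":
    for ip, finding in detect_guessing(SAMPLE_LOG).items():
        print(ip, finding)
```

The second client in the sample shows the normal Basic-auth handshake (one 401 without credentials, then an authenticated request) and is not flagged.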

Fuzzing /svn directory


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -H 'Authorization: Basic YWRtaW46YWRtaW4=' -u http://$IP/svn/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.104.131/svn/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Header           : Authorization: Basic YWRtaW46YWRtaW4=
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
användare               [Status: 500, Size: 235, Words: 13, Lines: 8, Duration: 27ms]
dev                     [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 123ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1481 req/sec :: Duration: [0:00:14] :: Errors: 0 ::

While användare resulted in status code 500, another hidden endpoint was identified: /dev

/dev/

Heading over to the /svn/dev/ directory reveals a Subversion repository. It also leaks the version information: Apache Subversion version 1.9.7 (r1800392). Enumerating..

/internal/ Directory


The /internal/ directory returns 403.

Bypass Attempt


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ byp4xx -t 128 -L --all http://$IP/internal 
    __                 __ __           
   / /_  __  ______   / // / _  ___  __
  / __ \/ / / / __ \ / // /_| |/_/ |/_/
 / /_/ / /_/ / /_/ //__  __/>  <_>  <  
/_.___/\__, / .___/   /_/ /_/|_/_/|_|  
      /____/_/                        
by: @lobuhisec 
 
===== http://192.168.104.131/internal =====
==VERB TAMPERING==
==HEADERS==
==USER AGENTS==
==EXTENSIONS==
==DEFAULT CREDS==
==CASE SENSITIVE==
inTernal: 404
Internal: 404
internaL: 404
inteRnal: 404
interNal: 404
iNternal: 404
intErnal: 404
internAl: 404
==MID PATHS==
==END PATHS==
==BUG BOUNTY TIPS==
/%2e/internal: curl: (2) no URL specified
curl: try 'curl --help' or 'curl --manual' for more information
 
/internal//: 403
/.;/internal: 404
/internal/: 403
/%ef%bc%8finternal: 404
/internal..;: 404
/./internal/./: 403
/internal/.randomstring: 404
/internal?: 403
/internal??: 403
/internal..;/: 403<!DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN>
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.104.131 Port 80</address>
</body></html>
404
/;foo=bar/internal: 403<!DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN>
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.104.131 Port 80</address>
</body></html>
404
/.;/internal/.;/: 403<!DOCTYPE HTML PUBLIC -//IETF//DTD HTML 2.0//EN>
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<hr>
<address>Apache/2.4.29 (Ubuntu) Server at 192.168.104.131 Port 80</address>
</body></html>
404

The bypass attempt failed.

Fuzzing /internal/ Directory


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -recursion -u http://$IP/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.104.131/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 44ms]
svn                     [Status: 401, Size: 462, Words: 42, Lines: 15, Duration: 24ms]
internal                [Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 30ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/FUZZ
 
                        [Status: 200, Size: 10918, Words: 3499, Lines: 376, Duration: 26ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
users                   [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 37ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/users/FUZZ
 
static                  [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 27ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/FUZZ
 
submissions             [Status: 301, Size: 333, Words: 20, Lines: 10, Duration: 33ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/submissions/FUZZ
 
internal                [Status: 301, Size: 330, Words: 20, Lines: 10, Duration: 30ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/internal/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/users/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
templates               [Status: 301, Size: 337, Words: 20, Lines: 10, Duration: 31ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/users/templates/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/FUZZ
 
images                  [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 27ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/images/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
css                     [Status: 301, Size: 332, Words: 20, Lines: 10, Duration: 24ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/css/FUZZ
 
js                      [Status: 301, Size: 331, Words: 20, Lines: 10, Duration: 25ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/js/FUZZ
 
vendor                  [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 59ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/vendor/FUZZ
 
fonts                   [Status: 301, Size: 334, Words: 20, Lines: 10, Duration: 24ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/fonts/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/submissions/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 28ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 35ms]
report1                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 30ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/internal/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/users/templates/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 42ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/images/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
icons                   [Status: 301, Size: 341, Words: 20, Lines: 10, Duration: 51ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/images/icons/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 30ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/css/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 28ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 30ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/js/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 29ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/vendor/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
bootstrap               [Status: 301, Size: 345, Words: 20, Lines: 10, Duration: 26ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/vendor/bootstrap/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
jquery                  [Status: 301, Size: 342, Words: 20, Lines: 10, Duration: 26ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/vendor/jquery/FUZZ
 
animate                 [Status: 301, Size: 343, Words: 20, Lines: 10, Duration: 27ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/vendor/animate/FUZZ
 
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/fonts/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 28ms]
ubuntu                  [Status: 301, Size: 341, Words: 20, Lines: 10, Duration: 40ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/fonts/ubuntu/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 28ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/images/icons/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/vendor/bootstrap/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 24ms]
css                     [Status: 301, Size: 349, Words: 20, Lines: 10, Duration: 27ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/vendor/bootstrap/css/FUZZ
 
js                      [Status: 301, Size: 348, Words: 20, Lines: 10, Duration: 26ms]
[INFO] Adding a new job to the queue: http://192.168.104.131/internal/static/vendor/bootstrap/js/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/vendor/jquery/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 39ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/vendor/animate/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 34ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/fonts/ubuntu/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 37ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 51ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/vendor/bootstrap/css/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 32ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 24ms]
[INFO] Starting queued job on target: http://192.168.104.131/internal/static/vendor/bootstrap/js/FUZZ
 
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 27ms]
                        [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
:: Progress: [207630/207630] :: Job [19/19] :: 1515 req/sec :: Duration: [0:02:34] :: Errors: 0 ::

ffuf mapped a large part of the web server's directory structure; however, none of the discovered paths are accessible except for /internal/submissions/report1

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ curl -i http://$IP/internal/submissions/report1            
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2025 14:09:41 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Sun, 09 Mar 2025 14:08:01 GMT
ETag: "0-62fe962373a32"
Accept-Ranges: bytes
Content-Length: 0

That file is empty.