Web
Nmap discovered a web server on target port 8081.
The running service is Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16). The first plain-HTTP request below fails with a 400 because the port only speaks TLS, so the follow-up requests use HTTPS and `-k` to accept the self-signed certificate.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/quackerJack]
└─$ curl -i http://$IP:8081/
HTTP/1.1 400 Bad Request
Date: Thu, 03 Apr 2025 04:28:20 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
Content-Length: 362
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.<br />
Instead use the HTTPS scheme to access this URL, please.<br />
</p>
</body></html>
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/quackerJack]
└─$ curl -k -I -X OPTIONS https://$IP:8081/
HTTP/1.1 200 OK
Date: Thu, 03 Apr 2025 04:28:45 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 83
Content-Type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/quackerJack]
└─$ curl -k -I https://$IP:8081/
HTTP/1.1 200 OK
Date: Thu, 03 Apr 2025 04:28:51 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/quackerJack]
└─$ openssl s_client -connect $IP:8081
Connecting to 192.168.144.57
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=quackerjack, emailAddress=root@quackerjack
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=quackerjack, emailAddress=root@quackerjack
verify error:num=10:certificate has expired
notAfter=Jun 22 19:28:25 2021 GMT
verify return:1
depth=0 C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=quackerjack, emailAddress=root@quackerjack
notAfter=Jun 22 19:28:25 2021 GMT
verify return:1
---
Certificate chain
0 s:C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=quackerjack, emailAddress=root@quackerjack
i:C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=quackerjack, emailAddress=root@quackerjack
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 22 19:28:25 2020 GMT; NotAfter: Jun 22 19:28:25 2021 GMT
---
Server certificate
subject=C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=quackerjack, emailAddress=root@quackerjack
issuer=C=--, ST=SomeState, L=SomeCity, O=SomeOrganization, OU=SomeOrganizationalUnit, CN=quackerjack, emailAddress=root@quackerjack
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1688 bytes and written 564 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 1157C4B4950DA5A3308744DDBB089DBE8D06EA424CD154D37BFC5EBDA4D3C32A
Session-ID-ctx:
Master-Key: CF08E6AF0559DCC3E43D4E2FE66B60BAFA3DA27DB416559BEB4B258ADD58F646B74356FF24AB315C7C56D01C11AE201B
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1743654589
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
---
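The s_client output above carries the facts a defender wants from this listener: a self-signed issuer, a certificate that expired in June 2021, the negotiated protocol and cipher, and the non-zero verify return code. The following triage helper is an added example (not part of the original walkthrough) that parses those lines and flags the findings; `parse_s_client` and `assess` are assumed names, and `SAMPLE` is a constructed, abridged copy of the output shown above.

```python
import re
from datetime import datetime, timezone

# Constructed sample: an abridged copy of the s_client output shown above.
SAMPLE = """\
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 22 19:28:25 2020 GMT; NotAfter: Jun 22 19:28:25 2021 GMT
---
subject=C=--, ST=SomeState, O=SomeOrganization, CN=quackerjack, emailAddress=root@quackerjack
issuer=C=--, ST=SomeState, O=SomeOrganization, CN=quackerjack, emailAddress=root@quackerjack
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 10 (certificate has expired)
"""
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _first(pattern, text, group=1):
    m = re.search(pattern, text, re.M)
    return m.group(group) if m else None

def parse_s_client(text):
    """Pull the certificate and session facts out of raw s_client output."""
    fmt = "%b %d %H:%M:%S %Y"  # openssl prints e.g. "Jun 22 19:28:25 2021 GMT"
    session = r"^New, (\S+), Cipher is (\S+)$"
    return {
        "subject": _first(r"^subject=(.*)$", text),
        "issuer": _first(r"^issuer=(.*)$", text),
        "not_before": datetime.strptime(_first(r"NotBefore: (.+?) GMT", text), fmt),
        "not_after": datetime.strptime(_first(r"NotAfter: (.+?) GMT", text), fmt),
        "key_bits": int(_first(r"PKEY: \w+, (\d+) \(bit\)", text)),
        "protocol": _first(session, text, 1),
        "cipher": _first(session, text, 2),
        "verify_code": int(_first(r"^Verify return code: (\d+)", text)),
    }

def assess(info, now):
    """Flag hygiene problems; `now` is naive UTC, matching openssl's GMT stamps."""
    return {
        "self_signed": info["subject"] == info["issuer"],
        "expired": now > info["not_after"],
        "days_expired": max(0, (now - info["not_after"]).days),
        "weak_key": info["key_bits"] < 2048,
        "legacy_protocol": info["protocol"] in LEGACY_PROTOCOLS,
        "verification_failed": info["verify_code"] != 0,
    }

if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    for name, hit in assess(parse_s_client(SAMPLE), now).items():
        print(f"{name:>20}: {hit}")
```

Pipe real output in with `openssl s_client -connect host:port </dev/null 2>/dev/null` and pass it to `parse_s_client` to triage other listeners the same way.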
Redirected to an rConfig login page at /login.php
rConfig is a Network Configuration Management solution that helps businesses automate and streamline network operations. It ensures Compliance & Security Auditing by tracking changes and enforcing policies across devices. With Bulk Configuration Deployment & Updates, users can efficiently manage large-scale networks. The platform supports Multi-Vendor Network Automation, enabling seamless integration with various network devices. Additionally, it provides Real-Time Network Change Monitoring & Alerts to enhance security and operational efficiency.
Source code is available for review.
Default credentials do not work.
Version Information
The version information is disclosed in the footer: 3.9.4
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/quackerJack]
└─$ searchsploit rConfig 3.9.4
-------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------- ---------------------------------
rConfig 3.9 - 'searchColumn' SQL Injection | php/webapps/48208.py
rConfig 3.9.4 - 'search.crud.php' Remote Command Injection | php/webapps/48241.py
rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution | php/webapps/48261.py
Rconfig 3.x - Chained Remote Code Execution (Metasploit) | linux/remote/48223.rb
-------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
It would appear that the target rConfig instance suffers from multiple vulnerabilities.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/quackerJack]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u https://$IP:8081/FUZZ -ic -e .txt,.html,.php
________________________________________________
:: Method : GET
:: URL : https://192.168.144.57:8081/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .txt .html .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess.txt [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 19ms]
.htaccess [Status: 403, Size: 211, Words: 15, Lines: 9, Duration: 19ms]
.htpasswd [Status: 403, Size: 211, Words: 15, Lines: 9, Duration: 19ms]
.htpasswd.html [Status: 403, Size: 216, Words: 15, Lines: 9, Duration: 18ms]
.htaccess.html [Status: 403, Size: 216, Words: 15, Lines: 9, Duration: 19ms]
.htpasswd.txt [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 19ms]
.htaccess.php [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 19ms]
.htpasswd.php [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 19ms]
LICENSE.txt [Status: 200, Size: 35147, Words: 5836, Lines: 675, Duration: 18ms]
README [Status: 200, Size: 1039, Words: 130, Lines: 25, Duration: 20ms]
categories.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 28ms]
cgi-bin/.html [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 35ms]
cgi-bin/ [Status: 403, Size: 210, Words: 15, Lines: 9, Duration: 35ms]
css [Status: 301, Size: 240, Words: 14, Lines: 8, Duration: 20ms]
dashboard.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 26ms]
devices.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 27ms]
favicon.ico [Status: 200, Size: 5430, Words: 15, Lines: 12, Duration: 18ms]
images [Status: 301, Size: 243, Words: 14, Lines: 8, Duration: 17ms]
includes [Status: 301, Size: 245, Words: 14, Lines: 8, Duration: 31ms]
index.php [Status: 200, Size: 83, Words: 4, Lines: 2, Duration: 19ms]
js [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 20ms]
ldap [Status: 301, Size: 241, Words: 14, Lines: 8, Duration: 18ms]
lib [Status: 301, Size: 240, Words: 14, Lines: 8, Duration: 19ms]
login.php [Status: 200, Size: 5881, Words: 1708, Lines: 113, Duration: 30ms]
scheduler.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 27ms]
search.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 26ms]
settings.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 27ms]
snippets.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 32ms]
updater.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 29ms]
useradmin.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 36ms]
useraccount.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 38ms]
vendors.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 28ms]
:: Progress: [81912/81912] :: Job [1/1] :: 2083 req/sec :: Duration: [0:00:41] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/quackerJack]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://$IP:8081/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : https://192.168.144.57:8081/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
cgi-bin [Status: 403, Size: 210, Words: 15, Lines: 9, Duration: 22ms]
[Status: 200, Size: 83, Words: 4, Lines: 2, Duration: 25ms]
images [Status: 403, Size: 209, Words: 15, Lines: 9, Duration: 18ms]
icons [Status: 200, Size: 74409, Words: 7427, Lines: 1007, Duration: 23ms]
css [Status: 403, Size: 206, Words: 15, Lines: 9, Duration: 19ms]
includes [Status: 403, Size: 211, Words: 15, Lines: 9, Duration: 20ms]
lib [Status: 403, Size: 206, Words: 15, Lines: 9, Duration: 19ms]
js [Status: 403, Size: 205, Words: 15, Lines: 9, Duration: 19ms]
ldap [Status: 403, Size: 207, Words: 15, Lines: 9, Duration: 19ms]
:: Progress: [207630/207630] :: Job [1/1] :: 2000 req/sec :: Duration: [0:01:52] :: Errors: 0 ::
N/A