InfoSec LAB

Reconstruction_Web

Created: 3 min read

Web

Nmap discovered a Web server on the target port 8080 The running service is Werkzeug httpd 1.0.1 (Python 3.6.9)

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/reconstruction]
└─$ curl -I http://$IP:8080
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 1952
Server: Werkzeug/1.0.1 Python/3.6.9
Date: Thu, 06 Feb 2025 22:03:04 GMT

Webroot It appear to be a blog

hello-world

Clicking into the Hello World! article returns a verbose error It would appear that the Flask application has debugging enabled. The web application is running off the /var/www/blog/app.py file

Fuzzing

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/reconstruction]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://$IP:8080/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.209.103:8080/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
login                   [Status: 200, Size: 2297, Words: 545, Lines: 76, Duration: 38ms]
data                    [Status: 302, Size: 253, Words: 22, Lines: 4, Duration: 41ms]
logout                  [Status: 200, Size: 2011, Words: 486, Lines: 67, Duration: 41ms]
create                  [Status: 302, Size: 257, Words: 22, Lines: 4, Duration: 40ms]
drafts                  [Status: 302, Size: 257, Words: 22, Lines: 4, Duration: 36ms]
hello-world             [Status: 500, Size: 36329, Words: 4585, Lines: 535, Duration: 49ms]
:: Progress: [1185241/1185241] :: Job [1/1] :: 719 req/sec :: Duration: [0:30:09] :: Errors: 0 ::

Some of those endpoints were found in the PCAP files found in the FTP server

login

Password found in one of the PCAP files; 1edfa9b54a7c0ec28fbc25babb50892e

Authenticated

It would appear that I can make a post on this blog

create

Attempting to test for SSTI fails It looks like there is a misconfiguration to write to the backend DB It would appear that the target application uses PeeWee

data

It seems to display the /hello-world/ endpoint

However, when supplying random hex bytes as demonstrated in one of the PCAP files, the web server responses with an unknown header, X-Error, that is not even listed in the Wikipedia

X-Error: Incorrect padding

Looking it up online reveals that the issue is in the base64 padding

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/reconstruction]
└─$ echo -n blahblah | base64 
YmxhaGJsYWg=

Supplying a base64-encoded payload reveals an interesting error; [Errno 2] No such file or directory: 'blahblah' This seems to suggest Directory Traversal or potential LFI

Directory Traversal

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/reconstruction]
└─$ echo -n "/etc/passwd" | base64
L2V0Yy9wYXNzd2Q=

Directory Traversal confirmed

Debugging Console

However, it’s locked behind pin code Given I am able to read file via directory traversal discovered above, I can bypass the console lock

Interactive Graph View

Backlinks