Web


Nmap discovered a web server on the target's port 80. The running service is Apache/2.4.52 (Ubuntu).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spx]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Tue, 08 Apr 2025 13:51:26 GMT
Server: Apache/2.4.52 (Ubuntu)
Set-Cookie: filemanager=442i6r9gvk0376laf4a5maipa5; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spx]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Tue, 08 Apr 2025 13:51:28 GMT
Server: Apache/2.4.52 (Ubuntu)
Set-Cookie: filemanager=7h08qfr2hkhn46hm0i0hgjfj4v; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
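The two responses above already carry several findings worth recording from a hardening point of view: the `Server` header leaks the exact Apache version, the `filemanager` session cookie is set without `HttpOnly`, `Secure` or `SameSite`, and no browser-hardening headers are present. As an added example (not part of the original walkthrough), the Python below parses a captured header block and lists those problems. The response text is the one captured above; the "hardened" response it is compared against is a constructed sample, not something observed on the target.

```python
"""Header hygiene check over a captured HTTP response (added example)."""
import re
from typing import Dict, List

# The response captured in the walkthrough above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 08 Apr 2025 13:51:28 GMT
Server: Apache/2.4.52 (Ubuntu)
Set-Cookie: filemanager=7h08qfr2hkhn46hm0i0hgjfj4v; path=/
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
"""

# Constructed sample of what the same response should look like after hardening.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Server: Apache
Set-Cookie: filemanager=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
"""

# Response headers a web application should send; their absence is a finding.
EXPECTED_HEADERS = ("x-frame-options", "content-security-policy",
                    "x-content-type-options")
# Cookie attributes every session cookie should carry.
REQUIRED_COOKIE_ATTRS = ("httponly", "secure", "samesite")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw HTTP header block into {lowercased-name: [values]}.

    The status line is skipped; repeated headers (e.g. several Set-Cookie
    lines) are kept as a list so none are lost.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw: str) -> List[str]:
    """Return a list of human-readable findings for a captured response."""
    headers = parse_headers(raw)
    findings: List[str] = []

    # 1. Version disclosure: "Apache/2.4.52 (Ubuntu)" contains "/<digit>".
    for server in headers.get("server", []):
        if re.search(r"/\d", server):
            findings.append(f"server header discloses version: {server}")

    # 2. Cookie attributes: everything after the first ';' is an attribute.
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower()
                 for part in cookie.split(";")[1:]}
        for attr in REQUIRED_COOKIE_ATTRS:
            if attr not in attrs:
                findings.append(f"cookie {name} missing {attr}")

    # 3. Hardening headers that are simply absent.
    for hdr in EXPECTED_HEADERS:
        if hdr not in headers:
            findings.append(f"missing header: {hdr}")

    return findings


if __name__ == "__main__":
    for label, resp in (("captured", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in audit_headers(resp) or ["no findings"]:
            print(" -", finding)
```

Run against the captured response it reports seven findings; against the constructed hardened response it reports none. On Apache the version is hidden with `ServerTokens Prod`; the cookie flags and the remaining headers are set in the application or the virtual host configuration.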

Webroot

It's an instance of Tiny File Manager.

  • While the source code is available for review, the project doesn't appear to be actively maintained.
    • Thus, it's highly probable that it contains several vulnerabilities.
  • Default credentials failed.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spx]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.138.108/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
index.php               [Status: 200, Size: 12045, Words: 3566, Lines: 93, Duration: 25ms]
phpinfo.php             [Status: 200, Size: 74785, Words: 3547, Lines: 859, Duration: 26ms]
:: Progress: [81912/81912] :: Job [1/1] :: 2040 req/sec :: Duration: [0:00:54] :: Errors: 0 ::

phpinfo.php


The phpinfo.php file is publicly accessible.

SPX Configuration


Scrolling down to the SPX section reveals that SPX is enabled in the target web application. The version information is also disclosed: 0.4.15.

SPX


SPX is a profiling extension for PHP that allows you to profile your PHP scripts and get detailed insights into their performance. It differentiates itself from other similar extensions by being totally free, simple to use, and capable of collecting a wide range of metrics. With SPX, you can easily profile your scripts by setting an environment variable or using a web UI, without the need for manually instrumenting your code or using a dedicated browser extension.

Checking the official documentation reveals that, by default, a control panel is available at the ?SPX_KEY=dev&SPX_UI_URI=/ endpoint. The key has already been identified: a2a90ca2f9f0ea04d267b16fb8e63800

Successfully navigated to the SPX control panel.

Enabling those features

All the requests get captured for review.

Vulnerabilities


The version information was disclosed in the phpinfo.php file.

Checking for vulnerabilities online reveals an article about a path traversal vulnerability: CVE-2024-42007.
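Everything found in this section leaves a footprint in the web server's access log: the request for phpinfo.php, requests carrying the SPX_KEY and SPX_UI_URI parameters of the control panel, and, for a path traversal bug like the one referenced above, URLs with `..` segments. As an added example (not part of the original walkthrough), the Python below runs those three detections over constructed Apache combined-format log lines; the IPs, timestamps and requests in the sample are made up for the example, and the traversal line is a generic probe against a static path, not a reproduction of CVE-2024-42007.

```python
"""Detection over Apache access log lines for the exposures discussed above
(added example; all sample log lines are constructed)."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Apache common/combined log prefix: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (not real captures from the target).
SAMPLE_LOG = """\
192.168.45.10 - - [08/Apr/2025:13:51:28 +0000] "GET / HTTP/1.1" 200 12045
192.168.45.10 - - [08/Apr/2025:13:52:01 +0000] "GET /phpinfo.php HTTP/1.1" 200 74785
192.168.45.10 - - [08/Apr/2025:13:53:17 +0000] "GET /?SPX_KEY=dev&SPX_UI_URI=/ HTTP/1.1" 200 5120
192.168.45.10 - - [08/Apr/2025:13:54:40 +0000] "GET /images/..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 300
10.0.0.5 - - [08/Apr/2025:14:00:00 +0000] "GET /index.php HTTP/1.1" 200 12045
"""

# Query parameters that identify the SPX web control panel (named in the text above).
SPX_PARAMS = ("SPX_KEY", "SPX_UI_URI")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access log line into its fields, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def has_traversal(value: str) -> bool:
    """True if a URL path or parameter value contains a '..' segment after
    decoding twice, so single and double percent-encoding are both caught."""
    decoded = unquote(unquote(value))
    return ".." in decoded.split("/")


def classify(target: str) -> List[str]:
    """Return the reasons a request target is suspicious (empty if none)."""
    reasons: List[str] = []
    parts = urlsplit(target)
    path = unquote(parts.path)

    if path.lower().endswith("/phpinfo.php"):
        reasons.append("phpinfo.php requested")

    query = parse_qs(parts.query)
    if any(param in query for param in SPX_PARAMS):
        reasons.append("SPX control panel parameters present")

    if has_traversal(parts.path) or any(
            has_traversal(v) for values in query.values() for v in values):
        reasons.append("path traversal pattern")

    return reasons


def detect(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every parseable line; keep only lines with findings."""
    alerts: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        reasons = classify(fields["target"])
        if reasons:
            alerts.append({"ip": fields["ip"], "ts": fields["ts"],
                           "target": fields["target"], "reasons": reasons})
    return alerts


def count_by_ip(alerts: List[Dict[str, object]]) -> Dict[str, int]:
    """Aggregate alerts per client IP; a single source tripping several rules
    in sequence is the recon pattern the section above walks through."""
    return dict(Counter(str(a["ip"]) for a in alerts))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for alert in found:
        print(alert["ip"], alert["target"], "->", ", ".join(alert["reasons"]))
    print("per-IP totals:", count_by_ip(found))
```

The three hits in the sample all come from one source within a few minutes, which is the sequence worth alerting on. Beyond detection, the fix for the first two findings is configuration: phpinfo.php does not belong on a production host, and the SPX web UI should not be reachable from the internet with a key that the same phpinfo page hands out.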