Web
Nmap discovered a Web server on the target port 80
The running service is nginx 1.10.3
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Server: nginx/1.10.3
Date: Wed, 05 Mar 2025 09:52:44 GMT
Content-Type: text/html
Content-Length: 58936
Last-Modified: Tue, 02 Jun 2020 04:48:29 GMT
Connection: keep-alive
ETag: "5ed5da1d-e638"
Accept-Ranges: bytes/Practice/Shifty/2-Enumeration/attachments/{7F7017DB-993A-4C8B-8F98-8D2AAF82B751}.png)
Webroot
It appears to be an online store for a coffee brand
/Practice/Shifty/2-Enumeration/attachments/{54036AC5-B1B3-4F22-B7F8-D83F9976EA26}.png)
/Practice/Shifty/2-Enumeration/attachments/{E91FA36C-6633-4237-A6E1-8D2361B1BCC7}.png)
It seems that the web application is built on a CMS template; gatsby-starter-decap-cms
Form Submission
/Practice/Shifty/2-Enumeration/attachments/{0EC19CF9-E4AB-4A24-B660-BD2EE2C51FC7}.png)
The /contact/example endpoint shows 2 form submissions
Basic contact form
/Practice/Shifty/2-Enumeration/attachments/{E6153F18-7B57-4ED2-AF2C-9A25FF6515E1}.png)
/Practice/Shifty/2-Enumeration/attachments/{2B83C270-0549-4E39-9AED-FA2374741441}.png)
/Practice/Shifty/2-Enumeration/attachments/{C026AE15-D60C-4DDC-8C95-96717D43CF33}.png)
While it appears somewhat functioning, it’s likely just a demo
Form with file upload
/Practice/Shifty/2-Enumeration/attachments/{48AC7404-51A4-4528-B600-7E4CB89CDAC9}.png)
/Practice/Shifty/2-Enumeration/attachments/{3DC3CACB-D5E9-4353-B0F0-98AC847F87A4}.png)
/Practice/Shifty/2-Enumeration/attachments/{1DBB9CE5-F0E5-4348-81A3-528EAD591F14}.png)
The file upload feature does appear to work as well, but the server returns 405 and redirects to the Thank you page
Admin
/Practice/Shifty/2-Enumeration/attachments/{38EBEF16-F120-4F4E-B725-01C4B18BF278}.png)
There is also an admin page; /admin/
/Practice/Shifty/2-Enumeration/attachments/{E0683E67-CCBA-49BD-911A-0F7AAB6CF10B}.png)
That leads to Netlify CMS
/Practice/Shifty/2-Enumeration/attachments/{CB60B562-DF02-4D90-B7F6-EBF8B2716211}.png)
/Practice/Shifty/2-Enumeration/attachments/{D1829202-F57D-4CF1-91DF-9552C50CD490}.png)
Clicking into the Login with Netlify Identity button above sends a GET request to the /.netlify/identity/settings file, which likely contains a configuration profile
/Practice/Shifty/2-Enumeration/attachments/{627363FD-CB24-493D-8A64-9D7BEC47C441}.png)
However, it would appear that the web app has not been configured to use the Netlify CMS backend
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.219.59/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
404 [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 24ms]
about [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 51ms]
admin [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 26ms]
blog [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 25ms]
contact [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 26ms]
img [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 24ms]
products [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 26ms]
static [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 24ms]
tags [Status: 301, Size: 185, Words: 6, Lines: 8, Duration: 25ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1398 req/sec :: Duration: [0:00:13] :: Errors: 0 ::N/A