InfoSec LAB

SpiderSociety_Web

Created: 3 min read

Web

Nmap discovered a Web server running on the port 80 of the 192.168.210.214 host. The running service is Apache httpd 2.4.58 ((Ubuntu)).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spidersociety]
└─$ curl -I -X OPTIONS http://$IP/                                                                                              
HTTP/1.1 200 OK
Date: Thu, 26 Jun 2025 15:12:24 GMT
Server: Apache/2.4.58 (Ubuntu)
Allow: HEAD,GET,POST,OPTIONS
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spidersociety]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Thu, 26 Jun 2025 15:12:26 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Mon, 14 Apr 2025 17:53:25 GMT
ETag: "10dd-632c0ba8b247c"
Accept-Ranges: bytes
Content-Length: 4317
Vary: Accept-Encoding
Content-Type: text/html

Webroot

Login

For some reason, the Login button leads to the 404.htmlfile.

Contact Us

Domain disclosure at the Contact Us section; spidersociety.offsec.lab

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution.

Fuzzing

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spidersociety]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt  -u http://$IP/FUZZ -ic -e .html,.txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.210.214/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess.html          [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htaccess.txt           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd               [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd.txt           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
.htaccess.php           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd.html          [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
.htpasswd.php           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
.htaccess               [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
404.html                [Status: 200, Size: 1391, Words: 449, Lines: 49, Duration: 20ms]
images                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 20ms]
index.html              [Status: 200, Size: 4317, Words: 1230, Lines: 106, Duration: 21ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 21ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1960 req/sec :: Duration: [0:00:49] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/spidersociety]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.210.214/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 4317, Words: 1230, Lines: 106, Duration: 20ms]
images                  [Status: 200, Size: 2456, Words: 124, Lines: 24, Duration: 22ms]
icons                   [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 49ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 22ms]
libspider               [Status: 200, Size: 3752, Words: 1337, Lines: 122, Duration: 22ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1980 req/sec :: Duration: [0:01:50] :: Errors: 0 ::

/libspider/

/libspider/ Endpoint

There is a login page at the /libspider/ endpoint

It’s a PHP application

Authentication

Testing a default credential, admin:admin, works

FTP Credential

Checking the source code reveals that the first 2 buttons, View Reports and Missions, are just JavaScript alert(), whereas the Communications button invokes the custom fetchCredentials() function which makes a GET request to the fetch-credentials.php file that returns a FTP backup credential.

Like so. ss_ftpbckuser:ss_WeLoveSpiderSociety_From_Tech_Dept5937! is the FTP backup credential. Validating it against the target FTP server.

Interactive Graph View

Backlinks