Web
Nmap discovered a web server on target port 1337
The running service is nginx 1.16.1
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/splodge]
└─$ curl -I http://$IP:1337/
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 03 Mar 2025 14:47:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.40
Webroot
It’s a custom PHP application that appears to execute system commands
It does so via the cmd parameter
Fuzzing for OS Command Injection
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/splodge]
└─$ ffuf -c -w /usr/share/wordlists/Auto_Wordlists/wordlists/command_injection.txt -u http://$IP:1337/index.php?cmd=FUZZ -ic -fc 403 -fs 1739,1689
________________________________________________
:: Method : GET
:: URL : http://192.168.219.108:1337/index.php?cmd=FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/Auto_Wordlists/wordlists/command_injection.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 1739,1689
:: Filter : Response status: 403
________________________________________________
ls [Status: 200, Size: 1700, Words: 352, Lines: 52, Duration: 31ms]
pwd [Status: 200, Size: 1717, Words: 352, Lines: 52, Duration: 23ms]
:: Progress: [8715/8715] :: Job [1/1] :: 934 req/sec :: Duration: [0:00:05] :: Errors: 0 ::
Fuzzing for OS command injection fails. Those commands might be hard-coded into the source code instead of being built dynamically from the parameter
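The following is an added illustration, not the splodge application's source: it puts the pattern that makes a cmd parameter injectable next to the dispatch-table pattern the fuzzing results suggest (only ls and pwd return a distinct page; every other payload gets the same fixed response). The table contents, the paths and the error text are assumptions; the code targets PHP 5.6 to match the X-Powered-By header.

```php
<?php
// Added example (not the target application's code). Contrasts an injectable
// `cmd` handler with a hard-coded dispatch table. Written for PHP 5.6.

// Vulnerable form: the raw query value becomes the shell command line, so any
// shell metacharacter in `cmd` changes what gets executed.
function run_cmd_unsafe($cmd)
{
    return shell_exec($cmd);
}

// Hardened form: the client picks a KEY, never a command. The strings that
// reach the shell live only in this table, so an unknown key yields the same
// fixed error page every time, which is why fuzzing the parameter for
// injection produces nothing but two "interesting" sizes (ls and pwd).
$COMMAND_TABLE = array(
    'ls'  => 'ls -la /var/www/html',   // assumed command, for illustration
    'pwd' => 'pwd',
);

function run_cmd_allowlist($cmd, array $table)
{
    // `cmd[]=...` arrives as an array; reject anything that is not a string key
    if (!is_string($cmd) || !array_key_exists($cmd, $table)) {
        return null;   // caller maps this to HTTP 400
    }
    return shell_exec($table[$cmd]);
}

$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : '';
$out = run_cmd_allowlist($cmd, $COMMAND_TABLE);

header('Content-Type: text/plain; charset=UTF-8');
if ($out === null) {
    http_response_code(400);
    echo "unknown command\n";
} else {
    echo $out;
}
```

The design point is that user input is used as a lookup key and never as a shell argument: escapeshellarg() only protects a value that sits in argument position, whereas a lookup key never reaches the shell at all. The ffuf run above is consistent with this shape, since ls and pwd each return their own page size while everything else collapses to the filtered baseline.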
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/splodge]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:1337/FUZZ -ic -fc 403 -e .php -fs 1689
________________________________________________
:: Method : GET
:: URL : http://192.168.219.108:1337/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
:: Filter : Response size: 1689
________________________________________________
:: Progress: [40956/40956] :: Job [1/1] :: 1562 req/sec :: Duration: [0:00:30] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/splodge]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP:1337/FUZZ/ -ic -fc 403 -fs 1689
________________________________________________
:: Method : GET
:: URL : http://192.168.219.108:1337/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
:: Filter : Response size: 1689
________________________________________________
:: Progress: [220546/220546] :: Job [1/1] :: 1694 req/sec :: Duration: [0:02:24] :: Errors: 0 ::
N/A