Web
Nmap discovered a web server on target port 8080
The running service is nginx 1.16.1
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/splodge]
└─$ curl -I http://$IP:8080/                                         
HTTP/1.1 200 OK
Server: nginx/1.16.1
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Powered-By: PHP/5.6.40
Cache-Control: no-cache, private
Date: Mon, 03 Mar 2025 15:25:26 GMT
Set-Cookie: XSRF-TOKEN=eyJpdiI6IjNlSVBOUUVnNTBXNGV0QlhGRE5TM0E9PSIsInZhbHVlIjoiWFpZcFVPQ29seTVhMzA2amdLNWRSSjQ5SXpQblFWb1pOdFJPNHoyclNSbjBKMml4Z3NKcVNDQ0RlbVg4T1UwdUtZcVpxYXN5SU1cLzhYSlwvbmVLdXJmQT09IiwibWFjIjoiZTI4OWQ2OGNjY2EyZTBiNzc3Y2RlMGFlMmViYjZmZWE0ZTNhNDIxNzA2Y2U2YTZlNGY1YzYyZDkyZjFhOGFhOCJ9; expires=Mon, 03-Mar-2025 17:25:26 GMT; Max-Age=7200; path=/
Set-Cookie: laravel_session=eyJpdiI6IlF1djdaQmIxNDdna2c3UlEzdTlXK2c9PSIsInZhbHVlIjoiMVRWMDU5QUJRT0dkTnYyU1hzSXFKTGQ1aTVvekRsczVyUU1FUUYxa2x2VUdScDRzZW1RY3pGZ3NaMEhocVk3VVBSZ2ZoaXpxNlB4Uzg1b01ZbzV6a1E9PSIsIm1hYyI6IjdiNTllNWI3NGI4NDFmZjNkZTM4MTViZDg2ZDBhMWIzYmFlN2YwZWJkOGQ1ZjI4MWQwNmEwOGM1MTNlZmY1YzcifQ%3D%3D; expires=Mon, 03-Mar-2025 17:25:26 GMT; Max-Age=7200; path=/; httponly
Webroot
While it appears to be a blog, the application is built on Laravel
This appears to be the application whose source code was found in the .git directory present on the other web server
Admin Panel
Attempting to access the /admin page redirects to a login page at /login
Using the found credential works; “
According to the source code, the admin page uses AdminController, and
Profanity Filter
According to the source code, the Profanity Filter feature replaces the filter keyword with the replacement
Setting up a regex filter, \test\, should replace any string containing test with replaced!
It works on the comment feature
However, it uses PHP's potentially dangerous preg_replace function to replace the filter keyword with the replacement
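
For the remediation side of this finding, one way to harden such a filter is sketched below. This is an added example, not the application's code; it assumes the feature only needs literal keywords rather than full regexes, and the function and variable names are hypothetical.

```php
<?php
// Added example; names are hypothetical and the sample data is constructed.

/**
 * Apply admin-defined word filters to a comment.
 * Each rule is array(keyword, replacement); both are treated as plain text.
 */
function apply_profanity_filters($text, array $rules)
{
    foreach ($rules as $rule) {
        list($keyword, $replacement) = $rule;
        if (!is_string($keyword) || $keyword === '' || strlen($keyword) > 64) {
            continue; // skip empty or oversized keywords
        }
        // The pattern is assembled server-side with a fixed delimiter and fixed
        // modifiers. preg_quote() escapes regex metacharacters and the '/'
        // delimiter, so a stored keyword cannot close the pattern and append
        // modifiers of its own (on PHP 5.x the deprecated "e" modifier makes
        // preg_replace() evaluate the replacement as PHP code).
        $pattern = '/' . preg_quote($keyword, '/') . '/iu';
        // The callback returns the replacement verbatim, so "$1" or "\0" in it
        // are not expanded as backreferences.
        $result = preg_replace_callback($pattern, function () use ($replacement) {
            return $replacement;
        }, $text);
        if ($result === null) {
            continue; // PCRE error (e.g. invalid UTF-8 input): leave text as is
        }
        $text = $result;
    }
    return $text;
}

// Constructed sample rules and comments.
$rules = array(
    array('test', 'replaced!'),
    array('bad/word', '[filtered]'), // '/' is escaped, not read as a delimiter
    array('a.c', '$0$1'),            // '.' matches only a dot; '$0$1' is literal
);
echo apply_profanity_filters('This is a TEST comment', $rules), "\n";
echo apply_profanity_filters('bad/word, abc and a.c', $rules), "\n";
```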