Web
Nmap discovered a web server on port 8000 of the target.
The running service is nginx 1.16.1.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ curl -I -X OPTIONS http://$IP:8000/
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 10 Mar 2025 22:04:51 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Access-Control-Expose-Headers: GET, POST
Vary: Accept-Encoding
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Set-Cookie: session_id=31c3a0d6305a8d9ed581495376aa688143f90fa2; expires=Tue, 11 Mar 2025 08:04:51 GMT; Path=/
X-Upstream: salt-api/3000-1
Webroot
The X-Upstream header is set to salt-api/3000-1, so the backend behind nginx is salt-api.
Salt or SaltStack is an infrastructure as code software tool for configuration management. It is written in Python and published under the Apache License 2.0.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -recursion -u http://$IP:8000/FUZZ -ic -fc 500
________________________________________________
:: Method : GET
:: URL : http://192.168.113.62:8000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 146, Words: 12, Lines: 1, Duration: 32ms]
login [Status: 200, Size: 43, Words: 6, Lines: 1, Duration: 34ms]
index [Status: 200, Size: 146, Words: 12, Lines: 1, Duration: 46ms]
events [Status: 401, Size: 753, Words: 155, Lines: 31, Duration: 44ms]
jobs [Status: 401, Size: 753, Words: 155, Lines: 31, Duration: 43ms]
stats [Status: 401, Size: 753, Words: 155, Lines: 31, Duration: 57ms]
logout [Status: 500, Size: 823, Words: 166, Lines: 31, Duration: 205ms]
keys [Status: 401, Size: 753, Words: 155, Lines: 31, Duration: 57ms]
run [Status: 200, Size: 146, Words: 12, Lines: 1, Duration: 46ms]
token [Status: 200, Size: 146, Words: 12, Lines: 1, Duration: 48ms]
:: Progress: [207630/207630] :: Job [1/1] :: 956 req/sec :: Duration: [0:06:37] :: Errors: 0 ::
ffuf revealed several API endpoints; events, jobs, stats and keys answer with 401, so they require authentication, while login, run and token answer with 200.
login
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ curl -I -X OPTIONS http://$IP:8000/login
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 10 Mar 2025 22:31:24 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Access-Control-Expose-Headers: GET, POST
Vary: Accept-Encoding
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Set-Cookie: session_id=e02b5570185640dc839febf63ecd17a1ae895771; expires=Tue, 11 Mar 2025 08:31:24 GMT; Path=/
X-Upstream: salt-api/3000-1
The /login API endpoint supports both GET and POST requests.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ curl -i -X POST http://$IP:8000/login -d 'username=admin&password=admin'
HTTP/1.1 401 Unauthorized
Server: nginx/1.16.1
Date: Mon, 10 Mar 2025 22:33:38 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 760
Connection: keep-alive
Access-Control-Expose-Headers: GET, POST
Vary: Accept-Encoding
Allow: GET, HEAD, POST
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Set-Cookie: session_id=aeb4d0a8580e2fc6c5c125505138a417fc14e43e; expires=Tue, 11 Mar 2025 08:33:38 GMT; Path=/
X-Upstream: salt-api/3000-1
<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"></meta>
<title>401 Unauthorized</title>
<style type="text/css">
#powered_by {
margin-top: 20px;
border-top: 2px solid black;
font-style: italic;
}
#traceback {
color: red;
}
</style>
</head>
<body>
<h2>401 Unauthorized</h2>
<p>Could not authenticate using provided credentials</p>
<pre id="traceback"></pre>
<div id="powered_by">
<span>
Powered by <a href="http://www.cherrypy.org">CherryPy 5.6.0</a>
</span>
</div>
</body>
</html>
Neither the expected request format nor any credential is known at this point.
Interestingly, the error page discloses the underlying framework: CherryPy 5.6.0.
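As an added example that is not part of this write-up, the following Python audit parses a response like the ones captured above and flags what a defender running salt-api behind nginx would want to remove: version strings in Server and X-Upstream, the wildcard CORS origin paired with Access-Control-Allow-Credentials, and CherryPy's "Powered by" footer. The sample response is constructed from the headers and error page shown above, not a live capture.

```python
"""Audit an HTTP response for fingerprint leaks and CORS misconfiguration.

Added example, not code from the original write-up. SAMPLE_RESPONSE is
constructed from the OPTIONS headers and the CherryPy 401 page shown above.
"""
import re

# Constructed sample: headers from the OPTIONS response plus the 401 error body.
SAMPLE_RESPONSE = """HTTP/1.1 401 Unauthorized\r
Server: nginx/1.16.1\r
Content-Type: text/html;charset=utf-8\r
Access-Control-Allow-Credentials: true\r
Access-Control-Allow-Origin: *\r
X-Upstream: salt-api/3000-1\r
\r
<html><body><h2>401 Unauthorized</h2>
<div id="powered_by"><span>Powered by <a href="http://www.cherrypy.org">CherryPy 5.6.0</a></span></div>
</body></html>"""

# Headers that commonly carry a product version string.
VERSION_HEADERS = ("server", "x-upstream", "x-powered-by")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_response(raw):
    """Return a list of findings describing what the response discloses or misconfigures."""
    _, headers, body = parse_response(raw)
    findings = []
    # Version strings such as nginx/1.16.1 or salt-api/3000-1 map the stack to public CVEs.
    for name in VERSION_HEADERS:
        if name in headers and re.search(r"\d+([.\-]\d+)+", headers[name]):
            findings.append(f"version disclosure: {name}: {headers[name]}")
    # Browsers refuse "*" for credentialed requests, so this pairing is never
    # what the operator intended; it signals an unreviewed CORS policy.
    acao = headers.get("access-control-allow-origin")
    acac = headers.get("access-control-allow-credentials", "").lower()
    if acao == "*" and acac == "true":
        findings.append("cors: Access-Control-Allow-Origin=* with Allow-Credentials=true")
    # CherryPy's default error page appends a "Powered by" footer with its version.
    m = re.search(r"Powered by <a[^>]*>([^<]+)</a>", body)
    if m:
        findings.append(f"framework disclosure in error page: {m.group(1)}")
    return findings
```

Run `audit_response(SAMPLE_RESPONSE)` to see the four findings; a response with the version suffixes stripped and the CORS headers removed yields an empty list.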
Vulnerabilities
Looking up salt-api/3000-1 online reveals a remote code execution vulnerability.
Looking it up together with CherryPy reveals another set of vulnerabilities: CVE-2020-25592 and CVE-2020-16846.