Web
Nmap discovered a web server on the target's port 80
The running service is Apache httpd 2.4.38 ((Debian))
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/uc404]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Sun, 23 Feb 2025 16:14:47 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Tue, 27 Oct 2020 12:15:45 GMT
ETag: "ecd4-5b2a601a8f6ab"
Accept-Ranges: bytes
Content-Length: 60628
Vary: Accept-Encoding
Content-Type: text/html
Webroot
It’s AdminLTE 3 and appears to be a demo
3.1.0-pre
The message button shows that there are other users, but it is not interactable
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/uc404]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.125.109/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 21ms]
.htpasswd [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 22ms]
.git [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 20ms]
LICENSE [Status: 200, Size: 1082, Words: 155, Lines: 21, Duration: 23ms]
build [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 22ms]
db [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 20ms]
demo [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 18ms]
dist [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 19ms]
docs [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 20ms]
pages [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 18ms]
plugins [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 18ms]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 21ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1785 req/sec :: Duration: [0:00:19] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/uc404]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.125.109/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
docs [Status: 200, Size: 4375, Words: 243, Lines: 34, Duration: 23ms]
icons [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 40ms]
pages [Status: 200, Size: 3098, Words: 187, Lines: 28, Duration: 25ms]
demo [Status: 200, Size: 3276, Words: 215, Lines: 29, Duration: 44ms]
plugins [Status: 200, Size: 12684, Words: 736, Lines: 73, Duration: 33ms]
db [Status: 200, Size: 4599, Words: 204, Lines: 51, Duration: 63ms]
dist [Status: 200, Size: 1302, Words: 88, Lines: 19, Duration: 19ms]
build [Status: 200, Size: 1500, Words: 100, Lines: 20, Duration: 21ms]
under_construction [Status: 200, Size: 2950, Words: 111, Lines: 76, Duration: 50ms]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1886 req/sec :: Duration: [0:02:47] :: Errors: 0 ::
/.git/
The .git directory is present and accessible
/demo/
The demo directory contains a list of arbitrary files
┌──(myVenv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/uc404]
└─$ curl -s http://$IP/demo/demo -o -
ELF>�$@�c@8 @@@@�888TXTX �]�] �] �` �]�] �] �TTTDDP�tdQQQQ�tdR�td�]�] �] XX/lib64/ld-linux-x86-64.so.2GNU GNU�
[...REDACTED...]
tblibc.so.6socket__res_initfflushstrcpyexitexeclinet_atonoptindstrrchr__longjmp_chkperrorconnect__fdelt_chkinet_ntoasignalstrncpytime__stack_chk_faillistenselectstrtolcallocstrlenstrstr__errno_locationbindreadmemcmpgetsockoptgetoptdup2shutdown__fprintf_chk__sigsetjmpgethostbyaddrfputcfputsmemcpysetsockoptstrcatstrcasecmprecvfromoptarggetservbynamestderralarmgethostbynamefwritesrandomcloseopenstrchrgetsocknameacceptsleep__strcpy_chk__cxa_finalize__sprintf_chk__h_errno_locationstrcmp__libc_start_maingetservbyport_ITM_deregisterTMCloneTable__gmon_start___Jv_RegisterClasses_ITM_registerTMCloneTableGLIBC_2.11GLIBC_2.3.4GL�u␦i2.14��]�%�]�%�]I�I�]I�].I�]P�a�a �_ �_ �_ �_ /�_ 9�_ >@b CHb D`b B` ` (` 0` 8` @` H`P` X`
Minimize-Costnc -h for helpcan't open %sinvalid port %sno connectionno destinationno port[s] to connect to%s [%s] %d (%s) open%s [%s] %d (%s)Error 0Unknown hostHost name lookup failureUnknown server errorDNS fwd/rev mismatch: %s != %sCan't parse %s as an IP address%s: forward host lookup failed: Warning: inverse host lookup failed for %s: %s: inverse host lookup failed: Warning: forward host lookup failed for %s: Warning: port-bynum mismatch, %d != %dloadports: bogus values %d, %dinvalid connection to [%s] from %s [%s] %dconnect to [%s] from %s [%s] %dudptest first write failed?! errno %doprint called with no open fd?![v1.10-41.1]
connect to somewhere: nc [-options] hostname port[s] [ports] ...
listen for inbound: nc -l -p port [-options] [hostname] [port]
options: -c shell commands as `-e'; use /bin/sh to exec [dangerous!!] -e filename program to exec after connect [dangerous!!] -b allow broadcasts
-g gateway source-routing hop point[s], up to 8
-G num source-routing pointer: 4, 8, 12, ...
-h this cruft
-i secs delay interval for lines sent, ports scanned
-k set keepalive option on socket
-l listen mode, for inbound connects
-n numeric-only IP addresses, no DNS
-o file hex dump of traffic
-p port local port number
-r randomize local and remote ports
-q secs quit after EOF on stdin and delay of secs
-s addr local source address -t answer TELNET negotiation -u UDP mode
-v verbose [use twice to be more verbose]
-w secs timeout for connects and final net reads
-C Send CRLF as line-ending
-z zero-I/O mode [used for scanning]port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').invalid hop pointer %d, must be multiple of 4 <= 28abc:e:g:G:hi:klno:p:q:rs:T:tuvw:zCNo address associated with
[...REDACTED...]
The /demo/demo file is a netcat (nc) binary, v1.10-41.1 according to its embedded usage text
/db/
There is an Adminer instance (4.7.7) in the db directory
/under_construction/
There appears to be an unknown application running in the under_construction directory
Register
Creating a test account
Signing in doesn't appear to work
Reset
The /forgot.php endpoint supports password reset
Interestingly, this is the only PHP file
Checking the source code reveals an interesting comment:
- It would appear that there is a file, sendmail.php, that handles the request
- It also notes that there likely are blacklisted characters
- Then, there is a PHP error that it could not open the sendmail.php file
The sendmail.php file doesn’t seem to exist
OS Command Injection
After several rounds of trial and error, OS command injection was confirmed.
The termination character is & (%26 when URL-encoded)
Interestingly, it only works through the GET request
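Because the injection on this box only works through a GET request, the payload travels in the query string and therefore ends up in the Apache access log, which makes it detectable after the fact. The following is an added detection example, not part of the original write-up: it parses combined-format access log lines, URL-decodes each query parameter, and flags values that still contain a shell metacharacter after decoding. The log lines are constructed for the example, and the forgot.php path and the "email" parameter name are assumptions about the target application (the write-up does not name the injected parameter).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format, as written by the Debian default vhost.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Shell metacharacters that terminate or chain a command once they reach a
# shell unquoted. The write-up observed '&' (sent as %26); this is the set a
# WAF or log rule would watch for.
SHELL_META_RE = re.compile(r'[;&|`$\n<>]')

# Constructed sample log lines (not taken from the engagement). Line 2 carries
# %26 inside the 'email' value; line 1 uses a raw '&' only as a parameter
# separator and must not be flagged. The 'email' parameter is an assumption.
SAMPLE_LOG = """\
192.168.45.10 - - [23/Feb/2025:16:20:01 +0000] "GET /under_construction/forgot.php?email=alice%40example.com&token=abc123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.10 - - [23/Feb/2025:16:21:13 +0000] "GET /under_construction/forgot.php?email=alice%40example.com%26id HTTP/1.1" 200 640 "-" "curl/8.5.0"
192.168.45.10 - - [23/Feb/2025:16:22:02 +0000] "POST /under_construction/forgot.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.45.10 - - [23/Feb/2025:16:23:30 +0000] "GET /under_construction/index.php HTTP/1.1" 200 2950 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named groups of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_injection_attempts(log_text, path_suffix=None):
    """Flag query-string values that contain shell metacharacters after URL decoding.

    parse_qsl() splits on the raw '&' first and percent-decodes each value
    afterwards, so an encoded %26 ends up inside a value while a raw '&'
    stays a separator. That ordering is what separates the two cases.
    Only GET requests are visible here: POST bodies are not written to the
    access log, so the body channel needs application or WAF logging.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if path_suffix and not parts.path.endswith(path_suffix):
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            hit = SHELL_META_RE.search(value)
            if hit:
                findings.append({
                    "ip": rec["ip"], "time": rec["ts"], "method": rec["method"],
                    "path": parts.path, "param": name, "value": value,
                    "meta": hit.group(0),
                })
    return findings


if __name__ == "__main__":
    for f in find_injection_attempts(SAMPLE_LOG, "/forgot.php"):
        print(f"{f['time']} {f['ip']} {f['method']} {f['path']} "
              f"param={f['param']!r} meta={f['meta']!r} value={f['value']!r}")
```

Run against a real access log, the same function reports the client address, timestamp and the decoded value, which is what an analyst needs to scope which parameter was abused and when; the path_suffix filter narrows it to the endpoint under suspicion.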
Fuzzing /under_construction/
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/uc404]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/under_construction/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.125.109/under_construction/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.git [Status: 301, Size: 336, Words: 20, Lines: 10, Duration: 22ms]
LICENSE [Status: 200, Size: 1077, Words: 154, Lines: 22, Duration: 19ms]
.htaccess [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 3489ms]
.htpasswd [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 3493ms]
css [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 19ms]
img [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 22ms]
js [Status: 301, Size: 334, Words: 20, Lines: 10, Duration: 17ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1709 req/sec :: Duration: [0:00:21] :: Errors: 0 ::
Fuzzing the under_construction directory reveals another .git directory
/under_construction/.git
The /under_construction/.git directory is present and accessible
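Both exposed repositories (/.git/ in the webroot and /under_construction/.git/ here) are the same misconfiguration: a static file server that serves dot-directories like any other content. The following is an added example, not part of the write-up, that shows the check a site owner can run against their own host and the fix in runnable form. It starts two local http.server instances over a constructed webroot: the stock handler, which serves .git/HEAD, and a subclass that refuses any path component beginning with a dot, the equivalent of an Apache <DirectoryMatch "/\.git"> block containing "Require all denied". The webroot contents, branch name and loopback addresses are all constructed; nothing is fetched from the engagement target.

```python
import functools
import http.server
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path


def looks_like_git_head(body):
    """True if the text is what a real .git/HEAD contains: a symbolic ref
    ('ref: refs/heads/<branch>') or a detached 40/64-hex commit id. This keeps a
    custom 404 page served with status 200 from counting as an exposure."""
    body = body.strip()
    if body.startswith("ref: refs/"):
        return True
    return len(body) in (40, 64) and all(c in "0123456789abcdef" for c in body)


def git_head_exposed(base_url, timeout=5):
    """Fetch <base_url>/.git/HEAD and report whether a git HEAD file came back.
    4xx/5xx responses mean 'not exposed'; an unreachable host raises URLError."""
    req = urllib.request.Request(base_url.rstrip("/") + "/.git/HEAD",
                                 headers={"User-Agent": "git-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return looks_like_git_head(resp.read(256).decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        return False


class QuietStatic(http.server.SimpleHTTPRequestHandler):
    """Stock static handler with request logging silenced. This is the weak
    configuration: it serves anything under the webroot, .git included."""
    def log_message(self, *args):
        pass


class DenyDotfiles(QuietStatic):
    """Hardened handler: refuse any path component that starts with '.'.
    Equivalent to an Apache <DirectoryMatch "/\\.git"> Require all denied block."""
    def send_head(self):
        path_only = self.path.split("?", 1)[0]
        if any(seg.startswith(".") for seg in path_only.split("/") if seg):
            self.send_error(403, "Forbidden")
            return None
        return super().send_head()


def serve(handler_cls, root):
    """Start handler_cls over 'root' on an ephemeral loopback port; return (server, base_url)."""
    handler = functools.partial(handler_cls, directory=str(root))
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Constructed webroot with a .git/HEAD inside, checked under both handlers.
    Returns (exposed_under_stock_handler, exposed_under_hardened_handler)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / ".git").mkdir()
        (root / ".git" / "HEAD").write_text("ref: refs/heads/master\n")  # constructed
        (root / "index.html").write_text("<h1>under construction</h1>\n")  # constructed
        results = []
        for cls in (QuietStatic, DenyDotfiles):
            srv, base = serve(cls, root)
            try:
                results.append(git_head_exposed(base))
            finally:
                srv.shutdown()
                srv.server_close()
        return tuple(results)


if __name__ == "__main__":
    stock, hardened = demo()
    print(f"stock static handler exposes .git/HEAD: {stock}")
    print(f"dotfile-denying handler exposes .git/HEAD: {hardened}")
```

The check deliberately inspects the body rather than trusting the status code, because many sites answer unknown paths with a 200 and a branded error page; in that situation a status-only check would raise a false alarm. Denying the whole dot-prefixed tree rather than just .git also covers .htaccess, .htpasswd and .env, which the ffuf runs above were probing for as well.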