Web


Nmap discovered a web server on the target port 8091. The running service is lighttpd 1.4.53.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/walla]
└─$ curl -I -X OPTIONS http://$IP:8091/
HTTP/1.1 401 Unauthorized
Set-Cookie: PHPSESSID=p5an6juhfo2nmhube19ilkcl5l; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
WWW-Authenticate: Basic realm="RaspAP"
Content-type: text/html; charset=UTF-8
Content-Length: 15
Date: Thu, 27 Mar 2025 14:40:44 GMT
Server: lighttpd/1.4.53
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/walla]
└─$ curl -I http://$IP:8091/           
HTTP/1.1 401 Unauthorized
Set-Cookie: PHPSESSID=ekic7lp2v2vhb4a308dkrks77k; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
WWW-Authenticate: Basic realm="RaspAP"
Content-type: text/html; charset=UTF-8
Date: Thu, 27 Mar 2025 14:40:46 GMT
Server: lighttpd/1.4.53

The webroot is locked behind HTTP Basic authentication.

RaspAP


Interestingly, the Basic realm is set to RaspAP.

Looking it up online reveals that RaspAP is a router application.
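The two headers that identified this host (Server: lighttpd/1.4.53 and the Basic realm) can be pulled out of a raw response programmatically. The following Python is an added example, not code from this write-up or from the RaspAP project; it parses the response curl printed above (embedded here as a constructed sample) and returns a structured fingerprint, which is what an exposure scan or asset inventory would record before checking whether a panel still runs on vendor defaults. The KNOWN_REALMS table and every function name are assumptions of this example.

```python
"""Extract a service fingerprint from raw HTTP response headers.

Added example (not from the original write-up): it parses the kind of
response shown above and returns the Server product/version and the
HTTP Basic realm, which is what identified the panel as RaspAP here.
"""
import re
from typing import Any, Dict

# Constructed sample: the headers curl printed for the target (copied from the write-up)
SAMPLE_RESPONSE = """HTTP/1.1 401 Unauthorized
Set-Cookie: PHPSESSID=p5an6juhfo2nmhube19ilkcl5l; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
WWW-Authenticate: Basic realm="RaspAP"
Content-type: text/html; charset=UTF-8
Content-Length: 15
Date: Thu, 27 Mar 2025 14:40:44 GMT
Server: lighttpd/1.4.53
"""

# Assumed lookup table for this example: realm string -> what the realm identifies
KNOWN_REALMS = {
    "RaspAP": "RaspAP router web UI; ships with a documented default credential",
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return header names (lower-cased) -> values; the status line is stored under 'status'.

    A repeated header (e.g. several Set-Cookie lines) keeps only the last value,
    which is enough for fingerprinting.
    """
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    if lines and lines[0].startswith("HTTP/"):
        headers["status"] = lines[0].split(" ", 1)[1]  # e.g. "401 Unauthorized"
        lines = lines[1:]
    for line in lines:
        if ":" not in line:
            continue  # not a header line; skip
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(raw: str) -> Dict[str, Any]:
    """Summarise what a single response tells a scanner about the service."""
    h = parse_headers(raw)
    result: Dict[str, Any] = {
        "status_code": None, "server_product": None, "server_version": None,
        "auth_scheme": None, "realm": None, "session_cookie": None, "product_hint": None,
    }
    status = h.get("status", "")
    if status[:3].isdigit():
        result["status_code"] = int(status[:3])
    # Server: product/version  (version is optional, e.g. "Server: nginx")
    m = re.match(r"([^/\s]+)(?:/(\S+))?", h.get("server", ""))
    if m:
        result["server_product"], result["server_version"] = m.group(1), m.group(2)
    # WWW-Authenticate: <scheme> realm="..."  (realm may also be unquoted)
    www = h.get("www-authenticate")
    if www:
        result["auth_scheme"] = www.split()[0]
        rm = re.search(r'realm=(?:"([^"]*)"|([^\s,]+))', www, re.I)
        if rm:
            result["realm"] = rm.group(1) if rm.group(1) is not None else rm.group(2)
    # Session cookie name hints at the application stack (PHPSESSID -> PHP)
    cookie = h.get("set-cookie")
    if cookie and "=" in cookie:
        result["session_cookie"] = cookie.split("=", 1)[0]
    result["product_hint"] = KNOWN_REALMS.get(result["realm"] or "")
    return result


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print(f"{key:15} {value}")
```

The realm is the most specific signal in this response: the Server header only names lighttpd, and the cookie name only says PHP, but the realm names the product outright, which is why the next step in the write-up is a documentation lookup rather than more enumeration.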

Default Credential


Checking the official documentation reveals the default credential: admin:secret.

Successfully authenticated; the default credential worked.

Version Information


Checking the about page reveals the version information: RaspAP v2.5.

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/walla]
└─$ searchsploit RaspAP
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
RaspAP 2.6.6 - Remote Code Execution (RCE) (Authenticated)   | php/webapps/50224.py
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Checking for vulnerabilities revealed an RCE exploit for RaspAP 2.6.6. Given that the instance is RaspAP v2.5, it could still work.

Console


Under the System tab, there is a console available (CVE-2020-24572).

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/walla]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:8091/FUZZ -ic -e .txt,.html,.php
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.179.97:8091/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .txt .html .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
LICENSE                 [Status: 200, Size: 35146, Words: 5836, Lines: 674, Duration: 21ms]
_layouts                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 21ms]
ajax                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 33ms]
app                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 22ms]
config                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 21ms]
dist                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 20ms]
favicon.ico             [Status: 200, Size: 1150, Words: 6, Lines: 4, Duration: 30ms]
includes                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
index.php               [Status: 401, Size: 15, Words: 2, Lines: 2, Duration: 23ms]
installers              [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
locale                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 20ms]
templates               [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 25ms]
~sys~                   [Status: 403, Size: 341, Words: 31, Lines: 12, Duration: 23ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1834 req/sec :: Duration: [0:00:56] :: Errors: 0 ::
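One thing the ffuf run shows that is easy to miss in the raw listing: the root answers 401, yet LICENSE and favicon.ico come back 200, so the Basic auth gate does not cover every path. The following Python is an added example, not part of the original write-up or of ffuf itself; it parses ffuf's result lines (the run above is embedded as a constructed sample) and groups them so that content served without credentials under an auth-gated root is listed separately from the 401, 403 and redirect results. Function names and the grouping labels are assumptions of this example.

```python
"""Triage ffuf output: which discovered paths are reachable without credentials?

Added example, not part of the original write-up. It parses the result lines
ffuf prints (same format as the run above) and groups them by status so that
files served with 200 under a root that otherwise answers 401 stand out.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the result and progress lines copied from the ffuf run above
FFUF_OUTPUT = """LICENSE                 [Status: 200, Size: 35146, Words: 5836, Lines: 674, Duration: 21ms]
_layouts                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 21ms]
ajax                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 33ms]
app                     [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 22ms]
config                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 21ms]
dist                    [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 20ms]
favicon.ico             [Status: 200, Size: 1150, Words: 6, Lines: 4, Duration: 30ms]
includes                [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
index.php               [Status: 401, Size: 15, Words: 2, Lines: 2, Duration: 23ms]
installers              [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
locale                  [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 20ms]
templates               [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 25ms]
~sys~                   [Status: 403, Size: 341, Words: 31, Lines: 12, Duration: 23ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1834 req/sec :: Duration: [0:00:56] :: Errors: 0 ::
"""

# One ffuf result line: "<path>   [Status: N, Size: N, Words: N, Lines: N, Duration: Nms]"
RESULT_RE = re.compile(
    r"^(?P<path>\S+)\s+\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+), Duration: (?P<ms>\d+)ms\]"
)


@dataclass
class Hit:
    path: str
    status: int
    size: int
    duration_ms: int


def parse_ffuf(output: str) -> List[Hit]:
    """Return one Hit per result line; banner and progress lines do not match and are skipped."""
    hits: List[Hit] = []
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], int(m["status"]), int(m["size"]), int(m["ms"])))
    return hits


def triage(output: str) -> Dict[str, List[str]]:
    """Group discovered paths by what the status code means for access control."""
    hits = parse_ffuf(output)
    return {
        # 2xx: the server handed over content with no credentials at all
        "served_without_auth": [h.path for h in hits if 200 <= h.status < 300],
        # 401: the auth gate is in place for this path
        "auth_required": [h.path for h in hits if h.status == 401],
        # 403: path exists but is refused; worth noting, not necessarily exposed
        "forbidden": [h.path for h in hits if h.status == 403],
        # 3xx on a bare name is usually a directory (trailing-slash redirect)
        "redirects": [h.path for h in hits if 300 <= h.status < 400],
    }


if __name__ == "__main__":
    for group, paths in triage(FFUF_OUTPUT).items():
        print(f"{group:20} {paths}")
```

On a host where the webroot is meant to be private, the served_without_auth group is the one to review: here it only holds a licence file and an icon, but the same check on a fuller wordlist is how unprotected config or installer files would surface.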

N/A