Web


Nmap discovered a web server on target port 5000. The running service is Werkzeug httpd 3.0.1 (Python 3.12.3).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/wallpaperhub]
└─$ curl -I -X OPTIONS http://$IP:5000/ 
HTTP/1.1 200 OK
Server: Werkzeug/3.0.1 Python/3.12.3
Date: Tue, 15 Apr 2025 11:01:32 GMT
Content-Type: text/html; charset=utf-8
Allow: OPTIONS, GET, HEAD
Content-Length: 0
Connection: close
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/wallpaperhub]
└─$ curl -I http://$IP:5000/        
HTTP/1.1 200 OK
Server: Werkzeug/3.0.1 Python/3.12.3
Date: Tue, 15 Apr 2025 11:01:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 1132
Connection: close

Webroot

It is a Flask application (Flask 3.0.1).

Authentication


There is a login page at the /login endpoint. However, no credentials are known at this time.

Registration


Creating a test account

The server responds with what appears to be a JWT.

Dashboard


Logging in

Uploading Wallpaper


Wallpapers can be uploaded at the /upload-wallpaper endpoint, which takes a POST request.

Interestingly, the web app responds with a session cookie in the session parameter.

Downloading Wallpaper


Uploaded files can be viewed at the /my-uploads endpoint

as well as at the /gallery endpoint.

Attempting to download an uploaded file reveals that uploaded files appear to get renamed and stored in the /download directory.

Looking at the actual downloaded file, however, shows that the web app only prepends the prefix wallpapers_. This would mean that /download/397f4e8d-7f9f-4dc1-803a-36a3c1dabf87 is an identifier that points to the actual file.

Testing for LFI


Testing the file upload feature for LFI

It went through; there is no input validation.

Downloading the file

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/wallpaperhub]
└─$ cat ~/Downloads/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:102:1::/var/cache/pollinate:/bin/false
polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
syslog:x:103:104::/nonexistent:/usr/sbin/nologin
uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
wp_hub:x:1001:1001::/home/wp_hub:/bin/bash

LFI confirmed.
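The upload/download pair below, as an added example that is not the WallpaperHub application's own code, shows the two checks that close this kind of file read: the client-supplied filename is discarded at upload time, and the name a /download/<id> lookup returns is confirmed to resolve to a direct child of the download directory. The storage scheme (a wallpapers_ prefix plus a UUID), the extension allow-list and the records dict standing in for the database are assumptions; only the standard library is used, so it runs without Flask installed.

```python
import re
import uuid
from pathlib import Path

PREFIX = "wallpapers_"                      # prefix observed on the downloaded file
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}   # assumed allow-list
UUID4_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}")


def storage_name(client_filename: str) -> str:
    """Upload side: never reuse the client's filename. Only an allow-listed
    extension is taken from its last component; the rest of the name is
    generated server-side, so '../../etc/passwd.png' becomes
    'wallpapers_<uuid4>.png' and a name without an allowed extension is refused."""
    ext = Path(client_filename).suffix.lower()    # suffix of the last path component only
    if ext not in ALLOWED_EXT:
        raise ValueError(f"unsupported file type: {ext or 'none'}")
    return f"{PREFIX}{uuid.uuid4()}{ext}"


def register_upload(client_filename: str, records: dict) -> str:
    """Store the generated name under an opaque id and return the id that the
    /download/<id> URL will carry (records stands in for the app's database)."""
    stored = storage_name(client_filename)
    file_id = stored[len(PREFIX):-len(Path(stored).suffix)]   # the uuid4 part
    records[file_id] = stored
    return file_id


def resolve_download(download_dir: str, file_id: str, records: dict) -> Path:
    """Download side: validate the id, look the stored name up, and refuse
    anything that does not resolve to a direct child of the download directory.
    The final containment check is what an unvalidated open(join(dir, name)) lacks."""
    if not UUID4_RE.fullmatch(file_id):
        raise ValueError("malformed file id")
    stored = records.get(file_id)
    if stored is None:
        raise FileNotFoundError(file_id)
    if Path(stored).name != stored:               # reject any directory component
        raise PermissionError("stored name contains a path component")
    base = Path(download_dir).resolve()
    candidate = (base / stored).resolve()         # follows symlinks, collapses '..'
    if candidate.parent != base:
        raise PermissionError("path escapes the download directory")
    return candidate


if __name__ == "__main__":
    db = {}
    fid = register_upload("../../../../etc/passwd.png", db)   # constructed input
    print(fid, "->", resolve_download("/srv/wallpaperhub/download", fid, db))
```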

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/wallpaperhub]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:5000/FUZZ -ic -e .html,.txt -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.106.204:5000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
dashboard               [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 41ms]
gallery                 [Status: 200, Size: 13842, Words: 5094, Lines: 313, Duration: 46ms]
login                   [Status: 200, Size: 933, Words: 138, Lines: 28, Duration: 34ms]
logout                  [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 21ms]
register                [Status: 200, Size: 847, Words: 133, Lines: 27, Duration: 35ms]
settings                [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 26ms]
subscriptions           [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 26ms]
:: Progress: [61434/61434] :: Job [1/1] :: 632 req/sec :: Duration: [0:01:38] :: Errors: 0 ::

N/A