Web
Nmap discovered a web server on target port 6789.
The running service is Tornado httpd 6.3.3.
Tornado is a scalable, non-blocking web server and web application framework written in Python. It was developed for use by FriendFeed; the company was acquired by Facebook in 2009 and Tornado was open-sourced soon after.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ curl -I -X OPTIONS http://$IP:6789/
HTTP/1.1 405 Method Not Allowed
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Thu, 17 Apr 2025 13:26:25 GMT
Content-Length: 87
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ curl -I http://$IP:6789/
HTTP/1.1 405 Method Not Allowed
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Thu, 17 Apr 2025 13:26:27 GMT
Content-Length: 87
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ curl -i http://$IP:6789/
HTTP/1.1 200 OK
Server: TornadoServer/6.3.3
Content-Type: text/html; charset=UTF-8
Date: Thu, 17 Apr 2025 13:27:11 GMT
Etag: "5cd94b3447ecdb08c83305d35fe119c49b183d5b"
Content-Length: 9054
<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><link href="/favicon.ico" rel="icon"/><title>Mage</title>
[remainder of the response body omitted: Next.js page markup, inline CSS and theme JSON]
Webroot
Requests to the web root are redirected to the endpoint
/overview?tab=today
This is a mage-ai instance.
Mage is a hybrid framework for transforming and integrating data. It combines the best of both worlds: the flexibility of notebooks with the rigor of modular code.
- Extract and synchronize data from 3rd party sources.
- Transform data with real-time and batch pipelines using Python, SQL, and R.
- Load data into your data warehouse or data lake using our pre-built connectors.
- Run, monitor, and orchestrate thousands of pipelines without losing sleep.
Plus hundreds of enterprise-class features, infrastructure innovations, and magical surprises.
Source code is available for review
Version Information
The version is disclosed in the header:
0.9.75
Vulnerabilities
Searching online for known vulnerabilities in this version reveals a critical one: Insecure Default Authentication Setup Leading to Zero-Click RCE, which has been assigned CVE-2025-2129.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:6789/FUZZ -ic -e .html,.txt -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.239.210:6789/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
favicon.ico [Status: 200, Size: 15406, Words: 11, Lines: 1, Duration: 257ms]
files [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 29ms]
manage [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 29ms]
oauth [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 31ms]
overview [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 26ms]
pipelines [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 68ms]
settings [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 27ms]
sign-in [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 26ms]
templates [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 30ms]
terminal [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 26ms]
triggers [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 25ms]
:: Progress: [61434/61434] :: Job [1/1] :: 1438 req/sec :: Duration: [0:00:45] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:6789/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.239.210:6789/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
images [Status: 403, Size: 34, Words: 4, Lines: 1, Duration: 27ms]
settings [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 25ms]
manage [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 29ms]
fonts [Status: 403, Size: 34, Words: 4, Lines: 1, Duration: 25ms]
pipelines [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 26ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1503 req/sec :: Duration: [0:02:35] :: Errors: 0 ::
N/A
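Added example (not part of the original notes): a short Python script that groups the ffuf result lines above by response signature and compares them with the 9054-byte Content-Length of the root page from the earlier curl output. Every 200 route except favicon.ico matches that size, which suggests the server is returning the same client-side application document for each of them; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Result lines from the two ffuf runs above (repeated paths listed once).
FFUF_LINES = """\
favicon.ico [Status: 200, Size: 15406, Words: 11, Lines: 1, Duration: 257ms]
files [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 29ms]
manage [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 29ms]
oauth [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 31ms]
overview [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 26ms]
pipelines [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 68ms]
settings [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 27ms]
sign-in [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 26ms]
templates [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 30ms]
terminal [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 26ms]
triggers [Status: 200, Size: 9054, Words: 326, Lines: 38, Duration: 25ms]
images [Status: 403, Size: 34, Words: 4, Lines: 1, Duration: 27ms]
fonts [Status: 403, Size: 34, Words: 4, Lines: 1, Duration: 25ms]
"""
ROOT_SIZE = 9054  # Content-Length of "GET /" in the curl output above

RESULT_RE = re.compile(
    r"^(\S+)\s+\[Status: (\d+), Size: (\d+), Words: (\d+), Lines: (\d+), Duration: \d+ms\]$"
)

def group_by_signature(text):
    """Map (status, size, words, lines) -> paths that returned exactly that response shape."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:  # banner, configuration and progress lines do not match and are skipped
            groups[tuple(int(v) for v in m.groups()[1:])].append(m.group(1))
    return dict(groups)

def split_shell_hits(groups, root_size):
    """Separate 200 responses that are the same size as the index page from all other hits."""
    shell, distinct = [], {}
    for sig, paths in groups.items():
        if sig[0] == 200 and sig[1] == root_size:
            shell.extend(paths)
        else:
            distinct[sig] = paths
    return shell, distinct

if __name__ == "__main__":
    shell, distinct = split_shell_hits(group_by_signature(FFUF_LINES), ROOT_SIZE)
    print(f"{len(shell)} paths return the {ROOT_SIZE}-byte index document: {shell}")
    for (status, size, _, _), paths in distinct.items():
        print(f"status {status}, {size} bytes: {paths}")
```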