InfoSec LAB

Zab_Web_80

Created: 5 min read

Web

Nmap discovered a Web server on the target port 80 The running service is Apache httpd 2.4.52 ((Ubuntu))

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ curl -I -X OPTIONS http://$IP/     
HTTP/1.1 200 OK
Date: Thu, 17 Apr 2025 13:26:13 GMT
Server: Apache/2.4.52 (Ubuntu)
Allow: HEAD,GET,POST,OPTIONS
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Thu, 17 Apr 2025 13:26:16 GMT
Server: Apache/2.4.52 (Ubuntu)
Last-Modified: Wed, 05 Mar 2025 12:06:04 GMT
ETag: "29af-62f9736b2e73e"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
Content-Type: text/html

Webroot It’s a default Apache installation page

Fuzzing

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.239.210/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
index.html              [Status: 200, Size: 10671, Words: 3496, Lines: 364, Duration: 26ms]
javascript              [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 24ms]
local.txt               [Status: 200, Size: 33, Words: 1, Lines: 2, Duration: 27ms]
pipelines               [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 50ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1369 req/sec :: Duration: [0:01:07] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.239.210/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 10671, Words: 3496, Lines: 364, Duration: 27ms]
icons                   [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
javascript              [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
zabbix                  [Status: 200, Size: 1541, Words: 57, Lines: 16, Duration: 132ms]
pipelines               [Status: 200, Size: 750, Words: 52, Lines: 16, Duration: 26ms]
server-status           [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
:: Progress: [207630/207630] :: Job [1/1] :: 408 req/sec :: Duration: [0:02:26] :: Errors: 0 :
  • local.txt
  • pipelines
  • zabbix

/local.txt

N/A

/pipelines/

Empty for now

/zabbix/

There appears to be a Zabbix instance running on the /zabbix/ endpoint However, it shows that it’s under maintenance.

Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services. Zabbix collects and displays basic metrics. Source code is available for review

Fuzzing /zabbix/

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/zabbix/FUZZ -ic -e .html,.txt -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.239.210/zabbix/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
assets                  [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 24ms]
audio                   [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 35ms]
data                    [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 25ms]
favicon.ico             [Status: 200, Size: 32988, Words: 13, Lines: 3, Duration: 25ms]
fonts                   [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 27ms]
js                      [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 25ms]
locale                  [Status: 301, Size: 326, Words: 20, Lines: 10, Duration: 25ms]
modules                 [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 25ms]
robots.txt              [Status: 200, Size: 974, Words: 153, Lines: 23, Duration: 25ms]
robots.txt              [Status: 200, Size: 974, Words: 153, Lines: 23, Duration: 24ms]
widgets                 [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 27ms]
:: Progress: [61434/61434] :: Job [1/1] :: 1428 req/sec :: Duration: [0:00:59] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zab]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/zabbix/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.239.210/zabbix/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 1541, Words: 57, Lines: 16, Duration: 29ms]
modules                 [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 24ms]
data                    [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
assets                  [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 24ms]
audio                   [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
local                   [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 24ms]
app                     [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
js                      [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
include                 [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
conf                    [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 24ms]
vendor                  [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 24ms]
widgets                 [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 25ms]
fonts                   [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 26ms]
locale                  [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 24ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1666 req/sec :: Duration: [0:02:25] :: Errors: 0 ::

Based on the fuzzing result, it’s in the ui directory

/zabbix/composer.json

N/A

Interactive Graph View

Backlinks