Web
Nmap discovered a Web server on the target port 80
The running service is Apache httpd 2.2.14 ((Ubuntu))
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zenphoto]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Mon, 24 Mar 2025 16:54:33 GMT
Server: Apache/2.2.14 (Ubuntu)
Allow: GET,HEAD,POST,OPTIONS
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zenphoto]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Mon, 24 Mar 2025 16:54:39 GMT
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Wed, 09 Nov 2011 11:30:14 GMT
ETag: "21137-4b-4b14b9c8d6823"
Accept-Ranges: bytes
Content-Length: 75
Vary: Accept-Encoding
Content-Type: text/html/Practice/ZenPhoto/2-Enumeration/attachments/{214DC877-D246-4361-ACE6-FF80E401D9B7}.png)
Webroot
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zenphoto]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.132.41/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 291, Words: 21, Lines: 11, Duration: 24ms]
.htpasswd [Status: 403, Size: 291, Words: 21, Lines: 11, Duration: 3264ms]
cgi-bin/ [Status: 403, Size: 290, Words: 21, Lines: 11, Duration: 20ms]
index [Status: 200, Size: 75, Words: 2, Lines: 5, Duration: 19ms]
test [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 19ms]
server-status [Status: 403, Size: 295, Words: 21, Lines: 11, Duration: 5028ms]
:: Progress: [20478/20478] :: Job [1/1] :: 70 req/sec :: Duration: [0:00:16] :: Errors: 0 ::/test/
/test/
/Practice/ZenPhoto/2-Enumeration/attachments/{1C3CD298-CDAC-4112-AD25-5F5BCAE922A8}.png)
The /test/ endpoint hosts Zenphoto
/Practice/ZenPhoto/2-Enumeration/attachments/{CC515311-B9EC-4E22-96A1-0495E33BA1DC}.png)
Source code leaks the version information; 1.4.1.4
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zenphoto]
└─$ searchsploit zenphoto 1.4.1.4
------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------ ---------------------------------
ZenPhoto 1.4.1.4 - 'ajax_create_folder.php' Remote Code Execution | php/webapps/18083.php
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No ResultsZenPhoto 1.4.1.4 suffers from a RCE vulnerability