Web
Nmap discovered a web server on target port 80.
The running service is Apache httpd 2.4.41 ((Ubuntu))
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zipper]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Sun, 06 Apr 2025 12:56:49 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 3151
Content-Type: text/html; charset=UTF-8
No Allow header comes back, so the OPTIONS request reveals nothing about the accepted methods; the server simply answered it with the normal page (the same 3151-byte body that index.php returns).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zipper]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Sun, 06 Apr 2025 12:56:51 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Webroot
The landing page claims that the web application archives uploaded files and encrypts the archive.
File Upload
Uploading a test JPG file sends a POST request to index.php.
The upload succeeds and a download link is returned.
Hovering over the link shows where the archive is stored: /uploads
The uploaded file is renamed following a fixed pattern: the prefix upload_ followed by a Unix timestamp and the .zip extension. Because the name is derived only from the upload time, it is predictable: anyone who knows roughly when a file was uploaded can guess its URL.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zipper]
└─$ wget -q http://192.168.201.229/uploads/upload_1743944677.zip
The archive was downloaded for further analysis.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zipper]
└─$ exiftool upload_1743944677.zip
ExifTool Version Number : 13.10
File Name : upload_1743944677.zip
Directory : .
File Size : 24 kB
File Modification Date/Time : 2025:04:06 15:04:38+02:00
File Access Date/Time : 2025:04:06 15:08:09+02:00
File Inode Change Date/Time : 2025:04:06 15:08:09+02:00
File Permissions : -rw-rw-r--
File Type : ZIP
File Type Extension : zip
MIME Type : application/zip
Zip Required Version : 20
Zip Bit Flag : 0x0002
Zip Compression : Deflated
Zip Modify Date : 2025:04:06 13:04:38
Zip CRC : 0xb2ad71f2
Zip Compressed Size : 24009
Zip Uncompressed Size : 24969
Zip File Name : test.jpg
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zipper]
└─$ unzip upload_1743944677.zip
Archive: upload_1743944677.zip
inflating: test.jpg
The archive extracts without a password, and the general purpose bit flag (0x0002) does not have the encryption bit (0x0001) set; 0x0002 only indicates that Deflate ran at maximum compression. Contrary to the page's claim, there is no sign of encryption. Which software produced the archive cannot be identified from this output.
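The check above can be automated. The following is an added example, not code from the original write-up or from the target application: it parses the ZIP central directory directly (the same fields exiftool printed) and reports whether any entry carries the encryption bit, and it models the upload_<unix-timestamp>.zip naming scheme to show how predictable the archive names are. The sample archive, its test.jpg payload and the mark_encrypted negative control are constructed in-process; no real encrypted upload was observed.

```python
"""Added example (not part of the original write-up): inspect a ZIP the way
exiftool/unzip did above, but by parsing the central directory directly,
and model the predictable upload_<unix-timestamp>.zip naming scheme.
The sample archive below is constructed in-process, not the real upload."""
import io
import re
import struct
import zipfile
from datetime import datetime, timezone

EOCD_SIG = 0x06054B50            # end of central directory record signature
CD_SIG = 0x02014B50              # central directory file header signature
FLAG_ENCRYPTED = 0x0001          # general purpose bit 0: traditional PKWARE encryption
COMPRESSION = {0: "Stored", 8: "Deflated", 99: "AES-encrypted (WinZip)"}
UPLOAD_NAME = re.compile(r"^upload_(\d{9,10})\.zip$")

# Constructed stand-in for test.jpg: a JPEG SOI/APP0 marker plus filler bytes.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0" + b"JFIF sample " * 200


def build_sample_archive(name="test.jpg", payload=SAMPLE_JPEG):
    """Create an unencrypted Deflate archive like the one served from /uploads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def _find_eocd(data):
    # The EOCD is 22 bytes, possibly followed by a comment of up to 65535 bytes,
    # so scan backwards from the end for its signature.
    lowest = max(0, len(data) - 22 - 65535)
    for off in range(len(data) - 22, lowest - 1, -1):
        if struct.unpack_from("<I", data, off)[0] == EOCD_SIG:
            return off
    raise ValueError("no end-of-central-directory record: not a ZIP file")


def parse_central_directory(data):
    """Return one dict per entry with the fields exiftool printed above."""
    eocd = _find_eocd(data)
    _, _, _, _, total, _cd_size, cd_off, _ = struct.unpack_from("<IHHHHIIH", data, eocd)
    entries, off = [], cd_off
    for _ in range(total):
        (sig, _made, need, flags, method, _mtime, _mdate, crc, csize, usize,
         fn_len, ex_len, cm_len, _disk, _iattr, _eattr, _lh_off) = struct.unpack_from(
            "<IHHHHHHIIIHHHHHII", data, off)
        if sig != CD_SIG:
            raise ValueError(f"bad central directory signature at offset {off}")
        name = data[off + 46: off + 46 + fn_len].decode("cp437")
        entries.append({
            "name": name,
            "required_version": need,          # 20 == ZIP spec 2.0, as exiftool showed
            "flags": flags,
            "compression": COMPRESSION.get(method, f"method {method}"),
            # Bit 0 of the flag word, or method 99, means the entry is encrypted.
            "encrypted": bool(flags & FLAG_ENCRYPTED) or method == 99,
            "crc": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "cd_offset": off,
        })
        off += 46 + fn_len + ex_len + cm_len
    return entries


def mark_encrypted(data):
    """Constructed negative control: set the encryption bit on every central
    directory entry so the detector has an 'encrypted' case to recognise.
    The data itself stays unencrypted; only the flag word is changed."""
    buf = bytearray(data)
    for e in parse_central_directory(data):
        # flag word sits 8 bytes into the record: signature(4) + made_by(2) + needed(2)
        struct.pack_into("<H", buf, e["cd_offset"] + 8, e["flags"] | FLAG_ENCRYPTED)
    return bytes(buf)


def upload_timestamp(filename):
    """Recover the upload time from upload_<epoch>.zip, or None if it does not match."""
    m = UPLOAD_NAME.match(filename)
    if not m:
        return None
    return datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)


def candidate_upload_names(epoch, window):
    """Archive names to try for an upload made within +/- window seconds of epoch."""
    return [f"upload_{t}.zip" for t in range(epoch - window, epoch + window + 1)]


if __name__ == "__main__":
    archive = build_sample_archive()
    for e in parse_central_directory(archive):
        print(f"{e['name']}: {e['compression']}, flags=0x{e['flags']:04x}, encrypted={e['encrypted']}")
    print(upload_timestamp("upload_1743944677.zip"))
```

Run it against the real download with parse_central_directory(open("upload_1743944677.zip", "rb").read()); an archive that really was encrypted would show encrypted=True on its entries, and the timestamp recovered from the name lines up with the Zip Modify Date exiftool reported.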
Inclusion
Checking the source code of index.php reveals something interesting.
The Home button invokes index.php?file=home
The file parameter may be passed to PHP's include(), which could lead to Local File Inclusion (LFI).
The extension is omitted in the link, so it is probably appended server-side before the include. If that is the case, any value supplied in the parameter will also get the extension appended, which limits which files can be included and needs to be confirmed before a payload is chosen.
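Whether the extension is appended can be settled with a differential probe before guessing payloads. The script below is an added example, not code from the original write-up or from the target: it requests file=home, file=home.php and a constructed non-existent value, and compares the responses with the baseline. The parameter name file comes from the page; the probe value doesnotexist, the example.invalid host and the fetch-function injection used for offline testing are assumptions.

```python
"""Added example (not from the original write-up): differential probing of
index.php?file= to test whether the server appends ".php" to the parameter.
The parameter name comes from the page; the probe values and the
example.invalid host are constructed."""
import sys
import urllib.error
import urllib.parse
import urllib.request

# "doesnotexist" is a constructed baseline value that should match no file on disk.
PROBES = ["home", "home.php", "doesnotexist"]


def http_fetch(url):
    """GET a URL and return (status, body); HTTP error responses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url, param="file", fetch=http_fetch):
    """Request each probe value and record (status, body length) per value.

    fetch is injectable so the logic can be exercised offline with a fake."""
    results = {}
    for value in PROBES:
        url = base_url + "?" + urllib.parse.urlencode({param: value})
        status, body = fetch(url)
        results[value] = (status, len(body))
    return results


def classify(results):
    """Decide how the parameter is used from which probes differ from the baseline.

    Including a missing file leaves only the page frame, so a value 'works'
    if its response differs from the doesnotexist baseline."""
    baseline = results["doesnotexist"]
    works = {v: r != baseline for v, r in results.items()}
    if works["home"] and not works["home.php"]:
        return "extension appended"        # include($file . '.php'): home.php.php is missing
    if works["home.php"] and not works["home"]:
        return "raw include"               # include($file): 'home' alone is not a file
    if works["home"] and works["home.php"]:
        return "both accepted"             # e.g. extension stripped and re-added
    return "parameter not included"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://example.invalid/index.php"
    res = probe(target)
    for v, (status, size) in res.items():
        print(f"file={v:<14} status={status} size={size}")
    print("verdict:", classify(res))
```

Usage against the lab target would be python3 probe.py http://$IP/index.php. The verdict only tells you how the parameter is consumed; it is the starting point for choosing an inclusion payload, not proof of a vulnerability, and responses that differ only by a PHP warning line are still counted as differing, which is the intended behaviour.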
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/zipper]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.201.229/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
home.php [Status: 200, Size: 3151, Words: 338, Lines: 77, Duration: 33ms]
index.php [Status: 200, Size: 3151, Words: 338, Lines: 77, Duration: 32ms]
style [Status: 200, Size: 155, Words: 24, Lines: 8, Duration: 20ms]
upload.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 33ms]
uploads [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 23ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1769 req/sec :: Duration: [0:00:57] :: Errors: 0 ::
ffuf found several endpoints.
Notably, home.php and index.php return identical responses (same size, words and lines), which is consistent with index.php including home.php when file=home.
/upload.php
A GET to this file returns an empty 200 response (Size: 0). Since the upload form posts to index.php, upload.php is probably included by index.php to perform the archiving rather than being called directly.
/uploads
Directly accessing the /uploads directory is forbidden (directory listing is disabled), although individual archives inside it can still be fetched by name, as done above.