Web


Nmap discovered a web server on the target port 9443. The running service is Apache httpd 2.4.58 ((Ubuntu)).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ curl -k -I -X OPTIONS https://vmdak.local:9443/
HTTP/1.1 200 OK
Date: Wed, 09 Apr 2025 17:34:48 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5473
Content-Type: text/html; charset=UTF-8
 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ curl -k -I https://vmdak.local:9443/        
HTTP/1.1 200 OK
Date: Wed, 09 Apr 2025 17:34:52 GMT
Server: Apache/2.4.58 (Ubuntu)
Content-Type: text/html; charset=UTF-8

Webroot Prison Management System

Default Credential


The project website shows the default credentials: admin:admin123

Successfully authenticated

Leave Management


Checking the Leave Management tab reveals a set of CLEARTEXT credentials: malcom:RonnyCache001

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ searchsploit Prison Management System 
------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                    |  Path
------------------------------------------------------------------ ---------------------------------
Prison Management System - SQL Injection Authentication Bypass    | php/webapps/52017.txt
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

Checking for known vulnerabilities reveals a SQL injection authentication bypass: CVE-2024-33288

It would appear that the target Prison Management System instance suffers from multiple vulnerabilities;

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u https://vmdak.local:9443/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : https://vmdak.local:9443/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
Admin                   [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 23ms]
css                     [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 27ms]
fonts                   [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 22ms]
image                   [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 28ms]
images                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 28ms]
inc                     [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 27ms]
index.php               [Status: 200, Size: 5473, Words: 1487, Lines: 129, Duration: 21ms]
js                      [Status: 301, Size: 315, Words: 20, Lines: 10, Duration: 21ms]
lib                     [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 22ms]
plugin                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 22ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1626 req/sec :: Duration: [0:00:59] :: Errors: 0 ::
 
 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://vmdak.local:9443/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : https://vmdak.local:9443/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 5473, Words: 1487, Lines: 129, Duration: 23ms]
images                  [Status: 200, Size: 1978, Words: 110, Lines: 22, Duration: 23ms]
icons                   [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 25ms]
image                   [Status: 200, Size: 2454, Words: 128, Lines: 24, Duration: 23ms]
css                     [Status: 200, Size: 3704, Words: 183, Lines: 30, Duration: 23ms]
lib                     [Status: 200, Size: 952, Words: 64, Lines: 17, Duration: 44ms]
database                [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 28ms]
js                      [Status: 200, Size: 4050, Words: 207, Lines: 32, Duration: 23ms]
inc                     [Status: 200, Size: 1341, Words: 90, Lines: 19, Duration: 25ms]
fonts                   [Status: 200, Size: 3147, Words: 173, Lines: 26, Duration: 23ms]
plugin                  [Status: 200, Size: 942, Words: 64, Lines: 17, Duration: 37ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 29ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1428 req/sec :: Duration: [0:02:32] :: Errors: 0 ::

N/A

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/vmdak]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u https://$IP:9443/ -H 'Host: FUZZ.vmdak.local' -ic -mc all -fs 5473
________________________________________________
 :: Method           : GET
 :: URL              : https://192.168.125.103:9443/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.vmdak.local
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response size: 5473
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 1298 req/sec :: Duration: [0:01:41] :: Errors: 0 ::

N/A
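Both ffuf runs above (the directory/extension scan and the Host-header vhost scan) leave a distinctive trace in the Apache access log. As an added example that is not part of the original writeup, the Python below parses combined-format log lines and flags clients whose traffic looks like a wordlist scan or that carry ffuf's default User-Agent; the sample log lines are constructed, and the User-Agent prefix "Fuzz Faster U Fool" is an assumption about ffuf's default.

```python
import re
from collections import defaultdict

# Apache "combined" LogFormat, the default for Ubuntu's apache2 access.log:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)  # None for lines that are not in combined format
    return m.groupdict() if m else None

def detect_enumeration(lines, min_requests=20, min_miss_ratio=0.8):
    """Flag client IPs whose traffic looks like a wordlist scan: many requests, nearly all
    answered 3xx/4xx, spread over many distinct paths, or carrying ffuf's default
    User-Agent (assumed here to start with "Fuzz Faster U Fool")."""
    per_ip = defaultdict(lambda: {"requests": 0, "misses": 0, "paths": set(), "uas": set()})
    for rec in filter(None, map(parse_line, lines)):  # silently skips unparseable lines
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        s["uas"].add(rec["ua"])
        if rec["status"][0] in "34":  # directory redirects and not-found hits
            s["misses"] += 1
    findings = {}
    for ip, s in per_ip.items():
        ratio = s["misses"] / s["requests"]
        reasons = []
        if (s["requests"] >= min_requests and ratio >= min_miss_ratio
                and len(s["paths"]) >= min_requests // 2):
            reasons.append("wordlist-style path scan")
        if any(ua.startswith("Fuzz Faster U Fool") for ua in s["uas"]):
            reasons.append("ffuf default User-Agent")
        if reasons:
            findings[ip] = {"requests": s["requests"], "distinct_paths": len(s["paths"]),
                            "miss_ratio": round(ratio, 2), "reasons": reasons}
    return findings

# Constructed sample log: a scanner walking a wordlist, then one ordinary browser session.
FFUF_UA = "Fuzz Faster U Fool v2.1.0-dev"
SAMPLE_LOG = [
    f'192.168.45.10 - - [09/Apr/2025:17:40:{i:02d} +0000] "GET /word{i}.php HTTP/1.1" 404 278 "-" "{FFUF_UA}"'
    for i in range(25)
] + [
    '192.168.45.20 - - [09/Apr/2025:17:42:00 +0000] "GET /index.php HTTP/1.1" 200 5473 "-" "Mozilla/5.0"',
    '192.168.45.20 - - [09/Apr/2025:17:42:01 +0000] "GET /css/style.css HTTP/1.1" 200 3704 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, finding in detect_enumeration(SAMPLE_LOG).items():
        print(ip, finding)
```

The Host-header run only varies the vhost name, which the default combined format does not record, so logging `%{Host}i` (or using the `vhost_combined` format) is what makes that run visible beyond the User-Agent check.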