Web


Nmap discovered a web server on the target's port 80. The running service is Apache httpd 2.4.18.

Webroot

It's the default installation page for Apache.

Fuzzing


┌──(kali㉿kali)-[~/archive/thm/lazyadmin]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://$IP/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.187.138/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 11321, Words: 3503, Lines: 376, Duration: 236ms]
content                 [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 35ms]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 38ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 223 req/sec :: Duration: [0:04:41] :: Errors: 256 ::

ffuf discovered an endpoint: /content

/content/


The /content/ directory hosts SweetRice.

Version Information


Vulnerabilities


┌──(kali㉿kali)-[~/archive/thm/lazyadmin]
└─$ searchsploit sweetrice 1.5
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
SweetRice 1.5.1 - Arbitrary File Download                              | php/webapps/40698.py
SweetRice 1.5.1 - Arbitrary File Upload                                | php/webapps/40716.py
SweetRice 1.5.1 - Backup Disclosure                                    | php/webapps/40718.txt
SweetRice 1.5.1 - Cross-Site Request Forgery                           | php/webapps/40692.html
SweetRice 1.5.1 - Cross-Site Request Forgery / PHP Code Execution      | php/webapps/40700.html
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

There are many vulnerabilities affecting SweetRice 1.5.1. Since the target instance runs SweetRice 1.5.0, an older release, it is likely vulnerable to all of the exploits listed above.

I will first try the Backup Disclosure vulnerability, then go for PHP Code Execution.

Fuzzing /content/


┌──(kali㉿kali)-[~/archive/thm/lazyadmin]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt  -t 200 -u http://$IP/content/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.187.138/content/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htpasswd               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 481ms]
_themes                 [Status: 301, Size: 324, Words: 20, Lines: 10, Duration: 84ms]
as                      [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 74ms]
attachment              [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 80ms]
.htaccess               [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 2084ms]
images                  [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 400ms]
inc                     [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 243ms]
js                      [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 120ms]
:: Progress: [20476/20476] :: Job [1/1] :: 137 req/sec :: Duration: [0:01:04] :: Errors: 126 ::

ffuf found several other endpoints:

  • /content/as
  • /content/inc
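As an added, defender-side example that is not part of the original write-up: a small Python detector that reads Apache access-log lines and flags any client producing a burst of 403/404 responses, which is the footprint that directory fuzzing like the two ffuf runs above leaves on the server. The log lines, client addresses, window and threshold are constructed assumptions, not the target's logs.

```python
# Added example (not from the write-up): flag directory brute-forcing in Apache access logs.
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Apache "combined" format; referrer and user-agent are ignored here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def detect_enumeration(lines, window_s=10, threshold=25):
    """Return {ip: peak_count} for clients with >= threshold 403/404s in any window_s seconds."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in (403, 404):
            stamps[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

def sample_log():
    """Constructed sample: one client fuzzing /content/ at ~15 req/s, one normal visitor."""
    t0 = datetime.strptime("10/Mar/2024:12:00:00 +0000", TS_FMT)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" {code} 278 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="198.51.100.7", ts=(t0 + timedelta(seconds=i / 15)).strftime(TS_FMT),
                        path=f"/content/word{i}", code=404) for i in range(45)]
    lines.append(fmt.format(ip="203.0.113.9", ts=t0.strftime(TS_FMT), path="/content/", code=200))
    lines.append(fmt.format(ip="203.0.113.9", ts=t0.strftime(TS_FMT), path="/favicon.ico", code=404))
    return lines
```

Running `detect_enumeration(sample_log())` returns `{'198.51.100.7': 45}`; a real ffuf run at 200 threads produces hundreds of misses per second, so the threshold mainly needs to sit above what a broken link or a crawler generates.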

/content/as


This is the SweetRice login page.

I should be able to log in with the credential obtained earlier:

Successfully authenticated.