Web
Nmap discovered a web server on the target's port 80
The running service is Apache httpd 2.4.29
Webroot
Wappalyzer identified the technologies involved
It’s built on PHP
Fuzzing
┌──(kali㉿kali)-[~/archive/thm/rootme]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://$IP/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.183.226/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 5426ms]
.htpasswd [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 9544ms]
css [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 87ms]
js [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 158ms]
panel [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 237ms]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10, Duration: 234ms]
uploads [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 236ms]
:: Progress: [20476/20476] :: Job [1/1] :: 134 req/sec :: Duration: [0:00:59] :: Errors: 87 ::
ffuf found 2 interesting directories:
/panel
/uploads
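Seen from the server side, a wordlist scan like the ffuf run above appears in the Apache access log as one client requesting many distinct paths within seconds, nearly all answered with 404. The following detection sketch is an added example, not part of the original writeup; the thresholds, client addresses and log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def detect_content_discovery(lines, window_s=10, min_requests=50, min_miss_ratio=0.8):
    """Return {client_ip: [window_start_epoch, ...]} for windows that look like fuzzing.

    A window is flagged when one client requests at least min_requests distinct
    paths and at least min_miss_ratio of its responses are 404.
    The default thresholds are assumptions to tune per site.
    """
    buckets = defaultdict(lambda: {"paths": set(), "total": 0, "miss": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ip, ts, _method, path, status = m.groups()
        t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        start = int(t.timestamp()) // window_s * window_s  # fixed time window
        b = buckets[(ip, start)]
        b["paths"].add(path)
        b["total"] += 1
        b["miss"] += status == "404"
    alerts = defaultdict(list)
    for (ip, start), b in sorted(buckets.items()):
        if len(b["paths"]) >= min_requests and b["miss"] / b["total"] >= min_miss_ratio:
            alerts[ip].append(start)
    return dict(alerts)

def constructed_sample():
    """Constructed log lines: one scanner burst plus ordinary browsing."""
    fmt = '{ip} - - [01/Jan/2024:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" {c} 278'
    hits = {"/panel": 301, "/uploads": 301, "/css": 301, "/js": 301}
    lines = [fmt.format(ip="192.0.2.10", s=i % 10, p=f"/word{i}", c=404) for i in range(120)]
    lines += [fmt.format(ip="192.0.2.10", s=5, p=p, c=c) for p, c in hits.items()]
    lines += [fmt.format(ip="198.51.100.7", s=i, p=p, c=200)
              for i, p in enumerate(["/", "/css/site.css", "/js/app.js"])]
    return lines

if __name__ == "__main__":
    for ip, windows in detect_content_discovery(constructed_sample()).items():
        print(f"{ip}: {len(windows)} window(s) of likely directory fuzzing")
```

The few 301 responses inside a flagged window are the paths worth reviewing first, since they are the directories the scan actually found.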
/panel
Looks to be a standard file upload feature
/uploads
The /uploads directory contains the uploaded files
I tried a bunch and found out what worked