Web


Nmap discovered a web server on target port 80. The running service is Apache/2.4.38 (Debian), as the Server header in the captures below confirms.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/bbscute]
└─$ curl -I -X OPTIONS http://$IP/           
HTTP/1.1 200 OK
Date: Tue, 29 Apr 2025 12:18:56 GMT
Server: Apache/2.4.38 (Debian)
Allow: OPTIONS,HEAD,GET,POST
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/bbscute]
└─$ curl -I http://$IP/        
HTTP/1.1 200 OK
Date: Tue, 29 Apr 2025 12:18:59 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Thu, 17 Sep 2020 15:23:38 GMT
ETag: "29cd-5af83f7e950ce"
Accept-Ranges: bytes
Content-Length: 10701
Vary: Accept-Encoding
Content-Type: text/html

Webroot: the document root serves the default Apache installation page (index.html, 10701 bytes), so the application itself has to be located by fuzzing.
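The two curl captures above are the raw material for the fingerprint; the script below, an added example that is not part of the original write-up, parses a response head of that shape into the facts a tester notes at this point (status, server product and version, allowed methods, and any method that deserves a follow-up probe). SAMPLE_HEAD is reconstructed from the OPTIONS and GET captures above; the RISKY_METHODS set is my own choice of methods worth flagging.

```python
"""Parse the head of an HTTP response (the text `curl -I` prints) into the
facts worth recording during web enumeration: status, server product and
version, allowed methods, and any method that warrants a follow-up probe.

Added example, not code from the original write-up. SAMPLE_HEAD is
reconstructed from the two curl captures in this section."""
import re
from typing import Optional

# Constructed sample: the OPTIONS response from the write-up, with the
# GET response's Content-Length and Last-Modified grafted on.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 29 Apr 2025 12:18:56 GMT\r\n"
    "Server: Apache/2.4.38 (Debian)\r\n"
    "Allow: OPTIONS,HEAD,GET,POST\r\n"
    "Last-Modified: Thu, 17 Sep 2020 15:23:38 GMT\r\n"
    "Content-Length: 10701\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# Methods a plain content site should not expose; each has a well-known abuse
# (file write, file removal, cross-site tracing, proxying). My own selection.
RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}


def parse_head(raw: str) -> dict:
    """Split a response head into its status code and a lower-cased header map."""
    lines = [ln for ln in raw.replace("\r\n", "\n").split("\n") if ln.strip()]
    m = re.match(r"HTTP/(\S+)\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response head: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not 'Name: value'
            headers[name.strip().lower()] = value.strip()
    return {"http_version": m.group(1), "status": int(m.group(2)), "headers": headers}


def server_banner(headers: dict) -> Optional[dict]:
    """Break a banner like 'Apache/2.4.38 (Debian)' into product, version and platform."""
    banner = headers.get("server")
    if not banner:
        return None
    m = re.match(r"([A-Za-z][\w.-]*)/([\d.]+)(?:\s+\((.*?)\))?", banner)
    if not m:
        return {"raw": banner, "product": banner, "version": None, "platform": None}
    return {"raw": banner, "product": m.group(1), "version": m.group(2), "platform": m.group(3)}


def allowed_methods(headers: dict) -> set:
    """Methods advertised in the Allow header of an OPTIONS response."""
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def triage(raw: str) -> dict:
    """Summarise a response head the way a tester would note it down."""
    parsed = parse_head(raw)
    h = parsed["headers"]
    methods = allowed_methods(h)
    return {
        "status": parsed["status"],
        "server": server_banner(h),
        "methods": sorted(methods),
        "risky_methods": sorted(methods & RISKY_METHODS),
        "content_length": int(h.get("content-length", "0") or 0),
        "last_modified": h.get("last-modified"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HEAD).items():
        print("%-15s %s" % (key, value))
```

The version string the parser pulls out (2.4.38) is what you would feed to searchsploit; the Allow list is the check that matters for the next phase, since an exposed PUT or DELETE changes the attack surface entirely, and the Last-Modified date on the default page gives a rough idea of when the host was built.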

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/bbscute]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.239.128/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
LICENSE.txt             [Status: 200, Size: 3119, Words: 431, Lines: 64, Duration: 18ms]
captcha.php             [Status: 200, Size: 92, Words: 7, Lines: 1, Duration: 65ms]
core                    [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 20ms]
docs                    [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 24ms]
example.php             [Status: 200, Size: 9522, Words: 2492, Lines: 155, Duration: 29ms]
favicon.ico             [Status: 200, Size: 1150, Words: 8, Lines: 1, Duration: 21ms]
index.html              [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 19ms]
index.php               [Status: 200, Size: 6175, Words: 1179, Lines: 169, Duration: 22ms]
libs                    [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 20ms]
manual                  [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 21ms]
popup.php               [Status: 200, Size: 28, Words: 6, Lines: 1, Duration: 24ms]
print.php               [Status: 200, Size: 28, Words: 6, Lines: 1, Duration: 22ms]
rss.php                 [Status: 200, Size: 105, Words: 15, Lines: 2, Duration: 34ms]
search.php              [Status: 200, Size: 5310, Words: 210, Lines: 6, Duration: 29ms]
skins                   [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 27ms]
snippet.php             [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 25ms]
uploads                 [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1923 req/sec :: Duration: [0:00:54] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/bbscute]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.239.128/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
                        [Status: 200, Size: 10701, Words: 3427, Lines: 369, Duration: 20ms]
docs                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 43ms]
uploads                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 20ms]
skins                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
core                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
manual                  [Status: 200, Size: 626, Words: 14, Lines: 13, Duration: 24ms]
libs                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 19ms]
cdata                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 22ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1550 req/sec :: Duration: [0:01:56] :: Errors: 0 ::
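Reading two ffuf runs by eye works for a short list, but the decisions being made (which hits are directories to re-fuzz, which are real scripts, which share one generic response that a `-fs` or `-fw` filter should hide) are mechanical. The script below, an added example that is not part of the original write-up, parses ffuf's text output into records and makes those decisions explicit. SAMPLE_FFUF is a subset of the lines from the first run above; the blank-path case (the bare base URL hit in the second run) is handled as well.

```python
"""Triage ffuf's plain-text results: split hits into redirects (directory
candidates), responses with content and empty responses, and flag response
signatures shared by several paths, which usually means one generic page.

Added example, not part of the original write-up. SAMPLE_FFUF is a subset
of the lines from the first ffuf run in this section."""
import re
from collections import defaultdict

# One result line looks like:
#   captcha.php   [Status: 200, Size: 92, Words: 7, Lines: 1, Duration: 65ms]
# The path can be empty: ffuf prints a blank word when the base URL itself hits.
FFUF_LINE = re.compile(
    r"^(?P<path>\S*)\s+\[Status:\s*(?P<status>\d{3}),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+)"
)

# Constructed sample: header, separator and progress lines are left in on
# purpose so the parser has to skip them.
SAMPLE_FFUF = """\
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
LICENSE.txt             [Status: 200, Size: 3119, Words: 431, Lines: 64, Duration: 18ms]
captcha.php             [Status: 200, Size: 92, Words: 7, Lines: 1, Duration: 65ms]
core                    [Status: 301, Size: 317, Words: 20, Lines: 10, Duration: 20ms]
popup.php               [Status: 200, Size: 28, Words: 6, Lines: 1, Duration: 24ms]
print.php               [Status: 200, Size: 28, Words: 6, Lines: 1, Duration: 22ms]
snippet.php             [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 25ms]
uploads                 [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1923 req/sec :: Duration: [0:00:54] :: Errors: 0 ::
"""


def parse_ffuf(text: str) -> list:
    """Return one dict per result line; header, separator and progress lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = FFUF_LINE.match(line)
        if m:
            d = m.groupdict()
            hits.append({"path": d["path"], "status": int(d["status"]), "size": int(d["size"]),
                         "words": int(d["words"]), "lines": int(d["lines"])})
    return hits


def uniform_responses(hits: list, min_paths: int = 2) -> dict:
    """Map each (status, size, words, lines) signature seen on >= min_paths paths to those paths."""
    by_sig = defaultdict(list)
    for h in hits:
        by_sig[(h["status"], h["size"], h["words"], h["lines"])].append(h["path"])
    return {sig: paths for sig, paths in by_sig.items() if len(paths) >= min_paths}


def filter_hint(hits: list, min_paths: int = 3) -> str:
    """Suggest an ffuf -fs argument for any size that recurs on min_paths or more hits."""
    counts = defaultdict(int)
    for h in hits:
        counts[h["size"]] += 1
    sizes = sorted(size for size, n in counts.items() if n >= min_paths)
    return "-fs " + ",".join(str(s) for s in sizes) if sizes else ""


def classify(hits: list) -> dict:
    """Bucket hits the way you would read them by eye."""
    buckets = {"redirects": [], "content": [], "empty": [], "other": []}
    for h in hits:
        if 300 <= h["status"] < 400:
            buckets["redirects"].append(h["path"])  # usually a directory: rerun with FUZZ/
        elif h["status"] == 200 and h["size"] > 0:
            buckets["content"].append(h["path"])
        elif h["status"] == 200:
            buckets["empty"].append(h["path"])  # exists but prints nothing; worth reading later
        else:
            buckets["other"].append(h["path"])
    return buckets


if __name__ == "__main__":
    hits = parse_ffuf(SAMPLE_FFUF)
    for bucket, paths in classify(hits).items():
        print("%-10s %s" % (bucket, paths))
    for sig, paths in uniform_responses(hits).items():
        print("shared signature %s -> %s" % (sig, paths))
    print("suggested filter:", filter_hint(hits, 2) or "(none)")
```

On the sample, popup.php and print.php share the 28-byte/6-word/1-line signature, which is the pattern of one stub response served under two names. Fetch one of them before filtering on it: in the second run above the six 0-byte 200 responses are real directories with listing disabled, so a blanket `-fs 0` there would hide exactly the paths you want.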

/index.php


Browsing to the /index.php endpoint reveals the login page of a CuteNews instance.

Version Information


The version is disclosed on the page: CuteNews 2.1.2.

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/bbscute]
└─$ searchsploit CuteNews 2.1.2
------------------------------------------------------------- ---------------------------------
 Exploit Title                                               |  Path
------------------------------------------------------------- ---------------------------------
CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit) | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                     | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload         | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution                       | php/webapps/48800.py
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

searchsploit returns four public exploits for CuteNews 2.1.2, including the avatar upload remote code execution tracked as CVE-2019-11447. Note that all of them need a valid CuteNews account, so the next step is to obtain credentials or check whether self-registration is enabled.