Web
Nmap discovered a web server on target port 80
The running service is Microsoft IIS httpd 10.0
Webroot
Gigantic Hosting
It appears to be providing a web hosting service
While the main landing page appears to be the index.html file, there are a few other files to go through
about.html
The about.html file contains generic lorem ipsum filler text
clients.html
The same goes for the clients.html file
month
news.html
There is some ambiguous writing in the news.html file
services.html
The services.html file also contains generic information
support.html
The support.html file contains a contact form
Attempting to test out the contact form shows an interesting result
It sends out a POST request to the contact-post.html file at a host, 10.13.38.16, WITHOUT any data
The web server, for obvious reasons, cannot reach the remote host, 10.13.38.16
I would conclude that this particular feature is not functional
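A static check for the behaviour seen in support.html, as an added example that is not part of the original notes: it parses a page's forms and flags any whose action resolves to a different host or a private IP literal, or that would submit an empty body. The sample markup, the https scheme, /search.html and unnamed fields as the cause of the empty POST are assumptions, since the page does not show the form's source.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for support.html (real markup and scheme are not on the page); /search.html is hypothetical.
SAMPLE_HTML = """
<form method="post" action="https://10.13.38.16/contact-post.html">
  <input type="text" id="name" placeholder="Name">
  <textarea id="message"></textarea>
  <input type="submit" value="Send">
</form>
<form method="get" action="/search.html"><input type="text" name="q"></form>
"""

class FormAudit(HTMLParser):
    """Collect each form's method, action and number of named (submittable) fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"method": (a.get("method") or "get").lower(),
                          "action": a.get("action") or "", "named_fields": 0}
            self.forms.append(self._open)
        elif tag in ("input", "textarea", "select") and self._open and a.get("name"):
            self._open["named_fields"] += 1  # only named controls are submitted

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def audit_forms(html, page_url):
    """Return one finding per form: resolved target plus off-host, private-IP and empty-body flags."""
    parser = FormAudit()
    parser.feed(html)
    site_host = urlsplit(page_url).hostname
    findings = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        host = urlsplit(target).hostname
        try:
            private = ipaddress.ip_address(host).is_private
        except ValueError:  # a DNS name (or no host), not an IP literal
            private = False
        findings.append({"method": form["method"], "target": target,
                         "off_host": host != site_host, "private_ip": private,
                         "empty_body": form["named_fields"] == 0})
    return findings
```

Calling `audit_forms(SAMPLE_HTML, "http://10.10.10.213/support.html")` reports the first form as off-host, pointing at a private address and submitting no fields, while the relative-action form resolves to the site itself.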
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.10.213/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 301, Size: 150, Words: 9, Lines: 2, Duration: 198ms]
* FUZZ: images
[Status: 301, Size: 147, Words: 9, Lines: 2, Duration: 159ms]
* FUZZ: css
[Status: 301, Size: 146, Words: 9, Lines: 2, Duration: 117ms]
* FUZZ: js
[Status: 301, Size: 149, Words: 9, Lines: 2, Duration: 99ms]
* FUZZ: fonts
:: Progress: [220547/220547] :: Job [1/1] :: 311 req/sec :: Duration: [0:09:41] :: Errors: 0 ::
ffuf found nothing new
Virtual Host / Sub-domain Discovery
Testing with the discovered domain, HTB.LOCAL
┌──(kali㉿kali)-[~/archive/htb/labs/apt]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.htb.local' -fw 3211
________________________________________________
:: Method : GET
:: URL : http://10.10.10.213/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.htb.local
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response words: 3211
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 335 req/sec :: Duration: [0:07:39] :: Errors: 0 ::
ffuf returns nothing