Web
Nmap discovered a Web server on the target port 443
The running service is Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
While browsing via the IPv4 address returns a 404, providing the FQDN returns a web application that appears to be designed for professional medical training
Wappalyzer reveals web technologies involved
It’s hosted with WordPress and IIS
It also appears to use MySQL as a backend DB
wpscan
┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ wpscan --url https://atsserver.acute.local --server iis --force --disable-tls-checks --wp-content-dir / -e u
[+] URL: https://atsserver.acute.local/ [10.10.11.145]
[+] Started: Tue Nov 7 14:03:04 2023
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - server: Microsoft-IIS/10.0
| - x-powered-by: ASP.NET
| Found By: Headers (Passive Detection)
| Confidence: 100%
Fingerprinting the version - Time: 00:00:27 <===================================================> (700 / 700) 100.00% Time: 00:00:27
[+] WordPress version 5.8.2 identified (Insecure, released on 2021-11-10).
| Found By: Emoji Settings (Passive Detection)
| - https://atsserver.acute.local/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=5.8.2'
[i] The main theme could not be detected.
[+] Enumerating Users (via Passive and Aggressive Methods)
Brute Forcing Author IDs - Time: 00:00:04 <======================================================> (10 / 10) 100.00% Time: 00:00:04
[i] No Users Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Nov 7 14:03:39 2023
[+] Requests Done: 727
[+] Cached Requests: 49
[+] Data Sent: 172.208 KB
[+] Data Received: 1.093 MB
[+] Memory used: 158.586 MB
[+] Elapsed time: 00:00:35
While wpscan found the version information, WordPress version 5.8.2, user data doesn't seem to be available for enumeration
Burp Suite’s Passive Crawler
Additionally, Burp Suite's passive crawler identified many endpoints, although they appear to be dummy endpoints, as the majority of them just return 404
Interestingly, there is a Word Document file,
New_Starter_CheckList_v7.docx
About
Checking the static
/about.html
file shows exactly that.
The hyperlink located at the right-top corner is mapped to the aforementioned Word document file
Users
Moreover, the section below reveals a list of potential users:
Aileen Wallace, Charlotte Hall, Evan Davies, Ieuan Monks, Joshua Morgan, and Lois Hopkins
New_Starter_CheckList_v7.docx
┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ wget -q --no-check-certificate https://atsserver.acute.local/New_Starter_CheckList_v7.docx
Downloading the Word document file
While the
New_Starter_CheckList_v7.docx
file is indeed a form prepared for new starters, it reveals a few important pieces of information
I will go through them all
Dummy Endpoints
The endpoints above don't exist, as they return 404
The same goes for those above
Default Credential
The default password appears to be
Passwrod1!
PowerShell Web Access (PSWA)
There appears to be an endpoint for PSWA, with a session named
dc_manage
with a few restrictions
Remote
The hyperlink leads to an endpoint at
/Acute_Staff_Access
which redirects to a valid PowerShell Web Access (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831611(v=ws.11)) endpoint, the PSWA endpoint mentioned earlier
This appears to be the entry point
Lois
While
Lois
seems to be a legitimate user, the user also appears to be an admin user
Metadata
┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ file New_Starter_CheckList_v7.docx
New_Starter_CheckList_v7.docx: Microsoft Word 2007+
┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ exiftool New_Starter_CheckList_v7.docx
ExifTool Version Number : 12.67
File Name : New_Starter_CheckList_v7.docx
Directory : .
File Size : 35 kB
File Modification Date/Time : 2021:12:22 01:39:10+01:00
File Access Date/Time : 2023:11:07 14:17:36+01:00
File Inode Change Date/Time : 2023:11:07 14:17:22+01:00
File Permissions : -rw-r--r--
File Type : DOCX
File Type Extension : docx
MIME Type : application/vnd.openxmlformats-officedocument.wordprocessingml.document
Zip Required Version : 20
Zip Bit Flag : 0x0006
Zip Compression : Deflated
Zip Modify Date : 1980:01:01 00:00:00
Zip CRC : 0x079b7eb2
Zip Compressed Size : 428
Zip Uncompressed Size : 2527
Zip File Name : [Content_Types].xml
Creator : FCastle
Description : Created on Acute-PC01
Last Modified By : Daniel
Revision Number : 8
Last Printed : 2021:01:04 15:54:00Z
Create Date : 2021:12:08 14:21:00Z
Modify Date : 2021:12:22 00:39:00Z
Template : Normal.dotm
Total Edit Time : 2.6 hours
Pages : 3
Words : 886
Characters : 5055
Application : Microsoft Office Word
Doc Security : None
Lines : 42
Paragraphs : 11
Scale Crop : No
Heading Pairs : Title, 1
Titles Of Parts :
Company : University of Marvel
Links Up To Date : No
Characters With Spaces : 5930
Shared Doc : No
Hyperlinks Changed : No
App Version : 16.0000
Checking the metadata of the Word document reveals a few important pieces of information:
FCastle
is the creator and likely a valid username. This may also suggest the username naming convention
Acute-PC01
is likely the host where the file originated
Daniel
might be another user
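The Creator, Last Modified By, Description, Company and Template values that exiftool printed are not hidden anywhere exotic: a .docx is a zip, and those fields live in the two XML parts docProps/core.xml and docProps/app.xml. The following Python is an added example, not code from this writeup or from any tool it uses. It builds a small document in memory whose property parts are constructed to mirror the values above, reads them back the way exiftool does, flags the fields that leak a username, a hostname or an organisation, and shows the mitigation a defender would apply before publishing a file: rewriting the archive with those properties emptied. The helper names (build_sample_docx, extract_docx_metadata, find_leaks, scrub_docx) are this example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the two OOXML property parts every .docx carries.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
# Fields that routinely leak usernames, hostnames or an organisation name.
SENSITIVE = ("creator", "lastModifiedBy", "description", "company", "template")

CORE_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}" xmlns:dcterms="{dcterms}" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
    "<dc:creator>{creator}</dc:creator><cp:lastModifiedBy>{modby}</cp:lastModifiedBy>"
    "<cp:revision>{rev}</cp:revision><dc:description>{desc}</dc:description>"
    '<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
    '<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
    "</cp:coreProperties>"
)
APP_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Properties xmlns="{ep}"><Application>Microsoft Office Word</Application>'
    "<Template>{template}</Template><Company>{company}</Company><Pages>3</Pages></Properties>"
)
TYPES_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>'
)


def _core(**kw):
    return CORE_XML.format(**NS, **kw)


def _app(**kw):
    return APP_XML.format(**NS, **kw)


def build_sample_docx() -> bytes:
    """Constructed stand-in for the downloaded file; only the property parts matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", TYPES_XML)
        z.writestr("docProps/core.xml", _core(
            creator="FCastle", modby="Daniel", rev="8", desc="Created on Acute-PC01",
            created="2021-12-08T14:21:00Z", modified="2021-12-22T00:39:00Z"))
        z.writestr("docProps/app.xml", _app(template="Normal.dotm", company="University of Marvel"))
    return buf.getvalue()


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text and el.text.strip() else None


def extract_docx_metadata(data: bytes) -> dict:
    """Read core and app properties straight out of the zip, as exiftool does."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for key, path in (("creator", "dc:creator"), ("description", "dc:description"),
                              ("lastModifiedBy", "cp:lastModifiedBy"), ("revision", "cp:revision"),
                              ("created", "dcterms:created"), ("modified", "dcterms:modified")):
                meta[key] = _text(core, path)
        if "docProps/app.xml" in names:
            app = ET.fromstring(z.read("docProps/app.xml"))
            for key, path in (("application", "ep:Application"), ("template", "ep:Template"),
                              ("company", "ep:Company"), ("pages", "ep:Pages")):
                meta[key] = _text(app, path)
    return {k: v for k, v in meta.items() if v is not None}


def find_leaks(meta: dict) -> dict:
    """Fields a reviewer should clear before publishing, plus hostname-like tokens
    (e.g. 'Created on HOST') found in the free-text description."""
    leaks = {k: meta[k] for k in SENSITIVE if meta.get(k)}
    hosts = re.findall(r"\b[A-Za-z0-9]+-[A-Za-z0-9]+\b", meta.get("description", ""))
    if hosts:
        leaks["hostnames"] = hosts
    return leaks


def scrub_docx(data: bytes) -> bytes:
    """Mitigation: re-emit the archive with identifying properties emptied.
    Timestamps are kept so the part stays schema-valid; every other part is copied as-is."""
    old = extract_docx_metadata(data)
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == "docProps/core.xml":
                dst.writestr(info.filename, _core(creator="", modby="", rev="1", desc="",
                                                  created=old.get("created", ""),
                                                  modified=old.get("modified", "")))
            elif info.filename == "docProps/app.xml":
                dst.writestr(info.filename, _app(template="", company=""))
            else:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("leaks before:", find_leaks(extract_docx_metadata(sample)))
    print("leaks after: ", find_leaks(extract_docx_metadata(scrub_docx(sample))))
```

The scrub keeps the document body untouched and only replaces the two property parts, which is the same thing Word's own "Inspect Document" does for personal information; run it over a real file by passing the bytes of the .docx to scrub_docx and writing the result back out.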
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://atsserver.acute.local/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : https://atsserver.acute.local/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [220547/220547] :: Job [1/1] :: 210 req/sec :: Duration: [0:15:53] :: Errors: 0 ::
Unfortunately, nothing was returned from fuzzing
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/archive/htb/labs/acute]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u https://$IP/ -H 'Host: FUZZ.acute.local'
________________________________________________
:: Method : GET
:: URL : https://10.10.11.145/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.acute.local
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 95 req/sec :: Duration: [0:26:51] :: Errors: 0 ::
Unable to find any additional virtual host or sub-domain as far as the wordlist covers