Web


Nmap discovered a web server on the target's port 8443.

Interestingly, the CN in the TLS certificate is set to 172.16.2.118, a private (RFC 1918) address of the kind Docker hands out to containers on its bridge networks, rather than the address the server was reached on. It is quite possible that the web server is running inside a Docker container and is proxied (or port-forwarded) through the target's port 8443.
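A quick way to confirm this kind of mismatch is to pull the certificate from the port and compare every name in it against the address you actually connected to. The script below is an added example, not part of the original writeup: it extracts the CN and subjectAltName entries from a PEM certificate, checks whether each one is an RFC 1918 address that differs from the target, and, for offline use, builds a constructed self-signed certificate with the CN seen above as a stand-in for the real one. The function names and the sample certificate are my own; only the 172.16.2.118 value comes from the page.

```shell
# Added example: compare the names in a TLS certificate with the host you
# connected to. A CN/SAN that is a private (RFC 1918) address different from
# the target is the tell that the service is a container or backend proxied
# through the host. Requires the openssl CLI.

set -u

# Print the subject CN of a PEM certificate file (first CN only).
cert_cn() {  # cert_cn PEMFILE
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
        | sed -n 's/^ *CN=//p' | head -n 1
}

# Print DNS and IP subjectAltName entries of a PEM certificate, one per line.
# Prints nothing if the certificate carries no SAN extension.
cert_sans() {  # cert_sans PEMFILE
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' | sed 's/^ *//; s/^DNS://; s/^IP Address://'
}

# Return 0 if the argument is an RFC 1918 IPv4 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {  # is_private_ipv4 ADDRESS
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Fetch the leaf certificate presented on HOST:PORT into OUTFILE (network required).
fetch_cert() {  # fetch_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# For each name in the certificate, say whether it points at something other
# than the target: a private address that is not the target suggests a
# proxied container/backend; anything else is reported as unremarkable.
report() {  # report TARGET_IP PEMFILE
    target="$1"; pem="$2"
    for name in $(cert_cn "$pem") $(cert_sans "$pem"); do
        if [ "$name" != "$target" ] && is_private_ipv4 "$name"; then
            echo "$name: private address, not the target -> likely proxied container/backend"
        else
            echo "$name: matches the target or is not a private IPv4 address"
        fi
    done
}

# Constructed sample (assumption, not the real certificate): a self-signed
# certificate whose CN is the address observed on the target's port 8443.
make_sample_cert() {  # make_sample_cert OUTFILE
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout /dev/null -out "$1" -subj "/CN=172.16.2.118" >/dev/null 2>&1
}

# Usage (live):    fetch_cert "$IP" 8443 target.pem && report "$IP" target.pem
# Usage (offline): make_sample_cert sample.pem && report 10.10.11.222 sample.pem
```

Note that the target itself (10.10.11.222) is also an RFC 1918 address, so privateness alone proves nothing; the signal is a private name that differs from the host you connected to.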

The webroot redirects, via an HTML meta refresh, to /pwm:

┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ curl -i https://$IP:8443/ --insecure
HTTP/2 200 
content-type: text/html;charset=ISO-8859-1
content-length: 82
date: Mon, 17 Jul 2023 14:09:00 GMT

<html><head><meta http-equiv="refresh" content="0;URL='/pwm'"/></head></html>

Requesting /pwm with curl shows that it in turn redirects to /pwm/ (with the trailing slash):

┌──(kali㉿kali)-[~/archive/htb/labs/authority]
└─$ curl -i https://$IP:8443/pwm --insecure
HTTP/2 302 
location: /pwm/
date: Mon, 17 Jul 2023 14:09:26 GMT

Then /pwm/

Navigating to /pwm/, I am redirected to /pwm/private/login. The page identifies the application as PWM, a Password Self Service, and a banner states that it is currently in configuration mode, meaning the configuration has not been locked and the configuration interface is still reachable.

Looking it up online reveals PWM to be an open-source password self-service application for LDAP directories (the pwm-project on GitHub).

Authentication fails no matter what is entered, because the application cannot reach its LDAP server. The error message is verbose and leaks the LDAP connection string, ldaps://authority.authority.htb:636, and the bind DN, CN=svc_ldap,OU=Service Accounts,OU=CORP,DC=authority,DC=htb. The application attempted to connect to the LDAPS server as svc_ldap, its LDAP service account; both the internal hostname and the service account name are useful to an attacker and should never be shown to unauthenticated users.

These two buttons lead to the same page at /pwm/private/config/login.

This appears to be the authentication log, covering both successful and failed attempts. It discloses another username, svc_pwm.

I tried weak/default credentials on both login forms, and none of them worked.

Fuzzing


┌──(kali㉿kali)-[~/…/Development/Automation/Ansible/LDAP]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://$IP:8443/FUZZ -ic -fs 82
________________________________________________
 
 :: Method           : GET
 :: URL              : https://10.10.11.222:8443/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 82
________________________________________________
 
pwm                     [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 86ms]
[WARN] Caught keyboard interrupt (Ctrl-C)
 
┌──(kali㉿kali)-[~/…/Development/Automation/Ansible/LDAP]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://$IP:8443/PWM/FUZZ -ic  
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.11.222:8443/PWM/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
[WARN] Caught keyboard interrupt (Ctrl-C)

Nothing new was found beyond /pwm. Note that the second run targeted http://$IP:8443/PWM/FUZZ, plain HTTP against a TLS port and an uppercase path on what is most likely a case-sensitive application path (the redirect was observed at /pwm, not /PWM), so its empty result says nothing about the application. It should be repeated as https://$IP:8443/pwm/FUZZ, filtering the baseline response size the same way the 82-byte redirect page was filtered with -fs 82 in the first run.