Web


Nmap discovered a web server on the target port 80

Webroot

There is a GitBucket instance running

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/caption]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://$IP:8080/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.129.186.48:8080/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
assets                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 406ms]
new                     [Status: 401, Size: 0, Words: 1, Lines: 1, Duration: 1694ms]
root                    [Status: 200, Size: 7429, Words: 1379, Lines: 167, Duration: 2224ms]
search                  [Status: 200, Size: 7132, Words: 1136, Lines: 155, Duration: 2077ms]
signin                  [Status: 200, Size: 6868, Words: 1128, Lines: 142, Duration: 1999ms]
signout                 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 4510ms]
:: Progress: [20476/20476] :: Job [1/1] :: 73 req/sec :: Duration: [0:04:00] :: Errors: 1 ::

ffuf found the following 2 endpoints worth a closer look:

  • new
  • root
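The ffuf run above is triaged by hand; the following Python script is an added example (not part of the original write-up) that parses ffuf's plain-text result lines and sorts the hits into directly reachable pages, auth-gated endpoints (401/403) and bare redirects, which is the same distinction the write-up draws between /root and /new. The sample output is copied from the ffuf run above; the regular expression and the bucket names are my own.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the ffuf run above. The header and progress lines
# are kept on purpose so the parser is shown ignoring them.
SAMPLE_OUTPUT = """\
 :: Method           : GET
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
assets                  [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 406ms]
new                     [Status: 401, Size: 0, Words: 1, Lines: 1, Duration: 1694ms]
root                    [Status: 200, Size: 7429, Words: 1379, Lines: 167, Duration: 2224ms]
search                  [Status: 200, Size: 7132, Words: 1136, Lines: 155, Duration: 2077ms]
signin                  [Status: 200, Size: 6868, Words: 1128, Lines: 142, Duration: 1999ms]
signout                 [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 4510ms]
:: Progress: [20476/20476] :: Job [1/1] :: 73 req/sec :: Duration: [0:04:00] :: Errors: 1 ::
"""

# One ffuf result line, e.g.
# "new   [Status: 401, Size: 0, Words: 1, Lines: 1, Duration: 1694ms]"
RESULT_RE = re.compile(
    r"^(?P<path>\S+)\s+\[Status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+),"
    r"\s*Duration:\s*(?P<duration>\d+)ms\]"
)


@dataclass(frozen=True)
class Hit:
    path: str
    status: int
    size: int
    words: int
    lines: int
    duration_ms: int


def parse_ffuf(output: str) -> list[Hit]:
    """Extract the result lines from ffuf's console output."""
    hits = []
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], int(m["status"]), int(m["size"]),
                            int(m["words"]), int(m["lines"]), int(m["duration"])))
    return hits


def triage(hits: list[Hit]) -> dict[str, list[str]]:
    """Bucket hits by what they mean for a reviewer:
    open     - 2xx with a body, reachable without credentials
    auth     - 401/403, exists but requires authentication
    redirect - 3xx, usually bounces to / or the sign-in page
    other    - anything else (e.g. 405, 500) that merits a manual look
    """
    buckets: dict[str, list[str]] = {"open": [], "auth": [], "redirect": [], "other": []}
    for h in hits:
        if 200 <= h.status < 300 and h.size > 0:
            buckets["open"].append(h.path)
        elif h.status in (401, 403):
            buckets["auth"].append(h.path)
        elif 300 <= h.status < 400:
            buckets["redirect"].append(h.path)
        else:
            buckets["other"].append(h.path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(parse_ffuf(SAMPLE_OUTPUT)).items():
        print(f"{bucket:9s} {', '.join(paths) or '-'}")
```

For anything beyond a one-off, ffuf's own `-o <file> -of json` output is the better input, since it does not depend on the console layout; the parser above is only for pasted terminal output like the block in this write-up.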

/new


┌──(kali㉿kali)-[~/archive/htb/labs/caption]
└─$ curl -I http://$IP:8080/new/
HTTP/1.1 401 Unauthorized
Date: Sat, 14 Sep 2024 21:50:59 GMT
Set-Cookie: JSESSIONID=node0ybqz4tew4affkt76otf35nwa276285.node0; Path=/; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 0


Redirected to the login page

/root


The /root page represents the root user, who is the administrator

Authentication


Testing root:root

Successfully authenticated

Repositories


The root user has 2 private repositories:

  • Logservice
  • Caption-Portal

Logservice

Logservice is

Caption-Portal

Caption-Portal appears to be the web application running on the target port 80. No notable information was found.

Version


The instance is GitBucket 4.40.0. Additionally, it reveals a system user: margo. The backend database is H2.

Database Viewer


There is a Database Viewer section, where I can interact directly with the backend DB via SQL queries

The current database is called DATA

The current user is SA (System Administrator). This would mean that I can achieve system-wide code execution. Moving on to the Exploitation phase.

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/caption]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP:8080/ -H 'Host: FUZZ.caption.htb' -ic -mc all -fw 1180
________________________________________________
 :: Method           : GET
 :: URL              : http://10.129.186.48:8080/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.caption.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response words: 1180
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 82 req/sec :: Duration: [0:23:17] :: Errors: 0 ::

N/A; no virtual hosts or sub-domains were found
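The vhost run above relies on `-mc all -fw 1180`: every Host header that does not exist gets the same catch-all page, so hits are defined as responses whose word count differs from that baseline. The Python below is an added example (not part of the original write-up) that reproduces this comparison so the filter value can be derived instead of guessed. It counts words and lines the way ffuf does (splitting on a single space / newline, which is why an empty body shows Words: 1, Lines: 1 in the output above), obtains the baseline from a random hostname, and flags candidates whose (status, words, lines) signature differs. The `fetch` helper, `random_host`, the page bodies and the `example-vhost.caption.htb` name are all constructed for the example.

```python
import http.client
import secrets


def ffuf_words(body: str) -> int:
    # ffuf's "Words" is the field count after splitting on a single space,
    # so an empty body counts as 1 word.
    return len(body.split(" "))


def ffuf_lines(body: str) -> int:
    # Same idea for "Lines": split on newline, empty body -> 1 line.
    return len(body.split("\n"))


def signature(status: int, body: str) -> tuple[int, int, int]:
    """What ffuf compares when -mc/-fw/-fl are combined."""
    return (status, ffuf_words(body), ffuf_lines(body))


def random_host(domain: str) -> str:
    """A hostname that should not exist, used to capture the catch-all page
    (ffuf's -ac auto-calibration does the equivalent)."""
    return f"{secrets.token_hex(6)}.{domain}"


def fetch(ip: str, port: int, host: str, path: str = "/") -> tuple[int, str]:
    """GET `path` from ip:port with an explicit Host header (hypothetical
    helper; not used by the offline sample below)."""
    conn = http.client.HTTPConnection(ip, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def new_vhosts(baseline: tuple[int, str],
               responses: dict[str, tuple[int, str]]) -> list[str]:
    """Hostnames whose response signature differs from the catch-all baseline.
    Equivalent to `-mc all -fw <baseline words> -fl <baseline lines>`."""
    base_sig = signature(*baseline)
    return [host for host, (status, body) in responses.items()
            if signature(status, body) != base_sig]


# Constructed sample data: a catch-all page and one candidate that serves
# something different. Word counts: DEFAULT_PAGE = 4, OTHER_PAGE = 8.
DEFAULT_PAGE = "<html><body>Sign in to GitBucket</body></html>"
OTHER_PAGE = "<html><body>Welcome to the internal portal, please log in</body></html>"
SAMPLE_BASELINE = (200, DEFAULT_PAGE)
SAMPLE_RESPONSES = {
    "www.caption.htb": (200, DEFAULT_PAGE),
    "mail.caption.htb": (200, DEFAULT_PAGE),
    "example-vhost.caption.htb": (200, OTHER_PAGE),
}


if __name__ == "__main__":
    # Offline demonstration on the constructed data; against a live host the
    # baseline would be fetch(ip, port, random_host("caption.htb")) and each
    # candidate fetch(ip, port, f"{word}.caption.htb").
    print("baseline words:", ffuf_words(SAMPLE_BASELINE[1]))
    print("differing hosts:", new_vhosts(SAMPLE_BASELINE, SAMPLE_RESPONSES))
```

Comparing the full (status, words, lines) tuple rather than words alone avoids missing a vhost whose page happens to have the same word count as the catch-all; the write-up's 1180 is simply the word count of that catch-all response, which is what the baseline request recovers automatically.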