Web


Nmap discovered a web server on the target's port 80. The running service is Apache httpd 2.4.52 ((Win64) OpenSSL/1.1.1m PHP/8.1.1).

Webroot: it appears to be an airline website providing a ticketing service.

The "Your Flight Planner" section appears to contain a submission form, but it's not operational.

Wappalyzer identified the technologies involved. The site is written in PHP 8.1.1.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .txt,.php 
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.187/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
images                  [Status: 301, Size: 337, Words: 22, Lines: 10, Duration: 92ms]
css                     [Status: 301, Size: 334, Words: 22, Lines: 10, Duration: 91ms]
js                      [Status: 301, Size: 333, Words: 22, Lines: 10, Duration: 95ms]
licenses                [Status: 403, Size: 420, Words: 37, Lines: 12, Duration: 89ms]
phpmyadmin              [Status: 403, Size: 420, Words: 37, Lines: 12, Duration: 90ms]
webalizer               [Status: 403, Size: 420, Words: 37, Lines: 12, Duration: 88ms]
:: Progress: [661644/661644] :: Job [1/1] :: 334 req/sec :: Duration: [0:27:41] :: Errors: 20 ::

ffuf returned a few resources, but they are locked behind 403.

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/flight]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 800 -u http://$IP/ -H 'Host: FUZZ.flight.htb' -fs 7069
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.187/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.flight.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 800
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 7069
________________________________________________
school                  [Status: 200, Size: 3996, Words: 1045, Lines: 91, Duration: 94ms]
:: Progress: [114442/114442] :: Job [1/1] :: 388 req/sec :: Duration: [0:04:56] :: Errors: 21 ::

ffuf returned a single virtual host / sub-domain: school.flight.htb

The /etc/hosts file on Kali has been updated for local DNS resolution.
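
From the defender's side, the Host-header fuzzing above appears in web logs as one client sending many distinct, unconfigured Host values within a short window. The detection sketch below is an added example, not part of the original notes. It assumes Apache is configured with a LogFormat that begins with `%{Host}i`. The log lines, client addresses, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed LogFormat (not from the page): "%{Host}i %h %l %u %t \"%r\" %>s %b"
LINE_RE = re.compile(r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] ')
KNOWN_VHOSTS = {"flight.htb", "school.flight.htb"}  # names that appear on the page

def parse(line):
    """Return (timestamp, client, lower-cased Host without port) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts, m["client"], m["host"].lower().split(":")[0]

def detect_vhost_enum(lines, window=timedelta(seconds=60), threshold=5):
    """Map each client to the most distinct unknown Host values it sent
    inside one sliding window, keeping only clients that reach threshold."""
    recent = defaultdict(deque)  # client -> (ts, host) pairs still in window
    flagged = {}
    for rec in filter(None, map(parse, lines)):
        ts, client, host = rec
        if host in KNOWN_VHOSTS:
            continue  # requests for configured vhosts are normal traffic
        q = recent[client]
        q.append((ts, host))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({h for _, h in q})
        if distinct >= threshold:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

def build_sample():
    """Constructed log lines: one enumerating client, one ordinary visitor."""
    fmt = '{h} {c} - - [01/Jan/2024:10:00:{s:02d} +0000] "GET / HTTP/1.1" 200 {z}'
    names = ["www", "mail", "dev", "admin", "test", "vpn", "school"]
    scan = [fmt.format(h=n + ".flight.htb", c="10.10.14.5", s=i,
                       z=3996 if n == "school" else 7069)
            for i, n in enumerate(names)]
    visitor = [fmt.format(h="flight.htb", c="10.10.14.9", s=30, z=7069),
               fmt.format(h="school.flight.htb", c="10.10.14.9", s=40, z=3996)]
    return scan + visitor

if __name__ == "__main__":
    print(detect_vhost_enum(build_sample()))
```

Apache's default `common` and `combined` formats do not record the Host header, so this signal only exists if the log format is extended to include it.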