Web


Nmap discovered a web server running on target port 80. The service is Apache httpd 2.4.29.

After enumerating for DNS, navigating to the web root reveals something interesting.

The web root reveals another domain: friendzoneportal.red. I will take this to the DNS enumeration and attempt another zone transfer for enumeration.

The zone transfer has been completed, and I am continuing the web server enumeration.

Proxy


Almost all of the web traffic is either not available over HTTP or is redirected to the web server on port 443 over SSL.

┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ curl http://friendzone.red 
    curl http://administrator1.friendzone.red                                 
    curl http://hr.friendzone.red
    curl http://uploads.friendzone.red
    curl http://friendzoneportal.red
    curl http://admin.friendzoneportal.red
    curl http://files.friendzoneportal.red
    curl http://imports.friendzoneportal.red
    curl http://vpn.friendzoneportal.red
[...]
<title>Friend Zone Escape software</title>
 
<center><h2>Have you ever been friendzoned ?</h2></center>
 
<center><img src="fz.jpg"></center>
 
<center><h2>if yes, try to get out of this zone ;)</h2></center>
 
<center><h2>Call us at : +999999999</h2></center>
 
<center><h2>Email us at: info@friendzoneportal.red</h2></center>

Those that aren’t available on port 80 simply point to the base web root page with its image, fz.jpg.

friendzone.red


administrator1.friendzone.red


hr.friendzone.red


uploads.friendzone.red


friendzoneportal.red


admin.friendzoneportal.red


files.friendzoneportal.red


imports.friendzoneportal.red


vpn.friendzoneportal.red
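The comparison above can be done mechanically instead of by eye. The following is an added example, not part of the original write-up: it fingerprints each response body and compares it with the response for a hostname that cannot exist, which by definition is served by the default virtual host. The baseline name, the two `example.test` hosts and all response data are constructed for illustration and are not the lab's actual responses.

```python
import hashlib

# Constructed sample data: host -> (status, Location header, body).
# Only the default page markup is taken from the curl output above.
DEFAULT_BODY = ('<title>Friend Zone Escape software</title>\n'
                '<center><img src="fz.jpg"></center>\n')
BASELINE = "no-such-vhost.invalid"   # hypothetical name that no vhost can match
SAMPLE = {
    BASELINE: (200, None, DEFAULT_BODY),
    "friendzone.red": (200, None, DEFAULT_BODY),
    "hr.friendzone.red": (200, None, DEFAULT_BODY + "\n\n"),   # whitespace differs only
    "redirect.example.test": (301, "https://redirect.example.test/", ""),
    "distinct.example.test": (200, None, "<title>Another site</title>"),
}

def fingerprint(body):
    """Hash the body after collapsing whitespace, so trivial
    formatting differences do not hide an otherwise identical page."""
    return hashlib.sha256(" ".join(body.split()).encode()).hexdigest()

def classify(responses, baseline_host):
    """Label each host by how its port-80 response relates to the default vhost."""
    base_fp = fingerprint(responses[baseline_host][2])
    labels = {}
    for host, (status, location, body) in responses.items():
        if status in (301, 302, 307, 308) and (location or "").startswith("https://"):
            labels[host] = "redirect-to-https"    # content only exists on 443
        elif status == 200 and fingerprint(body) == base_fp:
            labels[host] = "default-vhost"        # name is not configured on port 80
        else:
            labels[host] = "distinct-content"     # a real vhost answers on port 80
    return labels

if __name__ == "__main__":
    for host, label in classify(SAMPLE, BASELINE).items():
        print(f"{label:18} {host}")
```

Only hosts labelled `distinct-content` have their own site on port 80; everything else is either the default page or lives behind the HTTPS redirect.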


Fuzzing


While it would appear that there is no sub-domain here on port 80, I will still try to enumerate the base web root by fuzzing it.

┌──(kali㉿kali)-[~/archive/htb/labs/friendzone]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://friendzone.red:80/FUZZ -ic -e .txt,.php,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://friendzone.red:80/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .txt .php .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.html              [Status: 200, Size: 324, Words: 26, Lines: 13, Duration: 34ms]
wordpress               [Status: 301, Size: 320, Words: 20, Lines: 10, Duration: 28ms]
robots.txt              [Status: 200, Size: 13, Words: 2, Lines: 2, Duration: 30ms]

ffuf found the following: /wordpress/ and /robots.txt

/wordpress/


There is directory indexing at the /wordpress/ directory, but it’s just empty.

/robots.txt


Yeah. I don’t think that there is going to be anything here on port 80.