Web


Nmap discovered a web server on the target port 9999. The running service is nginx 1.10.3 (Ubuntu).

The webroot is a default nginx installation page. The notable point here is that it includes a virtual host WITH a typo: forlic.htb. It seems that it is supposed to be frolic.htb, but the admin user might have made an error. Additionally, the URL points to the web server on the target port 1880.

Nonetheless, the “erroneous” virtual host has been appended to the /etc/hosts file on Kali for local DNS resolution.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:9999/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.10.111:9999/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 136ms]
    * FUZZ: admin
[Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 99ms]
    * FUZZ: backup
[Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 132ms]
    * FUZZ: dev
[Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 97ms]
    * FUZZ: loop
[Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 122ms]
    * FUZZ: test
 
:: Progress: [20476/20476] :: Job [1/1] :: 352 req/sec :: Duration: [0:00:54] :: Errors: 0 ::

ffuf returned 5 directories.

admin


It’s some kind of login page.

Checking the source code reveals that it executes the validate() function on click. The script is located at js/login.js.

js/login.js


While there is a CLEARTEXT credential hard-coded into the source code, this appears to be a distraction or “rabbit hole”. Upon successful authentication, it redirects the user to the success.html file.

admin/success.html


While the content of the success.html file seems extremely vague and arbitrary, it is actually a program in an esoteric language called Ook!

Additionally, it can easily be decoded online. The decoded content is: Nothing here check /asdiSIAJJ0QWE9JAS. That appears to be a directory.

/asdiSIAJJ0QWE9JAS


Upon navigating to the /asdiSIAJJ0QWE9JAS directory, it shows a base64 string.

┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ echo 'UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA' | base64 -d                                      
PK     É7M#�[�i	index.phpUT|�[�|�[ux
                                          ^D�J�s�h�)�P�n
                                                        ��Ss�Jw�܎�4��ُk�z��UȖ�+X��P��ᶇ��л�x_�N�[���S��8����J2S�*�DЍ}�8dTQk������j_�����'xc��ݏt��75Q�
           ���k,4��b)�4F��	��������&q2o�WԜ�9P#�[�iPK      É7M#�[�i	��index.phpUT�|�[ux
                                                                                           PKO                                                                                                                                        

The conversion result shows binary data with PK in the header. This indicates that the binary data is in fact a PKZIP archive.

Archive

┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ echo 'UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAAAAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQyOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+fi/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfUnOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACkgQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA' | base64 -d > archive.zip

I will save the converted binary data into a file: archive.zip.

┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ unzip archive.zip     
archive:  archive.zip
[archive.zip] index.php password: 

The archive is password-protected.

┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ zip2john archive.zip > archive.zip.hash 
ver 2.0 efh 5455 efh 7875 archive.zip/index.php pkzip encr: TS_chk, cmplen=176, decmplen=617, crc=145BFE23 ts=89C3 cs=89c3 type=8
 
┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ john ./archive.zip.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 6 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (archive.zip/index.php)     
1g 0:00:00:00 DONE (2023-10-11 09:19) 25.00g/s 307200p/s 307200c/s 307200C/s 123456..henrik
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The cracked password is literally password.

┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ unzip archive.zip                                               
archive:  archive.zip
[archive.zip] index.php password: 
  inflating: index.php

The extracted content is a single PHP file: index.php.
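The same steps (recognise the PK signature, see that the only member is encrypted, and confirm the cracked password by decrypting the member) can be replayed with the Python standard library. This is an added example, not code from the original write-up; the base64 blob served at /asdiSIAJJ0QWE9JAS and the password "password" are taken from the page, while the small magic-byte table and the helper names (identify, list_entries, extract_member, password_works) are this example's own choices.

```python
import base64
import io
import zipfile
import zlib

# base64 blob as served at /asdiSIAJJ0QWE9JAS (copied from the page), split for readability
BLOB_B64 = (
    "UEsDBBQACQAIAMOJN00j/lsUsAAAAGkCAAAJABwAaW5kZXgucGhwVVQJAAOFfKdbhXynW3V4CwABBAAA"
    "AAAEAAAAAF5E5hBKn3OyaIopmhuVUPBuC6m/U3PkAkp3GhHcjuWgNOL22Y9r7nrQEopVyJbsK1i6f+BQ"
    "yOES4baHpOrQu+J4XxPATolb/Y2EU6rqOPKD8uIPkUoyU8cqgwNE0I19kzhkVA5RAmveEMrX4+T7al+f"
    "i/kY6ZTAJ3h/Y5DCFt2PdL6yNzVRrAuaigMOlRBrAyw0tdliKb40RrXpBgn/uoTjlurp78cmcTJviFfU"
    "nOM5UEsHCCP+WxSwAAAAaQIAAFBLAQIeAxQACQAIAMOJN00j/lsUsAAAAGkCAAAJABgAAAAAAAEAAACk"
    "gQAAAABpbmRleC5waHBVVAUAA4V8p1t1eAsAAQQAAAAABAAAAABQSwUGAAAAAAEAAQBPAAAAAwEAAAAA"
)
BLOB = base64.b64decode(BLOB_B64)  # the raw bytes the page piped into archive.zip

# A few common file signatures (constructed table for this example, not exhaustive)
MAGIC = {
    b"PK\x03\x04": "zip",
    b"\x1f\x8b": "gzip",
    b"\x7fELF": "elf",
    b"%PDF": "pdf",
    b"MZ": "pe",
}


def identify(blob: bytes) -> str:
    """Label a blob from its leading bytes, the way `file` does; 'unknown' if no match."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    return "unknown"


def list_entries(blob: bytes) -> list:
    """Name, sizes and encryption state of each member, read from the central directory.
    General-purpose bit 0 of the entry flags marks a member as encrypted (what `unzip`
    reacts to when it prompts for a password)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [
            {
                "name": zi.filename,
                "compressed": zi.compress_size,
                "uncompressed": zi.file_size,
                "encrypted": bool(zi.flag_bits & 0x1),
            }
            for zi in zf.infolist()
        ]


def extract_member(blob: bytes, name: str, password: str) -> bytes:
    """Decrypt (legacy ZipCrypto, which zipfile supports natively) and inflate one member."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password.encode())


def password_works(blob: bytes, name: str, password: str) -> bool:
    """True if the member decrypts and its CRC matches. A wrong password normally fails
    the one-byte ZipCrypto check (RuntimeError); the rare false pass still fails at
    inflate (zlib.error) or at the CRC check (BadZipFile)."""
    try:
        extract_member(blob, name, password)
        return True
    except (RuntimeError, zipfile.BadZipFile, zlib.error):
        return False


if __name__ == "__main__":
    print("type:", identify(BLOB))
    for entry in list_entries(BLOB):
        print(entry)
    content = extract_member(BLOB, "index.php", "password")
    print(len(content), "bytes, starts with", content[:24])
```

The sizes printed by list_entries (176 compressed, 617 uncompressed) are the same values zip2john reports as cmplen and decmplen, which is a quick way to confirm that the blob was decoded without corruption before spending time on cracking.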

index.php

┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ cat index.php        
4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a

More obfuscation, this time in hexadecimal.

┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ cat index.php | xxd -r -p
KysrKysgKysrKysgWy0+KysgKysrKysgKysrPF0gPisrKysgKy4tLS0gLS0uKysgKysrKysgLjwr
KysgWy0+KysgKzxdPisKKysuPCsgKytbLT4gLS0tPF0gPi0tLS0gLS0uLS0gLS0tLS0gLjwrKysg
K1stPisgKysrPF0gPisrKy4gPCsrK1sgLT4tLS0KPF0+LS0gLjwrKysgWy0+KysgKzxdPisgLi0t
LS4gPCsrK1sgLT4tLS0gPF0+LS0gLS0tLS4gPCsrKysgWy0+KysgKys8XT4KKysuLjwgCg==

Even more obfuscation, in base64 now.

┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ cat index.php | xxd -r -p | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+base64: invalid input

The output is even more hideous, as base64 complains, likely due to an input error.

┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ cat index.php | xxd -r -p | tr -d '\r\n' | base64 -d
+++++ +++++ [->++ +++++ +++<] >++++ +.--- --.++ +++++ .<+++ [->++ +<]>+
++.<+ ++[-> ---<] >---- --.-- ----- .<+++ +[->+ +++<] >+++. <+++[ ->---
<]>-- .<+++ [->++ +<]>+ .---. <+++[ ->--- <]>-- ----. <++++ [->++ ++<]>
++..< 

Cleaning was required as there were stray carriage-return and newline characters in the input. Just like the earlier encounter, this is a program in an esoteric language, this time Brainfuck.

idkwhatispass. While the decoding result above is just depressing, this could be a password, so I will keep this in mind.
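The whole de-obfuscation chain above (hex, then base64 that breaks on CR/LF, then Brainfuck) and the earlier Ook! stage from success.html can be reproduced offline with one script. This is an added example, not code from the original write-up or from the box: the hex constant is the index.php content exactly as printed above, the Ook! sample is constructed here because the page does not reproduce the success.html text, and the helper names (hex_to_bytes, strict_base64_rejected, decode_index_php, run_brainfuck, ook_to_brainfuck) are this example's own.

```python
import base64
import binascii
import re

# Content of index.php as printed by `cat index.php` on the page, split at the 0d0a (CRLF) boundaries
INDEX_PHP_HEX = (
    "4b7973724b7973674b7973724b7973675779302b4b7973674b7973724b7973674b79737250463067506973724b7973674b7934744c5330674c5330754b7973674b7973724b7973674c6a77720d0a"
    "4b7973675779302b4b7973674b7a78645069734b4b797375504373674b7974624c5434674c53307450463067506930744c5330674c5330754c5330674c5330744c5330674c6a77724b7973670d0a"
    "4b317374506973674b79737250463067506973724b793467504373724b3173674c5434744c53304b5046302b4c5330674c6a77724b7973675779302b4b7973674b7a7864506973674c6930740d0a"
    "4c533467504373724b3173674c5434744c5330675046302b4c5330674c5330744c533467504373724b7973675779302b4b7973674b7973385854344b4b7973754c6a776743673d3d0d0a"
)


def hex_to_bytes(hex_text: str) -> bytes:
    """Equivalent of `xxd -r -p`: ignore whitespace, decode the hex pairs."""
    return bytes.fromhex("".join(hex_text.split()))


def strict_base64_rejected(data: bytes) -> bool:
    """True if a strict decoder refuses the input, mirroring `base64 -d` above.
    validate=True makes Python raise on any non-alphabet byte, CR and LF included;
    the default b64decode silently drops them, which hides this kind of problem."""
    try:
        base64.b64decode(data, validate=True)
        return False
    except binascii.Error:
        return True


def decode_index_php(hex_text: str) -> str:
    r"""Replay the page's pipeline: xxd -r -p | tr -d '\r\n' | base64 -d."""
    raw = hex_to_bytes(hex_text)
    cleaned = raw.replace(b"\r", b"").replace(b"\n", b"")
    return base64.b64decode(cleaned, validate=True).decode("ascii")


def run_brainfuck(program: str, max_steps: int = 1_000_000) -> str:
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, 30000-cell tape, no input
    channel (',' leaves the cell unchanged) and a step limit so an untrusted program
    found during recon cannot spin forever. Non-command characters are ignored."""
    code = [c for c in program if c in "<>+-.,[]"]
    jump, stack = {}, []
    for i, c in enumerate(code):  # pre-compute matching bracket positions
        if c == "[":
            stack.append(i)
        elif c == "]":
            if not stack:
                raise ValueError("unbalanced ']' at offset %d" % i)
            j = stack.pop()
            jump[i], jump[j] = j, i
    if stack:
        raise ValueError("unbalanced '['")
    tape, ptr, pc, out, steps = [0] * 30000, 0, 0, [], 0
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded")
        c = code[pc]
        if c == ">":
            ptr += 1
        elif c == "<":
            ptr -= 1
        elif c == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif c == "[" and tape[ptr] == 0:
            pc = jump[pc]
        elif c == "]" and tape[ptr] != 0:
            pc = jump[pc]
        if not 0 <= ptr < len(tape):
            raise IndexError("tape pointer out of range")
        pc += 1
    return "".join(out)


# Ook! is Brainfuck with each command spelled as a pair of "Ook" tokens
OOK_MAP = {
    ("Ook.", "Ook?"): ">", ("Ook?", "Ook."): "<",
    ("Ook.", "Ook."): "+", ("Ook!", "Ook!"): "-",
    ("Ook!", "Ook."): ".", ("Ook.", "Ook!"): ",",
    ("Ook!", "Ook?"): "[", ("Ook?", "Ook!"): "]",
}


def ook_to_brainfuck(text: str) -> str:
    """Translate an Ook! program to Brainfuck so run_brainfuck() can execute it."""
    tokens = re.findall(r"Ook[.?!]", text)
    if len(tokens) % 2:
        raise ValueError("Ook! programs consist of token pairs")
    return "".join(OOK_MAP[(tokens[i], tokens[i + 1])] for i in range(0, len(tokens), 2))


# Constructed Ook! sample (not the page's success.html): prints the single letter "A"
OOK_SAMPLE = " ".join(
    ["Ook. Ook."] * 8 + ["Ook! Ook?", "Ook. Ook?"] + ["Ook. Ook."] * 8
    + ["Ook? Ook.", "Ook! Ook!", "Ook? Ook!", "Ook. Ook?", "Ook. Ook.", "Ook! Ook."]
)

if __name__ == "__main__":
    raw = hex_to_bytes(INDEX_PHP_HEX)
    print("strict base64 rejects raw input:", strict_base64_rejected(raw))
    program = decode_index_php(INDEX_PHP_HEX)
    print(program)
    print("brainfuck output:", run_brainfuck(program))
    print("ook sample output:", run_brainfuck(ook_to_brainfuck(OOK_SAMPLE)))
```

The strict decode is deliberately kept as a separate check: a lenient decoder would have produced the Brainfuck text without any error and the CRLF defect in index.php would never have been noticed, which matters when the same payload later has to be reproduced or documented.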

backup


backup/password.txt


imnothuman

backup/user.txt


admin

backup/loop/


403

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:9999/backup/loop/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.10.111:9999/backup/loop/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 247ms]
    * FUZZ: loop
 
:: Progress: [20476/20476] :: Job [1/1] :: 383 req/sec :: Duration: [0:00:54] :: Errors: 0 ::

ffuf found another loop directory. This seems to suggest that the backup/loop directory contains nested loop directories.

loops

┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ curl http://10.10.10.111:9999/backup/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop/loop                               
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.10.3 (Ubuntu)</center>
</body>
</html>

There are so many “loops” within the backup/loop directory. This just seems to be a rabbit hole. Bailing out.

dev


403

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:9999/dev/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.10.111:9999/dev/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 301, Size: 194, Words: 7, Lines: 8, Duration: 99ms]
    * FUZZ: backup
[Status: 200, Size: 5, Words: 1, Lines: 2, Duration: 102ms]
    * FUZZ: test
:: Progress: [20476/20476] :: Job [1/1] :: 305 req/sec :: Duration: [0:00:57] :: Errors: 0 ::

ffuf found 2 entries:

  • backup
  • test

dev/backup


dev/backup points to another directory: /playsms.

playsms

Upon navigating to the /playsms directory, I got redirected to a login page for playSMS.

playSMS is an open-source web-based platform that provides SMS (Short Message Service) gateway capabilities. playSMS allows users to send and receive SMS messages from a web interface, making it a versatile tool for businesses and individuals who want to manage and automate text messaging. playSMS offers features like contact management, message scheduling, and integration with various SMS service providers, making it a flexible solution for SMS communication needs.

I will try out the credential extracted from the lengthy de-obfuscation earlier: admin:idkwhatispass.

Successfully authenticated.

Vulnerabilities

While the version information has been identified, playSMS contains many vulnerabilities across different versions, one of them being a very common one: CVE-2017-9101 (https://nvd.nist.gov/vuln/detail/CVE-2017-9101).

dev/test


┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ curl http://$IP:9999/dev/test     
test

Nothing here.

loop


The loop directory seems to correspond to the “loops” found in the backup/loop directory.

test


The /test directory shows the phpinfo() page.