Web
Nmap discovered a web server on target port 8008
The service banner reports nginx 1.18.0 (Ubuntu); Ghost itself runs on Node.js, so nginx is most likely acting as a reverse proxy in front of it
Webroot
- There is a single article, authored by Kathryn Holland
- The footer shows that the web app is powered by Ghost CMS
Wappalyzer identified the technologies involved
User Validation
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ kerbrute userenum --dc dc01.ghost.htb -d GHOST.HTB ./users.txt -t 200 -v
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 07/15/24 - Ronnie Flathers @ropnop
2024/07/15 13:23:24 > Using KDC(s):
2024/07/15 13:23:24 > dc01.ghost.htb:88
2024/07/15 13:23:24 > [!] kathryn@GHOST.HTB - User does not exist
2024/07/15 13:23:24 > [+] VALID USERNAME: kathryn.holland@GHOST.HTB
2024/07/15 13:23:24 > [!] kholland@GHOST.HTB - User does not exist
2024/07/15 13:23:24 > Done! Tested 3 usernames (1 valid) in 0.044 seconds
Kerbrute confirmed that kathryn.holland is a valid domain account, while kathryn and kholland are not
The target organization therefore appears to use a firstname.lastname naming convention for domain accounts, which narrows the candidate list for any further user enumeration
Ghost CMS
Ghost is an open source content management system written in JavaScript and distributed under the MIT License, designed to simplify online publishing for individual bloggers as well as online publications.
Search Bar
Clicking the search button fires a request to the Ghost Content API so that results can be rendered live in the browser. The request carries the site's Content API key:
37395e9e872be56438c83aaca6
Ghost's Content API keys are designed to be public and only grant read access to published content, so the key by itself is not an authentication bypass (the Admin API uses a separate id:secret key). It does, however, let anyone query the Content API directly for posts, authors, tags and settings instead of going through the site's theme.
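The two observations above (a firstname.lastname convention confirmed by Kerbrute, and a Content API key exposed by the search widget) combine naturally: the Content API's /authors/ endpoint returns display names, and those names can be turned into username candidates for kerbrute. The script below is an added example, not part of the original writeup or of Ghost; the base URL and the sample /authors/ payload are assumptions (the payload is constructed to mirror the single author seen on the site), while the key is the one shown above.

```python
#!/usr/bin/env python3
"""Enumerate Ghost authors with the public Content API key and derive
AD username candidates for kerbrute. Added example, not from the writeup."""
import json
import re
import unicodedata
from urllib.error import URLError
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumed target values: the key is the one leaked by the search widget.
BASE_URL = "http://ghost.htb:8008"
CONTENT_KEY = "37395e9e872be56438c83aaca6"


def content_api_url(base, resource, key, **params):
    """Build a Ghost Content API URL such as /ghost/api/content/authors/?key=...
    The Content API is read-only and its key is meant to be public, so this
    only reaches published content, never Admin API functionality."""
    query = {"key": key, **params}
    return f"{base.rstrip('/')}/ghost/api/content/{resource}/?{urlencode(query)}"


def fetch_json(url, timeout=5):
    """GET a JSON document; returns None when the host is unreachable."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return json.load(resp)
    except (URLError, OSError, ValueError):
        return None


def extract_authors(payload):
    """Pull (name, slug) pairs out of a Content API /authors/ response."""
    return [(a.get("name", ""), a.get("slug", "")) for a in payload.get("authors", [])]


def username_candidates(full_name):
    """Generate common AD username conventions from a display name.
    'Kathryn Holland' -> kathryn.holland, kholland, kathrynh, kathryn, ...
    Hyphenated surnames are split on the hyphen (simplistic, but cheap)."""
    ascii_name = unicodedata.normalize("NFKD", full_name).encode("ascii", "ignore").decode()
    cleaned = re.sub(r"['.]", "", ascii_name.lower())      # O'Brien -> obrien
    parts = [p for p in re.split(r"[\s\-]+", cleaned) if p]
    if not parts:
        return []
    if len(parts) == 1:
        return [parts[0]]
    first, last = parts[0], parts[-1]
    cands = [
        f"{first}.{last}", f"{first}{last}", f"{first}_{last}", f"{first}-{last}",
        f"{first[0]}{last}", f"{first[0]}.{last}", f"{first}{last[0]}", f"{first}.{last[0]}",
        f"{last}.{first}", f"{last}{first[0]}", f"{last}.{first[0]}", first, last,
    ]
    seen, out = set(), []            # keep order, drop duplicates
    for c in cands:
        if c not in seen:
            seen.add(c)
            out.append(c)
    return out


if __name__ == "__main__":
    url = content_api_url(BASE_URL, "authors", CONTENT_KEY, limit="all", fields="name,slug")
    payload = fetch_json(url)
    if payload is None:
        # Offline fallback: constructed payload mirroring the one author seen on the site.
        payload = {"authors": [{"name": "Kathryn Holland", "slug": "kathryn-holland"}]}
    for name, _slug in extract_authors(payload):
        for cand in username_candidates(name):
            print(cand)              # redirect to users.txt and feed to kerbrute
```

Run it once the hostname resolves (python3 enum_users.py > users.txt) and hand the file to kerbrute as above; because the Content API is read-only, this step is passive from the application's point of view and only the Kerberos probes touch the domain controller.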
robots.txt
robots.txt references /ghost/, the path of the Ghost admin interface
The admin page embeds the Ember CLI application config in a <meta> tag named
ghost-admin/config/environment
whose content attribute is URL-encoded JSON (the standard Ember CLI convention)
The following is the decoded and formatted content:
{
"modulePrefix": "ghost-admin",
"environment": "production",
"cdnUrl": "",
"editorUrl": "",
"rootURL": "",
"locationType": "trailing-hash",
"EmberENV": {
"FEATURES": {},
"EXTEND_PROTOTYPES": {
"Date": false,
"Array": true,
"String": true,
"Function": false
},
"_APPLICATION_TEMPLATE_WRAPPER": false,
"_JQUERY_INTEGRATION": true,
"_TEMPLATE_ONLY_GLIMMER_COMPONENTS": true
},
"APP": {
"version": "5.78",
"name": "ghost-admin"
},
"ember-simple-auth": {},
"ember-websockets": {
"socketIO": true
},
"@sentry/ember": {
"disablePerformance": true,
"sentry": {}
},
"ember-cli-mirage": {
"usingProxy": false,
"useDefaultPassthroughs": true
},
"exportApplicationGlobal": false,
"ember-load": {
"loadingIndicatorClass": "ember-load-indicator"
},
"editorFilename": "koenig-lexical.umd.js",
"editorHash": "a9a58f16a8",
"adminXDemoFilename": "admin-x-demo.js",
"adminXDemoHash": "33d2c60ad0",
"adminXSettingsFilename": "admin-x-settings.js",
"adminXSettingsHash": "d07813452e"
}
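Decoding the meta tag by hand works once, but it is worth scripting because the same Ember convention (a meta tag named <modulePrefix>/config/environment holding percent-encoded JSON) shows up in any Ember application, and the APP.version field is the quickest version fingerprint Ghost exposes. The following is an added example, not part of the original writeup or of Ghost/Ember; the embedded sample page is constructed from a cut-down copy of the config above, and the live-fetch path takes the admin URL as an optional argument.

```python
#!/usr/bin/env python3
"""Extract and decode the Ember CLI config embedded in a Ghost admin page.
Added example, not from the writeup or from Ghost itself."""
import html
import json
import re
import sys
from urllib.parse import quote, unquote
from urllib.request import urlopen

# Ember CLI emits: <meta name="<modulePrefix>/config/environment" content="%7B%22...">
META_RE = re.compile(
    r'<meta\s+name="([^"]+)/config/environment"\s+content="([^"]*)"', re.IGNORECASE)


def extract_ember_config(page_html):
    """Return (module_prefix, config_dict), or None if the tag is absent."""
    m = META_RE.search(page_html)
    if not m:
        return None
    prefix, raw = m.group(1), m.group(2)
    # HTML-unescape first (in case of &quot; etc.), then undo the percent-encoding.
    decoded = unquote(html.unescape(raw))
    return prefix, json.loads(decoded)


def version_info(config):
    """Pull the fields useful for fingerprinting out of the decoded config."""
    app = config.get("APP", {})
    return {
        "name": app.get("name"),
        "version": app.get("version"),
        "environment": config.get("environment"),
        "editorHash": config.get("editorHash"),
    }


# Constructed sample: a cut-down copy of the config seen on the target,
# encoded the way Ember CLI encodes it (encodeURIComponent(JSON.stringify(cfg))).
SAMPLE_CONFIG = {
    "modulePrefix": "ghost-admin",
    "environment": "production",
    "APP": {"version": "5.78", "name": "ghost-admin"},
    "editorFilename": "koenig-lexical.umd.js",
    "editorHash": "a9a58f16a8",
}
SAMPLE_HTML = (
    '<!DOCTYPE html><html><head>'
    f'<meta name="ghost-admin/config/environment" content="{quote(json.dumps(SAMPLE_CONFIG))}" />'
    '</head><body></body></html>'
)


if __name__ == "__main__":
    # Usage: python3 ember_config.py [http://ghost.htb:8008/ghost/]
    if len(sys.argv) > 1:
        with urlopen(sys.argv[1], timeout=5) as resp:
            page = resp.read().decode("utf-8", "replace")
    else:
        page = SAMPLE_HTML          # offline demo on the constructed page
    found = extract_ember_config(page)
    if found is None:
        sys.exit("no Ember config meta tag found")
    prefix, cfg = found
    print(f"module prefix: {prefix}")
    print(json.dumps(version_info(cfg), indent=2))
```

The version string it recovers (5.78 here) is what you compare against the Ghost changelog and security advisories before trying anything against the admin interface; the editor and admin-x hashes in the same blob are build identifiers, useful only for telling two deployments apart.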
The decoded config also discloses the admin client version (APP.version 5.78), which is worth recording for later vulnerability research
Forwarding the intercepted request, the admin client then issues an API request of its own
This request appears to go to the Ghost Admin API and comes back 403, since the session is not authenticated
The browser is then redirected to the admin login page at
/ghost/#/signin
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -u http://$IP:8008/ -H 'Host: FUZZ.ghost.htb' -ic -mc all -fc 200
________________________________________________
:: Method : GET
:: URL : http://10.10.11.24:8008/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.ghost.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: all
:: Filter : Response status: 200
________________________________________________
intranet [Status: 307, Size: 3968, Words: 52, Lines: 1, Duration: 328ms]
:: Progress: [114437/114437] :: Job [1/1] :: 18 req/sec :: Duration: [0:01:28] :: Errors: 0 ::
intranet.ghost.htb discovered. This virtual host had already been found during the DNS enumeration; the ffuf run filters out the default 200 response (-fc 200), so the 307 redirect for intranet stands out as the only distinct virtual host