Web
Nmap discovered a web server on port 80 of the target
The running service is nginx 1.18.0
Webroot
There is a hyperlink to what appears to be a virtual host: tickets.keeper.htb
Based on that virtual host, I can assume that the target domain is keeper.htb
The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution
Clicking the link leads to a login page at tickets.keeper.htb/rt/
It appears to be a ticketing system powered by Best Practical
Looking it up online reveals that the application itself is
- written in Perl,
- called Request Tracker, and
- developed by Best Practical
The app is commonly abbreviated as RT
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ curl -s -i http://tickets.keeper.htb/
HTTP/1.1 200 OK
server: nginx/1.18.0 (Ubuntu)
content-type: text/html; charset=utf-8
connection: keep-alive
set-cookie: RT_SID_tickets.keeper.htb.80=2dd6d391feecf934a78310db30b70aa7; path=/rt; HttpOnly
date: Mon, 14 Aug 2023 10:45:15 GMT
cache-control: no-cache
pragma: no-cache
x-frame-options: DENY
The headers are rather interesting. The session cookie uses the custom name RT_SID_tickets.keeper.htb.80 and is scoped with path=/rt as well as HttpOnly
There is also x-frame-options, which is set to DENY
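Added example, not part of the original writeup: a small Python checker that parses the curl response above and reports what a defender would tighten on it (the RT_SID cookie carries HttpOnly but neither Secure nor SameSite, and the Server header leaks the nginx version). The raw headers are a constructed copy of the output shown above.

```python
# Response captured with `curl -s -i` against tickets.keeper.htb, copied as an offline sample.
RAW = """HTTP/1.1 200 OK
server: nginx/1.18.0 (Ubuntu)
content-type: text/html; charset=utf-8
connection: keep-alive
set-cookie: RT_SID_tickets.keeper.htb.80=2dd6d391feecf934a78310db30b70aa7; path=/rt; HttpOnly
date: Mon, 14 Aug 2023 10:45:15 GMT
cache-control: no-cache
pragma: no-cache
x-frame-options: DENY
"""

def parse_headers(raw):
    """Return (status line, [(lowercased name, value), ...]), keeping repeated headers."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers

def cookie_findings(set_cookie):
    """Flag hardening attributes missing from one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by script)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (sent over plain HTTP)")
    if "samesite" not in attrs:
        findings.append(f"{name}: missing SameSite (no CSRF mitigation from the cookie)")
    return findings

def audit(raw):
    """Return findings for the cookie, clickjacking and version-leak checks."""
    _, headers = parse_headers(raw)
    names = {n for n, _ in headers}
    findings = []
    for n, v in headers:
        if n == "set-cookie":
            findings.extend(cookie_findings(v))
    # x-frame-options: DENY (present here) blocks framing; CSP frame-ancestors is the modern form.
    if "x-frame-options" not in names and "content-security-policy" not in names:
        findings.append("no clickjacking protection header")
    server = dict(headers).get("server", "")
    if any(c.isdigit() for c in server):  # a bare product name would not carry a version
        findings.append(f"server header leaks version: {server}")
    return findings
```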
That appears to be the version information
4.4.4+dfsg-2ubuntu1
Default Credential
Checking the source code reveals the default credential for the web application
Testing it
Authenticated
The default credential worked
Looking into the admin panel, I found the user menu where it listed all the privileged users
Aside from the default user, root, there is somebody else named Lise Nørgaard, with the username lnorgaard
KeePass
The lnorgaard user has an active ticket: 300000
This seems to be it
This is the one assigned to the lnorgaard user
According to the History section:
- the ticket was initiated and created by the root user, with the subject Issue with Keepass Client on Windows
- the lnorgaard user removed the attachment for security purposes, and the crash dump is saved to the user’s home directory
lnorgaard
Clicking into the lnorgaard user to see the details, I see a comment: New user. Initial password set to Welcome2023!
That password, Welcome2023!, might still be valid
The credential is not valid for the web application
However, I should also test it against the SSH server
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://tickets.keeper.htb/FUZZ -ic -fc 302 -fw 95
________________________________________________
:: Method : GET
:: URL : http://tickets.keeper.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response words: 95
:: Filter : Response status: 302
________________________________________________
[Status: 200, Size: 2309, Words: 247, Lines: 112, Duration: 365ms]
* FUZZ: m
[Status: 200, Size: 4236, Words: 407, Lines: 154, Duration: 668ms]
* FUZZ: rt
:: Progress: [220547/220547] :: Job [1/1] :: 59 req/sec :: Duration: [1:01:45] :: Errors: 0 ::
There is /m
/m
It’s for mobile
Fuzzing for the rest
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.11.227/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
:: Progress: [220547/220547] :: Job [1/1] :: 409 req/sec :: Duration: [0:08:56] :: Errors: 0 ::
Nothing found at 10.10.11.227
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ ffuf -x post -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://keeper.htb/FUZZ -ic
________________________________________________
:: Method : POST
:: URL : http://keeper.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 405, Size: 166, Words: 6, Lines: 8, Duration: 95ms]
* FUZZ:
:: Progress: [220547/220547] :: Job [1/1] :: 387 req/sec :: Duration: [0:08:59] :: Errors: 0 ::
Neither at keeper.htb
Sub-domain / Virtual Host Discovery
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.keeper.htb' -fs 149
________________________________________________
:: Method : GET
:: URL : http://10.10.11.227/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.keeper.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 149
________________________________________________
[Status: 200, Size: 4236, Words: 407, Lines: 154, Duration: 114ms]
* FUZZ: tickets
:: Progress: [114441/114441] :: Job [1/1] :: 427 req/sec :: Duration: [0:04:31] :: Errors: 0 ::
There aren’t any additional virtual hosts as far as the wordlist covers
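Added example, not from the original writeup: a small detector that, run over nginx access-log lines, flags the two patterns the ffuf runs above produce on the server side (a burst of 404s from directory fuzzing, and many distinct Host headers answered with the default-server 404 from vhost fuzzing). The log lines are constructed, the log_format is assumed to append $host to the combined format, and the thresholds are arbitrary.

```python
import re
from collections import defaultdict

# Constructed nginx access-log sample (not taken from the lab). It assumes a
# log_format that appends "$host" after the standard combined fields; the 149-byte
# 404 bodies mirror the default-server baseline that -fs 149 filtered out above.
WORDS = ["admin", "backup", "cgi-bin", "images", "old", "test", "tmp", "uploads"]
VHOSTS = ["mail", "dev", "www", "api", "vpn", "test"]
SAMPLE = "\n".join(
    [f'10.10.14.5 - - [14/Aug/2023:11:02:{i:02d} +0000] "GET /{w} HTTP/1.1" 404 149 "-" "fuzzer/1.0" keeper.htb'
     for i, w in enumerate(WORDS)]
    + [f'10.10.14.5 - - [14/Aug/2023:11:03:{i:02d} +0000] "GET / HTTP/1.1" 404 149 "-" "fuzzer/1.0" {v}.keeper.htb'
       for i, v in enumerate(VHOSTS)]
    + ['10.10.14.9 - - [14/Aug/2023:11:03:30 +0000] "GET /rt/ HTTP/1.1" 200 4236 "-" "Mozilla/5.0" tickets.keeper.htb']
)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+) "[^"]*" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)

def parse(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def detect(text, max_404=5, max_hosts=3):
    """Per client IP, count 404s (directory fuzzing) and distinct Host values that
    drew a 404 (vhost fuzzing); return {ip: [reasons]} for IPs over a threshold."""
    not_found = defaultdict(int)
    hosts = defaultdict(set)
    for r in parse(text):
        if r["status"] == "404":
            not_found[r["ip"]] += 1
            hosts[r["ip"]].add(r["host"])
    alerts = {}
    for ip in not_found:
        reasons = []
        if not_found[ip] > max_404:
            reasons.append(f"{not_found[ip]} 404 responses")
        if len(hosts[ip]) > max_hosts:
            reasons.append(f"{len(hosts[ip])} distinct Host headers")
        if reasons:
            alerts[ip] = reasons
    return alerts
```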