Web


Nmap discovered a web server on the target's port 80. The running service is Skipper Proxy.

┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ curl -i http://$IP/
HTTP/1.1 302 Found
Content-Length: 225
Content-Type: text/html; charset=utf-8
Date: Mon, 19 Aug 2024 09:58:04 GMT
Location: http://lantern.htb/
Server: Skipper Proxy
 
<!doctype html>
<html lang=en>
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to the target URL: <a href="http://lantern.htb/">http://lantern.htb/</a>. If not, click the link.

Skipper Proxy is being used to redirect requests to the domain lantern.htb.

The domain has been appended to the /etc/hosts file on Kali for local DNS resolution.

Webroot

The site appears to be providing an IT solution.

The Testimonials section contains 3 possible users: john doe, maria garcia, and mason miller.

Vacancies


The Vacancies button leads to the vacancies endpoint

It showcases available positions

At the bottom, there is a file upload feature

This doesn’t seem as interesting

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://lantern.htb/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://lantern.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 12049, Words: 4549, Lines: 225, Duration: 602ms]
submit                  [Status: 405, Size: 153, Words: 16, Lines: 6, Duration: 2239ms]
vacancies               [Status: 200, Size: 10713, Words: 4106, Lines: 238, Duration: 1552ms]
:: Progress: [1273819/1273819] :: Job [1/1] :: 186 req/sec :: Duration: [0:29:58] :: Errors: 0 ::

Nothing new found

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.lantern.htb' -ic -mc all -fs 225
________________________________________________
 :: Method           : GET
 :: URL              : http://10.129.81.94/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.lantern.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response size: 225
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 240 req/sec :: Duration: [0:30:48] :: Errors: 2 ::

Nothing found
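
Seen from the server side, the Host-header sweep above is one client requesting many distinct Host values and getting the same default response (here the 302 of size 225) almost every time. The following is an added example, not part of the original notes, that flags that pattern in access logs. The log line layout, function names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Assumed access-log layout (constructed for this example, not Skipper's own format):
#   <client_ip> "<host>" "<method> <path> HTTP/1.1" <status> <size>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<host>[^"]*)" "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)

def find_vhost_sweeps(lines, min_hosts=5, min_default_ratio=0.9):
    """Return {client_ip: stats} for clients that probe many distinct Host
    values and mostly receive one identical (status, size) response."""
    hosts = defaultdict(set)                           # ip -> distinct Host headers
    responses = defaultdict(lambda: defaultdict(int))  # ip -> (status, size) -> count
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        ip = m["ip"]
        hosts[ip].add(m["host"].lower())
        responses[ip][(int(m["status"]), int(m["size"]))] += 1

    flagged = {}
    for ip, seen in hosts.items():
        total = sum(responses[ip].values())
        # Most common response for this client: the proxy's default answer.
        default, hits = max(responses[ip].items(), key=lambda kv: kv[1])
        if len(seen) >= min_hosts and hits / total >= min_default_ratio:
            flagged[ip] = {"distinct_hosts": len(seen), "requests": total,
                           "default_response": default}
    return flagged

def sample_log():
    # Constructed sample: 192.0.2.10 sweeps Host values, 192.0.2.20 browses normally.
    words = ["www", "mail", "dev", "admin", "test", "staging", "api", "vpn"]
    sweep = [f'192.0.2.10 "{w}.lantern.htb" "GET / HTTP/1.1" 302 225' for w in words]
    normal = [
        '192.0.2.20 "lantern.htb" "GET / HTTP/1.1" 200 12049',
        '192.0.2.20 "lantern.htb" "GET /vacancies HTTP/1.1" 200 10713',
        '192.0.2.20 "lantern.htb" "GET /submit HTTP/1.1" 405 153',
    ]
    return sweep + normal

if __name__ == "__main__":
    for ip, stats in find_vhost_sweeps(sample_log()).items():
        print(ip, stats)
```

The thresholds need tuning against real traffic; a shared NAT address or a monitoring probe can also produce many Host values.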

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ searchsploit skipper
-------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                      |  Path
-------------------------------------------------------------------- ---------------------------------
X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)      | multiple/remote/51111.txt
-------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

There is an SSRF vulnerability for Skipper Proxy < 0.13.237. While the version information has not been identified, I will test it out.