Web


Nmap discovered a web server on target port 3000. The running service is Kestrel.

┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ curl -i http://$IP:3000/                                      
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Date: Mon, 19 Aug 2024 10:23:42 GMT
Server: Kestrel
Cache-Control: no-cache, no-store, max-age=0
Transfer-Encoding: chunked
 
 
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <base href="/" />
    <link rel="stylesheet" href="css/bootstrap/bootstrap.min.css" />
    <link href="css/site.css" rel="stylesheet" />
    <link href="PreProd.styles.css" rel="stylesheet" />
 
    <link href="https://fonts.gstatic.com" rel="preconnect">
    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i|Nunito:300,300i,400,400i,600,600i,700,700i|Poppins:300,300i,400,400i,500,500i,600,600i,700,700i" rel="stylesheet">
    <!-- Vendor CSS Files -->
 
    <link href="css/bootstrap-icons.css" rel="stylesheet">
 
    <!-- Template Main CSS File -->
    <link href="css/style.css" rel="stylesheet">
 
 
    <!--Blazor:{"sequence":1,"type":"server","prerenderId":"fa7ea5e6983f44c6a328bd3562bf61bd","descriptor":"CfDJ8BUo1ePf0MxMocV2v0oTDZGfxmncZzWoi7EhYPRI1k27ELAo4pk4i2Jp0Ar9gZ4RJAVWSE3QjyVq9Lzgx9euz8Yx2wNNsezLt8QUS8txU/weVbkCz3ow3E6ujxCQana62ZVimTR11siwLbH3ZCfojufnHlFdItRjLWN36vDgoxi8BGtXgAavmJnWHA0TfNGPK8XRQBMDBG4htp0coHCkwJznQbGIoeA32nhsMlPxGiRf0dn1WkSgHU6vRLPmkbGi0A8u4cZauBRHPByJzIDCBg6oht5S2HqhUR26/OloTh0HDyVE9jXAM6XSwoOD9v9r2LqSpJW7MEZYBFf6g0KDpShS9FJJYeDMjb3/bbgymsl8n\u002BsM7Uz8bC3JWSIFnW5xdyF740mh5MBty8UNPACM4BTdbIkV/xUubkhOwHwXtzCq"}--><!--Blazor:{"prerenderId":"fa7ea5e6983f44c6a328bd3562bf61bd"}-->
</head>
<body>
    
 
 
    <!--Blazor:{"sequence":0,"type":"server","descriptor":"CfDJ8BUo1ePf0MxMocV2v0oTDZHoDR0EpjXbbCKz9lwfAp6xKmn4yjPi6bu5DtR/9mkiKQj3LWLO2Q5nfSio16O2WOWxTwvDX4HOCfzT8txxg9Pg1OW5djfX5g1dWSC5aNtniCWAtez8oi/3T/GV4QwAvzrmMAQxpiLfHraex62zJLjVWMjjVVUN5u0plwxfhkzK2qNrGVVAyYCv2/bEazkPnv4DSFmTXaUqETxXPJefv9Y4Lzrp8tMy5GAqwf2i75YLi2yK/8UtZoSWPUbY3Ki\u002BaxAUfnf3ibHMOYQMPjjgQlMN8AAITHilQAyT1ETH5kpLhkxA82J\u002BX12m\u002BK6hlElFFMf057H0YbokHxwDpua0LBkg"}-->
 
 
 
    <div id="blazor-error-ui">
        
        
            An unhandled exception has occurred. See browser dev tools for details.
        
        <a href="" class="reload">Reload</a>
        <a class="dismiss">🗙</a>
    </div>
 
    <script src="_framework/blazor.server.js"></script>
 
    <script>
        window.downloadFileFromStream = async (fileName, contentStreamReference) => {
            const arrayBuffer = await contentStreamReference.arrayBuffer();
            const blob = new Blob([arrayBuffer]);
            const url = URL.createObjectURL(blob);
            const anchorElement = document.createElement('a');
            anchorElement.href = url;
            anchorElement.download = fileName ?? '';
            anchorElement.click();
            anchorElement.remove();
            URL.revokeObjectURL(url);
        }
    </script>
 
</body>
</html>     

The web server is Kestrel, hosting a Blazor web application.

Wappalyzer confirms it

Login Page


It redirects to the login page

Attempting to test the authentication reveals that the web application doesn’t even make a request to the backend.

It would seem that there is a client-side script.

It is an obfuscated script that connects to the backend, and it corresponds to the original script. It's located under the _framework directory.
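
The `<!--Blazor:{...}-->` comments in the response above already say how this application talks to its backend: `"type":"server"` together with `_framework/blazor.server.js` means UI events travel over the framework's own connection rather than as ordinary form posts, which matches the login behaviour observed here. The following Python is an added example, not part of the original notes; it parses those markers from a trimmed, constructed copy of the page, with placeholder descriptor values and hypothetical function names.

```python
import json
import re

# Constructed sample: trimmed copy of the response shape shown above, with the
# long descriptor values replaced by placeholders.
SAMPLE_HTML = r'''<head>
    <base href="/" />
    <!--Blazor:{"sequence":1,"type":"server","prerenderId":"fa7ea5e6983f44c6a328bd3562bf61bd","descriptor":"CfDJ8-PLACEHOLDER\u002BA"}--><!--Blazor:{"prerenderId":"fa7ea5e6983f44c6a328bd3562bf61bd"}-->
</head>
<body>
    <!--Blazor:{"sequence":0,"type":"server","descriptor":"CfDJ8-PLACEHOLDER-B"}-->
    <script src="_framework/blazor.server.js"></script>
</body>'''

MARKER_RE = re.compile(r"<!--Blazor:(\{.*?\})-->", re.DOTALL)
SCRIPT_RE = re.compile(r'<script[^>]+src="([^"]*_framework/blazor\.[^"]+\.js)"', re.I)

def parse_markers(html):
    """Return the decoded JSON body of every <!--Blazor:{...}--> comment."""
    markers = []
    for raw in MARKER_RE.findall(html):
        try:
            markers.append(json.loads(raw))  # also decodes \u002B back to '+'
        except json.JSONDecodeError:
            continue  # malformed marker: skip it rather than guess
    return markers

def fingerprint(html):
    """Summarise render mode, prerendering and descriptor protection."""
    markers = parse_markers(html)
    components = [m for m in markers if "type" in m]
    # A marker that carries only prerenderId closes a prerendered component.
    closed = {m["prerenderId"] for m in markers if "type" not in m and "prerenderId" in m}
    modes = sorted({c["type"] for c in components})
    scripts = SCRIPT_RE.findall(html)
    # "CfDJ8" is the usual base64 prefix of ASP.NET Core Data Protection output.
    protected = [c for c in components if str(c.get("descriptor", "")).startswith("CfDJ8")]
    return {
        "render_modes": modes,
        "components": len(components),
        "prerendered": sum(1 for c in components if c.get("prerenderId") in closed),
        "protected_descriptors": len(protected),
        "framework_scripts": scripts,
        "server_side_ui": bool("server" in modes and any("blazor.server" in s for s in scripts)),
    }

if __name__ == "__main__":
    print(json.dumps(fingerprint(SAMPLE_HTML), indent=2))
```
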

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://$IP:3000/FUZZ -ic  -fw 334
________________________________________________
 :: Method           : GET
 :: URL              : http://10.129.81.94:3000/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 334
________________________________________________
error                   [Status: 200, Size: 1490, Words: 340, Lines: 38, Duration: 199ms]
favicon.ico             [Status: 200, Size: 5430, Words: 9, Lines: 1, Duration: 185ms]
:: Progress: [20476/20476] :: Job [1/1] :: 798 req/sec :: Duration: [0:00:25] :: Errors: 0 ::

Nothing notable found

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/lantern]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP:3000/ -H 'Host: FUZZ.lantern.htb' -ic -mc all -fw 334
________________________________________________
 :: Method           : GET
 :: URL              : http://10.129.81.94:3000/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.lantern.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response words: 334
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 1015 req/sec :: Duration: [0:02:54] :: Errors: 2118 ::

Nothing found