Web


Nmap discovered a web server on the target's port 80. The service running is nginx 1.19.0.

The Nmap scan also found a robots.txt file, which points to /weather.

Webroot

The index page requires HTTP basic authentication.

One interesting thing is that the index page has a link whose target is 127.0.0.1:3000. A loopback-only socket like that must be the actual application, which nginx proxies over HTTP.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/luanne]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .php,.txt,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.218/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.html              [Status: 200, Size: 612, Words: 79, Lines: 26, Duration: 33ms]
robots.txt              [Status: 200, Size: 78, Words: 11, Lines: 3, Duration: 29ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1325 req/sec :: Duration: [0:11:23] :: Errors: 0 ::

ffuf found nothing new: index.html and robots.txt were already known.

robots.txt


Navigating to /robots.txt reveals /weather. The file also notes that the path returns 404 yet is still harvesting cities.

/weather


/weather indeed returns a 404

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/luanne]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/weather/FUZZ -ic -e .php,.txt,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.218/weather/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
forecast                [Status: 200, Size: 90, Words: 12, Lines: 2, Duration: 37ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1383 req/sec :: Duration: [0:11:05] :: Errors: 0 ::

Fuzzing /weather reveals /weather/forecast.

/weather/forecast

/weather/forecast returns JSON. The response says to specify a city, and it seems that the available cities can be listed with the ‘city=list’ parameter.

Providing ‘city=list’ indeed returns a few cities.

Querying one of those cities returns weather information, so this is a weather forecasting application that serves JSON.

I found something interesting while testing the city parameter for injection: I sent a single quotation mark and got an error back. The error reveals that the application is a Lua script located at /usr/local/webapi/weather.lua.

I might be able to perform an injection through this parameter.
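The enumeration above (list the cities, query each one, then send a single quote and look for a server-side error that leaks the script path) can be scripted. The block below is an added example written for this writeup, not code from the box or the original page; the base URL http://target, the JSON field names (cities, error, message) and the sample responses in SAMPLE_RESPONSES are constructed assumptions so that the functions run offline. Against a live target, pass the default http_get fetcher instead of sample_fetch.

```python
"""Enumerate /weather/forecast and probe the city parameter for an error leak.
Added example for this writeup, not the target's own code. The base URL,
the JSON shapes and SAMPLE_RESPONSES below are assumptions built for
offline use."""
import json
import urllib.parse
import urllib.request


def forecast_url(base, city):
    """Build the forecast URL, URL-encoding the city so that probe
    characters such as a single quote survive the query string."""
    return f"{base}/weather/forecast?city={urllib.parse.quote(city, safe='')}"


def http_get(url, timeout=10):
    """Fetch a URL and return the body as text (for live use only)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def list_cities(base, fetch=http_get):
    """Ask the API for city=list and return the advertised city names.
    The 'cities' key is an assumption about the response shape."""
    body = json.loads(fetch(forecast_url(base, "list")))
    return list(body.get("cities", []))


def probe_city(base, city, fetch=http_get):
    """Query one city value and return (raw_body, parsed_json_or_None)."""
    body = fetch(forecast_url(base, city))
    try:
        return body, json.loads(body)
    except json.JSONDecodeError:
        return body, None


def find_error_leak(base, fetch=http_get, marker=".lua"):
    """Send a lone single quote as the city and report whether the
    response leaks a server-side script path. Returns the leaked error
    text, or None if the application handled the quote cleanly."""
    body, parsed = probe_city(base, "'", fetch)
    if isinstance(parsed, dict):
        for key in ("error", "message"):
            val = parsed.get(key)
            if isinstance(val, str) and marker in val:
                return val
        return None
    # Non-JSON body: a raw stack trace or HTML error page may still leak.
    return body if marker in body else None


# Constructed sample responses so the functions can be exercised offline.
# They mimic a JSON weather API and are NOT captured from the target.
SAMPLE_RESPONSES = {
    forecast_url("http://target", "list"): json.dumps(
        {"code": 200, "cities": ["London", "Manchester", "Liverpool"]}),
    forecast_url("http://target", "London"): json.dumps(
        {"code": 200, "city": "London", "forecast": "rain"}),
    forecast_url("http://target", "'"): json.dumps(
        {"code": 500,
         "error": "/usr/local/webapi/weather.lua:12: unfinished string"}),
}


def sample_fetch(url):
    """Offline stand-in for http_get that serves SAMPLE_RESPONSES."""
    try:
        return SAMPLE_RESPONSES[url]
    except KeyError:
        return json.dumps({"code": 404, "error": "unknown city"})


if __name__ == "__main__":
    base = "http://target"
    for city in list_cities(base, sample_fetch):
        print(city, probe_city(base, city, sample_fetch)[1])
    print("leak:", find_error_leak(base, sample_fetch))
```

The quote is URL-encoded as %27 on purpose: sending it raw works in most clients, but encoding it keeps the probe unambiguous and lets the same helper send other characters (backslashes, brackets, newlines) later without touching the URL-building code.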