Web


Nmap discovered a web server on the target's port 9001. The service running is Medusa httpd 1.12 (Supervisor process manager).

Webroot: it requires basic HTTP authentication.

Supervisor process manager is a management application that monitors processes on UNIX-like operating systems. Its administrative panel can be accessed over HTTP and is secured with basic HTTP authentication by default.

I was googling default credentials for Supervisor process manager and came across the official documentation. The official documentation doesn't seem to provide any default credentials, but it had an example containing one.

I will just give it a shot

To my surprise, I was able to log in with the credentials from one of the examples in the official documentation. I can see 3 running scripts here: memory, processes, and uptime.

The footer also reveals the version information. While Supervisor 4.2.0 doesn't have any known critical vulnerabilities, I should be able to get some enumeration done, as the application interacts directly with the system processes.
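The root cause here is a Supervisor HTTP interface reachable from the network with credentials copied from a documentation example. The supervisord.conf excerpt below is an added, constructed example (not the target's configuration or Supervisor's shipped defaults) contrasting that weak setup with a hardened one; the socket path, username and hash are placeholders.

```ini
; --- Weak (what the writeup observed): constructed example, not the target's file ---
; The web/XML-RPC interface listens on every interface, and the
; credentials are the ones lifted verbatim from the documentation example.
[inet_http_server]
port = *:9001
username = EXAMPLE_USER_FROM_DOCS          ; placeholder for the doc example credentials
password = EXAMPLE_PASSWORD_FROM_DOCS      ; stored in cleartext

; --- Hardened replacement: remove the [inet_http_server] block above and use this ---
; supervisorctl only needs a local unix socket; nothing listens on the network.
[unix_http_server]
file = /var/run/supervisor.sock            ; placeholder path
chmod = 0700                               ; only the owner may connect
chown = root:root

[supervisorctl]
serverurl = unix:///var/run/supervisor.sock

; Only if the browser UI is genuinely required: bind to loopback (reach it via
; SSH port-forwarding) and store the password as a SHA-1 hash in Supervisor's
; {SHA} format instead of cleartext. Generate the hex digest from a long,
; random, non-example password; the value below is a placeholder.
; [inet_http_server]
; port = 127.0.0.1:9001
; username = ops
; password = {SHA}<sha1-hex-digest-of-a-long-random-password>
```

Only one of the two [inet_http_server] variants may be present in a real file; the hardened one is commented out so the excerpt shows the unix-socket-only configuration as the default choice.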

memory


While I don't seem to be able to run the last two commands to check both the output and the error log of the process, I seem to be able to restart/stop it and clear its log.

Clicking the memory button leads to /tail.html?processname=memory, revealing details about the process. The information shown is very ambiguous.

processes


Same thing with the 2nd process. I am unable to check both the output and the error log of the process, as they just seem to be loading forever.

Clicking the Processes button leads to /tail.html?processname=processes, revealing the system processes that the application is monitoring.

/usr/libexec/httpd -u -X -s -i 127.0.0.1 -I 3000 -L weather /usr/local/webapi/weather.lua -U _httpd -b /var/www

I can see the process that is responsible for the web server running on port 80; it is indeed running the weather application that I enumerated earlier. The application itself is running on the 127.0.0.1:3000 socket and proxied over HTTP. It also confirms that the application is running off a Lua script, and that it is running with the privileges of the _httpd user.

The /usr/libexec/httpd binary is bozohttpd, which is mostly used on NetBSD systems.

The -L flag in bozohttpd takes a prefix and a script. In this case, it's set to weather and the /usr/local/webapi/weather.lua file. This means that the web server is set to run the Lua script above when the prefix, followed by the name of a function, is requested.

This explains why I was able to access the application through /weather/forecast

uptime


The uptime process is no different than the other 2.

It just shows output of the uptime command. That’s all.