Web


Nmap discovered a web server on the target port 80. The running service is Apache httpd 2.4.29.

While it doesn’t seem to have any virtual host configured, the web application appears to be a copy of Google. It also has a user, MrR3boot, logged in.

While the Search function sends out a POST request with the data, it doesn’t seem to return anything. I have also tested it for some basic SQLi, to no avail.

The Analytics button, however, leads to a file: analytics.php

Analytics.php


It does appear to be an analytics application, as it shows the average startup density by city.

Interestingly, it supports Connect and Open features.

It’s a dead end.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://$IP/FUZZ -ic -e .txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : https://10.10.10.162/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[status: 200, Size: 5152, Words: 543, Lines: 217, Duration: 125ms]
    * fuzz: index.php
 
[status: 200, Size: 397607, Words: 79777, Lines: 15332, Duration: 119ms]
    * fuzz: analytics.php
 
[WARN] Caught keyboard interrupt (Ctrl-C)
 
┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://mango.htb/FUZZ -ic -e .txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : https://mango.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[status: 200, Size: 5152, Words: 543, Lines: 217, Duration: 113ms]
    * fuzz: index.php
 
[status: 200, Size: 397607, Words: 79777, Lines: 15332, Duration: 109ms]
    * fuzz: analytics.php
 
[WARN] Caught keyboard interrupt (Ctrl-C)
 
┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u https://staging-order.mango.htb/FUZZ -ic -e .txt,.php
________________________________________________
 :: Method           : GET
 :: URL              : https://staging-order.mango.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Extensions       : .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[status: 200, Size: 5152, Words: 543, Lines: 217, Duration: 100ms]
    * fuzz: index.php
 
[status: 200, Size: 397607, Words: 79777, Lines: 15332, Duration: 113ms]
    * fuzz: analytics.php
 
[WARN] Caught keyboard interrupt (Ctrl-C)

Nothing found.

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/mango]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u https://$IP/ -H 'Host: FUZZ.mango.htb' -fc 403 -fs 5152
________________________________________________
 :: Method           : GET
 :: URL              : https://10.10.10.162/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.mango.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
 :: Filter           : Response size: 5152
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 274 req/sec :: Duration: [0:08:22] :: Errors: 0 ::

Nothing found.
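
From the defender's side, the Host-header sweep above leaves a recognizable trace: one client, many distinct Host values under mango.htb, nearly all answered with the same default response. The following is an added example (not part of the original write-up) that flags that pattern in Apache access logs. The LogFormat with a trailing Host field, the function names, the thresholds and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Apache LogFormat (not from the page): %h %l %u %t "%r" %>s %b "%{Host}i"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<host>[^"]*)"$'
)

def find_vhost_enumeration(lines, parent_domain, min_hosts=5, min_same_ratio=0.9):
    """Return {client: report} for clients probing many distinct Host values
    under parent_domain while almost always getting one identical response
    (the default vhost), which is what Host-header fuzzing looks like."""
    hosts = defaultdict(set)
    shapes = defaultdict(lambda: defaultdict(int))
    suffix = "." + parent_domain.lower()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        host = m["host"].lower().split(":")[0]  # drop any :port suffix
        if not host.endswith(suffix):
            continue  # only subdomains of the parent domain are of interest
        hosts[m["client"]].add(host)
        shapes[m["client"]][(m["status"], m["size"])] += 1
    findings = {}
    for client, seen in hosts.items():
        total = sum(shapes[client].values())
        shape, count = max(shapes[client].items(), key=lambda kv: kv[1])
        if len(seen) >= min_hosts and count / total >= min_same_ratio:
            findings[client] = {"distinct_hosts": len(seen), "requests": total,
                                "dominant_response": shape}
    return findings

def build_sample_log():
    """Constructed sample: one client cycling Host values, one normal visitor."""
    ts = "[01/Jan/2024:10:00:00 +0000]"
    words = ["www", "mail", "dev", "admin", "test", "api", "vpn", "shop"]
    lines = [f'10.10.14.5 - - {ts} "GET / HTTP/1.1" 200 5152 "{w}.mango.htb"'
             for w in words]
    lines += [f'192.0.2.10 - - {ts} "GET /index.php HTTP/1.1" 200 5152 "staging-order.mango.htb"',
              f'192.0.2.10 - - {ts} "GET /analytics.php HTTP/1.1" 200 397607 "staging-order.mango.htb"',
              "garbage line that does not parse"]
    return lines

if __name__ == "__main__":
    for client, report in find_vhost_enumeration(build_sample_log(), "mango.htb").items():
        print(client, report)
```

The default combined log format does not record the Host header, so this check only works once the field is added to the LogFormat.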