Web


Nmap discovered a web server on target port 80. The running service is Apache httpd 2.4.52.

┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ curl -s http://$IP/ -I
HTTP/1.1 302 Found
date: Wed, 27 Dec 2023 09:38:47 GMT
server: Apache/2.4.52 (Ubuntu)
location: http://mentorquotes.htb/
content-type: text/html; charset=iso-8859-1

The web root returns a 302 redirect to the domain mentorquotes.htb

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution

mentorquotes.htb appears to be hosting a personal blog with a collection of quotes

Wappalyzer identified the technologies involved. It's a Flask (2.0.3) application written in Python 3.6.9.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://mentorquotes.htb/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://mentorquotes.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 5506, Words: 1618, Lines: 167, Duration: 521ms]
server-status           [Status: 403, Size: 281, Words: 20, Lines: 10, Duration: 104ms]
:: Progress: [1273821/1273821] :: Job [1/1] :: 227 req/sec :: Duration: [1:04:21] :: Errors: 0 ::

Nothing of interest found; only the web root and a forbidden (403) server-status endpoint responded

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -t 200 -u http://$IP/ -H 'Host: FUZZ.mentorquotes.htb' -ic -fc 302 -mc all
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.193/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.mentorquotes.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: all
 :: Filter           : Response status: 302
________________________________________________
api                     [status: 404, Size: 22, Words: 2, Lines: 1, Duration: 83ms]
:: Progress: [114438/114438] :: Job [1/1] :: 8064 req/sec :: Duration: [0:00:14] :: Errors: 0 ::

ffuf found a single virtual host / sub-domain: api.mentorquotes.htb

The /etc/hosts file on Kali has been updated
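
From the defender's side, the Host-header sweep above is visible in access logs when the raw Host header is recorded. The following is an added example, not part of the original notes: it flags clients that send many distinct Host values in a short window. The `hostaudit` log format, the client addresses, the sample lines and the window/threshold values are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not from the page); %{Host}i records the Host header as sent:
#   LogFormat "%h %{Host}i %t \"%r\" %>s %b" hostaudit
LINE = re.compile(r'^(?P<client>\S+) (?P<host>\S+) \[(?P<ts>[^\]]+)\] '
                  r'"[^"]*" (?P<status>\d{3}) \S+$')

def parse(line):
    """Return (client, host, timestamp) or None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["client"], m["host"].lower(), ts

def flag_host_enumeration(lines, window=timedelta(seconds=10), threshold=5):
    """Map each client to the most distinct Host values it sent inside any
    sliding window, keeping only clients that reach the threshold."""
    per_client = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        client, host, ts = rec
        per_client[client].append((ts, host))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({h for _, h in events[start:end + 1]})
            if distinct >= threshold:
                flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

# Constructed sample: one client cycling Host values, one browsing normally.
NAMES = ["www", "mail", "dev", "api", "admin", "ftp"]
SAMPLE = [
    f'192.0.2.10 {n}.mentorquotes.htb [27/Dec/2023:09:40:0{i} +0000] '
    f'"GET / HTTP/1.1" {404 if n == "api" else 302} 22'
    for i, n in enumerate(NAMES)
] + [
    f'192.0.2.20 mentorquotes.htb [27/Dec/2023:09:40:1{i} +0000] '
    f'"GET /page{i} HTTP/1.1" 200 5506'
    for i in range(6)
]

if __name__ == "__main__":
    print(flag_host_enumeration(SAMPLE))
```

Logging `%v` instead of `%{Host}i` would hide this pattern, because requests for unknown names are served by the default virtual host and logged under its name.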