Web


Nmap discovered a web server on port 80 of the target. The running service is nginx 1.18.0.

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ curl -i http://$IP/                                                              
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Aug 2024 13:10:14 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: http://monitorsthree.htb/
 
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

Sending a GET request to the web root returns a 301 redirect to the domain monitorsthree.htb.

The domain has been appended to the /etc/hosts file on Kali for local name resolution.

Webroot


The site claims to offer an enterprise-grade networking solution.

Possible usernames, taken from the names in the Review section of index.php:

  • Glenn Jones
  • Nicola Johnson

Burp Suite's passive crawler identified a few interesting endpoints:

  • /admin/
  • /js/
  • login.php

Login Page


The login.php file serves a login page. It also has a Forgot password? link, which leads to /forgot_password.php.

Forgot Password


The /forgot_password.php endpoint provides a password reset feature. Its error message differs depending on whether the submitted username exists, so it can be leveraged for username enumeration.
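The enumeration described above, as an added example that is not part of the original write-up. It assumes the reset form is submitted with POST and that the field is named `username`; the two response texts are constructed placeholders, not the target's real messages. A canary username that cannot exist supplies the "unknown user" baseline, per-request noise (an assumed CSRF hidden field, timestamps) is stripped before comparison, and any candidate whose normalised response differs from the baseline is reported. Only the comparison logic runs offline; `submit()` is the live stdlib request you would point at the target.

```python
"""Username enumeration against a password-reset form by response differencing.

Added example, not from the original write-up. Assumptions the page does not
confirm: POST submission, a form field named `username`, and two distinct
response texts for known vs. unknown accounts (constructed below).
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from collections import defaultdict

URL = "http://monitorsthree.htb/forgot_password.php"  # endpoint from the write-up
FIELD = "username"                                     # assumption

# Per-request fragments that would otherwise make every response look unique.
_NOISE = [
    re.compile(r'name="csrf[^"]*"\s+value="[^"]*"', re.I),  # assumed CSRF hidden field
    re.compile(r"\b\d{2}:\d{2}:\d{2}\b"),                   # clock timestamps
]


def normalise(body):
    """Strip volatile fragments so equal error states compare equal."""
    for pat in _NOISE:
        body = pat.sub("", body)
    return re.sub(r"\s+", " ", body).strip()


def signature(status, body):
    return status, normalise(body)


def group_by_signature(responses):
    """responses: dict username -> (status, body). Returns signature -> [usernames]."""
    groups = defaultdict(list)
    for user, (status, body) in responses.items():
        groups[signature(status, body)].append(user)
    return dict(groups)


def find_valid(responses, canary):
    """Usernames whose response differs from the canary's (a name that cannot exist)."""
    base = signature(*responses[canary])
    return sorted(u for u, (s, b) in responses.items()
                  if u != canary and signature(s, b) != base)


def submit(username, url=URL, timeout=10):
    """Live request: POST one username, return (status, body). Not used offline."""
    data = urllib.parse.urlencode({FIELD: username}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode(errors="replace")


# Constructed sample responses standing in for real server output. The usernames
# are hypothetical guesses derived from the names on the index page.
SAMPLE = {
    "zzq9canary": (200, '<input name="csrf" value="a1b2"> <p>No account matches that username</p> 13:10:14'),
    "gjones":     (200, '<input name="csrf" value="c3d4"> <p>Reset link sent</p> 13:10:15'),
    "njohnson":   (200, '<input name="csrf" value="e5f6"> <p>Reset link sent</p> 13:10:16'),
    "admin":      (200, '<input name="csrf" value="0707"> <p>Reset link sent</p> 13:10:17'),
    "nobody":     (200, '<input name="csrf" value="9a9a"> <p>No account matches that username</p> 13:10:18'),
}

if __name__ == "__main__":
    for sig, users in group_by_signature(SAMPLE).items():
        print(sig[0], sig[1][:48], "->", users)
    print("likely valid:", find_valid(SAMPLE, "zzq9canary"))
```

For a live run, replace `SAMPLE` with `{u: submit(u) for u in candidates + [canary]}`. The defence is the mirror image of the check: a reset form that returns the same message and status for known and unknown usernames (and takes the same time to do so) gives this technique nothing to compare.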

SQLi


Additionally, the username parameter of the reset form is vulnerable to SQL injection (SQLi).

Admin Page


Requesting /admin/ returns 403 Forbidden. Fuzzing beneath it for subdirectories:

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://monitorsthree.htb/admin/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://monitorsthree.htb/admin/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
assets                  [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 35ms]
:: Progress: [20476/20476] :: Job [1/1] :: 3021 req/sec :: Duration: [0:00:03] :: Errors: 0 ::

Only /admin/assets/ was found. Fuzzing one level deeper:

┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://monitorsthree.htb/admin/assets/FUZZ -ic 
________________________________________________
 :: Method           : GET
 :: URL              : http://monitorsthree.htb/admin/assets/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
css                     [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 36ms]
images                  [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 29ms]
js                      [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 30ms]
locales                 [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 38ms]
swf                     [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 34ms]
:: Progress: [20476/20476] :: Job [1/1] :: 3076 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ curl -I http://monitorsthree.htb/admin/assets/css/
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Aug 2024 13:55:21 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
 
┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ curl -I http://monitorsthree.htb/admin/assets/images/
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Aug 2024 13:55:27 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
 
┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ curl -I http://monitorsthree.htb/admin/assets/js/    
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Aug 2024 13:55:28 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
 
┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ curl -I http://monitorsthree.htb/admin/assets/locales/
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Aug 2024 13:55:33 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
 
┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ curl -I http://monitorsthree.htb/admin/assets/swf/    
HTTP/1.1 403 Forbidden
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 25 Aug 2024 13:55:35 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

All five directories return 403. nginx answers a directory request with 403 when no index file exists and autoindex is off, so these paths do exist; the 403 only hides the listing, and individual files under them (for example scripts under /admin/assets/js/) may still be retrievable by name.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://monitorsthree.htb/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://monitorsthree.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
admin                   [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 42ms]
css                     [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 34ms]
fonts                   [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 32ms]
images                  [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 37ms]
js                      [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 32ms]
:: Progress: [20476/20476] :: Job [1/1] :: 4166 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

Nothing new: the web root contains only the directories already seen (admin, css, fonts, images, js).

Virtual Host / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.monitorsthree.htb' -ic -mc all -fs 13560
________________________________________________
 :: Method           : GET
 :: URL              : http://10.129.178.64/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.monitorsthree.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response size: 13560
________________________________________________
cacti                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 54ms]
:: Progress: [114437/114437] :: Job [1/1] :: 961 req/sec :: Duration: [0:02:17] :: Errors: 0 ::

cacti.monitorsthree.htb found. It answers with an empty 302 instead of the 13560-byte default page, which is why the -fs 13560 filter singles it out.
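The vhost discovery above, reworked as an added example rather than code from the original write-up. Instead of hard-coding the `-fs 13560` filter, it measures the baseline from a few random Host headers (which nginx serves with its default vhost), refuses to filter at all if that baseline is not stable, and then flags any candidate whose (status, size, Location) fingerprint deviates. The target IP, the candidate names, and the `Location` value on the cacti response are assumptions; the live fetch is stdlib-only and is not exercised offline.

```python
"""Virtual-host discovery: derive the default-vhost baseline, then flag Host
headers whose response deviates from it.

Added example, not from the original write-up. Mirrors the ffuf run
(`-H 'Host: FUZZ.monitorsthree.htb' -mc all -fs 13560`) but derives the filter
value instead of assuming it, and compares status and Location as well as size.
"""
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass

BASE_DOMAIN = "monitorsthree.htb"   # from the write-up


@dataclass(frozen=True)
class Resp:
    status: int
    size: int
    location: str = ""

    def fingerprint(self):
        return (self.status, self.size, self.location)


def fetch(ip, host, timeout=10):
    """Request / on the IP with a spoofed Host header; redirects are not followed."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *a, **k):
            return None  # turn 3xx into an HTTPError we can inspect

    req = urllib.request.Request(f"http://{ip}/", headers={"Host": host})
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as r:
            return Resp(r.status, len(r.read()), r.headers.get("Location", ""))
    except urllib.error.HTTPError as e:
        return Resp(e.code, len(e.read()), e.headers.get("Location", ""))


def random_hosts(n=3):
    """Names that cannot exist; they all fall through to the default vhost."""
    return [f"{secrets.token_hex(6)}.{BASE_DOMAIN}" for _ in range(n)]


def baseline_stable(responses):
    return len({r.fingerprint() for r in responses}) == 1


def baseline(responses):
    """The fingerprint shared by the random probes. If it varies (dynamic page
    size, rate limiting), a size filter would hide or flood results, so refuse."""
    if not baseline_stable(responses):
        raise ValueError("unstable baseline, refusing to filter")
    return responses[0].fingerprint()


def find_vhosts(candidates, base_fp):
    """candidates: dict hostname -> Resp. Returns hostnames that differ from baseline."""
    return sorted(h for h, r in candidates.items() if r.fingerprint() != base_fp)


def run_live(ip, names):
    base = baseline([fetch(ip, h) for h in random_hosts()])
    probes = {f"{n}.{BASE_DOMAIN}": fetch(ip, f"{n}.{BASE_DOMAIN}") for n in names}
    return find_vhosts(probes, base)


# Constructed sample data modelling the run above: unknown names get the
# 13560-byte default page; cacti answers with an empty 302.
SAMPLE_BASELINE = [Resp(200, 13560), Resp(200, 13560), Resp(200, 13560)]
SAMPLE_CANDIDATES = {
    "www.monitorsthree.htb":   Resp(200, 13560),
    "mail.monitorsthree.htb":  Resp(200, 13560),
    "cacti.monitorsthree.htb": Resp(302, 0, "/cacti/"),   # Location value assumed
    "dev.monitorsthree.htb":   Resp(200, 13560),
}

if __name__ == "__main__":
    fp = baseline(SAMPLE_BASELINE)
    print("baseline fingerprint:", fp)
    print("deviating vhosts:", find_vhosts(SAMPLE_CANDIDATES, fp))
```

Comparing the full fingerprint rather than size alone matters: a vhost that happened to return a 13560-byte page with a different status or a redirect would be dropped by `-fs 13560` but is kept here. For a live run use `run_live("10.129.178.64", names)` with a wordlist such as the one the ffuf command reads.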