Web


Scanning earlier revealed a web server on the target's port 80. The web root on port 80 is the default Apache2 installation page.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://$IP/FUZZ -ic
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.171/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
music                   [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 29ms]
artwork                 [Status: 301, Size: 314, Words: 20, Lines: 10, Duration: 29ms]
sierra                  [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 29ms]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 28ms]
marga                   [Status: 301, Size: 312, Words: 20, Lines: 10, Duration: 30ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 1320 req/sec :: Duration: [0:17:15] :: Errors: 0 ::

ffuf discovered 4 directories:

  • /music/
  • /artwork/
  • /sierra/
  • /marga/

I will start enumerating them all.
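Seen from the server side, a wordlist scan like the ffuf run above is a burst of requests from one client where nearly every answer is a 404. The following is an added example (not part of this writeup) that parses Apache combined-format access log lines and flags clients that rack up many 404s inside a short sliding window; the log lines, client addresses and User-Agent string are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; this regex is the example's own, not the writeup's.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration(lines, window_seconds=60, min_404s=10):
    """Return {client_ip: peak_404_count} for clients that produced at least
    min_404s 404 responses inside any window_seconds-long sliding window.
    A wordlist scan is mostly misses, so this signal does not depend on the
    wordlist used or on whatever User-Agent the scanner chose to send."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        left, peak = 0, 0
        for right in range(len(stamps)):
            while (stamps[right] - stamps[left]).total_seconds() > window_seconds:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= min_404s:
            flagged[ip] = peak
    return flagged


# --- constructed sample log (not captured from the target) -------------------
def _line(ip, second, path, status, ua):
    return (f'{ip} - - [12/Jan/2020:10:15:{second:02d} +0000] "GET {path} HTTP/1.1" '
            f'{status} 277 "-" "{ua}"')

SCANNER_UA = "wordlist-scanner/1.0 (constructed)"   # placeholder, not a real tool's UA
SAMPLE_LOG = (
    # 192.0.2.10 (constructed client) misses 12 guessed paths in 12 seconds ...
    [_line("192.0.2.10", s, f"/{w}", 404, SCANNER_UA)
     for s, w in enumerate(["admin", "login", "backup", "test", "dev", "old",
                            "tmp", "uploads", "api", "config", "db", "secret"])]
    # ... and hits one real directory, which Apache answers with a 301
    + [_line("192.0.2.10", 12, "/music", 301, SCANNER_UA)]
    # an ordinary visitor: a couple of 200s and a single stray 404
    + [_line("192.0.2.77", 30, "/music/index.html", 200, "Mozilla/5.0"),
       _line("192.0.2.77", 45, "/music/css/style.css", 200, "Mozilla/5.0"),
       _line("192.0.2.77", 50, "/favicon.ico", 404, "Mozilla/5.0")]
)

if __name__ == "__main__":
    for ip, count in find_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {count} x 404 within 60s -> likely directory enumeration")
```

The threshold and window are the knobs to tune per site: a busy site with many broken links needs a higher `min_404s`, and a scan throttled to a few requests per minute needs a longer window. Rate of misses is a sturdier signal than the User-Agent, which any client can set to anything.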

/music/


This is the web root of the /music/ directory.

fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -u http://$IP/music/FUZZ -ic 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.171/music/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.html              [Status: 200, Size: 12554, Words: 764, Lines: 356, Duration: 29ms]
contact.html            [Status: 200, Size: 6223, Words: 302, Lines: 178, Duration: 34ms]
main.html               [Status: 200, Size: 931, Words: 69, Lines: 18, Duration: 33ms]
blog.html               [Status: 200, Size: 6728, Words: 430, Lines: 174, Duration: 30ms]
category.html           [Status: 200, Size: 23863, Words: 1020, Lines: 659, Duration: 30ms]
artist.html             [Status: 200, Size: 20133, Words: 877, Lines: 508, Duration: 29ms]
:: Progress: [35325/35325] :: Job [1/1] :: 916 req/sec :: Duration: [0:00:30] :: Errors: 1 ::
 
┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://$IP/music/FUZZ/ -ic
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.171/music/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
img                     [Status: 200, Size: 3337, Words: 190, Lines: 29, Duration: 166ms]
js                      [Status: 200, Size: 2893, Words: 178, Lines: 26, Duration: 2108ms]
css                     [Status: 200, Size: 1807, Words: 99, Lines: 21, Duration: 2740ms]
Source                  [Status: 200, Size: 2517, Words: 148, Lines: 24, Duration: 214ms]
:: Progress: [62284/62284] :: Job [1/1] :: 1327 req/sec :: Duration: [0:01:04] :: Errors: 3 ::

Fuzzing the /music/ directory reveals a few files and sub-directories. /music/Source/ seems most interesting to me.

/music/Source/


Directory indexing at /music/Source/, containing a few interesting files.

I’ve checked them all, but nothing interesting could be found.

/artwork/


This is the web root of the /artwork/ directory.

fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/raft-large-files-lowercase.txt -u http://$IP/artwork/FUZZ -ic 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.171/artwork/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.html              [status: 200, Size: 14461, Words: 4026, Lines: 372, Duration: 29ms]
contact.html            [status: 200, Size: 8999, Words: 2524, Lines: 244, Duration: 29ms]
about.html              [status: 200, Size: 11156, Words: 2960, Lines: 293, Duration: 30ms]
main.html               [status: 200, Size: 931, Words: 69, Lines: 18, Duration: 29ms]
blog.html               [status: 200, Size: 11523, Words: 3338, Lines: 297, Duration: 29ms]
services.html           [status: 200, Size: 11749, Words: 3197, Lines: 308, Duration: 31ms]
readme.txt              [status: 200, Size: 410, Words: 47, Lines: 9, Duration: 29ms]
:: Progress: [35325/35325] :: Job [1/1] :: 1182 req/sec :: Duration: [0:00:30] :: Errors: 1 ::
 
 
┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/raft-large-directories.txt -u http://$IP/artwork/FUZZ/ -ic 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.171/artwork/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
fonts                   [status: 200, Size: 1157, Words: 76, Lines: 18, Duration: 30ms]
css                     [status: 200, Size: 3315, Words: 171, Lines: 28, Duration: 3141ms]
images                  [status: 200, Size: 5647, Words: 283, Lines: 40, Duration: 3190ms]
js                      [status: 200, Size: 5575, Words: 331, Lines: 38, Duration: 4151ms]
:: Progress: [62284/62284] :: Job [1/1] :: 1334 req/sec :: Duration: [0:00:51] :: Errors: 3 ::

Fuzzing /artwork/ doesn’t reveal much.

/sierra/


Web root of the /sierra/ directory

fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/raft-large-files-lowercase.txt -u http://$IP/sierra/FUZZ -ic 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.171/sierra/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.html              [status: 200, Size: 43029, Words: 14866, Lines: 589, Duration: 34ms]
contact.html            [status: 200, Size: 15853, Words: 5469, Lines: 288, Duration: 31ms]
blog.html               [status: 200, Size: 20477, Words: 8481, Lines: 334, Duration: 30ms]
service.html            [status: 200, Size: 22090, Words: 8827, Lines: 364, Duration: 30ms]
portfolio.html          [status: 200, Size: 13000, Words: 4229, Lines: 230, Duration: 32ms]
contact_process.php     [status: 200, Size: 0, Words: 1, Lines: 1, Duration: 46ms]
:: Progress: [35325/35325] :: Job [1/1] :: 1236 req/sec :: Duration: [0:00:29] :: Errors: 1 ::
 
┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/raft-large-directories.txt -u http://$IP/sierra/FUZZ/ -ic 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.171/sierra/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
img                     [status: 200, Size: 4780, Words: 269, Lines: 36, Duration: 40ms]
js                      [status: 200, Size: 2854, Words: 179, Lines: 26, Duration: 206ms]
fonts                   [status: 200, Size: 2117, Words: 123, Lines: 22, Duration: 34ms]
css                     [status: 200, Size: 1792, Words: 100, Lines: 21, Duration: 1683ms]
vendors                 [status: 200, Size: 2176, Words: 136, Lines: 23, Duration: 33ms]
:: Progress: [62284/62284] :: Job [1/1] :: 1350 req/sec :: Duration: [0:00:50] :: Errors: 3 ::

Fuzzing /sierra/ reveals an interesting file: /sierra/contact_process.php. However, its size shows 0, meaning that the file exists but won’t load anything.

/marga/


This is /marga/

fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/raft-large-files-lowercase.txt -u http://$IP/marga/FUZZ -ic
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.171/marga/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.html              [status: 200, Size: 18191, Words: 4915, Lines: 432, Duration: 33ms]
contact.html            [status: 200, Size: 10894, Words: 2902, Lines: 259, Duration: 30ms]
about.html              [status: 200, Size: 13933, Words: 3853, Lines: 337, Duration: 33ms]
main.html               [status: 200, Size: 931, Words: 69, Lines: 18, Duration: 33ms]
blog.html               [status: 200, Size: 14516, Words: 4419, Lines: 368, Duration: 36ms]
services.html           [status: 200, Size: 11984, Words: 3118, Lines: 277, Duration: 31ms]
readme.txt              [status: 200, Size: 410, Words: 47, Lines: 9, Duration: 33ms]
.git                    [status: 301, Size: 317, Words: 20, Lines: 10, Duration: 29ms]
project.html            [status: 200, Size: 10004, Words: 2618, Lines: 249, Duration: 32ms]
.gitignore              [status: 200, Size: 31, Words: 1, Lines: 3, Duration: 30ms]
:: Progress: [35325/35325] :: Job [1/1] :: 1366 req/sec :: Duration: [0:00:29] :: Errors: 1 ::
 
┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/raft-large-directories.txt -u http://$IP/marga/FUZZ/ -ic 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.171/marga/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
images                  [status: 200, Size: 5983, Words: 304, Lines: 42, Duration: 38ms]
js                      [status: 200, Size: 5123, Words: 305, Lines: 36, Duration: 39ms]
fonts                   [status: 200, Size: 1353, Words: 88, Lines: 19, Duration: 31ms]
css                     [status: 200, Size: 3517, Words: 181, Lines: 29, Duration: 4598ms]
:: Progress: [62284/62284] :: Job [1/1] :: 1335 req/sec :: Duration: [0:00:53] :: Errors: 3 ::

ffuf found a Git directory: /marga/.git/

/marga/.git/


Directory indexing at /marga/.git/, containing some files and directories.

This is a configuration file: /marga/.git/config. Based on the context, the whole /marga/ directory was cloned through Git as a website template. That is likely the case for all the directories above.
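An exposed .git/config is readable by anyone, so it is worth knowing exactly what it gives away: the remote every branch tracks (the template's origin here) and, together with the objects directory, enough to rebuild the full source history. As an added example that is not part of the writeup, here is a small parser for git's INI-like config format plus a sanity check on .git/HEAD that tells a defender whether a listing at /.git/ really is a live repository. The sample config and its remote URL are constructed placeholders, not the target's.

```python
import re

SECTION_RE = re.compile(r'^\s*\[(?P<name>[^\s\]"]+)(?:\s+"(?P<sub>[^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>[A-Za-z][A-Za-z0-9-]*)\s*=\s*(?P<val>.*?)\s*$')


def parse_git_config(text):
    """Parse git's INI-like config into {"section[.subsection]": {key: value}}.
    Handles the forms git writes itself: [core], [remote "origin"], [branch "x"],
    tab-indented key = value lines and whole-line # / ; comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            if m.group("sub") is not None:
                current += "." + m.group("sub")
            sections.setdefault(current, {})
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key").lower()] = m.group("val")
    return sections


def describe_checkout(sections):
    """What an exposed config tells a reader: every remote URL and which remote
    each local branch tracks. Returns ({remote: url}, {branch: remote})."""
    remotes = {name.split(".", 1)[1]: body.get("url")
               for name, body in sections.items() if name.startswith("remote.")}
    branches = {name.split(".", 1)[1]: body.get("remote")
                for name, body in sections.items() if name.startswith("branch.")}
    return remotes, branches


def is_git_head(text):
    """True if `text` looks like the content of .git/HEAD (a symbolic ref or a raw
    commit hash). Fetching /.git/HEAD from your own site and checking it this way
    is the quickest self-test that a directory listing at /.git/ is a real repo."""
    text = text.strip()
    return text.startswith("ref: refs/") or re.fullmatch(r"[0-9a-f]{40}", text) is not None


# Constructed config in the shape git writes after `git clone`; the URL is a
# placeholder, not the target's real remote.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
\tlogallrefupdates = true
[remote "origin"]
\turl = https://git.example.invalid/templates/marga.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""

if __name__ == "__main__":
    remotes, branches = describe_checkout(parse_git_config(SAMPLE_CONFIG))
    print("remotes:", remotes)
    print("branches:", branches)
    print("HEAD check:", is_git_head("ref: refs/heads/master\n"))
```

The fix on the server side is to keep the .git directory out of the document root (deploy an export, not a clone) or, failing that, deny it in Apache 2.4 with a `<DirectoryMatch "/\.git">` block containing `Require all denied`; the /.git/HEAD check above is a convenient way to confirm the rule took effect.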

Burp Suite Passive Crawler


Upon checking the Burp Crawler, I see that it found a new file which was never revealed by the fuzzing.

Testing the crawling from scratch again. The Burp Crawler mapping above shows the file /ona. It was crawled from the /music/ directory.

I can confirm that by checking the source code of /music/.
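Wordlist fuzzing only finds names that are in the wordlist; a crawler finds whatever the pages actually link to, which is how /ona turned up here. As an added example (not the writeup's code and not Burp's), the following extracts every same-host reference from an HTML page, resolves it against the page's own path, and reports which of those locations the earlier ffuf results did not already cover. The HTML snippet is constructed; the only thing it shares with the real /music/ page is a link to /ona.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect href/src/action attributes from tags that reference other resources."""
    ATTRS = {"a": "href", "link": "href", "script": "src", "img": "src",
             "iframe": "src", "form": "action"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append(value)


def extract_paths(html, base_path):
    """Resolve every reference in `html` against `base_path` (the URL path the page
    was served from) and return the set of same-host paths, query and fragment
    stripped. References to other hosts are dropped."""
    collector = LinkCollector()
    collector.feed(html)
    paths = set()
    for ref in collector.refs:
        resolved = urlsplit(urljoin(base_path, ref))
        if resolved.scheme or resolved.netloc:   # points at another host
            continue
        if resolved.path:
            paths.add(resolved.path)
    return paths


def new_locations(html, base_path, known):
    """Paths the page references that a wordlist scan did not already report,
    ignoring files that sit inside a directory the scan already found."""
    known = set(known)
    known_dirs = tuple(k for k in known if k.endswith("/"))
    return {p for p in extract_paths(html, base_path)
            if p not in known and not p.startswith(known_dirs)}


# Constructed page standing in for /music/index.html (not the target's real HTML).
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="css/style.css">
  <script src="js/main.js"></script>
</head><body>
  <a href="/ona">Admin</a>
  <a href="blog.html">Blog</a>
  <a href="https://fonts.example.invalid/font.css">external</a>
  <img src="img/logo.png#top">
</body></html>
"""

# Files and directories the ffuf runs in this writeup reported under /music/
KNOWN = {"/music/index.html", "/music/contact.html", "/music/main.html",
         "/music/blog.html", "/music/category.html", "/music/artist.html",
         "/music/img/", "/music/js/", "/music/css/", "/music/Source/"}

if __name__ == "__main__":
    print(sorted(new_locations(SAMPLE_HTML, "/music/", KNOWN)))
```

For a site owner the same routine answers the inverse question: run it over your own pages and anything it returns that you did not expect to be linked (an admin console, an old app) is exposure the wordlist scanners will eventually reach too.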

OpenNetAdmin


I set up the proxy and sent a GET request to /ona. I am intercepting the request.

/ona returns a 301 to a new location: /ona/

This is the /ona/ directory. It appears to be some kind of management application. Notice the version information: v18.1.1.

It also mentions that I can try the main help index via an external hyperlink. It leads to opennetadmin.com.

It’s OpenNetAdmin, which:

  • is a powerful free IPAM (IP Address Management) system to track your IP network
  • can be configured to track each subnet, host, and IP via a centralized AJAX-enabled web interface
  • provides a full CLI interface for scripting and bulk work

┌──(kali㉿kali)-[~/archive/htb/labs/openadmin]
└─$ searchsploit opennetadmin 18
----------------------------------------------- ---------------------------------
 Exploit Title                                 |  Path
----------------------------------------------- ---------------------------------
OpenNetAdmin 18.1.1 - Command Injection Exploi | php/webapps/47772.rb
OpenNetAdmin 18.1.1 - Remote Code Execution    | php/webapps/47691.sh
----------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

OpenNetAdmin 18.1.1 is vulnerable to RCE. Moving on to the exploitation phase.