Web
Nmap discovered a web server on port 80 of the target.
The running service is Apache httpd 2.4.52.
┌──(kali㉿kali)-[~/archive/htb/labs/permx]
└─$ curl -i http://$IP
HTTP/1.1 302 Found
Date: Mon, 08 Jul 2024 13:29:54 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: http://permx.htb
Content-Length: 277
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://permx.htb">here</a>.</p>
<hr>
<address>Apache/2.4.52 (Ubuntu) Server at 10.10.11.23 Port 80</address>
</body></html>
The webroot redirects to a domain: permx.htb
The domain has been appended to the /etc/hosts file on Kali for local DNS resolution.
Webroot
The website claims to be an online learning platform.
Wappalyzer identified the technologies involved.
Burp Suite’s passive crawler picked up hard-coded endpoints.
All of those are static pages that don’t contain any notable information.
/team.html & /testimonial.html
The /team.html endpoint contains 4 potential users:
- noah
- elsie
- ralph
- mia
The /testimonial.html endpoint also contains 4 possible users:
- emma
- sarah
- james
- johny
/contact.html
The contact form is not functional
Fuzzing
┌──(kali㉿kali)-[~/…/htb/labs/permx/CVE-2024-6387]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -t 200 -u http://permx.htb/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://permx.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 37ms]
img [Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 327ms]
css [Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 22ms]
lib [Status: 301, Size: 304, Words: 20, Lines: 10, Duration: 25ms]
js [Status: 301, Size: 303, Words: 20, Lines: 10, Duration: 26ms]
server-status [Status: 403, Size: 274, Words: 20, Lines: 10, Duration: 42ms]
:: Progress: [1273820/1273820] :: Job [1/1] :: 188 req/sec :: Duration: [0:07:49] :: Errors: 0 ::
Nothing notable was found.
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/…/htb/labs/permx/CVE-2024-6387]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 200 -u http://$IP/ -H 'Host: FUZZ.permx.htb' -ic -mc all -fc 302
________________________________________________
:: Method : GET
:: URL : http://10.10.11.23/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.permx.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 200
:: Matcher : Response status: all
:: Filter : Response status: 302
________________________________________________
www [Status: 200, Size: 36182, Words: 12829, Lines: 587, Duration: 37ms]
lms [Status: 200, Size: 19347, Words: 4910, Lines: 353, Duration: 67ms]
:: Progress: [114437/114437] :: Job [1/1] :: 190 req/sec :: Duration: [0:00:44] :: Errors: 0 ::
ffuf discovered 2 virtual hosts / sub-domains:
- www.permx.htb
- lms.permx.htb
The /etc/hosts file on Kali has been updated.
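From the server side, the Host-header sweep above shows up as one client sending many different Host values in a short time, most of them answered by the default 302. The following detection sketch is an added example, not part of the original writeup; it assumes an Apache LogFormat that records the request's Host header via %{Host}i, and the function names, thresholds, client addresses and log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Apache LogFormat (not from the writeup): "%h %t \"%{Host}i\" \"%r\" %>s"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<host>[^"]*)" "[^"]*" (?P<status>\d{3})$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
KNOWN = ["permx.htb", "www.permx.htb", "lms.permx.htb"]  # vhosts named in the writeup

def find_host_enumeration(lines, known_hosts, threshold=5, window_s=60):
    """Return {client_ip: peak number of distinct unconfigured Host values
    seen from that client inside any window_s-second window}."""
    known = {h.lower() for h in known_hosts}
    events = defaultdict(list)  # ip -> [(time, host)], unconfigured hosts only
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the assumed format
        host = m["host"].lower().split(":")[0]  # drop an optional :port
        if host not in known:
            events[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), host))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = peak = 0
        for end in range(len(evs)):
            # shrink the window until it spans at most window_s seconds
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, len({h for _, h in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def sample_log():
    """Constructed lines: one client cycling Host values, one ordinary visitor."""
    words = ["www", "mail", "dev", "lms", "admin", "test", "vpn", "api"]
    lines = [f'192.0.2.10 [08/Jul/2024:13:40:{i:02d} +0000] "{w}.permx.htb" '
             f'"GET / HTTP/1.1" {200 if w in ("www", "lms") else 302}'
             for i, w in enumerate(words)]
    lines += ['198.51.100.7 [08/Jul/2024:13:41:00 +0000] "permx.htb" "GET /team.html HTTP/1.1" 200',
              '198.51.100.7 [08/Jul/2024:13:41:05 +0000] "10.10.11.23" "GET / HTTP/1.1" 302']
    return lines

if __name__ == "__main__":
    print(find_host_enumeration(sample_log(), KNOWN))
```

Apache's default common and combined formats do not record the Host header, so this check only works once the header is added to the access log.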