Web
Nmap discovered a web server on port 80 of the target
The running service is nginx 1.18.0
┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ curl -s -i http://$IP/
HTTP/1.1 301 Moved Permanently
server: nginx/1.18.0 (Ubuntu)
date: Wed, 28 Jun 2023 11:43:27 GMT
content-type: text/html
content-length: 178
connection: keep-alive
location: https://ssa.htb/
Sending a GET request to the web root returns a 301 redirect to https://ssa.htb/, pointing to the web server on port 443
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .txt,.php,.html -fc 301
________________________________________________
:: Method : GET
:: URL : http://10.10.11.218/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 301
________________________________________________
:: Progress: [882188/882188] :: Job [1/1] :: 380 req/sec :: Duration: [0:39:49] :: Errors: 0 ::
┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://ssa.htb/FUZZ -ic -e .txt,.php,.html -fc 301
________________________________________________
:: Method : GET
:: URL : http://ssa.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .txt .php .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 301
________________________________________________
:: Progress: [882188/882188] :: Job [1/1] :: 338 req/sec :: Duration: [0:39:45] :: Errors: 0 ::
Nothing found
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/archive/htb/labs/sandworm]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.ssa.htb' -fc 301
________________________________________________
:: Method : GET
:: URL : http://10.10.11.218/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.ssa.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 301
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 416 req/sec :: Duration: [0:04:35] :: Errors: 0 ::
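Seen from the server side, both ffuf runs above (directory brute force on port 80 and Host-header fuzzing against ssa.htb) leave a distinctive trace in the access log: one client requesting hundreds of thousands of distinct paths, or the same path under many different Host values. The script below is an added example, not part of this writeup or of the lab; it assumes nginx is configured with a custom log_format that prepends $host to the usual combined fields (the lab's real logging is unknown), and the log lines it parses are constructed for the demonstration. Because this target answers 301 to everything on port 80, a detector keyed on bursts of 404s would see nothing, so the example counts distinct paths and distinct Host names per client instead; the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Regex for an nginx access log line in the "combined" format with $host
# prepended (assumed custom log_format, not the lab's real configuration).
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+)'
)

# Constructed sample log: 10.10.14.9 is a normal visitor, 10.10.14.5 runs a
# directory fuzz (word + .txt/.php/.html, as with ffuf -e) and then a Host fuzz.
SAMPLE_LOG = """\
ssa.htb 10.10.14.9 - - [28/Jun/2023:11:40:02 +0000] "GET / HTTP/1.1" 301 178
ssa.htb 10.10.14.9 - - [28/Jun/2023:11:40:03 +0000] "GET /favicon.ico HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:43:27 +0000] "GET / HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:00 +0000] "GET /images HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:00 +0000] "GET /images.txt HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:00 +0000] "GET /images.php HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:00 +0000] "GET /images.html HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:01 +0000] "GET /admin HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:01 +0000] "GET /admin.txt HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:01 +0000] "GET /admin.php HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:01 +0000] "GET /admin.html HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:02 +0000] "GET /login HTTP/1.1" 301 178
ssa.htb 10.10.14.5 - - [28/Jun/2023:11:45:02 +0000] "GET /login.php HTTP/1.1" 301 178
www.ssa.htb 10.10.14.5 - - [28/Jun/2023:12:30:10 +0000] "GET / HTTP/1.1" 301 178
mail.ssa.htb 10.10.14.5 - - [28/Jun/2023:12:30:10 +0000] "GET / HTTP/1.1" 301 178
dev.ssa.htb 10.10.14.5 - - [28/Jun/2023:12:30:10 +0000] "GET / HTTP/1.1" 301 178
test.ssa.htb 10.10.14.5 - - [28/Jun/2023:12:30:11 +0000] "GET / HTTP/1.1" 301 178
ftp.ssa.htb 10.10.14.5 - - [28/Jun/2023:12:30:11 +0000] "GET / HTTP/1.1" 301 178
"""


def parse_line(line):
    """Return the fields of one access log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect_enumeration(lines, path_threshold=10, host_threshold=5):
    """Group requests by client IP and flag enumeration patterns.

    Returns {ip: {"distinct_paths", "distinct_hosts", "status_counts", "findings"}}.
    Thresholds are illustrative; tune them to the site's normal traffic.
    """
    per_client = defaultdict(
        lambda: {"paths": set(), "hosts": set(), "statuses": defaultdict(int)}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than failing
        c = per_client[rec["ip"]]
        c["paths"].add(rec["path"])
        c["hosts"].add(rec["host"])
        c["statuses"][rec["status"]] += 1

    report = {}
    for ip, c in per_client.items():
        findings = []
        if len(c["paths"]) >= path_threshold:
            findings.append("directory enumeration")
        if len(c["hosts"]) >= host_threshold:
            findings.append("vhost enumeration")
        report[ip] = {
            "distinct_paths": len(c["paths"]),
            "distinct_hosts": len(c["hosts"]),
            "status_counts": dict(c["statuses"]),
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for ip, summary in detect_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Run against a real log with `detect_enumeration(open("/var/log/nginx/access.log"))` once the log_format includes $host. Counting distinct Host values only works if the server actually logs the name the client sent; the usual hardening for this class of enumeration is a default_server block that answers unknown names uniformly (or closes the connection with nginx's 444), so that every guessed sub-domain looks identical to the fuzzer.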