Web


Nmap discovered a web server on the target's port 80. The service running is Microsoft IIS httpd 10.0.

Webroot

It appears to be providing a banking service, hence the name of the domain, egotistical-bank.

The header has a few buttons that lead to different files.

The passive crawler in Burp Suite picked those right up.

/about.html


While the about.html file seems pretty self-explanatory, there is a section further down that showcases the employees of the organization. Although I do not know the naming convention that the organization uses, these are potential usernames worth saving.

/blog.html


The blog.html file contains some generic articles written by the admin user.

/contact.html


The contact.html file contains a form.

Submitting a test form through a POST request fails with status code 405.

Although I can get a proper response by switching it over to a GET request, I don’t see anything exceptional.

/single.html


The single.html file is rather interesting because of three things:

1. There is a search bar.

2. There is another potential user.

3. There is a comment section with two comments by other users and a form.

Testing


The search function doesn’t seem to work, as the web server just throws back a 405.

The same goes for the comment form.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://sauna.egotistical-bank.local/FUZZ -ic -e .php,.txt,.html
________________________________________________
 
 :: Method           : GET
 :: URL              : http://sauna.egotistical-bank.local/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
images                  [status: 301, Size: 166, Words: 9, Lines: 2, Duration: 29ms]
index.html              [status: 200, Size: 32797, Words: 15329, Lines: 684, Duration: 30ms]
about.html              [status: 200, Size: 30954, Words: 14043, Lines: 641, Duration: 29ms]
contact.html            [status: 200, Size: 15634, Words: 7370, Lines: 326, Duration: 30ms]
blog.html               [status: 200, Size: 24695, Words: 11588, Lines: 471, Duration: 29ms]
css                     [status: 301, Size: 163, Words: 9, Lines: 2, Duration: 27ms]
fonts                   [status: 301, Size: 165, Words: 9, Lines: 2, Duration: 26ms]
single.html             [status: 200, Size: 38059, Words: 20403, Lines: 685, Duration: 27ms]
:: Progress: [882188/882188] :: Job [1/1] :: 1454 req/sec :: Duration: [0:10:25] :: Errors: 0 ::

No additional files or directories were found.

┌──(kali㉿kali)-[~/archive/htb/labs/sauna]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.egotistical-bank.local' -fs 32797
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.175/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.egotistical-bank.local
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 32797
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 1327 req/sec :: Duration: [0:01:25] :: Errors: 0 ::

No additional virtual hosts or sub-domains were found.
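From the defender's side, both ffuf runs above leave a distinctive footprint in the IIS logs: the directory scan produces a burst of 404s from one client at over a thousand requests per second, while the vhost scan produces normal 200 responses (the default site at 32797 bytes) but with many different Host headers from one client. The following is an added example, not part of this writeup, that flags both patterns in a constructed IIS W3C log; it assumes the cs-host field has been enabled in the site's logging configuration, which is not in the default field set.

```python
"""Flag directory and vhost brute-forcing in IIS W3C logs (added example)."""
from collections import Counter, defaultdict

# Constructed sample: IIS 10.0 W3C log with cs-host enabled (assumed field set).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-host cs-uri-stem sc-status
2020-02-15 10:00:01 10.10.14.5 GET sauna.egotistical-bank.local /index.html 200
2020-02-15 10:00:02 10.10.14.5 GET sauna.egotistical-bank.local /about.html 200
2020-02-15 10:01:00 10.10.14.9 GET sauna.egotistical-bank.local /admin 404
2020-02-15 10:01:00 10.10.14.9 GET sauna.egotistical-bank.local /backup.txt 404
2020-02-15 10:01:00 10.10.14.9 GET sauna.egotistical-bank.local /login.php 404
2020-02-15 10:01:01 10.10.14.9 GET sauna.egotistical-bank.local /test.html 404
2020-02-15 10:01:01 10.10.14.9 GET sauna.egotistical-bank.local /old 404
2020-02-15 10:02:00 10.10.14.7 GET www.egotistical-bank.local / 200
2020-02-15 10:02:00 10.10.14.7 GET mail.egotistical-bank.local / 200
2020-02-15 10:02:01 10.10.14.7 GET dev.egotistical-bank.local / 200
2020-02-15 10:02:01 10.10.14.7 GET admin.egotistical-bank.local / 200
"""


def parse_w3c(text):
    """Parse IIS W3C Extended log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # field names follow the directive
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records


def find_fuzzers(records, max_404=5, max_hosts=4):
    """Return {c-ip: [reasons]} for clients with many 404s or many Host headers."""
    not_found = Counter()
    hosts = defaultdict(set)
    for r in records:
        if r.get("sc-status") == "404":
            not_found[r["c-ip"]] += 1          # directory brute force signal
        hosts[r["c-ip"]].add(r["cs-host"])     # vhost brute force signal
    flagged = defaultdict(list)
    for ip, n in not_found.items():
        if n >= max_404:
            flagged[ip].append(f"{n} responses with status 404")
    for ip, h in hosts.items():
        if len(h) >= max_hosts:
            flagged[ip].append(f"{len(h)} distinct Host headers")
    return dict(flagged)


FLAGGED = find_fuzzers(parse_w3c(SAMPLE_LOG))
```

On a production log the thresholds should be raised and evaluated per time window rather than over the whole file, since a handful of 404s from a normal browser session is expected.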