Web
Nmap discovered a web server on the target port 80. The running service is Microsoft IIS httpd 10.0.
Webroot
This appears to be a corporate intranet for the target organization.
Burp Suite’s passive crawler picked up another file; support.html
Browsing to the support.html file, interesting information is revealed in the Nets And Alerts section.
It appears that the target organization has disabled NTLM authentication within the domain due to the recent security breach. It also notes that this may cause problems for some programs that users rely on.
Additionally, the 4 hyperlinks are mapped in Burp Suite’s passive crawler, leading to different endpoints:
Contacting IT support (supportrequest.html)
The supportrequest.html file outlines instructions for contacting IT support within the organization.
- Users are advised to dial the internal number “0866” for phone support.
- The use of a phone extension suggests that there may be an internal VoIP system within the domain
- For email inquiries, the designated address is support@scramblecorp.com
- The mentioned domain is NOT scrm.local
- Users are instructed to include network information by following specific steps outlined in a command prompt
- A username is exposed; ksimpson
- The ksimpson user is potentially an admin user, as this file is likely created by the IT department
- The structure of the username suggests a possible naming convention used by the target organization
- This information may be further leveraged to extract valid domain users
New user account form (newuser.html)
The newuser.html file contains a POST form to request a user account for new employees.
While the functionality of the form is questionable, it does reveal the departments that the target organization has:
- HR
- Sales
- Production
- Administration
The form seems non-operational since it issues a GET request to the file itself, including a parameter and value that imply it is merely a demonstration.
Report a problem with the sales orders app (salesorders.html)
The salesorders.html file highlights troubleshooting instructions for the Sales Orders app, a custom application supposedly used by the organization.
- Users are advised to enable debug logging by clicking the Edit button before signing in, ticking the Enable debug logging option, and reproducing the issue.
- The disclosed FQDN matches the FQDN of the target system. The port is set to 4411, and version information is disclosed; 1.0.3
- This suggests that the unknown service on the target port 4411 is the server application for this Sales Orders application
- Users are instructed to send the generated ScrambleDebugLog file, which is created in the app’s launch folder
Request a password reset (passwords.html)
The passwords.html file addresses the alternative process for password resets during the temporary unavailability of the self-service system.
While the self-service password reset system is temporarily unavailable, users are instructed to contact the IT support line for assistance. If no immediate support is available, users are encouraged to leave a message stating their username, and the password will be reset to match the username.
The file provides clear evidence for the presence of a self-service password reset system. That being said, the password reset will set the password to match the requesting user’s username.
Fuzzing
```
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .html,.txt
________________________________________________
:: Method : GET
:: URL : http://10.10.11.168/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[status: 200, Size: 2313, Words: 91, Lines: 84, Duration: 97ms]
images [status: 301, Size: 150, Words: 9, Lines: 2, Duration: 181ms]
index.html [status: 200, Size: 2313, Words: 91, Lines: 84, Duration: 186ms]
support.html [status: 200, Size: 2204, Words: 117, Lines: 89, Duration: 93ms]
assets [status: 301, Size: 150, Words: 9, Lines: 2, Duration: 86ms]
newuser.html [status: 200, Size: 2888, Words: 130, Lines: 107, Duration: 87ms]
passwords.html [status: 200, Size: 1668, Words: 101, Lines: 61, Duration: 88ms]
supportrequest.html [status: 200, Size: 2476, Words: 135, Lines: 90, Duration: 88ms]
:: Progress: [661641/661641] :: Job [1/1] :: 395 req/sec :: Duration: [0:25:52] :: Errors: 0 ::
```
Fuzzing the web server does not return any additional files or directories.
Virtual Host / Sub-domain Discovery
```
┌──(kali㉿kali)-[~/archive/htb/labs/scrambled]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.scrm.local' -fs 2313
________________________________________________
:: Method : GET
:: URL : http://10.10.11.168/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.scrm.local
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 2313
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 343 req/sec :: Duration: [0:04:31] :: Errors: 0 ::
```
Nothing was found.
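To show how the directory-fuzzing output feeds the `-fs 2313` size filter used in the vhost scan, here is an added Python helper (not part of the original write-up) that parses ffuf's plain-text result lines, drops the redraw duplicates a terminal capture leaves behind, derives the default-page size and buckets the hits. The sample output is constructed from the run above.

```python
import re
from collections import Counter

# One ffuf result line as printed above; an empty name is the bare FUZZ
# position, i.e. the webroot itself.
FFUF_LINE = re.compile(r"^(?P<name>\S*)\s*\[status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
                       r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+)")

# Constructed sample taken from the ffuf run above, including the redraw
# duplicates a terminal capture of ffuf leaves behind.
SAMPLE_OUTPUT = """\
 [status: 200, Size: 2313, Words: 91, Lines: 84, Duration: 97ms]
images [status: 301, Size: 150, Words: 9, Lines: 2, Duration: 181ms]
index.html [status: 200, Size: 2313, Words: 91, Lines: 84, Duration: 186ms]
support.html [status: 200, Size: 2204, Words: 117, Lines: 89, Duration: 93ms]
images [status: 301, Size: 150, Words: 9, Lines: 2, Duration: 86ms]
assets [status: 301, Size: 150, Words: 9, Lines: 2, Duration: 86ms]
newuser.html [status: 200, Size: 2888, Words: 130, Lines: 107, Duration: 87ms]
passwords.html [status: 200, Size: 1668, Words: 101, Lines: 61, Duration: 88ms]
supportrequest.html [status: 200, Size: 2476, Words: 135, Lines: 90, Duration: 88ms]
newuser.html [status: 200, Size: 2888, Words: 130, Lines: 107, Duration: 91ms]
"""

def parse_ffuf(text):
    """Parse ffuf's text output into {name: (status, size, words, lines)},
    skipping banner/progress lines and keeping the first copy of each hit."""
    results = {}
    for line in text.splitlines():
        m = FFUF_LINE.match(line.strip())
        if m and m.group("name") not in results:
            results[m.group("name")] = tuple(
                int(m.group(k)) for k in ("status", "size", "words", "lines"))
    return results

def baseline_size(results):
    """Most common body size among 2xx hits: the default page's size, which is
    what the vhost scan above suppresses with -fs 2313 (index.html's size)."""
    sizes = Counter(r[1] for r in results.values() if 200 <= r[0] < 300)
    return sizes.most_common(1)[0][0] if sizes else None

def triage(results, baseline):
    """Bucket hits into redirects, default-page-sized pages and distinct pages."""
    buckets = {"redirect": [], "default_size": [], "distinct": []}
    for name, (status, size, _, _) in sorted(results.items()):
        if 300 <= status < 400:
            buckets["redirect"].append(name)
        elif size == baseline:
            buckets["default_size"].append(name)
        else:
            buckets["distinct"].append(name)
    return buckets
```

Filtering on an exact size only works while the default page is static; if the catch-all response varies, ffuf's `-ac` auto-calibration or the word/line filters (`-fw`, `-fl`) are the safer choice.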