Internal Web


The presence of the internal web application was initially suggested by the network, and later confirmed by PEAS as well.

www-data@sea:/var/www$ curl -i http://127.0.0.1:8080/
HTTP/1.0 401 Unauthorized
Host: 127.0.0.1:8080
Date: Sun, 11 Aug 2024 17:34:17 GMT
Connection: close
X-Powered-By: PHP/7.4.3-4ubuntu2.23
WWW-Authenticate: Basic realm="Restricted Area"
Content-type: text/html; charset=UTF-8
 
Unauthorized access

Sending a GET request to the web root returns 401. Interestingly, it uses WWW-Authenticate: Basic realm="Restricted Area".

Since there is an amay user session from the lateral movement, I could easily tunnel this internal web application via SSH.

SSH Tunneling


┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ ssh -L 8888:127.0.0.1:8080 amay@sea.htb -N -f
amay@sea.htb's password: mychemicalromance

Tunneled Kali’s port 8888 to the target socket 127.0.0.1:8080.

Application


Heading over to http://127.0.0.1:8888 prompted for a credential.

I was able to authenticate with the credential of the amay user. The internal web application is System Monitor, in development. It serves several features.

System Management


Those system management features use specific endpoints.

Analyze Log File


However, the Analyze Log File feature might be vulnerable to OS command injection, as it specifies the file in the value.
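
For reference, this is why a client-supplied file value is risky in a feature like this, and what a hardened handler looks like. It is an added example, not the System Monitor's own code; the labels, paths, the `log_file` parameter name and both function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not the System Monitor's own code. The labels, paths and
// the 'log_file' parameter name are assumptions made for illustration.

// Risky shape (comment only): a request value placed on a shell command line
// is parsed by the shell, so the client controls more than the file name.
//   $out = shell_exec('cat ' . $_POST['log_file']);

// Hardened shape: the client sends a short label; paths live server-side.
const LOG_FILES = [
    'access' => '/var/log/apache2/access.log',
    'auth'   => '/var/log/auth.log',
];

function resolve_log(string $label): ?string
{
    // Exact key match only. Paths, traversal sequences and shell
    // metacharacters all fail here because they are not keys.
    return array_key_exists($label, LOG_FILES) ? LOG_FILES[$label] : null;
}

function count_matching_lines(string $label, string $needle): ?int
{
    $path = resolve_log($label);
    if ($path === null) {
        return null;                       // unknown label: reject
    }
    $real = realpath($path);
    if ($real === false || $real !== $path) {
        return null;                       // missing, or a symlink elsewhere
    }
    $fh = fopen($real, 'rb');
    if ($fh === false) {
        return null;                       // not readable by this user
    }
    $hits = 0;
    // Read in-process; no shell or external program is ever started.
    while (($line = fgets($fh)) !== false) {
        if ($needle !== '' && strpos($line, $needle) !== false) {
            $hits++;
        }
    }
    fclose($fh);
    return $hits;
}

// Constructed inputs: one valid label and two values that must be rejected.
foreach (['access', '/etc/hostname', 'auth; uptime'] as $value) {
    var_dump($value, resolve_log($value) !== null);
}
```

Only the first constructed value resolves; the other two are rejected before any file is opened, and nothing in the handler reaches a shell.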