Web
Nmap discovered a web server running on the target port 443
The running service is nginx 1.18.0
Webroot
It appears to be an online shop providing vegetables
According to Wappalyzer, the web app is written in Java
It uses JSESSIONID.
While the web app is confirmed to be a Java application, it is likely served by a Servlet container such as Tomcat or Jetty
There is a section below that showcases reviews.
Jomono is a potential username
Since there isn’t much going on with the website itself, I will go ahead and start fuzzing
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/seal]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://seal.htb/FUZZ -ic -e .jsp,.txt,.html
________________________________________________
:: Method : GET
:: URL : https://seal.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .jsp .txt .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 19737, Words: 7425, Lines: 519, Duration: 94ms]
images [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 96ms]
admin [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 94ms]
icon [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 94ms]
css [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 94ms]
js [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 93ms]
manager [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 99ms]
ffuf found 2 interesting directories: /admin/ and /manager/
/admin/
I got a 404 on the /admin/ directory.
Yet it reveals information about the web engine: Apache Tomcat 9.0.31
As expected from the whole Java session cookie thing above, there’s likely a Tomcat instance
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/seal]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://seal.htb/admin/FUZZ -ic -e .jsp,.txt,.html
________________________________________________
:: Method : GET
:: URL : https://seal.htb/admin/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
:: Extensions : .jsp .txt .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
dashboard.html [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 92ms]
dashboard [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 92ms]
dashboard.txt [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 92ms]
dashboard.jsp [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 92ms]
Fuzzing the /admin/ directory revealed some entries, but they all returned with the code 403
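From the defender's side, the two ffuf runs above leave a recognizable trace in the nginx access log: one client requesting each word bare and again with .jsp, .txt and .html, with nearly every answer a 403 or 404. The Python sketch below is an added example, not part of the original writeup; the log lines, IP addresses, extra path words and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Variants produced by the ffuf option `-e .jsp,.txt,.html`; "" is the bare word.
VARIANTS = {"", ".jsp", ".txt", ".html"}
# nginx "combined" format: client IP, request path and status are all we need.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def split_stem(path):
    """Return (stem, ext); ext is None when the suffix is not a swept variant."""
    path = path.split("?", 1)[0]
    last = path.rsplit("/", 1)[-1]
    dot = last.rfind(".")
    if dot == -1:
        return path, ""
    ext = last[dot:].lower()
    return (path[:-len(ext)], ext) if ext in VARIANTS else (path, None)

def find_enumerators(lines, min_stems=3, min_variants=3, min_miss_ratio=0.8):
    """Map client IP -> stems it requested under >= min_variants suffixes."""
    seen = defaultdict(lambda: defaultdict(set))  # ip -> stem -> {ext}
    total, misses = defaultdict(int), defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        ip = m["ip"]
        total[ip] += 1
        misses[ip] += m["status"] in ("403", "404")
        stem, ext = split_stem(m["path"])
        if ext is not None:
            seen[ip][stem].add(ext)
    flagged = {}
    for ip, stems in seen.items():
        swept = sorted(s for s, exts in stems.items() if len(exts) >= min_variants)
        if len(swept) >= min_stems and misses[ip] / total[ip] >= min_miss_ratio:
            flagged[ip] = swept
    return flagged

def sample_log():
    """Constructed log lines: one ordinary visitor, one client sweeping /admin/."""
    fmt = '{ip} - - [01/Jan/2024:12:00:00 +0000] "GET {p} HTTP/1.1" {s} 162 "-" "-"'
    lines = [fmt.format(ip="192.0.2.10", p=p, s=200)
             for p in ("/", "/index.html", "/css/style.css", "/js/app.js")]
    for word in ("dashboard", "login", "backup", "config"):
        status = 403 if word == "dashboard" else 404
        lines += [fmt.format(ip="198.51.100.7", p=f"/admin/{word}{ext}", s=status)
                  for ext in ("", ".jsp", ".txt", ".html")]
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

The miss-ratio condition keeps a legitimate crawler that happens to fetch several real variants of a page from being flagged; tune the thresholds against your own traffic.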
/manager/
Upon sending a GET request to the /manager/ directory, I got redirected to /manager/html
This is very likely from Tomcat
It’s possible it’s running off Apache Tomcat 9.0.31 on a different socket, and re-routed through the Nginx HTTPS proxy over port 443
Nevertheless, I do not have any credential for now.