Web


Nmap discovered a web server on the target's port 443 over SSL/TLS. The running service is Microsoft IIS httpd 10.0.

Webroot

It appears to be the same static web app seen on port 80.

HTTP/2


Except that it uses HTTP/2.

There is a known vulnerability class (HTTP/2 request smuggling via downgrade): if the front end translates incoming HTTP/2 requests back to HTTP/1.1 for a back end, a request may be crafted so that its header fields carry data the HTTP/1.1 parser interprets differently. It only works if the proxy layer does not validate those header fields before downgrading. However, this appears rather irrelevant in the current assessment.
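As an added illustration, not code from the original writeup, here is the kind of check the proxy layer is expected to perform before downgrading: it rejects HTTP/2 requests carrying connection-specific headers, control bytes in field names or values, or a content-length that disagrees with the body, and only then serialises the request as HTTP/1.1. The sample requests and the host name are constructed for the example.

```python
import re
from typing import List, Tuple

# Hop-by-hop / framing headers that RFC 9113 (HTTP/2) forbids in a request.
# If a downgrading front end forwards them to an HTTP/1.1 back end, the two
# parsers may disagree on where the request body ends.
CONNECTION_SPECIFIC = {b"connection", b"keep-alive", b"proxy-connection",
                       b"transfer-encoding", b"upgrade"}
CTL = re.compile(rb"[\r\n\x00]")                      # CR, LF, NUL: never legal in h2 fields
TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9a-z]+$")  # lowercase token chars only

def h2_downgrade_problems(headers: List[Tuple[bytes, bytes]], body: bytes) -> List[str]:
    """Return the reasons a front end must refuse to downgrade; empty list = safe."""
    problems: List[str] = []
    lengths = set()
    for name, value in headers:
        if CTL.search(name) or CTL.search(value):
            problems.append(f"control bytes in field {name!r}")
        if name.startswith(b":"):                     # pseudo-headers (:method, :path, ...)
            continue
        if not TOKEN.match(name):
            problems.append(f"malformed or non-lowercase name {name!r}")
        if name in CONNECTION_SPECIFIC or (name == b"te" and value.strip().lower() != b"trailers"):
            problems.append(f"connection-specific header {name!r}")
        if name == b"content-length":
            lengths.add(value)
    if lengths:                                        # exactly one numeric value, matching the body
        if len(lengths) > 1 or not next(iter(lengths)).isdigit():
            problems.append("ambiguous content-length")
        elif int(next(iter(lengths))) != len(body):
            problems.append(f"content-length does not match {len(body)}-byte body")
    return problems

def downgrade_to_h1(headers: List[Tuple[bytes, bytes]], body: bytes) -> bytes:
    """Serialise an HTTP/2 request as HTTP/1.1, refusing anything the check flags."""
    problems = h2_downgrade_problems(headers, body)
    if problems:
        raise ValueError("; ".join(problems))
    pseudo = {k: v for k, v in headers if k.startswith(b":")}
    lines = [pseudo[b":method"] + b" " + pseudo[b":path"] + b" HTTP/1.1",
             b"host: " + pseudo[b":authority"]]
    lines += [k + b": " + v for k, v in headers
              if not k.startswith(b":") and k != b"content-length"]
    lines.append(b"content-length: %d" % len(body))   # front end sets framing itself
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

# Constructed sample requests (not captured from the target).
CLEAN = [(b":method", b"POST"), (b":path", b"/staff"), (b":authority", b"example.test"),
         (b"content-type", b"text/plain")]
SMUGGLED = CLEAN + [(b"transfer-encoding", b"chunked")]
```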

/certsrv


The /certsrv endpoint is also present here over TLS.

/certenroll


The /certenroll endpoint can also be seen, with the same response from the web server.

/staff


While every enumerated endpoint looks identical over TLS, as shown above, the /staff endpoint is different: the web server does not respond to the request at all, and Burp Suite returns an error instead.

This suggests that whatever resource is hosted at /staff does not tolerate being proxied over TLS and simply drops those requests.

I could access the endpoint using a standalone Chromium browser without proxying through Burp Suite. However, it still shows the same 403. This endpoint appears rather interesting as it behaves much differently compared to the others.

CLEARTEXT Credential in the Image


It turns out that the issue lies in the Our Features section of the static index page.

As ridiculous as it appears, there is apparently a CLEARTEXT credential. (It would appear that the author wanted to showcase the extremely unlikely scenario of an organization accidentally leaking a CLEARTEXT credential on their website.)

Moving on to the Exploitation phase.