Web


Nmap discovered a web server on port 80 of the target. The running service is Microsoft IIS httpd 10.0.

Webroot: the site appears to provide some kind of online service for businesses.

The identical web app is available through the hostname.

Wappalyzer identified the technologies involved.

There is an Our Team section that contains 8 individual profiles, which may be potential domain users.

Moreover, the Testimonials section contains 4 additional profiles.

There is a contact form, but it does not appear to be functional.

2 additional potential users are found in the Our Blog section.

The images in the Our Blog section point to the single.html file, which was also picked up by Burp Suite's crawler.

single.html


The single.html file appears to be a blog article. It shows that it was posted by admin.

The article itself is pretty much arbitrary. There is what appears to be a search bar, but it's not functional.

At the bottom, there is a comment section with some comments and a form, which doesn't work. So far, the website appears strictly static.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/common.txt -t 200 -u http://$IP/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.11.129/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
certenroll              [status: 301, Size: 154, Words: 9, Lines: 2, Duration: 111ms]
certsrv                 [status: 401, Size: 1293, Words: 81, Lines: 30, Duration: 112ms]
css                     [status: 301, Size: 147, Words: 9, Lines: 2, Duration: 78ms]
fonts                   [status: 301, Size: 149, Words: 9, Lines: 2, Duration: 31ms]
images                  [status: 301, Size: 150, Words: 9, Lines: 2, Duration: 36ms]
index.html              [status: 200, Size: 44982, Words: 13260, Lines: 1030, Duration: 40ms]
js                      [status: 301, Size: 146, Words: 9, Lines: 2, Duration: 42ms]
staff                   [status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 68ms]
:: Progress: [4723/4723] :: Job [1/1] :: 4504 req/sec :: Duration: [0:00:01] :: Errors: 0 ::

ffuf discovered endpoints at /certenroll, /certsrv, and /staff.

The presence of both the /certenroll and /certsrv endpoints indicates that the target DC host has ADCS configured along with the web enrollment service. While this is rather expected, since certsrv.exe was confirmed to be present on several MSRPC endpoints, I will take a look at those web endpoints.
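To make the ffuf result set easier to triage, here is a small parser for the output format shown above. It is an added example, not part of the original write-up or of ffuf itself; the sample input is the result lines from the run above pasted into a string, so it runs offline. It groups hits by their (status, words, lines) signature, which separates server-generated boilerplate (the IIS 301 directory redirects all share one signature) from responses worth reading individually, and it flags the two paths that indicate the ADCS web enrollment role. The path names and the "ADCS indicator" classification are the example's own assumptions about what those directories mean on an IIS host.

```python
import re
from collections import defaultdict

# Constructed sample input: the result lines of the ffuf run shown above,
# pasted into a string so the parser can be exercised offline.
FFUF_OUTPUT = """\
certenroll              [status: 301, Size: 154, Words: 9, Lines: 2, Duration: 111ms]
certsrv                 [status: 401, Size: 1293, Words: 81, Lines: 30, Duration: 112ms]
css                     [status: 301, Size: 147, Words: 9, Lines: 2, Duration: 78ms]
fonts                   [status: 301, Size: 149, Words: 9, Lines: 2, Duration: 31ms]
images                  [status: 301, Size: 150, Words: 9, Lines: 2, Duration: 36ms]
index.html              [status: 200, Size: 44982, Words: 13260, Lines: 1030, Duration: 40ms]
js                      [status: 301, Size: 146, Words: 9, Lines: 2, Duration: 42ms]
staff                   [status: 403, Size: 1233, Words: 73, Lines: 30, Duration: 68ms]
:: Progress: [4723/4723] :: Job [1/1] :: 4504 req/sec :: Duration: [0:00:01] :: Errors: 0 ::
"""

# One ffuf result line: "<path>  [Status: NNN, Size: N, Words: N, Lines: N, Duration: Nms]".
# Matched case-insensitively because pasted output sometimes lowercases "Status".
RESULT_RE = re.compile(
    r"^(?P<path>\S+)\s+\[status:\s*(?P<status>\d{3}),\s*size:\s*(?P<size>\d+),"
    r"\s*words:\s*(?P<words>\d+),\s*lines:\s*(?P<lines>\d+),\s*duration:\s*(?P<ms>\d+)ms\]",
    re.IGNORECASE,
)

# Assumption of this example: on an IIS host these directories belong to the
# ADCS web enrollment role (/certsrv) and its CRL/certificate share (/certenroll).
ADCS_PATHS = {"certsrv", "certenroll"}


def parse_ffuf(text):
    """Return one dict per result line; progress/summary lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        hits.append({
            "path": d["path"],
            "status": int(d["status"]),
            "size": int(d["size"]),
            "words": int(d["words"]),
            "lines": int(d["lines"]),
            "ms": int(d["ms"]),
        })
    return hits


def group_by_signature(hits):
    """Group hits by (status, words, lines).

    Redirect and error pages generated by the server share one signature, so a
    large group is usually boilerplate, while a singleton is a response that
    deserves a closer look on its own.
    """
    groups = defaultdict(list)
    for h in hits:
        groups[(h["status"], h["words"], h["lines"])].append(h["path"])
    return dict(groups)


def adcs_indicators(hits):
    """Paths in the result set that reveal ADCS web enrollment on the host."""
    return sorted(h["path"] for h in hits if h["path"].strip("/").lower() in ADCS_PATHS)


def access_controlled(hits):
    """Paths answered with 401/403: present on the server but gated by IIS auth or ACLs."""
    return sorted(h["path"] for h in hits if h["status"] in (401, 403))


if __name__ == "__main__":
    results = parse_ffuf(FFUF_OUTPUT)
    for sig, paths in sorted(group_by_signature(results).items()):
        print(f"status={sig[0]} words={sig[1]} lines={sig[2]}: {', '.join(paths)}")
    print("ADCS indicators:", adcs_indicators(results))
    print("Auth/ACL gated:", access_controlled(results))
```

Run against the sample, the five 301 hits collapse into one group, leaving /certsrv (401), /staff (403) and index.html (200) as the three responses that actually differ, which matches the triage the write-up does by hand.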

/staff


403

/certenroll


403 as expected

/certsrv


The /certsrv endpoint prompts for HTTP Basic authentication, which in most cases is configured with the credentials of a domain admin.
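From the defending side, the thing to check on an endpoint like /certsrv is not just that it asks for authentication but which scheme it advertises and over what transport: Basic authentication sends the credentials base64-encoded, so over plain http:// they are readable on the wire, whereas Negotiate/NTLM does not expose them that way. The following is an added example, not code from the original write-up, that parses the WWW-Authenticate challenge(s) from a raw 401 response and flags Basic offered over cleartext HTTP. The two sample responses are constructed for the example (the realm value is made up) and are not captured from the target.

```python
import re
from urllib.parse import urlsplit

# Constructed sample 401 responses (not captured from the target): what an IIS
# endpoint returns with the Basic provider versus the Windows auth providers.
BASIC_OVER_HTTP = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    'WWW-Authenticate: Basic realm="EXAMPLE-REALM"\r\n'
    "Content-Length: 1293\r\n"
    "\r\n"
)
WINDOWS_AUTH = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "WWW-Authenticate: Negotiate\r\n"
    "WWW-Authenticate: NTLM\r\n"
    "\r\n"
)

# A scheme token sits at the start of the header value or after a comma
# (a single WWW-Authenticate header may carry several challenges).
SCHEME_RE = re.compile(r"(?:^|,\s*)([A-Za-z][\w-]*)(?=\s|,|$)")


def parse_response_head(raw):
    """Split a raw HTTP response into (status_code, [(lowercased name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def auth_schemes(headers):
    """Collect every authentication scheme advertised in WWW-Authenticate headers."""
    schemes = set()
    for name, value in headers:
        if name == "www-authenticate":
            schemes.update(s.lower() for s in SCHEME_RE.findall(value))
    return schemes


def assess_endpoint(url, raw_response):
    """Summarise the authentication posture of one endpoint.

    basic_over_cleartext is the finding to remediate: require HTTPS on the
    site or switch the provider to Windows authentication. basic_offered is
    weaker but still noteworthy, since Basic credentials are replayable.
    """
    status, headers = parse_response_head(raw_response)
    schemes = auth_schemes(headers) if status == 401 else set()
    cleartext = urlsplit(url).scheme.lower() == "http"
    return {
        "status": status,
        "schemes": sorted(schemes),
        "basic_offered": "basic" in schemes,
        "basic_over_cleartext": "basic" in schemes and cleartext,
    }


if __name__ == "__main__":
    for label, raw in (("basic", BASIC_OVER_HTTP), ("windows", WINDOWS_AUTH)):
        print(label, assess_endpoint("http://10.10.11.129/certsrv", raw))
```

The same function applied to an https:// URL reports basic_offered but not basic_over_cleartext, which is how a remediation of "enable TLS on the site" would show up in a re-test.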