Web


Nmap discovered a web server on the target port 8172 over SSL/TLS. The running service is Microsoft IIS httpd 10.0.

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ curl -k -i https://$IP:8172/                      
HTTP/2 404 
server: Microsoft-IIS/10.0
date: Tue, 30 Jan 2024 13:57:48 GMT
content-length: 0

While this web server also uses HTTP/2, much like the one on port 443, the webroot returned a 404 with an empty body.

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ openssl s_client -connect $ip:8172
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN = WMSvc-SHA2-RESEARCH
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN = WMSvc-SHA2-RESEARCH
verify return:1
---
Certificate chain
 0 s:CN = WMSvc-SHA2-RESEARCH
   i:CN = WMSvc-SHA2-RESEARCH
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Apr  7 09:05:25 2020 GMT; NotAfter: Apr  5 09:05:25 2030 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = WMSvc-SHA2-RESEARCH
issuer=CN = WMSvc-SHA2-RESEARCH
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 1273 bytes and written 581 bytes
verification error: self-signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 253800001099E6723DF3225EACE9EA23A1A50E54EBDB5236260DDDEC9EA6A448
    Session-ID-ctx: 
    Master-Key: 48229CFE0CB46C6FFB3366B320E501569888E68842CB5986C0F18F3539E901B3973179D74D41A2D7CF874BECBE9DF672
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1706623419
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: yes
---

Checking the certificate revealed that it was generated by WMSvc, the IIS Web Management Service that backs IIS Manager for Remote Administration and Web Deploy and listens on TCP 8172 by default. The certificate is self-signed (subject and issuer are both CN = WMSvc-SHA2-RESEARCH) and follows the WMSvc-SHA2-<hostname> naming pattern, so it leaks the machine name RESEARCH. The service does not serve a normal web tree; its endpoints expect authenticated clients, which is consistent with the empty 404 on the webroot.

Unfortunately, this alone does not lead anywhere without credentials.
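As an added example (not part of the original writeup), the script below turns the certificate check above into a reusable recon step: it pulls the leaf certificate from a host:port with openssl, decides whether it is self-signed by comparing subject and issuer CNs, and recovers the machine name from a WMSvc-style CN. The SAMPLE_SUMMARY input is constructed here to match the certificate fields seen above so the script runs offline; the older WMSvc-<hostname> CN form handled alongside WMSvc-SHA2-<hostname> is an assumption about pre-SHA2 IIS installs, not something shown on this page.

```shell
#!/bin/sh
# Added example: fingerprint a TLS service from its certificate and, for
# IIS Web Management Service (WMSvc) certificates, recover the hostname
# encoded in the CN. Not from the original writeup.

# Pull the leaf certificate from host:port and print the fields that matter
# for recon. Needs network access and openssl 1.1.1+ (for -ext).
cert_summary() {
  target="$1"   # host:port, e.g. 10.10.11.129:8172
  openssl s_client -connect "$target" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -ext subjectAltName 2>/dev/null
}

# Extract the CN value from a "subject=..." or "issuer=..." line on stdin.
# $1: field name (subject|issuer)
field_cn() {
  sed -n "s/^$1=.*CN *= *\([^,/]*\).*/\1/p" | head -n1 | sed 's/[[:space:]]*$//'
}

# Exit 0 when subject and issuer CNs are present and identical (self-signed).
is_self_signed() {
  s=$(printf '%s\n' "$1" | field_cn subject)
  i=$(printf '%s\n' "$1" | field_cn issuer)
  [ -n "$s" ] && [ "$s" = "$i" ]
}

# WMSvc self-signed certs are named WMSvc-SHA2-<COMPUTERNAME>; the older
# WMSvc-<COMPUTERNAME> form is assumed for pre-SHA2 installs.
# Prints the hostname, or returns 1 if the CN does not match the pattern.
wmsvc_hostname() {
  cn="$1"
  case "$cn" in
    WMSvc-SHA2-*) printf '%s\n' "${cn#WMSvc-SHA2-}" ;;
    WMSvc-*)      printf '%s\n' "${cn#WMSvc-}" ;;
    *)            return 1 ;;
  esac
}

# Turn a summary into a short recon verdict.
report() {
  summary="$1"
  cn=$(printf '%s\n' "$summary" | field_cn subject)
  if is_self_signed "$summary"; then
    printf 'self-signed cert, CN=%s\n' "$cn"
  else
    printf 'CA-issued cert, CN=%s\n' "$cn"
  fi
  if host=$(wmsvc_hostname "$cn"); then
    printf 'IIS Web Management Service (WMSvc); machine name leaked: %s\n' "$host"
  fi
}

# Constructed sample: what `openssl x509 -noout -subject -issuer -dates`
# prints for the certificate seen on port 8172 (not captured live here).
SAMPLE_SUMMARY='subject=CN = WMSvc-SHA2-RESEARCH
issuer=CN = WMSvc-SHA2-RESEARCH
notBefore=Apr  7 09:05:25 2020 GMT
notAfter=Apr  5 09:05:25 2030 GMT'

# Usage: ./wmsvc_fp.sh 10.10.11.129:8172   (live)
#        ./wmsvc_fp.sh                     (constructed sample)
if [ -n "${1:-}" ]; then
  report "$(cert_summary "$1")"
else
  report "$SAMPLE_SUMMARY"
fi
```

The subject/issuer comparison is what `openssl s_client` reports as verify error 18; doing it explicitly lets the check run in a loop over many hosts without relying on the verifier's exit codes, and the CN parsing is the only part that depends on the WMSvc naming convention.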

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u https://$IP:8172/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : https://10.10.11.129:8172/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [20476/20476] :: Job [1/1] :: 268 req/sec :: Duration: [0:00:56] :: Errors: 0 ::

Nothing shows up: every path in big.txt came back as a 404. That is expected for a management endpoint rather than a site. The Web Deploy handler lives at the fixed path /msdeploy.axd and typically answers unauthenticated requests with a 401 challenge rather than a 404, so checking that path directly is a more useful probe than a generic content wordlist, but without credentials it still goes nowhere.