Web


Nmap discovered a web server on port 80 of the target, Shibboleth. The running service is Apache httpd 2.4.41.

I got redirected to a domain: shibboleth.htb

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution.

Webroot

It states that it provides an enterprise solution to design websites.

It also shows FlexStart. FlexStart is a creative and modern Bootstrap website template. FlexStart is created for individuals and companies who want to build websites for software, startup, mobile app, digital agency, SaaS, internet services, fintech and related services and products websites.

While the majority of the buttons in the nav header don’t seem to be working, the Blog button leads to a static file at blog.html.

/blog.html


The /blog.html file contains a search bar, but it is not functional.

While there are several posts, they all point to a single page, blog-single.html, which contains some comments. They all seem very much like dummy data.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/shibboleth]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://shibboleth.htb/FUZZ -ic -e .php,.txt,.html
________________________________________________
 :: Method           : GET
 :: URL              : http://shibboleth.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
blog.html               [status: 200, Size: 19196, Words: 5073, Lines: 426, Duration: 94ms]
index.html              [status: 200, Size: 59474, Words: 17014, Lines: 1324, Duration: 1420ms]
assets                  [status: 301, Size: 317, Words: 20, Lines: 10, Duration: 93ms]
forms                   [status: 301, Size: 316, Words: 20, Lines: 10, Duration: 94ms]
changelog.txt           [status: 200, Size: 499, Words: 76, Lines: 16, Duration: 93ms]
readme.txt              [status: 200, Size: 218, Words: 11, Lines: 7, Duration: 95ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

ffuf returned some previously undiscovered files and directories.

/changelog.txt


The /changelog.txt file contains the version information. It uses FlexStart 1.2.0 with Bootstrap 5.0.0-beta3. It also shows the use of several updated 3rd-party libraries and PHP.

/Readme.txt


Dummy data

/forms/


Directory indexing is enabled on the /forms/ directory, and I can see 2 files in it. Those two files don’t strike me as useful.

/forms/Readme.txt


It’s just default dummy data.

/forms/contact.php


Unable to load the file from the client side.

Sub-domain / Virtual host discovery


┌──(kali㉿kali)-[~/archive/htb/labs/shibboleth]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.shibboleth.htb' -fc 302
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.11.124/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.shibboleth.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response status: 302
________________________________________________
 
monitor                 [status: 200, Size: 3689, Words: 192, Lines: 30, Duration: 108ms]
monitoring              [status: 200, Size: 3689, Words: 192, Lines: 30, Duration: 112ms]
zabbix                  [status: 200, Size: 3689, Words: 192, Lines: 30, Duration: 112ms]
:: Progress: [114441/114441] :: Job [1/1] :: 428 req/sec :: Duration: [0:04:33] :: Errors: 0 ::

ffuf found 3 sub-domains / virtual hosts. Based on the returned byte lengths, they all appear to be identical.

  • monitor.shibboleth.htb
  • monitoring.shibboleth.htb
  • zabbix.shibboleth.htb
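
The "identical byte lengths" check above can be done mechanically. The following is an added example, not part of the original notes: it parses ffuf hit lines in the format shown on this page and groups host names that share the same status, size, word and line counts. The function names and the embedded sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the hit lines and progress line as printed on this page.
SAMPLE = """\
monitor                 [status: 200, Size: 3689, Words: 192, Lines: 30, Duration: 108ms]
monitoring              [status: 200, Size: 3689, Words: 192, Lines: 30, Duration: 112ms]
zabbix                  [status: 200, Size: 3689, Words: 192, Lines: 30, Duration: 112ms]
:: Progress: [114441/114441] :: Job [1/1] :: 428 req/sec :: Duration: [0:04:33] :: Errors: 0 ::
"""

# One ffuf hit: "<word>  [Status: N, Size: N, Words: N, Lines: N, Duration: ...]"
HIT = re.compile(
    r"^(?P<name>\S+)\s+\[status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+),",
    re.IGNORECASE,
)

def group_hits(text, domain):
    """Group hits by (status, size, words, lines). Duration is timing noise and is ignored."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = HIT.match(line.strip())
        if not m:
            continue  # banner, progress line, or blank line
        fingerprint = tuple(int(m[k]) for k in ("status", "size", "words", "lines"))
        groups[fingerprint].append(f"{m['name']}.{domain}")
    return dict(groups)

def likely_aliases(text, domain):
    """Host names sharing one fingerprint are probably aliases of the same virtual host.
    Equal counts are a strong hint, not proof; comparing response bodies confirms it."""
    return [sorted(names) for names in group_hits(text, domain).values() if len(names) > 1]

if __name__ == "__main__":
    for fingerprint, names in group_hits(SAMPLE, "shibboleth.htb").items():
        print(fingerprint, "->", ", ".join(names))
```
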

zabbix.shibboleth.htb


They all point to the same instance of Zabbix. Zabbix is an open-source software tool to monitor IT infrastructure such as networks, servers, virtual machines, and cloud services. Zabbix collects and displays basic metrics.

I tried both weak and default credentials, and none of them worked. I would need a valid credential to proceed.