Web
Nmap discovered a web server on port 80 of the target.
The running service is Apache httpd 2.4.52.
Webroot
It appears to be a communication platform
Wappalyzer identified the technologies involved: the site is powered by Bolt CMS with PHP 7.4.28.
Bolt is a free, open-source content management system based on PHP. It was released in 2012 and developed by Two Kings and the Bolt community. Bolt uses Twig for templates and includes features for content and user management. Bolt can be installed on any Apache or Nginx web server with SQLite, MySQL or MariaDB and PHP 7.2.9 or later.
Scrolling down a little, there is a section showcasing the team behind the platform.
The names of these 3 executives could potentially be used for username enumeration.
Each individual also has a dedicated page listing an email address, which includes the username:
janit
matt
saul
The product section shows 3 available plans for the service.
While the free plan in the middle is available, the other 2 appear to be in development, and they link to the jamovi service running on port 8080 and the Rocket.Chat service on port 3000.
The website also has a search bar.
Testing it for SQLi came out negative.
That’s about it for the website. I will move on to the next service.
Fuzzing
Fuzzing doesn’t seem to be possible, as the web server appears to have a mitigation in place that effectively blocks the Kali machine’s IP address.
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/archive/htb/labs/talkative]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.talkative.htb' -fc 301
________________________________________________
:: Method : GET
:: URL : http://10.10.11.155/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.talkative.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response status: 301
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 93 req/sec :: Duration: [0:04:42] :: Errors: 0 ::
Nothing found
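Seen from the defending side, a sweep like the ffuf run above shows up in the access log as one client sending a different Host header on nearly every request. The Python example below is added here and is not part of the original notes; the log format (`%h %{Host}i %t "%r" %>s`), the thresholds, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed Apache format (not from the page): LogFormat "%h %{Host}i %t \"%r\" %>s"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \[[^\]]+\] "[^"]*" \d{3}$'
)


def find_vhost_sweeps(lines, base_domain="talkative.htb", min_hosts=20, min_ratio=0.8):
    """Flag clients whose requests name many distinct subdomains of base_domain.

    A browser sends many requests to a few Host values; a virtual host sweep
    sends roughly one request per guessed Host, so distinct/total is near 1.
    Returns {client_ip: distinct_subdomain_count}.
    """
    suffix = "." + base_domain
    guessed = defaultdict(set)   # ip -> distinct subdomain Host values
    total = defaultdict(int)     # ip -> parsed request count
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # skip lines that do not fit the assumed format
        ip = m["ip"]
        host = m["host"].lower().rsplit(":", 1)[0]  # drop an optional :port
        total[ip] += 1
        if host.endswith(suffix):
            guessed[ip].add(host)
    return {
        ip: len(seen)
        for ip, seen in guessed.items()
        if len(seen) >= min_hosts and len(seen) / total[ip] >= min_ratio
    }


def sample_log():
    """Constructed sample: one sweeping client and one ordinary visitor."""
    ts = "[10/Apr/2022:12:00:00 +0000]"
    sweep = [f'203.0.113.5 guess{i}.talkative.htb {ts} "GET / HTTP/1.1" 301'
             for i in range(30)]
    normal = [f'198.51.100.7 talkative.htb {ts} "GET /page/{i} HTTP/1.1" 200'
              for i in range(40)]
    return sweep + normal


if __name__ == "__main__":
    for ip, count in find_vhost_sweeps(sample_log()).items():
        print(f"{ip}: {count} distinct Host values under talkative.htb")
```

Apache's stock `%v` field records the serving virtual host rather than the requested one, so the requested Host header has to be logged explicitly with `%{Host}i` for this check to work.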