Webroot


Nmap has identified that the target system is hosting a web server, Apache httpd 2.2.22, on port 80. This is the webroot of the target on port 80.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/valentine]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt -u http://$IP/FUZZ -ic
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v1.5.0 Kali Exclusive <3
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.79/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
index.php               [Status: 200, Size: 38, Words: 2, Lines: 2, Duration: 30ms]
decode.php              [Status: 200, Size: 552, Words: 73, Lines: 26, Duration: 28ms]
:: Progress: [35325/35325] :: Job [1/1] :: 1399 req/sec :: Duration: [0:00:28] :: Errors: 1 ::

Fuzzing the web server reveals a file: /decode.php

Navigating to the /decode.php file, it is a decoder.

As there is a /decode.php, there is also an /encode.php.

┌──(kali㉿kali)-[~/archive/htb/labs/valentine]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt -u http://$IP/FUZZ/ -ic   
 
        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       
 
       v1.5.0 Kali Exclusive <3
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.79/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-directories.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
 
cgi-bin                 [Status: 403, Size: 287, Words: 21, Lines: 11, Duration: 36ms]
dev                     [Status: 200, Size: 1097, Words: 62, Lines: 16, Duration: 33ms]
doc                     [Status: 403, Size: 283, Words: 21, Lines: 11, Duration: 30ms]
index                   [Status: 200, Size: 38, Words: 2, Lines: 2, Duration: 30ms]
icons                   [Status: 403, Size: 285, Words: 21, Lines: 11, Duration: 29ms]
server-status           [Status: 403, Size: 293, Words: 21, Lines: 11, Duration: 27ms]
encode                  [Status: 200, Size: 554, Words: 73, Lines: 28, Duration: 35ms]
:: Progress: [62284/62284] :: Job [1/1] :: 1371 req/sec :: Duration: [0:00:48] :: Errors: 3 ::

Additional fuzzing for directories reveals a few: /dev/ and /encode/. /dev/ looks particularly interesting.

This is the /dev/ directory. Directory indexing is enabled.

It lists two files: hype_key & notes.txt.


┌──(kali㉿kali)-[~/archive/htb/labs/valentine]
└─$ wget http://10.10.10.79/dev/hype_key ; wget http://10.10.10.79/dev/notes.txt
--2022-10-08 00:05:18--  http://10.10.10.79/dev/hype_key
Connecting to 10.10.10.79:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5383 (5.3K)
Saving to: ‘hype_key’
 
hype_key                             100%[=====================================================================>]   5.26K  --.-KB/s    in 0s      
 
2022-10-08 00:05:18 (463 MB/s) - ‘hype_key’ saved [5383/5383]
 
--2022-10-08 00:05:18--  http://10.10.10.79/dev/notes.txt
Connecting to 10.10.10.79:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 227 [text/plain]
Saving to: ‘notes.txt’
 
notes.txt                            100%[=====================================================================>]     227  --.-KB/s    in 0s      
 
2022-10-08 00:05:18 (9.47 MB/s) - ‘notes.txt’ saved [227/227]

Downloading the two files via wget.

┌──(kali㉿kali)-[~/archive/htb/labs/valentine]
└─$ cat hype_key           
2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0d 0a 50 72 6f 63 2d 54 79 70 65 3a 20 34 2c 45 4e 43 52 59 50 54 45 44 0d 0a 44 45 4b 2d 49 6e 66 6f 3a 20 41 45 53 2d 31 32 38 2d 43 42 43 2c 41 45 [........................................................................]

hype_key is a file containing hex codes.

┌──(kali㉿kali)-[~/…/htb/labs/valentine/dev]
└─$ hurl -x  
"[...6 37 36 59 2f 59 4d 72 6d 6e 4d 39 6b 2f 31 78 53 47 49 73 6b 77 43 55 51 2b 39 35 43 47 48 4a 45 38 4d 6b 68 44 33 0d 0a 2d 2d 2d 2d 2d 45 4e 44 20 52 53 41 20 50 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d...]"
 
original hex      :: [...2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0d0a50726f632d547...]
ascii/raw decoded :: 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46
 
[...]
-----END RSA PRIVATE KEY-----

I can use hurl to decode the hex codes. hype_key turns out to be an encrypted RSA private key (PEM) encoded in hexadecimal. It’s passphrase-protected, so there is nothing I can do with it for now.
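The same hex-to-PEM step in Python, as an added example rather than the page's own hurl output: it decodes a spaced hex dump, normalises the 0d 0a (CRLF) line endings visible in the dump, and reads the Proc-Type/DEK-Info headers to tell whether the key is passphrase-protected and with which cipher, without needing the passphrase. The hex input is a constructed sample laid out like hype_key (same headers and IV as shown above); its body line is a placeholder, not key material.

```python
import binascii
import re

# Constructed sample (not the real hype_key): the hex dump of a PEM file with
# CRLF line endings and the same Proc-Type / DEK-Info headers seen in /dev/.
# The body line is a placeholder, not key material.
SAMPLE_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "Proc-Type: 4,ENCRYPTED\r\n"
    "DEK-Info: AES-128-CBC,AEB88C140F69BF2074788DE24AE48D46\r\n"
    "\r\n"
    "PLACEHOLDERKEYBODYLINE000000000000000000000000000000000000000000\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
)
SAMPLE_HEX = " ".join(f"{b:02x}" for b in SAMPLE_PEM.encode("ascii"))

# IV length in bytes for the DEK-Info ciphers OpenSSL commonly emits.
IV_BYTES = {"AES-128-CBC": 16, "AES-192-CBC": 16, "AES-256-CBC": 16, "DES-EDE3-CBC": 8}


def hex_to_text(hex_blob: str) -> str:
    """Turn a space/newline separated hex dump back into text, converting the
    0d 0a (CRLF) line endings to LF so openssl/ssh-keygen read the file cleanly."""
    raw = binascii.unhexlify("".join(hex_blob.split()))
    return raw.decode("ascii").replace("\r\n", "\n")


def inspect_pem(text: str) -> dict:
    """Describe a PEM block without decrypting it: an encrypted OpenSSL-style key
    carries 'Proc-Type: 4,ENCRYPTED' and 'DEK-Info: <cipher>,<hex IV>' headers."""
    text = text.replace("\r\n", "\n")
    begin = re.search(r"^-----BEGIN (.+?)-----$", text, re.M)
    end = re.search(r"^-----END (.+?)-----$", text, re.M)
    if not begin or not end or begin.group(1) != end.group(1):
        raise ValueError("not a well-formed PEM block")
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", text, re.M)
    cipher = dek.group(1) if dek else None
    iv = dek.group(2).upper() if dek else None
    expected = IV_BYTES.get(cipher)
    return {
        "kind": begin.group(1),
        "encrypted": bool(re.search(r"^Proc-Type:\s*4,ENCRYPTED\s*$", text, re.M)),
        "cipher": cipher,
        "iv": iv,
        # The IV must be exactly one cipher block long (32 hex chars for AES-CBC).
        "iv_ok": expected is not None and iv is not None and len(iv) == 2 * expected,
    }


if __name__ == "__main__":
    print(inspect_pem(hex_to_text(SAMPLE_HEX)))
```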

┌──(kali㉿kali)-[~/archive/htb/labs/valentine]
└─$ cat notes.txt 
to do:
 
1) Coffee.
2) Research.
3) Fix decoder/encoder before going live.
4) Make sure encoding/decoding is only done client-side.
5) Don't use the decoder/encoder until any of this is done.
6) Find a better way to take notes.

The notes.txt file has a to-do list pointing out a few key points: the encoder/decoder is not finished, and encoding/decoding is supposed to happen only client-side.

Testing the web app


Testing /encode.php, I submitted “qwe”.

cXdl came out, which is the base64 encoding of qwe.

Testing /decode.php now, I decode the output of /encode.php above and “qwe” comes back. It works.

/encode/

There was a directory named /encode/, discovered during the fuzzing earlier. It has the encoder as well.

/encode/encode.php seems to function the same way. What about the decoder?

It’s supposed to be the decoder, but it still says “Secure Data Encoder” at the top. On top of that, the file is /encode/decode.php. I submitted the output of /encode/encode.php, but something else came out. This decoder isn’t the same as /decode.php above.

┌──(kali㉿kali)-[~/archive/htb/labs/valentine]
└─$ hurl -b 'Y1hkbA=='
 
Original string       :: Y1hkbA==
base64 DEcoded string :: cXdl

/encode/decode.php does not decode at all; it base64-encodes its input a second time (cXdl became Y1hkbA==).

That’s about it for the web server on port 80.