Web


Nmap discovered a Web server on the target port 80. The running service is Microsoft IIS httpd 10.0.

Webroot: it's the default Windows IIS installation page.

Wappalyzer identified the technologies involved.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .asp,.aspx,.txt
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.10.203/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .asp .aspx .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 703, Words: 27, Lines: 32, Duration: 95ms]
%22julie%20roehm%22.aspx [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 104ms]
%22james%20kim%22.aspx  [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 98ms]
%22britney%20spears%22.aspx [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 100ms]
:: Progress: [882188/882188] :: Job [1/1] :: 387 req/sec :: Duration: [0:37:59] :: Errors: 0 ::

Nothing found.

Virtual Hosts / Sub-domains


The moved.txt file in the Subversion server confirms the domain that the target system is part of: worker.htb. Two virtual hosts / sub-domains have been identified: dimension.worker.htb and devops.worker.htb.

┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ curl -s http://$IP/ | wc -c       
703
 
┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ curl -s http://dimension.worker.htb/ | wc -c
14588
 
┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ curl -s http://devops.worker.htb/ | wc -c  
20029

While no proxy appears to be configured for the Subversion server, that is not the case for the Web server here.

Testing the Web server reveals notable differences in content size: dimension.worker.htb and devops.worker.htb return significantly larger responses than a request to the bare IP address. This suggests that the Microsoft IIS web server is likely configured with a proxy to handle distinct virtual hosts / sub-domains for the identified instances. Further analysis of the web server configuration is recommended to understand these discrepancies.

Before jumping into those instances, I will fuzz the Host header of the HTTP request to discover any other virtual hosts / sub-domains that might be present on the web server.

Virtual Hosts / Sub-domains Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.worker.htb' -fs 703
________________________________________________
 :: Method           : GET
 :: URL              : http://10.10.10.203/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.worker.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 703
________________________________________________
alpha                   [Status: 200, Size: 6495, Words: 391, Lines: 171, Duration: 156ms]
story                   [Status: 200, Size: 16045, Words: 1068, Lines: 356, Duration: 146ms]
cartoon                 [Status: 200, Size: 14803, Words: 927, Lines: 398, Duration: 164ms]
lens                    [Status: 200, Size: 4971, Words: 294, Lines: 112, Duration: 147ms]
dimension               [Status: 200, Size: 14588, Words: 846, Lines: 369, Duration: 98ms]
spectral                [Status: 200, Size: 7191, Words: 446, Lines: 174, Duration: 173ms]
twenty                  [Status: 200, Size: 10134, Words: 641, Lines: 275, Duration: 143ms]
:: Progress: [114441/114441] :: Job [1/1] :: 312 req/sec :: Duration: [0:05:09] :: Errors: 0 ::

ffuf uncovered 6 additional virtual hosts / sub-domains.

Those 6 additional virtual hosts / sub-domains have been appended to the /etc/hosts file on Kali for local DNS resolution.
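
From the defending side, the Host-header fuzzing above leaves a recognisable trace in IIS logs: one client requesting the same path under many host names that are not configured on the server. The sketch below is an added example, not part of the original notes; it assumes IIS W3C logging with the cs-host field enabled, and the log lines, client IPs, list of configured hosts and threshold are all constructed.

```python
from collections import defaultdict

# Constructed IIS W3C extended log excerpt (assumes cs-host is enabled in IIS logging).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status sc-bytes
2024-01-01 10:00:00 10.10.14.5 GET / alpha.worker.htb 200 6495
2024-01-01 10:00:00 10.10.14.5 GET / www.worker.htb 200 703
2024-01-01 10:00:00 10.10.14.5 GET / mail.worker.htb 200 703
2024-01-01 10:00:01 10.10.14.5 GET / ftp.worker.htb 200 703
2024-01-01 10:00:01 10.10.14.5 GET / lens.worker.htb 200 4971
2024-01-01 10:00:02 192.168.1.20 GET / dimension.worker.htb 200 14588
2024-01-01 10:00:03 192.168.1.20 GET /index.html dimension.worker.htb 200 14588
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def host_fuzzing_suspects(text, known_hosts, min_unknown=3):
    """Return {client_ip: sorted unconfigured Host values} for clients at or over the threshold."""
    unknown = defaultdict(set)
    for row in parse_w3c(text):
        host = row.get("cs-host", "-").lower().split(":")[0]  # drop any :port suffix
        if host != "-" and host not in known_hosts:
            unknown[row["c-ip"]].add(host)
    return {ip: sorted(h) for ip, h in unknown.items() if len(h) >= min_unknown}

if __name__ == "__main__":
    # Hypothetical allow-list of host names actually bound on the server.
    configured = {"alpha.worker.htb", "lens.worker.htb", "dimension.worker.htb"}
    for ip, hosts in host_fuzzing_suspects(SAMPLE_LOG, configured).items():
        print(f"{ip}: {len(hosts)} unconfigured Host values, e.g. {hosts[:3]}")
```

In a real log the threshold would be far higher and applied per time window; the 703-byte default-site response seen above is a second signal that a requested Host value matched no binding.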

Due to the current scale of Web enumeration, each virtual host / sub-domain will have its own dedicated page.