Web


Nmap discovered a web server on the target port 80. The running service is Caddy httpd.

┌──(kali㉿kali)-[~/archive/htb/labs/yummy]
└─$ curl -I http://$IP/
HTTP/1.1 302 Found
Location: http://yummy.htb/
Server: Caddy
Date: Sat, 05 Oct 2024 19:31:41 GMT

302 redirect to a domain: yummy.htb

The domain has been appended to the /etc/hosts file on Kali for local name resolution.

Webroot

The webroot is a restaurant website.

Wappalyzer identified the technologies involved. The web application is written in Go and hosted behind Caddy.

book-a-table


The book-a-table section contains a form. Submitting it makes a POST request to the /book endpoint, and the browser is given a session cookie.

manage from my account?

Testimonials


The testimonials section contains possible usernames:

  • Saul Goodman
  • Sara Wilsson
  • Jena Karlis
  • Matt Brandon
  • John Larson

Chefs


The chefs section also contains possible usernames:

  • Walter White
  • Sarah Jhonson
  • William Anderson

Contact


The contact section contains a form.

It doesn't appear to be functional. It might be a dummy form.

Register


The register page is available at /register. There is a button that leads to the login page.

Creating a testing account

Login


There is a login page at the /login endpoint. There is a button that leads to the register page.

Logging in using the testing account. The server replied with an access_token, which appears to be a JWT.

The browser is redirected to the /dashboard endpoint with the given JWT.

Dashboard


Redirected to the /dashboard endpoint after logging in above. It seems that the web app offers an iCalendar feature.

I will attempt to Book A Table again

Booking a table with the testing account


Booking

I will head back to the /dashboard endpoint.

The reservation that was just made appears there. I will check out that iCalendar feature.

iCalendar


Saving

Interestingly, it makes a GET request to the /reminder/21 endpoint, and the server's response points to another endpoint that serves the exported ics file: /export/Yummy_reservation_20241005_202151.ics

The regular response is an ics file with the PRODID attribute set to isc.py.

LFI


Changing the requested file path to /etc/passwd

┌──(kali㉿kali)-[~/archive/htb/labs/yummy]
└─$ cat ~/Downloads/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:102:1::/var/cache/pollinate:/bin/false
polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
syslog:x:103:104::/nonexistent:/usr/sbin/nologin
uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
dev:x:1000:1000:dev:/home/dev:/bin/bash
mysql:x:110:110:MySQL Server,,,:/nonexistent:/bin/false
caddy:x:999:988:Caddy web server:/var/lib/caddy:/usr/sbin/nologin
postfix:x:111:112::/var/spool/postfix:/usr/sbin/nologin
qa:x:1001:1001::/home/qa:/bin/bash
_laurel:x:996:987::/var/log/laurel:/bin/false

LFI confirmed.
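The root cause of an LFI like this one is a download handler that joins a user-supplied filename onto the export directory without confining the result. The following Go example is added here and is not the box's source code: it contrasts a hypothetical unchecked join with a hardened resolver that keeps only the base name, requires the .ics extension, and verifies the final path is still inside the export directory (the directory /var/www/export is an assumed value).

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrBadExportName is returned for any name that does not resolve to an
// .ics file directly inside the export directory.
var ErrBadExportName = errors.New("export name rejected")

// unsafeExportPath is a hypothetical illustration of the defect: the name
// from the URL is joined to the directory with no confinement, so a
// traversal sequence in the name resolves to an arbitrary file.
func unsafeExportPath(exportDir, name string) string {
	return filepath.Join(exportDir, name)
}

// safeExportPath is the hardened form. It strips any directory component,
// enforces the expected extension and double-checks that the cleaned path
// is still relative to the export root.
func safeExportPath(exportDir, name string) (string, error) {
	// Clean with a leading "/" so ".." segments cannot climb; Base then
	// drops whatever directory part remains.
	base := filepath.Base(filepath.Clean("/" + name))
	if base == "." || base == "/" || !strings.HasSuffix(base, ".ics") {
		return "", ErrBadExportName
	}
	root, err := filepath.Abs(exportDir)
	if err != nil {
		return "", err
	}
	full := filepath.Join(root, base)
	// Belt and braces: the path relative to root must not start with "..".
	rel, err := filepath.Rel(root, full)
	if err != nil || strings.HasPrefix(rel, "..") {
		return "", ErrBadExportName
	}
	return full, nil
}

func main() {
	// Constructed inputs: a legitimate export name and a traversal attempt.
	for _, n := range []string{"Yummy_reservation_20241005_202151.ics", "../../../etc/passwd"} {
		p, err := safeExportPath("/var/www/export", n)
		fmt.Printf("%-40s unsafe=%s safe=%q err=%v\n", n, unsafeExportPath("/var/www/export", n), p, err)
	}
}
```

Note that Go's router already URL-decodes the path, so percent-encoded traversal reaches the handler in decoded form; the check above runs on that decoded value, which is the only form it should trust.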

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/yummy]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -t 200 -u http://yummy.htb/FUZZ -ic 
________________________________________________
 :: Method           : GET
 :: URL              : http://yummy.htb/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 200
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
book                    [Status: 200, Size: 39296, Words: 10892, Lines: 902, Duration: 118ms]
dashboard               [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 103ms]
logout                  [Status: 302, Size: 199, Words: 18, Lines: 6, Duration: 120ms]
login                   [Status: 200, Size: 6893, Words: 1575, Lines: 164, Duration: 282ms]
register                [Status: 200, Size: 7816, Words: 1954, Lines: 175, Duration: 815ms]
:: Progress: [20476/20476] :: Job [1/1] :: 297 req/sec :: Duration: [0:00:43] :: Errors: 0 ::

N/A

Virtual Hosts / Sub-domain Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/yummy]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.yummy.htb' -ic -mc all -fs 39296
________________________________________________
 :: Method           : GET
 :: URL              : http://10.129.91.212/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.yummy.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response size: 39296
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 68 req/sec :: Duration: [0:48:45] :: Errors: 40 ::

N/A