Web
Nmap discovered a web server on port 80 of the 192.168.207.136 host.
The running service is Apache httpd 2.4.18 ((Ubuntu))
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2025 16:09:29 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 3245
Content-Type: text/html; charset=UTF-8
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Date: Wed, 02 Jul 2025 16:09:34 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=UTF-8
Webroot
It’s a Nagios XI instance.
Nagios is an event monitoring system that offers monitoring and alerting services for servers, switches, applications and services. It alerts users when things go wrong and alerts them a second time when the problem has been resolved.
Nagios XI is a proprietary interface using Nagios Core as the back-end, written and maintained by the original author, Ethan Galstad, and Nagios Enterprises. CentOS and RHEL are the currently supported operating systems. It combines Nagios Core with other technologies. Its main database and the ndoutils module that is used alongside Nagios Core use MySQL. While the front-end of Nagios Core is mainly CGI with some PHP, most of the Nagios XI front-end and back-end are written in PHP including the subsystem, event handlers, and notifications, and Python is used to create capacity planning reports and other reports. RRDtool and Highcharts are included to create customizable graphs that can be displayed in dashboards.
This appears to be mirrored on the other web server.
Authentication
Clicking the Access Nagios XI button leads to a login page.
Attempting to authenticate using the default credential, root:nagiosxi, leads to an ambiguous message mentioning a potential user, dave.
Continuing on the other web server.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.php
________________________________________________
:: Method : GET
:: URL : http://192.168.207.136/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htaccess [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
.htaccess.html [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htaccess.txt [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htaccess.php [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd.html [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd.txt [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
.htpasswd.php [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
cgi-bin/.html [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
cgi-bin/ [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
cgi-bin/.php [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 22ms]
index.php [Status: 200, Size: 3245, Words: 786, Lines: 75, Duration: 24ms]
javascript [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 21ms]
nagios [Status: 401, Size: 462, Words: 42, Lines: 15, Duration: 19ms]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 19ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1941 req/sec :: Duration: [0:00:47] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PLAY]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.207.136/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 3245, Words: 786, Lines: 75, Duration: 2106ms]
icons [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 60ms]
javascript [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 43ms]
cgi-bin [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 2154ms]
nagios [Status: 401, Size: 462, Words: 42, Lines: 15, Duration: 20ms]
server-status [Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 20ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1980 req/sec :: Duration: [0:01:58] :: Errors: 0 ::
N/A
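On the server side, wordlist runs like the two above show up in the Apache access log as one client collecting 403/404 responses for many distinct paths within seconds. The following detection logic for that pattern is an added example, not part of the original notes; the log lines, client addresses, window and threshold are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache common/combined log prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def detect_content_discovery(lines, window=timedelta(seconds=10), threshold=20):
    """Return {client_ip: first_alert_time} for clients that request more than
    `threshold` distinct paths answered 403/404 within `window`."""
    recent = defaultdict(deque)  # ip -> deque of (time, path) for recent misses
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] not in ("403", "404"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append((ts, m["path"]))
        while ts - q[0][0] > window:  # drop misses older than the window
            q.popleft()
        if m["ip"] not in alerts and len({p for _, p in q}) > threshold:
            alerts[m["ip"]] = ts
    return alerts

def build_sample_log():
    """Constructed sample: one scanner-like client and one ordinary client."""
    lines = []
    for i in range(60):  # 60 distinct misses spread over three seconds
        lines.append(
            f'203.0.113.5 - - [02/Jul/2025:16:10:{i // 20:02d} +0000] '
            f'"GET /word{i}.php HTTP/1.1" 404 280 "-" "sample-agent"'
        )
    lines.append('198.51.100.9 - - [02/Jul/2025:16:10:01 +0000] '
                 '"GET /index.php HTTP/1.1" 200 3245 "-" "sample-agent"')
    lines.append('198.51.100.9 - - [02/Jul/2025:16:10:02 +0000] '
                 '"GET /favicon.ico HTTP/1.1" 404 280 "-" "sample-agent"')
    return lines

if __name__ == "__main__":
    for ip, when in detect_content_discovery(build_sample_log()).items():
        print(f"possible content discovery from {ip}, first flagged {when}")
```

Counting distinct paths rather than raw misses keeps a client that repeatedly requests one missing file, such as a favicon, below the threshold.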