Web
Nmap discovered a web server on the target's port 9998.
The running service is Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/algernon]
└─$ curl -I http://$IP:9998/
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 132
Content-Type: text/html; charset=utf-8
Location: /interface/root
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
Date: Sat, 22 Mar 2025 13:27:32 GMT
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/algernon]
└─$ curl -I http://$IP:9998/interface/root
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
Date: Sat, 22 Mar 2025 13:27:38 GMT
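Both responses above disclose the web server and MVC framework versions in the Server and X-AspNetMvc-Version headers. The script below is an added example, not part of the original notes: it reads `curl -I` output on stdin and lists redirects and version-disclosing headers, using the two responses from this page as embedded sample input. The header list in `DISCLOSING` and the function names are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: list response headers that disclose the server stack.
# Reads one or more header blocks (as printed by `curl -I`) on stdin.

# Lowercase header names treated as version-disclosing (assumed list; extend as needed).
DISCLOSING='server x-powered-by x-aspnet-version x-aspnetmvc-version'

audit_headers() {
  tr -d '\r' | awk -v names="$DISCLOSING" '
    BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    /^HTTP\// { status = $2; next }            # status line opens a new response
    {
      pos = index($0, ":")
      if (pos == 0) next                       # blank or malformed line
      name = tolower(substr($0, 1, pos - 1))   # header names are case-insensitive
      value = substr($0, pos + 1)
      sub(/^[ \t]+/, "", value)
      if (name == "location")
        printf "REDIRECT %s -> %s\n", status, value
      else if ((name in want) && !seen[name SUBSEP value]++)
        printf "DISCLOSURE %s: %s\n", name, value   # report each name/value once
    }'
}

# Sample input: the two responses captured earlier on this page.
sample_headers() {
  cat <<'EOF'
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 132
Content-Type: text/html; charset=utf-8
Location: /interface/root
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
Date: Sat, 22 Mar 2025 13:27:32 GMT

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 5199
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/10.0
X-AspNetMvc-Version: 5.2
Date: Sat, 22 Mar 2025 13:27:38 GMT
EOF
}

sample_headers | audit_headers
```

Against a live host you administer, pipe `curl -sI` output into `audit_headers` instead of the sample.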
Webroot
The webroot redirects to a SmarterMail login page.
No credentials are known at this time.
Checking the page source reveals the version information: 100.0.6919
Vulnerabilities
Looking up known vulnerabilities online reveals an RCE exploit for CVE-2019-7214, which targets the communication endpoint on port 17001.