Web


Nmap discovered a web server on the target port 9090. The running service is Cockpit web service 198 - 220.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/cockpit]
└─$ curl -I -X OPTIONS http://$IP:9090/
HTTP/1.1 405 Method Not Allowed
Content-Type: text/html; charset=utf8
Transfer-Encoding: chunked
X-DNS-Prefetch-Control: off
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/cockpit]
└─$ curl -I http://$IP:9090/        
HTTP/1.1 301 Moved Permanently
Content-Type: text/html
Location: https://192.168.152.10:9090/
Content-Length: 73
X-DNS-Prefetch-Control: off
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff

Webroot: it's a login page to a Cockpit installation. It revealed the hostname: BLAZE.

The /etc/hosts file on Kali has been updated.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/cockpit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u https://$IP:9090/FUZZ -ic  -fw 9983
________________________________________________
 :: Method           : GET
 :: URL              : https://192.168.152.10:9090/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 9983
________________________________________________
favicon.ico             [Status: 200, Size: 9662, Words: 572, Lines: 3, Duration: 69ms]
ping                    [Status: 200, Size: 24, Words: 4, Lines: 1, Duration: 37ms]
:: Progress: [20478/20478] :: Job [1/1] :: 246 req/sec :: Duration: [0:01:33] :: Errors: 0 ::

/ping


N/A