Web


Nmap discovered a web server on target port 9091. The running service is identified as Apache Hadoop.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fired]
└─$ curl -k -I -X OPTIONS https://$IP:9091/
HTTP/1.1 200 OK
Date: Sun, 06 Apr 2025 19:52:29 GMT
Allow: GET,HEAD,POST,OPTIONS
Content-Length: 0
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fired]
└─$ curl -k -I https://$IP:9091/        
HTTP/1.1 200 OK
Date: Sun, 06 Apr 2025 19:52:34 GMT
Last-Modified: Tue, 02 Aug 2022 12:04:43 GMT
Content-Type: text/html
Accept-Ranges: bytes
Content-Length: 115
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fired]
└─$ openssl s_client -connect $IP:9091
Connecting to 192.168.201.96
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=localhost
verify return:1
---
Certificate chain
 0 s:CN=localhost
   i:CN=localhost
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 28 07:02:39 2024 GMT; NotAfter: Jun 27 07:02:39 2029 GMT
---
Server certificate
subject=CN=localhost
issuer=CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1319 bytes and written 518 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: EE592BDF5F4C98B16F0966AA608575C72AF5908886A21FF4D2A127303B03DABB
    Session-ID-ctx: 
    Resumption PSK: 9BBE2261C31CF66B141AAE5E5300A16E5E5508FF0313F2591A16553A60DE277A1138BDCC4B112334A10B10BB4915BC96
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 86400 (seconds)
    TLS session ticket:
    0000 - c4 92 8a e9 90 57 ec 3e-2a 55 f5 ba c7 89 38 59   .....W.>*U....8Y
    0010 - e9 d7 c3 65 90 0f ed e7-d8 9c 7a f0 aa 4d f2 a2   ...e......z..M..
 
    Start Time: 1743969187
    Timeout   : 7200 (sec)
    Verify return code: 18 (self-signed certificate)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

The webroot redirects to a login page for the Openfire Administration Console. This appears to be a clone of the other instance.

Openfire (previously known as Wildfire, and Jive Messenger) is an instant messaging (IM) and groupchat server for the Extensible Messaging and Presence Protocol (XMPP). It is written in Java and licensed under the Apache License 2.0. Source code is available for review.

Version Information


The login page discloses the version information: 4.7.3

Vulnerabilities


Searching online for vulnerabilities in this version reveals an authentication bypass exploit: CVE-2023-32315
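
For triaging other Openfire hosts against the same CVE, the following is an added example (not part of the original notes) that maps a disclosed version to an affected or not-affected verdict. The affected range (3.10.0 through 4.6.7 and 4.7.0 through 4.7.4, fixed in 4.6.8 and 4.7.5) is taken from the vendor advisory and is an assumption not stated on this page; the function names and inventory hostnames are hypothetical.

```sh
#!/bin/sh
# Added example: triage a disclosed Openfire version against CVE-2023-32315.
# Assumption (from the vendor advisory, not this page): affected releases are
# 3.10.0 through 4.6.7 and 4.7.0 through 4.7.4; fixed in 4.6.8 and 4.7.5.

# ver_lt A B: succeeds when dotted version A sorts strictly before B.
# sort -V compares numerically per component, so 3.9.3 < 3.10.0.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# openfire_cve_2023_32315 VERSION: prints affected, not-affected or invalid.
openfire_cve_2023_32315() {
    v=$1
    # Accept only three numeric components, such as 4.7.3.
    printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' ||
        { echo invalid; return 0; }
    # Releases older than 3.10.0 predate the affected range.
    if ver_lt "$v" 3.10.0; then echo not-affected; return 0; fi
    # The fix is per branch: a plain ">= 4.6.8" test would wrongly pass 4.7.3.
    if ver_lt "$v" 4.7.0; then fixed=4.6.8      # 3.10.x through 4.6.x
    elif ver_lt "$v" 4.8.0; then fixed=4.7.5    # 4.7.x
    else echo not-affected; return 0; fi
    if ver_lt "$v" "$fixed"; then echo affected; else echo not-affected; fi
}

# triage_inventory: reads "host version" lines on stdin, prints a TSV verdict.
triage_inventory() {
    while read -r host ver; do
        [ -n "$host" ] || continue
        printf '%s\t%s\t%s\n' "$host" "$ver" "$(openfire_cve_2023_32315 "$ver")"
    done
}

# Constructed inventory; hostnames are placeholders, 4.7.3 is the version
# disclosed on this page.
triage_inventory <<'EOF'
im-a.example 4.7.3
im-b.example 4.6.8
im-c.example 3.9.3
EOF
```

Hosts reported as affected should be upgraded to the fixed release on their branch, and the admin console port should not be reachable from untrusted networks.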