Web
Nmap discovered a Web server on the target port 8181
The running service is Sun GlassFish Open Source Edition 4.1
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ curl -k -I -X OPTIONS https://$IP:8181/
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/AdoptOpenJDK/1.8)
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Date: Sat, 30 Oct 2021 04:19:16 GMT
Content-Length: 0
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ curl -k -I https://$IP:8181/
HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/AdoptOpenJDK/1.8)
Accept-Ranges: bytes
ETag: W/"12113-1621220744000"
Last-Modified: Mon, 17 May 2021 03:05:44 GMT
Content-Length: 12113
Content-Type: text/html
Date: Sat, 30 Oct 2021 04:19:19 GMT
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ openssl s_client -connect $IP:8181
Connecting to 192.168.219.168
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C=US, ST=California, L=Santa Clara, O=Oracle Corporation, OU=GlassFish, CN=localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 C=US, ST=California, L=Santa Clara, O=Oracle Corporation, OU=GlassFish, CN=localhost
verify error:num=10:certificate has expired
notAfter=Aug 18 13:30:10 2024 GMT
verify return:1
depth=0 C=US, ST=California, L=Santa Clara, O=Oracle Corporation, OU=GlassFish, CN=localhost
notAfter=Aug 18 13:30:10 2024 GMT
verify return:1
---
Certificate chain
0 s:C=US, ST=California, L=Santa Clara, O=Oracle Corporation, OU=GlassFish, CN=localhost
i:C=US, ST=California, L=Santa Clara, O=Oracle Corporation, OU=GlassFish, CN=localhost
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 21 13:30:10 2014 GMT; NotAfter: Aug 18 13:30:10 2024 GMT
---
Server certificate
subject=C=US, ST=California, L=Santa Clara, O=Oracle Corporation, OU=GlassFish, CN=localhost
issuer=C=US, ST=California, L=Santa Clara, O=Oracle Corporation, OU=GlassFish, CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 1413 bytes and written 564 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol: TLSv1.2
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: AAC08712FA02E17377598353C78CC1C98FF16983806559C9C2B7F6BE543B805C
Session-ID-ctx:
Master-Key: FF19621DF56794D78115B06D929FEB71D8D1CB4FE2A26768835F133F75B6555B814025770C8991348B7F9C25FC8D7A51
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1745071280
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: yes
---
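As an added example (not part of the original writeup), a small Python check that parses the curl and openssl output above and records what a reviewer would flag: version disclosure in Server/X-Powered-By, risky verbs advertised in Allow, and a self-signed, expired, CN-mismatched certificate. The sample strings are constructed from this page's output; the host and clock values are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample input, trimmed from the curl and openssl output on this page.
OPTIONS_RESPONSE = """HTTP/1.1 200 OK
Server: GlassFish Server Open Source Edition 4.1
X-Powered-By: Servlet/3.1 JSP/2.3 (GlassFish Server Open Source Edition 4.1 Java/AdoptOpenJDK/1.8)
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
Content-Length: 0
"""
SCLIENT_OUTPUT = """depth=0 C=US, ST=California, L=Santa Clara, O=Oracle Corporation, OU=GlassFish, CN=localhost
verify error:num=18:self-signed certificate
verify error:num=10:certificate has expired
notAfter=Aug 18 13:30:10 2024 GMT
Verify return code: 10 (certificate has expired)
"""

RISKY_METHODS = {"PUT", "DELETE", "TRACE"}  # verbs that should not be advertised unauthenticated
VERSION_RE = re.compile(r"\d+\.\d+")

def parse_headers(raw):
    """Return response headers as a lower-cased dict (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def http_findings(raw):
    """Flag version disclosure and risky verbs in an OPTIONS/HEAD response."""
    h = parse_headers(raw)
    findings = [f"version disclosure in {n}: {h[n]}"
                for n in ("server", "x-powered-by") if n in h and VERSION_RE.search(h[n])]
    allowed = {m.strip() for m in h.get("allow", "").split(",")}
    risky = sorted(allowed & RISKY_METHODS)
    if risky:
        findings.append("risky methods advertised: " + ", ".join(risky))
    return findings

def tls_findings(raw, host, now):
    """Flag self-signed, expired and hostname-mismatched certificates from s_client output."""
    findings = []
    if "num=18:" in raw:                       # OpenSSL verify error 18 = self-signed
        findings.append("self-signed certificate")
    m = re.search(r"^notAfter=(.+ GMT)$", raw, re.M)
    if m:
        expiry = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
        if expiry < now:
            findings.append(f"certificate expired on {expiry:%Y-%m-%d}")
    m = re.search(r"^depth=0 .*CN=([^,\n]+)", raw, re.M)
    if m and m.group(1) != host:
        findings.append(f"CN {m.group(1)!r} does not match host {host!r}")
    return findings
```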
Webroot
Data Web application
The instance is also hosted on the target port 8080.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u https://$IP:8181/FUZZ -ic -e .html,.txt -fc 403
________________________________________________
:: Method : GET
:: URL : https://192.168.219.168:8181/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
css [Status: 301, Size: 183, Words: 8, Lines: 7, Duration: 27ms]
images [Status: 301, Size: 186, Words: 8, Lines: 7, Duration: 32ms]
index.html [Status: 200, Size: 12113, Words: 4670, Lines: 285, Duration: 28ms]
j_security_check [Status: 401, Size: 1090, Words: 55, Lines: 1, Duration: 24ms]
js [Status: 301, Size: 182, Words: 8, Lines: 7, Duration: 22ms]
:: Progress: [61434/61434] :: Job [1/1] :: 1612 req/sec :: Duration: [0:00:42] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fish]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://$IP:8181/FUZZ/ -ic -fc 403
________________________________________________
:: Method : GET
:: URL : https://192.168.219.168:8181/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 12113, Words: 4670, Lines: 285, Duration: 25ms]
%c0 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 38ms]
external%5cx-news [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 21ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1470 req/sec :: Duration: [0:02:18] :: Errors: 0 ::
j_security_check Endpoint
Basic HTTP authentication at the j_security_check endpoint. Likely linked to the admin console on the target port 4848.