Web
Nmap discovered a web server on target port 17445
The running service is Apache Tomcat
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ curl -I -X OPTIONS http://$IP:17445
HTTP/1.1 200
Allow: GET,HEAD,OPTIONS
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 0
Date: Sat, 08 Mar 2025 14:26:57 GMT
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ curl -I http://$IP:17445/
HTTP/1.1 200
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 1252
Date: Sat, 08 Mar 2025 14:38:06 GMT
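The two header dumps above are worth reading as a hardening review, not just a fingerprint. The following added example (my code, not part of the original write-up) parses a raw `curl -I` header block, checks the common hardening headers against the values a reviewer expects, flags the legacy X-XSS-Protection header, and lists the methods the OPTIONS response allows; the sample input is reconstructed from the OPTIONS response captured on this page, and the EXPECTED table is an assumption about what a reviewer wants to see.

```python
# Sample constructed from the OPTIONS response captured above.
OPTIONS_RESPONSE = """HTTP/1.1 200
Allow: GET,HEAD,OPTIONS
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Length: 0
Date: Sat, 08 Mar 2025 14:26:57 GMT
"""

# Assumed reviewer expectations: header name -> predicate on the lower-cased value.
EXPECTED = {
    "x-content-type-options": lambda v: v == "nosniff",
    "x-frame-options": lambda v: v in ("deny", "sameorigin"),
    "cache-control": lambda v: "no-store" in v,
    "content-security-policy": lambda v: bool(v),
    "referrer-policy": lambda v: bool(v),
}


def parse_headers(raw: str) -> dict:
    """Turn a curl -I dump into {lower-cased name: value}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw: str) -> dict:
    """Classify expected hardening headers as present, missing or weak."""
    hdrs = parse_headers(raw)
    present = sorted(n for n, ok in EXPECTED.items() if n in hdrs and ok(hdrs[n].lower()))
    weak = sorted(n for n, ok in EXPECTED.items() if n in hdrs and not ok(hdrs[n].lower()))
    missing = sorted(n for n in EXPECTED if n not in hdrs)
    methods = [m.strip() for m in hdrs.get("allow", "").split(",") if m.strip()]
    # X-XSS-Protection is ignored by current browsers; CSP is the replacement.
    legacy = ["x-xss-protection"] if "x-xss-protection" in hdrs else []
    return {"present": present, "weak": weak, "missing": missing,
            "allowed_methods": methods, "legacy": legacy}


if __name__ == "__main__":
    for key, val in audit(OPTIONS_RESPONSE).items():
        print(f"{key}: {val}")
```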
Webroot
This appears to be a Java application, given it’s hosted by Apache Tomcat
/register
Registering a testing account
/login
Successfully authenticated and redirected to the /user/list endpoint
It reveals the two existing accounts: clinton and dummy
SQLi & SSTI testing returned negative
Password Reset
It would appear that I can just reset the passwords of users
Add User
There is also an endpoint, /user/add, to add a user
This appears to be different from the regular registration
SQLi & SSTI testing returned negative
Issue
Existing issues can be edited and new ones created through the /issue/list endpoint
SQLi & SSTI testing returned negative
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:17445/FUZZ -ic -fc 302
________________________________________________
:: Method : GET
:: URL : http://192.168.162.147:17445/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 302
________________________________________________
login [Status: 200, Size: 1167, Words: 54, Lines: 47, Duration: 66ms]
register [Status: 200, Size: 1603, Words: 116, Lines: 58, Duration: 45ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1282 req/sec :: Duration: [0:00:15] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hawat]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:17445/FUZZ/ -ic -fc 302
________________________________________________
:: Method : GET
:: URL : http://192.168.162.147:17445/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 302
________________________________________________
:: Progress: [207630/207630] :: Job [1/1] :: 1459 req/sec :: Duration: [0:02:39] :: Errors: 0 ::