Web


Nmap discovered a web server on port 8080 of the dc01.heist.offsec (192.168.198.165) host. The running service is Werkzeug httpd 2.0.1 (Python 3.9.0).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ curl -I -X OPTIONS http://$IP:8080/
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Allow: GET, HEAD, OPTIONS
Content-Length: 0
Server: Werkzeug/2.0.1 Python/3.9.0
Date: Mon, 07 Jul 2025 14:22:28 GMT
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ curl -I http://$IP:8080/        
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 21
Server: Werkzeug/2.0.1 Python/3.9.0
Date: Mon, 07 Jul 2025 14:22:46 GMT

Screenshot: the webroot viewed in a web browser.

SSRF


SSRF confirmed. The server-side request is issued through the Win32 API, so it likely carries an NTLM authentication request.
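The fix on the application side is to vet a user-supplied URL before the server fetches it. The following is an added defender's example, not code from the target box: a pre-fetch check for a Python URL-fetching endpoint that restricts scheme and port, rejects backslash/UNC forms (the Win32 URL APIs treat backslashes as path separators), and refuses hosts that resolve to non-public addresses. FAKE_DNS is a constructed resolver so the example runs offline; the hostnames and addresses in it are invented.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # no file:, ftp:, smb:, etc.
ALLOWED_PORTS = {80, 443}

# Constructed DNS answers (stand-in for a real resolver) so this runs offline.
FAKE_DNS = {
    "assets.example.org": "93.184.216.34",   # public address: allowed
    "intranet.local": "10.0.0.5",            # RFC 1918: rejected
    "rebind.example.net": "127.0.0.1",       # public name, loopback answer: rejected
    "localhost": "127.0.0.1",
}


def check_outbound_url(url, resolver=FAKE_DNS):
    """Return None if the server may fetch `url`, else a string saying why not."""
    if "\\" in url:
        return "backslash in URL (UNC/Win32 path form)"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme {scheme!r} not allowed"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return "missing host"
    port = port or (443 if scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return f"port {port} not allowed"
    # Literal IPs are checked directly; names are resolved first. Unknown or
    # odd forms (decimal/octal IPs) fail resolution and are rejected by default.
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        addr = resolver.get(host.lower())
        if addr is None:
            return f"host {host!r} did not resolve"
        ip = ipaddress.ip_address(addr)
    if not ip.is_global:   # loopback, private, link-local, reserved ranges
        return f"host {host!r} resolves to non-public address {ip}"
    # The fetch itself should connect to `ip`, not re-resolve `host`,
    # so a DNS rebinding between check and fetch cannot slip through.
    return None
```

Run over the sample names above, only the public-address URL passes; everything that would reach loopback, the internal range, a non-HTTP scheme, or an SMB share path is rejected before any request (and any NTLM exchange) leaves the host.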