Web


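Nmap discovered a web server on target port 18030. The running service is Apache httpd 2.4.46 ((Unix)). The OPTIONS response below also lists TRACE among the allowed methods, which a hardened Apache configuration would normally turn off with `TraceEnable off`.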

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ curl -I -X OPTIONS http://$IP:18030/
HTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 18:12:19 GMT
Server: Apache/2.4.46 (Unix)
Allow: OPTIONS,HEAD,GET,POST,TRACE
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ curl -I http://$IP:18030/        
HTTP/1.1 200 OK
Date: Sun, 30 Mar 2025 18:12:21 GMT
Server: Apache/2.4.46 (Unix)
Last-Modified: Fri, 06 Nov 2020 17:59:22 GMT
ETag: "376-5b373f8e89951"
Accept-Ranges: bytes
Content-Length: 886
Content-Type: text/html

Webroot

The webroot serves a JavaScript game.

scripts.js


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ curl http://$IP:18030/scripts.js 
// DOM handles, looked up once when the script loads.
const holes = document.querySelectorAll('.hole');
const scoreBoard = document.querySelector('.score');
const moles = document.querySelectorAll('.mole');

// Mutable game state shared by the functions below. All of it lives in the
// page only; nothing in this file sends it anywhere.
let timeUp = false; // flipped to true by the timer in startGame(); stops peep() rescheduling
let score = 0; // incremented by bonk()
let lastHole; // entry most recently returned by randomHole()
 
/**
 * Return a random number between `min` and `max`, rounded to the nearest
 * integer. peep() uses the result as a setTimeout delay.
 *
 * Math.random() is not a cryptographic source; here it only drives game
 * timing, so that is acceptable.
 *
 * @param {number} min - lower bound
 * @param {number} max - upper bound
 * @returns {number} rounded value in [min, max] for integer bounds with min <= max
 */
function randomTime(min, max) {
  const span = max - min;
  const offset = Math.random() * span;
  return Math.round(offset + min);
}
 
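/**
 * Choose a random entry from `holes`, never returning the same entry twice
 * in a row. The previous pick is tracked in the shared `lastHole` variable,
 * which this function also updates.
 *
 * The original re-rolled by calling itself, which never terminated when the
 * collection held zero or one entry (no different entry can ever be drawn).
 * Those cases are now answered directly, and the re-roll is a loop rather
 * than recursion.
 *
 * NOTE(review): a collection of two or more entries that are all identical
 * to `lastHole` would still loop forever; distinct DOM nodes cannot hit this.
 *
 * @param {ArrayLike<*>} holes - indexable collection with a `length`
 * @returns {*} the chosen entry, or `undefined` when `holes` is empty
 */
function randomHole(holes) {
  const count = holes.length;

  // Nothing to alternate between: re-rolling could never yield a new entry.
  if (count <= 1) {
    const only = holes[0];
    lastHole = only;
    return only;
  }

  let hole;
  do {
    hole = holes[Math.floor(Math.random() * count)];
  } while (hole === lastHole);

  lastHole = hole;
  return hole;
}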
 
/**
 * Raise one mole and schedule it to drop again.
 *
 * Picks a delay between 200 and 1000 and a hole from the shared `holes`
 * collection, adds the `up` class to that hole, and removes it once the
 * delay has elapsed. Unless `timeUp` has been set by then, the timer
 * callback calls peep() again, which keeps the round going.
 */
function peep() {
  // Draw the delay first, then the hole, so the Math.random() call order
  // stays the same as before.
  const delay = randomTime(200, 1000);
  const target = randomHole(holes);

  target.classList.add('up');

  setTimeout(() => {
    target.classList.remove('up');

    if (timeUp) {
      return;
    }
    peep();
  }, delay);
}
 
/**
 * Begin a round: reset the displayed and stored score, clear `timeUp`,
 * start the mole loop, and arm a timer that sets `timeUp` after 10000 ms.
 *
 * NOTE(review): nothing here prevents a second call while a round is
 * running; that would start another peep() loop and another end-of-round
 * timer. The caller is not visible in this file, so confirm how it is wired.
 */
function startGame() {
  scoreBoard.textContent = 0;
  timeUp = false;
  score = 0;
  peep();

  const roundLengthMs = 10000;
  setTimeout(function endRound() {
    timeUp = true;
  }, roundLengthMs);
}
 
/**
 * Click handler for a mole: count the hit, drop the mole, refresh the
 * score display. `this` is the element the listener was attached to.
 *
 * Events whose `isTrusted` flag is false (those dispatched by script rather
 * than by a real user action) are ignored. This is an anti-cheat nicety
 * only: the score lives entirely in the page, so it is not a security
 * boundary.
 *
 * @param {Event} e - the click event
 */
function bonk(e) {
  if (e.isTrusted) {
    score += 1;
    this.classList.remove('up');
    scoreBoard.textContent = score;
  }
}
 
// Register bonk() as the click handler on every mole element.
moles.forEach((moleEl) => {
  moleEl.addEventListener('click', bonk);
});

N/A: scripts.js contains only client-side game logic, so there is nothing actionable in it.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:18030/FUZZ -ic -e .txt,.html,.js
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.185.125:18030/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .txt .html .js 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
.htpasswd.js            [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 33ms]
.htaccess               [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 33ms]
.htaccess.html          [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 33ms]
.htpasswd.txt           [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 34ms]
.htaccess.txt           [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 33ms]
.htpasswd               [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 33ms]
.htaccess.js            [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 33ms]
.htpasswd.html          [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 34ms]
index.html              [Status: 200, Size: 886, Words: 136, Lines: 44, Duration: 23ms]
scripts.js              [Status: 200, Size: 1053, Words: 161, Lines: 56, Duration: 21ms]
~bin                    [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 39ms]
~ftp                    [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 30ms]
~nobody                 [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 29ms]
~mail                   [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 29ms]
~root                   [Status: 403, Size: 969, Words: 100, Lines: 43, Duration: 21ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1190 req/sec :: Duration: [0:00:58] :: Errors: 0 ::
 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:18030/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.185.125:18030/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 886, Words: 136, Lines: 44, Duration: 22ms]
icons                   [Status: 200, Size: 73983, Words: 7383, Lines: 1005, Duration: 65ms]
error                   [Status: 403, Size: 983, Words: 101, Lines: 43, Duration: 21ms]
:: Progress: [207630/207630] :: Job [1/1] :: 112 req/sec :: Duration: [0:02:44] :: Errors: 0 ::

N/A: beyond index.html and scripts.js, fuzzing surfaced only /icons/ (200) and 403 responses.