Web
Nmap discovered a web server on the target port 80. The running service is Apache Tomcat (language: en).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ curl -I -X OPTIONS http://$IP:8080/
HTTP/1.1 200
Allow: GET,HEAD,OPTIONS
Content-Length: 0
Date: Sun, 30 Mar 2025 18:11:00 GMT
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ curl -I http://$IP:8080/
HTTP/1.1 200
Content-Type: text/html;charset=UTF-8
Content-Language: en-US
Content-Length: 3755
Date: Sun, 30 Mar 2025 18:11:03 GMT
Webroot
This appears to be a static personal blog with several articles, whose bylines include 4 possible users:
James
Julie
Jennifer
Richard
This comment was found in the source code of every article.
API
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ curl -s http://$IP:8080/api/ | jq
[
{
"string": "/api/",
"id": 13
},
{
"string": "/article/",
"id": 14
},
{
"string": "/article/?",
"id": 15
},
{
"string": "/user/",
"id": 16
},
{
"string": "/user/?",
"id": 17
}
]
2 API endpoints are available: /article/ and /user/
/article/
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ curl -s http://$IP:8080/api/article/ | jq
[
{
"title": "The Taste of Rain",
"headline": "Jack Kerouac",
"content": "The taste, Of rain, —Why kneel?",
"author": {
"login": "jvargas",
"password": "OuQ96hcgiM5o9w",
"firstname": "James",
"lastname": "Vargas",
"description": "Editor",
"id": 10
},
"slug": "the-taste-of-rain",
"addedAt": "2024-08-02T20:52:46.732111",
"id": 12
},
{
"title": "In a Station of the Metro",
"headline": "Ezra Pound",
"content": "The apparition of these faces in the crowd; Petals on a wet, black bough.",
"author": {
"login": "jvargas",
"password": "OuQ96hcgiM5o9w",
"firstname": "James",
"lastname": "Vargas",
"description": "Editor",
"id": 10
},
"slug": "in-a-station-of-the-metro",
"addedAt": "2024-08-02T20:52:46.731283",
"id": 11
},
{
"title": "Over the Wintry",
"headline": "Natsume Soseki",
"content": "Over the wintry Forest, winds howl in rage, With no leaves to blow.",
"author": {
"login": "jwinters",
"password": "KTuGcSW6Zxwd0Q",
"firstname": "Julie",
"lastname": "Winters",
"description": "Editor",
"id": 7
},
"slug": "over-the-wintry",
"addedAt": "2024-08-02T20:52:46.72979",
"id": 9
},
{
"title": "A Poppy Blooms",
"headline": "Katsushika Hokusai",
"content": "I write, erase, rewrite. Erase again, and then, A poppy blooms.",
"author": {
"login": "jwinters",
"password": "KTuGcSW6Zxwd0Q",
"firstname": "Julie",
"lastname": "Winters",
"description": "Editor",
"id": 7
},
"slug": "a-poppy-blooms",
"addedAt": "2024-08-02T20:52:46.728878",
"id": 8
},
{
"title": "Lighting One Candle",
"headline": "Yosa Buson",
"content": "The light of a candle, Is transferred to another candle—, Spring twilight",
"author": {
"login": "jsanchez",
"password": "d52cQ1BzyNQycg",
"firstname": "Jennifer",
"lastname": "Sanchez",
"description": "Editor",
"id": 3
},
"slug": "lighting-one-candle",
"addedAt": "2024-08-02T20:52:46.726653",
"id": 5
},
{
"title": "A World of Dew",
"headline": "Kobayashi Issa",
"content": "A world of dew, And within every dewdrop, A world of struggle. ",
"author": {
"login": "jsanchez",
"password": "d52cQ1BzyNQycg",
"firstname": "Jennifer",
"lastname": "Sanchez",
"description": "Editor",
"id": 3
},
"slug": "a-world-of-dew",
"addedAt": "2024-08-02T20:52:46.725776",
"id": 4
},
{
"title": "The Old Pond",
"headline": "Matsuo Basho",
"content": "An old silent pond, A frog jumps into the pond—, Splash! Silence again.",
"author": {
"login": "rjackson",
"password": "yYJcgYqszv4aGQ",
"firstname": "Richard",
"lastname": "Jackson",
"description": "Editor",
"id": 1
},
"slug": "the-old-pond",
"addedAt": "2024-08-02T20:52:46.717419",
"id": 2
}
]
These are the 7 articles shown on the blog. More importantly, each article's embedded author object contains that user's credentials (login and password).
/user/
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ curl -s http://$IP:8080/api/user/ | jq
[
{
"login": "rjackson",
"password": "yYJcgYqszv4aGQ",
"firstname": "Richard",
"lastname": "Jackson",
"description": "Editor",
"id": 1
},
{
"login": "jsanchez",
"password": "d52cQ1BzyNQycg",
"firstname": "Jennifer",
"lastname": "Sanchez",
"description": "Editor",
"id": 3
},
{
"login": "dademola",
"password": "ExplainSlowQuest110",
"firstname": "Derik",
"lastname": "Ademola",
"description": "Admin",
"id": 6
},
{
"login": "jwinters",
"password": "KTuGcSW6Zxwd0Q",
"firstname": "Julie",
"lastname": "Winters",
"description": "Editor",
"id": 7
},
{
"login": "jvargas",
"password": "OuQ96hcgiM5o9w",
"firstname": "James",
"lastname": "Vargas",
"description": "Editor",
"id": 10
}
]
- Total of 5 credentials, including those of the 4 users found earlier
- Additionally, the username convention was identified: <FIRSTNAME_INITIAL>+<LASTNAME>
- Another observation is that the admin user, dademola, is the only user with a "normal" password: ExplainSlowQuest110
- The rest all have gibberish passwords
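As an added example (not part of the original writeup), a small Python auditor that walks an API response shaped like the /api/user/ and /api/article/ output above, flags any field whose name looks like a credential, and checks each login against the <FIRSTNAME_INITIAL>+<LASTNAME> convention. The sample response is constructed, with placeholder passwords.

```python
"""Audit a JSON API response for leaked credential fields.

Added example, not code from the original writeup. Recursively walks a
response shaped like hunit's /api/article/ output, reports where any
secret-looking key appears, and checks the observed login convention.
"""
import json
import re

# Key names that should never appear in a public API response.
SECRET_KEY_RE = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.I)

def find_secret_fields(node, path="$"):
    """Return JSONPath-like locations of every secret-looking key."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if SECRET_KEY_RE.search(key):
                hits.append(child)
            hits.extend(find_secret_fields(value, child))   # nested objects
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_secret_fields(item, f"{path}[{i}]"))
    return hits

def follows_convention(user):
    """True when login == first initial + lastname (case-insensitive)."""
    expected = (user["firstname"][0] + user["lastname"]).lower()
    return user["login"].lower() == expected

# Constructed sample mirroring the /api/article/ shape; passwords are placeholders.
SAMPLE = json.loads("""
[
  {"title": "The Old Pond", "headline": "Matsuo Basho",
   "author": {"login": "rjackson", "password": "PLACEHOLDER-1",
              "firstname": "Richard", "lastname": "Jackson", "id": 1},
   "slug": "the-old-pond", "id": 2},
  {"title": "A Poppy Blooms", "headline": "Katsushika Hokusai",
   "author": {"login": "jwinters", "password": "PLACEHOLDER-2",
              "firstname": "Julie", "lastname": "Winters", "id": 7},
   "slug": "a-poppy-blooms", "id": 8}
]
""")

def audit(response):
    """Summarise leaked fields and login-convention compliance."""
    authors = [a["author"] for a in response if "author" in a]
    return {"leaked_fields": find_secret_fields(response),
            "logins_follow_convention": all(follows_convention(a) for a in authors)}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```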
Fuzzing /api/
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -u http://$IP:8080/api/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.185.125:8080/api/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 148, Words: 1, Lines: 1, Duration: 87ms]
article [Status: 200, Size: 2352, Words: 102, Lines: 1, Duration: 28ms]
user [Status: 200, Size: 609, Words: 1, Lines: 1, Duration: 37ms]
:: Progress: [1185241/1185241] :: Job [1/1] :: 1562 req/sec :: Duration: [0:15:20] :: Errors: 0 ::
N/A
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:8080/FUZZ -ic -e .txt,.html,.php
________________________________________________
:: Method : GET
:: URL : http://192.168.185.125:8080/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .txt .html .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
error [Status: 500, Size: 105, Words: 3, Lines: 1, Duration: 24ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1408 req/sec :: Duration: [0:01:05] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP:8080/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://192.168.185.125:8080/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 3755, Words: 170, Lines: 138, Duration: 28ms]
api [Status: 200, Size: 148, Words: 1, Lines: 1, Duration: 24ms]
error [Status: 500, Size: 105, Words: 3, Lines: 1, Duration: 23ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1169 req/sec :: Duration: [0:02:25] :: Errors: 0 ::
/error
The /error endpoint reveals a Whitelabel Error Page, which is the generic error page displayed by Spring Boot applications.