Web
Nmap discovered a Web server on the target port 80
The running service is Microsoft IIS httpd 10.0
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ curl -I -X OPTIONS http://$IP/
HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK
Server: Microsoft-IIS/10.0
Public: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
DAV: 1,2,3
MS-Author-Via: DAV
X-Powered-By: ASP.NET
Date: Thu, 01 May 2025 12:50:07 GMT
Content-Length: 0
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ curl -I http://$IP/
HTTP/1.1 200 OK
Content-Length: 703
Content-Type: text/html
Last-Modified: Wed, 04 Nov 2020 05:35:35 GMT
Accept-Ranges: bytes
ETag: "965c9516cb2d61:0"
Server: Microsoft-IIS/10.0
X-Powered-By: ASP.NET
Date: Thu, 01 May 2025 12:50:10 GMTThe target Web server has WebDAV enabled
/Practice/Hutch/2-Enumeration/attachments/{F1C76BDC-DBA0-4C64-A2FC-9EBD65DB4C07}.png)
Webroot
It’s the default IIS installation page
WebDAV
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ cadaver http://$IP/
Authentication required for 192.168.187.122 on server `192.168.187.122':
Username:
Password: The target WebDAV server requires authentication No credential is known at this time
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP/FUZZ -ic -e .html,.txt,.aspx -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.187.122/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .aspx
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
Index.aspx [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 874ms]
aspnet_client [Status: 301, Size: 160, Words: 9, Lines: 2, Duration: 28ms]
index.aspx [Status: 500, Size: 3420, Words: 774, Lines: 81, Duration: 243ms]
:: Progress: [81920/81920] :: Job [1/1] :: 1351 req/sec :: Duration: [0:01:06] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$IP/FUZZ/ -ic -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.187.122/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
[Status: 200, Size: 703, Words: 27, Lines: 32, Duration: 69ms]
[Status: 200, Size: 703, Words: 27, Lines: 32, Duration: 34ms]
:: Progress: [207631/207631] :: Job [1/1] :: 2020 req/sec :: Duration: [0:03:38] :: Errors: 0 ::N/A
Virtual Host / Sub-domain Discovery
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hutch]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.hutch.offsec' -ic -mc all -fs 703
________________________________________________
:: Method : GET
:: URL : http://192.168.187.122/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.hutch.offsec
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 703
________________________________________________
:: Progress: [114437/114437] :: Job [1/1] :: 2040 req/sec :: Duration: [0:01:04] :: Errors: 0 ::N/A