Web
Nmap discovered a web server on target port 44330.
The running service is BarracudaServer.com (Windows).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ curl -k -I -X OPTIONS https://$IP:44330/
HTTP/1.1 200 OK
Date: Fri, 11 Apr 2025 16:47:49 GMT
Server: BarracudaServer.com (Windows)
Connection: Keep-Alive
Allow: OPTIONS, GET, HEAD, PROPFIND, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
DAV: 1, 2
MS-Author-Via: DAV
Content-Length: 0
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ curl -k -I https://$IP:44330/
HTTP/1.1 200 OK
Date: Fri, 11 Apr 2025 16:48:03 GMT
Server: BarracudaServer.com (Windows)
Connection: Keep-Alive
Last-Modified: Tue, 19 Feb 2013 19:58:47 GMT
Content-Length: 8295
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ openssl s_client -connect $IP:44330
Connecting to 192.168.156.127
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 C=US, ST=CA, L=Laguna Niguel, O=Real Time Logic, OU=SharkSSL, CN=server demo 1024 bits, emailAddress=ginfo@realtimelogic.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=CA, L=Laguna Niguel, O=Real Time Logic, OU=SharkSSL, CN=server demo 1024 bits, emailAddress=ginfo@realtimelogic.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=US, ST=CA, L=Laguna Niguel, O=Real Time Logic, OU=SharkSSL, CN=server demo 1024 bits, emailAddress=ginfo@realtimelogic.com
verify error:num=10:certificate has expired
notAfter=Aug 25 14:40:47 2019 GMT
verify return:1
depth=0 C=US, ST=CA, L=Laguna Niguel, O=Real Time Logic, OU=SharkSSL, CN=server demo 1024 bits, emailAddress=ginfo@realtimelogic.com
notAfter=Aug 25 14:40:47 2019 GMT
verify return:1
---
Certificate chain
0 s:C=US, ST=CA, L=Laguna Niguel, O=Real Time Logic, OU=SharkSSL, CN=server demo 1024 bits, emailAddress=ginfo@realtimelogic.com
i:C=US, ST=CA, L=Laguna Niguel, O=Real Time Logic, OU=SharkSSL, CN=demo CA, emailAddress=ginfo@realtimelogic.com
a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-MD5
v:NotBefore: Aug 27 14:40:47 2009 GMT; NotAfter: Aug 25 14:40:47 2019 GMT
---
Server certificate
subject=C=US, ST=CA, L=Laguna Niguel, O=Real Time Logic, OU=SharkSSL, CN=server demo 1024 bits, emailAddress=ginfo@realtimelogic.com
issuer=C=US, ST=CA, L=Laguna Niguel, O=Real Time Logic, OU=SharkSSL, CN=demo CA, emailAddress=ginfo@realtimelogic.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1276 bytes and written 668 bytes
Verification error: certificate has expired
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-SHA256
Protocol: TLSv1.2
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256
Session-ID: FFFFFFD667F9480000E1D4505F71CB34CE57251CFCFB9337DFDF2EC4233B9D48
Session-ID-ctx:
Master-Key: 48E4B77C2E3BE560F89EA398A96DD02BB7DF1F07AF16E98B955A5592319A02E8D64EA8648153FC67638276C67BCCBB84
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1744390145
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
Extended master secret: no
---
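The s_client output above can be checked for weak TLS parameters mechanically. The following is an added example, not part of the original write-up: audit_s_client is a hypothetical helper name, and the 2048-bit minimum and the finding labels are assumptions.

```shell
# Added example: flag weak TLS parameters in saved `openssl s_client` output.
# audit_s_client is a hypothetical helper; the 2048-bit floor is an assumption.
# Live use: openssl s_client -connect HOST:PORT </dev/null 2>&1 | audit_s_client
audit_s_client() {
  awk '
    # Chain line, e.g. "a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-MD5"
    /PKEY:/ {
      if (match($0, /[0-9]+ \(bit\)/)) {
        bits = substr($0, RSTART, RLENGTH) + 0
        if (bits < 2048) print "WEAK_CERT_KEY " bits
      }
      if ($0 ~ /sigalg: .*(MD5|SHA1)/) { sub(/.*sigalg: /, ""); print "WEAK_SIGALG " $0 }
    }
    # Ephemeral DH group size, e.g. "Server Temp Key: DH, 1024 bits"
    /^Server Temp Key: DH,/ {
      bits = $5 + 0
      if (bits < 2048) print "WEAK_DH " bits
    }
    /^Secure Renegotiation IS NOT supported/ { print "NO_SECURE_RENEGOTIATION" }
    /Extended master secret: no/             { print "NO_EXTENDED_MASTER_SECRET" }
    # Any verify code other than 0 (ok) means the chain did not validate
    /Verify return code: / && !/Verify return code: 0 / {
      sub(/.*Verify return code: /, ""); print "VERIFY_FAILED " $0
    }
  '
}

# Excerpt of the s_client output shown above, embedded so the example runs offline.
sample_output() {
  cat <<'EOF'
 a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-MD5
 v:NotBefore: Aug 27 14:40:47 2009 GMT; NotAfter: Aug 25 14:40:47 2019 GMT
Server Temp Key: DH, 1024 bits
New, TLSv1.2, Cipher is DHE-RSA-AES256-SHA256
Secure Renegotiation IS NOT supported
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
EOF
}

sample_output | audit_s_client
```

Each output line is one finding; an empty result means none of these checks fired.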
Webroot
The webroot redirects to what appears to be an initialization page for BarracudaDrive Server:
/Config-Wizard/wizard/SetAdmin.lsp
It appears to be a mirror instance of the web server on target port 8000.
Initialization
Initialization was performed on the other web server, on port 8000.
Version Information
The version information is disclosed at the /rtl/about.lsp endpoint.
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ searchsploit BarracudaDrive 6.5
-------------------------------------------------- ---------------------------------
Exploit Title | Path
-------------------------------------------------- ---------------------------------
BarracudaDrive v6.5 - Insecure Folder Permissions | windows/local/48789.txt
-------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
The exploit is for local privilege escalation.