Web


Nmap discovered a web server on the target's port 443. The running service is Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.3.10.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ curl -k -I -X OPTIONS https://$IP/
HTTP/1.1 200 OK
Date: Fri, 18 Apr 2025 17:38:03 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.3.10
Allow: GET,POST,OPTIONS,HEAD,TRACE
Content-Length: 0
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ curl -k -I https://$IP/        
HTTP/1.1 200 OK
Date: Fri, 18 Apr 2025 17:38:07 GMT
Server: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.3.10
Last-Modified: Tue, 24 Aug 2021 18:26:08 GMT
ETag: "5984-5ca524471f000"
Accept-Ranges: bytes
Content-Length: 22916
Content-Type: text/html
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ openssl s_client -connect $IP:443  
Connecting to 192.168.156.180
CONNECTED(00000003)
Can't use SSL_get_servername
depth=0 CN=localhost
verify error:num=18:self-signed certificate
verify return:1
depth=0 CN=localhost
verify error:num=10:certificate has expired
notAfter=Nov  8 23:48:47 2019 GMT
verify return:1
depth=0 CN=localhost
notAfter=Nov  8 23:48:47 2019 GMT
verify return:1
---
Certificate chain
 0 s:CN=localhost
   i:CN=localhost
   a:PKEY: rsaEncryption, 1024 (bit); sigalg: RSA-SHA1
   v:NotBefore: Nov 10 23:48:47 2009 GMT; NotAfter: Nov  8 23:48:47 2019 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
-----END CERTIFICATE-----
subject=CN=localhost
issuer=CN=localhost
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 847 bytes and written 518 bytes
Verification error: certificate has expired
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Protocol: TLSv1.3
Server public key is 1024 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 10 (certificate has expired)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: A12FDDF929E542611C17366DBFA76C026748DC34EE3FB70C8F98C1BDA509B55C
    Session-ID-ctx: 
    Resumption PSK: E6B32D20769BEDE2FAE046DF0958858FB2C0FEF904141314407833F792B2B642BD7712C89BF12D4C11ABFCAA38D2D877
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c1 d5 0a 7f fb 2b 5c 61-02 ed 47 36 88 e2 4f 30   .....+\a..G6..O0
    0010 - 5c c2 e6 7e 11 54 b3 87-7b 91 e8 64 28 56 36 86   \..~.T..{..d(V6.
    0020 - 85 3a 70 42 c4 bf db 1e-de d2 8f b6 d6 67 61 20   .:pB.........ga 
    0030 - ee 92 8e f5 51 49 f2 e8-53 71 05 9b a7 8d fe ae   ....QI..Sq......
    0040 - ac 53 ce 79 7e f4 d0 0b-b6 32 3d 60 94 5b 1f 44   .S.y~....2=`.[.D
    0050 - 82 d7 b3 54 cf a2 0c 71-7c ee e9 5f cd 1f f7 b6   ...T...q|.._....
    0060 - 96 f4 70 e4 2d b9 ab 48-3d 6e b7 16 ef 6f ec db   ..p.-..H=n...o..
    0070 - db 70 cf 7d 6b 26 ea 75-80 82 68 47 4d b7 d4 cf   .p.}k&.u..hGM...
    0080 - 3b 79 a4 b0 d0 20 7b e7-5e 3d b8 e5 44 5f 87 65   ;y... {.^=..D_.e
    0090 - 46 c5 82 4f 2d 6d d9 f4-12 76 9c fc cf 1e ff 44   F..O-m...v.....D
    00a0 - 8c 02 2d 68 92 8c 17 3b-a5 25 00 bc a8 91 91 65   ..-h...;.%.....e
    00b0 - c4 d4 84 bc ce 50 3a 3d-43 05 38 46 eb 25 3c c0   .....P:=C.8F.%<.
    00c0 - 48 33 57 b8 c3 71 4b aa-7b 37 9d 9b 62 ba a1 85   H3W..qK.{7..b...
    00d0 - 23 23 25 40 d4 94 ef 25-23 a7 d1 54 db 7a cb 85   ##%@...%#..T.z..
 
    Start Time: 1744997928
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 7D804CEAD53BD84DF6933C601355B4CF916CD225FCCEEDA60B5314385B43B155
    Session-ID-ctx: 
    Resumption PSK: 58148436A37F99DD1B841BCB796BD955A22B9EA07C2460E5C9F92053F2913F41605A2575746FFC234D54524380881496
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - c1 d5 0a 7f fb 2b 5c 61-02 ed 47 36 88 e2 4f 30   .....+\a..G6..O0
    0010 - d8 31 b5 23 db 96 07 5a-08 7f ff 2d 59 56 34 fa   .1.#...Z...-YV4.
    0020 - eb 00 2e 79 09 9d 9d db-a7 f7 4c e3 5a 10 89 b8   ...y......L.Z...
    0030 - b7 29 03 d8 7c 70 78 83-a5 f6 89 9b c9 9d 6b 01   .)..|px.......k.
    0040 - b7 1d 3c 70 18 a9 5d d2-87 64 5e 44 6e 75 56 6a   ..<p..]..d^DnuVj
    0050 - cd d9 ac a2 00 db 86 54-50 e7 ec 6f 76 41 02 9a   .......TP..ovA..
    0060 - a3 a6 74 c4 82 67 92 a4-9b 0b db db a8 ad 1f fb   ..t..g..........
    0070 - ad 80 68 3d 36 39 2d 28-fc ea be 9e 1d 0d e6 0e   ..h=69-(........
    0080 - e6 25 65 a8 af 9e 3d ec-b9 27 43 c1 92 a6 4b 7a   .%e...=..'C...Kz
    0090 - 7e 28 97 22 a8 ab 75 d5-49 af 88 45 73 10 ab af   ~(."..u.I..Es...
    00a0 - 2e f6 a6 c9 86 e7 91 d6-93 fb d4 96 9d 49 08 fe   .............I..
    00b0 - d8 7d 6e ed b9 22 55 31-b5 6e 04 9f 8e 9c 13 cd   .}n.."U1.n......
    00c0 - b3 dc 67 7f 94 ec df 8e-de a0 0f 07 0c 3d 26 5d   ..g..........=&]
    00d0 - f2 c1 06 15 c2 3d 6e 14-2a 10 96 ce f8 a8 ed 79   .....=n.*......y
 
    Start Time: 1744997928
    Timeout   : 7200 (sec)
    Verify return code: 10 (certificate has expired)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
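The s_client output above shows four things worth recording about this certificate: it is self-signed (subject and issuer are both CN=localhost), it expired in November 2019, the RSA key is only 1024 bits, and it is signed with SHA-1. As an added example (not part of the original notes), the following script parses the exact PEM printed above using only the Python standard library (a minimal DER walker, so no `cryptography` package is needed) and reports those findings; the 2048-bit minimum is an assumed policy threshold for the example.

```python
"""Stdlib-only audit of the certificate openssl s_client printed above (added example,
not part of the original notes): a minimal DER walker plus the checks a defender would run."""
import base64
import datetime as dt
import re

PEM = """-----BEGIN CERTIFICATE-----
MIIBnzCCAQgCCQC1x1LJh4G1AzANBgkqhkiG9w0BAQUFADAUMRIwEAYDVQQDEwls
b2NhbGhvc3QwHhcNMDkxMTEwMjM0ODQ3WhcNMTkxMTA4MjM0ODQ3WjAUMRIwEAYD
VQQDEwlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMEl0yfj
7K0Ng2pt51+adRAj4pCdoGOVjx1BmljVnGOMW3OGkHnMw9ajibh1vB6UfHxu463o
J1wLxgxq+Q8y/rPEehAjBCspKNSq+bMvZhD4p8HNYMRrKFfjZzv3ns1IItw46kgT
gDpAl1cMRzVGPXFimu5TnWMOZ3ooyaQ0/xntAgMBAAEwDQYJKoZIhvcNAQEFBQAD
gYEAavHzSWz5umhfb/MnBMa5DL2VNzS+9whmmpsDGEG+uR0kM1W2GQIdVHHJTyFd
aHXzgVJBQcWTwhp84nvHSiQTDBSaT6cQNQpvag/TaED/SEQpm0VqDFwpfFYuufBL
vVNbLkKxbK2XwUvu0RxoLdBMC/89HqrZ0ppiONuQ+X2MtxE=
-----END CERTIFICATE-----"""

OID_NAMES = {                               # the few OIDs this audit needs to name
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "2.5.4.3": "commonName",
}


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value: bytes) -> list:
    out, pos = [], 0                        # (tag, value) pairs inside a constructed element
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw: bytes) -> str:
    arcs, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # remaining arcs are base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def decode_time(tag: int, raw: bytes) -> dt.datetime:
    text = raw.decode("ascii")
    if tag == 0x17:                         # UTCTime: two-digit year (RFC 5280: >=50 means 19xx)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def common_name(name: bytes) -> str:
    for _, rdn in children(name):           # Name = SEQUENCE OF (SET OF AttributeTypeAndValue)
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)[:2]
            if OID_NAMES.get(decode_oid(oid)) == "commonName":
                return val.decode("utf-8")
    return ""


def alg_name(alg_id: bytes) -> str:
    """AlgorithmIdentifier = SEQUENCE { OID, parameters }; name the OID."""
    return OID_NAMES.get(decode_oid(children(alg_id)[0][1]), "unknown")


def parse_certificate(pem: str) -> dict:
    _, cert, _ = read_tlv(pem_to_der(pem), 0)
    (_, tbs), (_, sig_alg), _ = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:                # explicit [0] version exists only in v2/v3
        fields = fields[1:]                 # this v1 certificate omits it
    _, _, issuer, validity, subject, spki = fields[:6]
    (nb_tag, nb), (na_tag, na) = children(validity[1])
    (_, spki_alg), (_, bit_string) = children(spki[1])
    (_, rsa_key), = children(bit_string[1:])   # BIT STRING: first byte = unused-bit count
    (_, modulus), _ = children(rsa_key)         # RSAPublicKey = SEQUENCE { n, e }
    return {"subject": common_name(subject[1]), "issuer": common_name(issuer[1]),
            "not_before": decode_time(nb_tag, nb), "not_after": decode_time(na_tag, na),
            "key_alg": alg_name(spki_alg), "key_bits": int.from_bytes(modulus, "big").bit_length(),
            "sig_alg": alg_name(sig_alg)}


def audit(info: dict, now: dt.datetime = None) -> list:
    """Findings a hardening review would raise; `now` defaults to the current time."""
    now = now or dt.datetime.now(dt.timezone.utc)
    checks = [
        ("self-signed", info["subject"] == info["issuer"]),
        ("expired", now > info["not_after"]),
        ("weak-key", info["key_alg"] == "rsaEncryption" and info["key_bits"] < 2048),  # assumed policy
        ("sha1-signature", info["sig_alg"].startswith("sha1")),
    ]
    return [name for name, hit in checks if hit]


if __name__ == "__main__":
    cert_info = parse_certificate(PEM)
    print({k: (v.isoformat() if isinstance(v, dt.datetime) else v) for k, v in cert_info.items()})
    print("findings:", ", ".join(audit(cert_info)))
```

The walker only handles the fields this audit needs and assumes an RSA key, which is all that is required to confirm the four observations s_client already made; for a general-purpose check the `cryptography` package is the right tool, but the point here is that the values are readable straight out of the captured PEM.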

Webroot


It appears to be a personal website showcasing a photo portfolio. The web application is also hosted on port 80.

Wappalyzer identified the technologies involved.

About


The About section contains a possible username disclosure: wazowski.

Contact


The Contact section includes a form submission, but it appears to be a dummy form.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u https://$IP/FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
 :: Method           : GET
 :: URL              : https://192.168.156.180/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 403
________________________________________________
Blog                    [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 40ms]
Index.html              [Status: 200, Size: 22916, Words: 8056, Lines: 540, Duration: 27ms]
assets                  [Status: 301, Size: 346, Words: 22, Lines: 10, Duration: 25ms]
blog                    [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 38ms]
index.html              [Status: 200, Size: 22916, Words: 8056, Lines: 540, Duration: 34ms]
:: Progress: [81912/81912] :: Job [1/1] :: 469 req/sec :: Duration: [0:03:08] :: Errors: 0 ::
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/monster]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u https://$IP/FUZZ/ -ic
________________________________________________
 :: Method           : GET
 :: URL              : https://192.168.156.180/FUZZ/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
                        [Status: 200, Size: 22916, Words: 8056, Lines: 540, Duration: 42ms]
cgi-bin                 [Status: 403, Size: 1056, Words: 103, Lines: 43, Duration: 70ms]
icons                   [Status: 200, Size: 74798, Words: 7383, Lines: 1005, Duration: 76ms]
assets                  [Status: 200, Size: 1606, Words: 184, Lines: 20, Duration: 62ms]
blog                    [Status: 200, Size: 4228, Words: 206, Lines: 98, Duration: 941ms]
:: Progress: [207630/207630] :: Job [1/1] :: 431 req/sec :: Duration: [0:07:47] :: Errors: 0 ::

ffuf found an endpoint: /blog/
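The first ffuf run reports Blog and blog, and Index.html and index.html, with identical status, size, word and line counts. That is the signature of a case-insensitive filesystem, consistent with the Win64 Apache banner, and it is why the second run uses a lowercase wordlist. As an added example (not part of the original notes), the script below parses the result lines copied from that first run, groups paths that differ only in case, and flags the case-insensitivity evidence so the duplicate hits do not get triaged twice.

```python
"""Collapse case-variant hits in ffuf output (added example, not from the original notes)."""
import re
from collections import defaultdict

# Result lines copied from the first ffuf run on this page.
FFUF_RESULTS = """\
Blog                    [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 40ms]
Index.html              [Status: 200, Size: 22916, Words: 8056, Lines: 540, Duration: 27ms]
assets                  [Status: 301, Size: 346, Words: 22, Lines: 10, Duration: 25ms]
blog                    [Status: 301, Size: 344, Words: 22, Lines: 10, Duration: 38ms]
index.html              [Status: 200, Size: 22916, Words: 8056, Lines: 540, Duration: 34ms]
"""

# ffuf's human-readable result line; \S* also accepts the empty path of a bare "/" hit.
RESULT = re.compile(r"^(?P<path>\S*)\s+\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
                    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+)")


def parse_ffuf(text: str) -> list:
    """Turn result lines into dicts; banner and progress lines do not match and are skipped."""
    hits = []
    for line in text.splitlines():
        m = RESULT.match(line)
        if m:
            d = m.groupdict()
            hits.append({"path": d["path"], **{k: int(v) for k, v in d.items() if k != "path"}})
    return hits


def collapse_case(hits: list) -> tuple:
    """Group hits whose paths differ only in case.

    Returns (groups, case_insensitive). A group whose members all share the same
    status/size/words/lines signature is evidence of a case-insensitive filesystem."""
    by_key = defaultdict(list)
    for h in hits:
        by_key[h["path"].lower()].append(h)
    groups, evidence = [], False
    for key, members in sorted(by_key.items()):
        signatures = {(m["status"], m["size"], m["words"], m["lines"]) for m in members}
        if len(members) > 1 and len(signatures) == 1:
            evidence = True
        groups.append({"path": key, "variants": sorted(m["path"] for m in members),
                       "status": members[0]["status"], "size": members[0]["size"]})
    return groups, evidence


if __name__ == "__main__":
    groups, case_insensitive = collapse_case(parse_ffuf(FFUF_RESULTS))
    for g in groups:
        print(f"{g['path']:<12} {g['status']} {g['size']:>6}  variants={g['variants']}")
    print("case-insensitive target:", case_insensitive)
```

Grouping on the lowercased path is deliberate: two case variants that return different responses are kept in the same group but do not count as evidence, since on a case-sensitive host they would be two different resources.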

/blog/


The /blog/ endpoint claims to be Mike's blog and is a default Monstra installation page.

CSS is not loaded because the links point to a domain, monster.pg. Interestingly, they point only to the HTTP instance on port 80. Continuing on the HTTP instance on port 80.