CUPS
Nmap discovered a CUPS server on the target port 631
The running service is CUPS 2.2
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pelican]
└─$ curl -I -X OPTIONS http://$IP:631/
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Language: en_US
Content-Length: 0
Date: Fri, 21 Mar 2025 19:37:20 GMT
Keep-Alive: timeout=10
Accept-Encoding: gzip, deflate, identity
Allow: GET, HEAD, OPTIONS, POST, PUT
Server: CUPS/2.2 IPP/2.1
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pelican]
└─$ curl -I http://$IP:631/
HTTP/1.1 403 Forbidden
Connection: close
Content-Language: en_US
Content-Length: 343
Content-Type: text/html; charset=utf-8
Date: Fri, 21 Mar 2025 19:37:24 GMT
Accept-Encoding: gzip, deflate, identity
Server: CUPS/2.2 IPP/2.1
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'/Practice/Pelican/2-Enumeration/attachments/{20F14EBF-82CC-48D3-A878-9BE81EDDF800}.png)
Webroot 403
/Practice/Pelican/2-Enumeration/attachments/{928C9857-3E92-447C-903E-8FA20CEAA1D1}.png)
Appending the X-Forwarded-For header returned a different response.
Code 400 but it leaked the version information; CUPS v2.2.10
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pelican]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:631/FUZZ -H 'X-Forwarded-For: localhost' -ic -fc 403
________________________________________________
:: Method : GET
:: URL : http://192.168.132.98:631/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Header : X-Forwarded-For: localhost
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
:: Progress: [20478/20478] :: Job [1/1] :: 177 req/sec :: Duration: [0:00:22] :: Errors: 0 ::N/A