Web


Nmap discovered a web server on the target port 8080. The running service is Jetty 1.0.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pelican]
└─$ curl -I -X OPTIONS http://$IP:8080/
HTTP/1.1 404 Not Found
Content-Length: 0
Server: Jetty(1.0)
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pelican]
└─$ curl -I http://$IP:8080/        
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=iso-8859-1
Cache-Control: must-revalidate,no-cache,no-store
Content-Length: 1365
Server: Jetty(1.0)

404

Interestingly, sending some special characters results in a 500 response, which leaks the underlying technology stack.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pelican]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -recursion -u http://$IP:8080/FUZZ -ic
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.132.98:8080/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
*                       [Status: 500, Size: 3479, Words: 1019, Lines: 57, Duration: 28ms]
:: Progress: [207630/207630] :: Job [1/1] :: 2083 req/sec :: Duration: [0:02:03] :: Errors: 0 ::

N/A

Exhibitor for Zookeeper


An endpoint was discovered on the web server running on the target port 8081, pointing to /exhibitor/v1/ui/index.html.

It's Exhibitor for the possible Zookeeper instance on the target port 2181. The version is 1.0.

Heading over to the Config tab reveals the installation directory as well as the client port, which is 2181.

The Log tab reveals that there is a cleanup task being executed in the background at an interval of 3 minutes.

Vulnerabilities


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/pelican]
└─$ searchsploit exhibitor
------------------------------------------------ ---------------------------------
 Exploit Title                                  |  Path
------------------------------------------------ ---------------------------------
Exhibitor Web UI 1.7.1 - Remote Code Execution  | java/webapps/48654.txt
------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

Checking the instance for vulnerabilities reveals a remote code execution exploit for the web UI version 1.7.1. Given that the target instance is much older, it might be vulnerable.