Web
Nmap [[Scrutiny_Recon#|discovered]] a web server on the target's port 80.
The running service is nginx/1.18.0 (Ubuntu).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ curl -I -X OPTIONS http://onlyrands.com/
HTTP/1.1 405 Not Allowed
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 07 Apr 2025 18:06:40 GMT
Content-Type: text/html
Content-Length: 166
Connection: keep-alive
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ curl -I http://onlyrands.com/
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Mon, 07 Apr 2025 18:06:44 GMT
Content-Type: text/html
Content-Length: 23375
Last-Modified: Mon, 03 Jun 2024 21:59:43 GMT
Connection: keep-alive
ETag: "665e3ccf-5b4f"
Accept-Ranges: bytes
Webroot
Possible Username Disclosure
Possible username disclosure in the Testimonial section
Another possible username disclosure for mail
Virtual Host / Sub-domain
The Login button in the footer leads to a virtual host / sub-domain: teams.onlyrands.com
The domain has been appended to the /etc/hosts file on Kali for local DNS resolution.
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://onlyrands.com//FUZZ -ic -e .html,.txt,.php -fc 403
________________________________________________
:: Method : GET
:: URL : http://onlyrands.com//FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Extensions : .html .txt .php
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 403
________________________________________________
about.html [Status: 200, Size: 10278, Words: 3719, Lines: 319, Duration: 27ms]
category.html [Status: 200, Size: 9992, Words: 3821, Lines: 327, Duration: 21ms]
css [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 18ms]
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 17ms]
index.html [Status: 200, Size: 23375, Words: 9003, Lines: 678, Duration: 20ms]
js [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 20ms]
work.html [Status: 200, Size: 11993, Words: 4667, Lines: 354, Duration: 21ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1869 req/sec :: Duration: [0:00:46] :: Errors: 0 ::
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://onlyrands.com/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://onlyrands.com/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 23375, Words: 9003, Lines: 678, Duration: 33ms]
images [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 24ms]
css [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 25ms]
js [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 20ms]
:: Progress: [207630/207630] :: Job [1/1] :: 1801 req/sec :: Duration: [0:01:57] :: Errors: 0 ::
N/A: this run found no directories beyond the css, images and js directories already seen above.
Virtual Host / Sub-domain discovery
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/scrutiny]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.onlyrands.com' -ic -mc all -fs 23375
________________________________________________
:: Method : GET
:: URL : http://192.168.219.91/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.onlyrands.com
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response size: 23375
________________________________________________
teams [Status: 401, Size: 66, Words: 8, Lines: 2, Duration: 239ms]
:: Progress: [114437/114437] :: Job [1/1] :: 1666 req/sec :: Duration: [0:01:19] :: Errors: 0 ::
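A defender-side counterpart to the Host-header sweep above, added here as an example (it is not part of the original notes): it parses nginx access-log lines and flags clients that request many names the server is not meant to serve. It assumes a custom log_format that records $host (the default combined format omits it); the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Assumed nginx log_format that records $host after the status/bytes fields:
#   log_format vhost '$remote_addr [$time_local] "$request" $status $body_bytes_sent "$host"';
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<host>[^"]*)"$'
)

# Constructed sample: .77 sweeps Host values against the same IP (nginx answers
# unknown names with its default site, 23375 bytes, so only the name differs),
# while .50 only uses the two names actually served.
SAMPLE_LOG = """\
192.168.219.50 [07/Apr/2025:18:10:01 +0000] "GET / HTTP/1.1" 200 23375 "onlyrands.com"
192.168.219.50 [07/Apr/2025:18:10:02 +0000] "GET / HTTP/1.1" 401 66 "teams.onlyrands.com"
192.168.219.77 [07/Apr/2025:18:11:00 +0000] "GET / HTTP/1.1" 200 23375 "www.onlyrands.com"
192.168.219.77 [07/Apr/2025:18:11:00 +0000] "GET / HTTP/1.1" 200 23375 "mail.onlyrands.com"
192.168.219.77 [07/Apr/2025:18:11:00 +0000] "GET / HTTP/1.1" 200 23375 "ftp.onlyrands.com"
192.168.219.77 [07/Apr/2025:18:11:01 +0000] "GET / HTTP/1.1" 401 66 "teams.onlyrands.com"
192.168.219.77 [07/Apr/2025:18:11:01 +0000] "GET / HTTP/1.1" 200 23375 "vpn.onlyrands.com"
not a log line
"""

KNOWN_HOSTS = {"onlyrands.com", "teams.onlyrands.com"}

def hosts_per_client(text):
    """Map client IP -> set of distinct Host values; unparsable lines are skipped."""
    seen = defaultdict(set)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["host"].lower())
    return seen

def flag_vhost_sweeps(text, known_hosts=KNOWN_HOSTS, threshold=3):
    """Return {ip: sorted unknown names} for clients that requested more than
    `threshold` Host names this server is not meant to serve."""
    flagged = {}
    for ip, hosts in hosts_per_client(text).items():
        unknown = sorted(h for h in hosts if h not in known_hosts)
        if len(unknown) > threshold:
            flagged[ip] = unknown
    return flagged

if __name__ == "__main__":
    for ip, names in flag_vhost_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: {len(names)} unknown Host values: {', '.join(names)}")
```

Because the default server answers every unknown name with the same page, the distinct-Host count per client, not the status code, is the usable signal.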