Web


Nmap discovered a web server on target port 7742; the running service is nginx.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer]
└─$ curl -I -X OPTIONS http://$IP:7742/
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 28 Mar 2025 19:19:40 GMT
Content-Type: text/html
Content-Length: 1219
Last-Modified: Thu, 24 Sep 2020 19:27:39 GMT
Connection: keep-alive
ETag: "5f6cf32b-4c3"
Accept-Ranges: bytes
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer]
└─$ curl -I http://$IP:7742/        
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 28 Mar 2025 19:19:45 GMT
Content-Type: text/html
Content-Length: 1219
Last-Modified: Thu, 24 Sep 2020 19:27:39 GMT
Connection: keep-alive
ETag: "5f6cf32b-4c3"
Accept-Ranges: bytes

The index page is a fake login page. The OPTIONS probe returned the same headers as the HEAD request and no Allow header, so it reveals nothing beyond the nginx banner.

Fuzzing


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:7742/FUZZ -ic -e .txt,.html,.php 
________________________________________________
 :: Method           : GET
 :: URL              : http://192.168.113.100:7742/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
 :: Extensions       : .txt .html .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
default                 [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 17ms]
index.html              [Status: 200, Size: 1219, Words: 130, Lines: 65, Duration: 20ms]
zipfiles                [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 22ms]
:: Progress: [81912/81912] :: Job [1/1] :: 1886 req/sec :: Duration: [0:00:47] :: Errors: 0 ::
  • /default/
  • /zipfiles/

/default/


/default/ serves another fake 404 page.

/zipfiles/


The /zipfiles/ endpoint, on the other hand, is a directory listing containing four ZIP archives. The archive names (francis, miriam, sofia, max) look like local usernames and are worth keeping as a user list.

All four were downloaded and their contents listed with 7z.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer/7742]
└─$ 7z l francis.zip
 
7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024, ASM
 
Scanning the drive for archives:
1 file, 2834 bytes (3 KiB)
 
Listing archive: francis.zip
 
--
Path = francis.zip
Type = zip
Physical Size = 2834
 
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2020-09-24 20:27:38 D....            0            0  home/francis
2019-04-18 05:12:36 .....          220          158  home/francis/.bash_logout
2019-04-18 05:12:36 .....          807          392  home/francis/.profile
2019-04-18 05:12:36 .....         3526         1592  home/francis/.bashrc
------------------- ----- ------------ ------------  ------------------------
2020-09-24 20:27:38               4553         2142  3 files, 1 folders
 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer/7742]
└─$ 7z l miriam.zip
 
7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024, ASM
 
Scanning the drive for archives:
1 file, 2826 bytes (3 KiB)
 
Listing archive: miriam.zip
 
--
Path = miriam.zip
Type = zip
Physical Size = 2826
 
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2020-09-24 20:27:38 D....            0            0  home/miriam
2019-04-18 05:12:36 .....          220          158  home/miriam/.bash_logout
2019-04-18 05:12:36 .....          807          392  home/miriam/.profile
2019-04-18 05:12:36 .....         3526         1592  home/miriam/.bashrc
------------------- ----- ------------ ------------  ------------------------
2020-09-24 20:27:38               4553         2142  3 files, 1 folders
 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer/7742]
└─$ 7z l sofia.zip 
 
7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024, ASM
 
Scanning the drive for archives:
1 file, 2818 bytes (3 KiB)
 
Listing archive: sofia.zip
 
--
Path = sofia.zip
Type = zip
Physical Size = 2818
 
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2020-09-24 20:27:38 D....            0            0  home/sofia
2019-04-18 05:12:36 .....          220          158  home/sofia/.bash_logout
2019-04-18 05:12:36 .....          807          392  home/sofia/.profile
2019-04-18 05:12:36 .....         3526         1592  home/sofia/.bashrc
------------------- ----- ------------ ------------  ------------------------
2020-09-24 20:27:38               4553         2142  3 files, 1 folders
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer/7742]
└─$ 7z l max.zip    
 
7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024, ASM
 
Scanning the drive for archives:
1 file, 8274 bytes (9 KiB)
 
Listing archive: max.zip
 
--
Path = max.zip
Type = zip
Physical Size = 8274
 
   Date      Time    Attr         Size   Compressed  Name
------------------- ----- ------------ ------------  ------------------------
2020-09-24 20:27:39 D....            0            0  home/max
2019-04-18 05:12:36 .....          220          158  home/max/.bash_logout
2019-04-18 05:12:36 .....          807          392  home/max/.profile
2020-09-24 20:27:39 D....            0            0  home/max/.ssh
2020-09-24 20:27:39 .....          738          592  home/max/.ssh/id_rsa.pub
2020-09-24 20:27:39 .....          836          654  home/max/.ssh/authorized_keys
2020-09-24 20:27:39 .....         3381         2101  home/max/.ssh/id_rsa
2020-09-24 20:27:39 .....         1991          983  home/max/tomcat-users.xml.bak
2019-04-18 05:12:36 .....         3526         1592  home/max/.bashrc
2020-09-24 20:27:39 .....          133           96  home/max/scp_wrapper.sh
------------------- ----- ------------ ------------  ------------------------
2020-09-24 20:27:39              11632         6568  8 files, 2 folders

These are ZIP archives of those users' home directories. The first three hold only the default dotfiles; max's archive also contains an .ssh directory (id_rsa, id_rsa.pub, authorized_keys), a Tomcat configuration backup and a Bash script.

max User


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer/7742]
└─$ 7z x max.zip  
 
7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29
 64-bit locale=C.UTF-8 Threads:128 OPEN_MAX:1024, ASM
 
Scanning the drive for archives:
1 file, 8274 bytes (9 KiB)
 
Extracting archive: max.zip
--
Path = max.zip
Type = zip
Physical Size = 8274
 
Everything is Ok
 
Folders: 2
Files: 8
Size:       11632
Compressed: 8274
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/sorcerer/7742]
└─$ cd home/max ; ll           
total 32K
4.0K drwxrwxr-x 3 kali kali 4.0K Mar 28 21:46 ..
4.0K drwxr-xr-x 3 kali kali 4.0K Sep 24  2020 .
4.0K drwxr-xr-x 2 kali kali 4.0K Sep 24  2020 .ssh
4.0K -rwxr-xr-x 1 kali kali  133 Sep 24  2020 scp_wrapper.sh
4.0K -rw-r--r-- 1 kali kali 2.0K Sep 24  2020 tomcat-users.xml.bak
4.0K -rw-r--r-- 1 kali kali  220 Apr 18  2019 .bash_logout
4.0K -rw-r--r-- 1 kali kali 3.5K Apr 18  2019 .bashrc
4.0K -rw-r--r-- 1 kali kali  807 Apr 18  2019 .profile

Extracting content

scp_wrapper.sh

┌──(kali㉿kali)-[~/…/sorcerer/7742/home/max]
└─$ cat scp_wrapper.sh
#!/bin/bash
case $SSH_ORIGINAL_COMMAND in
 'scp'*)
    $SSH_ORIGINAL_COMMAND
    ;;
 *)
    echo "ACCESS DENIED."
    scp
    ;;
esac                                                                                                                                        

The script dispatches on $SSH_ORIGINAL_COMMAND, the command the client asked sshd to run: anything whose text begins with scp is expanded unquoted and executed as-is; anything else prints ACCESS DENIED. and runs a bare scp, which only prints its usage.

SSH

┌──(kali㉿kali)-[~/…/sorcerer/7742/home/max]
└─$ ssh max@$IP -i .ssh/id_rsa
PTY allocation request failed on channel 0
ACCESS DENIED.
usage: scp [-346BCpqrv] [-c cipher] [-F ssh_config] [-i identity_file]
           [-l limit] [-o ssh_option] [-P port] [-S program] source ... target
Connection to 192.168.113.100 closed.
 
┌──(kali㉿kali)-[~/…/sorcerer/7742/home/max]
└─$ cat .ssh/authorized_keys
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/home/max/scp_wrapper.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC39t1AvYVZKohnLz6x92nX2cuwMyuKs0qUMW9Pa+zpZk2hb/ZsULBKQgFuITVtahJispqfRY+kqF8RK6Tr0vDcCP4jbCjadJ3mfY+G5rsLbGfek3vb9drJkJ0+lBm8/OEhThwWFjkdas2oBJF8xSg4dxS6jC8wsn7lB+L3xSS7A84RnhXXQGGhjGNfG6epPB83yTV5awDQZfupYCAR/f5jrxzI26jM44KsNqb01pyJlFl+KgOs1pCvXviZi0RgCfKeYq56Qo6Z0z29QvCuQ16wr0x42ICTUuR+Tkv8jexROrLzc+AEk+cBbb/WE/bVbSKsrK3xB9Bl9V9uRJT/faMENIypZceiiEBGwAcT5lW551wqctwi2HwIuv12yyLswYv7uSvRQ1KU/j0K4weZOqDOg1U4+klGi1is3HsFKrUZsQUu3Lg5tHkXWthgtlROda2Q33jX3WsV8P3Z4+idriTMvJnt2NwCDEoxpi/HX/2p0G5Pdga1+gXeXFc88+DZyGVg4yW1cdSR/+jTKmnluC8BGk+hokfGbX3fq9BIeiFebGnIy+py1e4k8qtWTLuGjbhIkPS3PJrhgSzw2o6IXombpeWCMnAXPgZ/x/49OKpkHogQUAoSNwgfdhgmzLz06MVgT+ap0To7VsTvBJYdQiv9kmVXtQQoUCAX0b84fazWQQ== max@sorcerer                                                                                                                                        

The key itself is accepted; what fails is the session. The authorized_keys entry carries command="/home/max/scp_wrapper.sh", so sshd runs the wrapper in place of a login shell (the ACCESS DENIED. line and the scp usage text are the wrapper's fallback branch), and no-pty is why the PTY allocation was refused; no-port-forwarding, no-X11-forwarding and no-agent-forwarding close off the other uses of the key. The only gate is the wrapper's prefix match on "scp", so the restriction may be bypassable.
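As an added example, not part of the original writeup or of the box, the script below reduces the wrapper's gate to a pure check (0 = allow, 1 = deny) and puts it next to an argv-validating gate of the kind a restricted scp-only key should use. Because the wrapper expands $SSH_ORIGINAL_COMMAND unquoted rather than through eval, shell operators in the command are not interpreted; what passes through is every option scp itself accepts (the usage text above lists -S program, -o ssh_option and -F ssh_config among them) and any path on the box, which is exactly what the strict variant pins down. HOME_DIR and the flag allowlist are assumptions for the example, and neither function executes anything.

```shell
#!/bin/sh
# Added example, not from the Sorcerer box: models the gate in max's
# scp_wrapper.sh as a pure decision (0 = allow, 1 = deny) and contrasts it
# with an argv-validating gate. Nothing here runs scp.

# 1. The original wrapper's test: a bare prefix match on the command text.
#    "scp -S /tmp/x ...", "scpfoo" and "scp -t /etc/cron.d/x" all pass.
weak_allows() {
    case "$1" in
        'scp'*) return 0 ;;
        *)      return 1 ;;
    esac
}

# 2. A stricter gate. Word-split the command the way the wrapper's unquoted
#    expansion would (globbing disabled), then require:
#      - argv[0] is exactly "scp";
#      - only -t (sink) or -f (source) plus a few harmless flags;
#      - no -S/-o/-F/-P/-i/-c/-l (program or config injection, tunnelling);
#      - exactly one trailing path: absolute, under HOME_DIR, without "..".
#    HOME_DIR is an assumption for the example.
HOME_DIR=${HOME_DIR:-/home/max}

strict_allows() {
    set -f
    set -- $1
    set +f
    [ "$1" = scp ] || return 1
    shift
    mode=
    while [ $# -gt 1 ]; do
        case "$1" in
            -t|-f)       mode=$1 ;;
            -p|-r|-d|-v) ;;
            *)           return 1 ;;   # any other flag, or a path before the last arg
        esac
        shift
    done
    [ -n "$mode" ] || return 1          # no mode flag, or no path at all
    path=$1
    case "$path" in
        *..*)            return 1 ;;
        "$HOME_DIR"/?*)  return 0 ;;
        *)               return 1 ;;
    esac
}

# Show both decisions for a few representative commands.
demo() {
    for cmd in 'scp -t /home/max/x' 'scp -r -p -f /home/max/dir' \
               'scp -S /tmp/evil -t /home/max/x' \
               'scp -t /home/max/../root/.ssh/authorized_keys' \
               'scp -t /etc/cron.d/x' 'scpfoo' 'ls -la'; do
        weak_allows "$cmd"   && w=allow || w=deny
        strict_allows "$cmd" && s=allow || s=deny
        printf '%-48s weak=%-5s strict=%s\n' "$cmd" "$w" "$s"
    done
}
demo
```

The strict gate is still only a filter on the argument vector; a wrapper that enforces it would then exec scp with the validated arguments rather than re-expanding the original string.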

tomcat-users.xml.bak

┌──(kali㉿kali)-[~/…/sorcerer/7742/home/max]
└─$ cat tomcat-users.xml.bak
<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
 
      http://www.apache.org/licenses/LICENSE-2.0
 
  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
 
  <role rolename="manager-gui"/>
  <user username="tomcat" password="VTUD2XxJjf5LPmu6" roles="manager-gui"/>
</tomcat-users>    

The tomcat-users.xml.bak backup, though, holds a plaintext credential with the manager-gui role, presumably for the Tomcat instance on target port 8080: tomcat:VTUD2XxJjf5LPmu6
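As an added example that is not part of the writeup, the shell script below pulls the live <user> entries out of a tomcat-users.xml-style file the way a loot triage script would: XML comments are removed first, because Tomcat ships sample users inside <!-- ... --> (as the notes in the file above say) and a plain grep for password= would report those as if they were real. The sample file is constructed for the example, modelled on the backup above, with an extra commented-out user and a multi-line user element added to exercise both cases.

```shell
#!/bin/sh
# Added example, not from the box or the writeup: lists the active <user>
# entries of a tomcat-users.xml after stripping XML comments, so sample
# users shipped inside <!-- ... --> are not mistaken for credentials.

# Remove every <!-- ... --> block (may span lines). The whole input is read
# as one record so the delimiters need not sit on the same line.
strip_xml_comments() {
    awk 'BEGIN { RS = "\001" }
    {
        s = $0
        while ((i = index(s, "<!--")) > 0) {
            rest = substr(s, i + 4)
            j = index(rest, "-->")
            if (j == 0) { s = substr(s, 1, i - 1); break }   # unterminated comment
            s = substr(s, 1, i - 1) substr(rest, j + 3)
        }
        printf "%s", s
    }'
}

# One line per active user, username:password:roles. Attributes are pulled
# out individually, so their order inside the element does not matter.
tomcat_users() {
    strip_xml_comments < "$1" | tr '\n' ' ' | grep -o '<user [^>]*>' |
    while IFS= read -r el; do
        u=$(printf '%s' "$el" | sed -n 's/.*username="\([^"]*\)".*/\1/p')
        p=$(printf '%s' "$el" | sed -n 's/.*password="\([^"]*\)".*/\1/p')
        r=$(printf '%s' "$el" | sed -n 's/.*roles="\([^"]*\)".*/\1/p')
        printf '%s:%s:%s\n' "$u" "$p" "$r"
    done
}

# Only the users whose roles unlock the manager or host-manager webapps.
privileged_tomcat_users() {
    tomcat_users "$1" | awk -F: '$3 ~ /(manager|admin)-(gui|script|jmx|status)/'
}

# Constructed sample, modelled on max's backup: one commented-out sample
# user (whose password even contains a ">"), one live manager-gui user and
# one live user written across two lines with attributes in another order.
sample_tomcat_users_xml() {
cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              version="1.0">
<!--
  Sample entries as shipped with Tomcat, wrapped in a comment and ignored:
  <role rolename="role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="VTUD2XxJjf5LPmu6" roles="manager-gui"/>
  <user roles="probe" password="s3cret"
        username="monitor"/>
</tomcat-users>
EOF
}

f=$(mktemp)
sample_tomcat_users_xml > "$f"
echo "Active users:";     tomcat_users "$f"
echo "Privileged users:"; privileged_tomcat_users "$f"
rm -f "$f"
```

On the role itself: manager-gui only unlocks the HTML interface at /manager/html; the /manager/text endpoints used for scripted deployment need manager-script, which this user does not have. A quick validity check against the target is a curl -u tomcat:VTUD2XxJjf5LPmu6 request to http://$IP:8080/manager/html: 401 means the password is rejected, 403 means it authenticated but lacks the role, 200 means it is usable.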